7.2 Exploitation

After I found the bug, I did the following to gain control over EIP:

  • Step 1: Trigger the bug to crash the system (denial of service).

  • Step 2: Prepare a kernel-debugging environment.

  • Step 3: Connect the debugger to the target system.

  • Step 4: Get control over EIP.

Step 1: Trigger the Bug to Crash the System (Denial of Service)

Once I had found the bug, it was easy to trigger it and cause a system crash. All I had to do was send a malformed TIOCSETD IOCTL request to the kernel. Example 7-2 shows the source code of the POC I developed to cause a crash.

Example 7-2. POC code (poc.c) I wrote to trigger the bug I found in the kernel of OS X

  #include <sys/ioctl.h>

  int
  main (void)
  {
    unsigned long ldisc = 0xff000000;

    ioctl ...
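The request the PoC sends carries an out-of-range line-discipline number (0xff000000). The following is an added example, not code from the book or from the XNU kernel, showing the defensive check an ioctl handler needs before it uses such a user-supplied number as a table index: the value must be rejected as negative before it is compared against the table size, because a negative int compared against an unsigned bound silently converts to a huge positive value. The table, its size NLINESW and the function names are constructed for the illustration; the page does not show the kernel's own validation code, so nothing here should be read as the actual bug's root cause.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a kernel line-discipline table with NLINESW
 * entries. Illustrative only; not the XNU kernel's linesw[] definition. */
#define NLINESW 4
static const char *linesw_names[NLINESW] = { "termios", "tablet", "slip", "ppp" };

/* Hypothetical handler for a TIOCSETD-style request. It receives the
 * discipline number exactly as a kernel would: an int copied from user
 * memory, which may be negative or enormous. Returns 0 or -ENXIO. */
static int validate_ldisc(int requested)
{
    /* Reject negative values FIRST. Comparing a negative int against a
     * size_t bound would convert it to a large unsigned value and pass. */
    if (requested < 0)
        return -ENXIO;
    if ((size_t)requested >= NLINESW)
        return -ENXIO;
    return 0;
}

/* Safe lookup: only indexes the table after validation succeeds. */
static const char *ldisc_name(int requested)
{
    if (validate_ldisc(requested) != 0)
        return NULL;
    return linesw_names[requested];
}

/* The hazard the PoC value illustrates in general: a check that only guards
 * the upper bound with a signed comparison accepts negative indices.
 * 0xff000000 reinterpreted as a 32-bit signed int is -16777216, which this
 * form treats as "in bounds". Shown for contrast; never use this pattern. */
static int upper_bound_only_accepts(int requested)
{
    return requested < (int)NLINESW;
}

int main(void)
{
    /* Constructed sample inputs: two valid indices, one just past the end,
     * and the PoC's value as a 32-bit signed int. */
    int vals[] = { 0, 3, 4, -16777216 };
    for (size_t i = 0; i < sizeof vals / sizeof vals[0]; i++) {
        const char *name = ldisc_name(vals[i]);
        printf("ldisc %d -> %s\n", vals[i], name ? name : "rejected (ENXIO)");
    }
    return 0;
}
```

Run stand-alone, the program accepts 0 and 3, and rejects both 4 and -16777216; the contrast function shows why the sign check has to come before, or be folded into, the size comparison.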
