
A Bug Hunter's Diary by Tobias Klein


7.2 Exploitation

After I found the bug, I did the following to gain control over EIP:

  • Step 1: Trigger the bug to crash the system (denial of service).

  • Step 2: Prepare a kernel-debugging environment.

  • Step 3: Connect the debugger to the target system.

  • Step 4: Get control over EIP.

Step 1: Trigger the Bug to Crash the System (Denial of Service)

Once I had found the bug, it was easy to trigger it and cause a system crash. All I had to do was send a malformed TIOCSETD ioctl request to the kernel. Example 7-2 shows the source code of the POC I developed to cause the crash.

Example 7-2. POC code (poc.c) I wrote to trigger the bug I found in the kernel of OS X

    #include <sys/ioctl.h>

    int
    main (void)
    {
        unsigned long ldisc = 0xff000000;

        ioctl ...
