Update on exploiting the Samba lsa_io_trans_names() Heap Overflow in Mac OS X

After some tests, we discovered that when the smbd process is started by the launchd daemon, exploiting this vulnerability using the size() pointer in initial_malloc_zones may cause unexpected behavior. The launchd daemon starts an smbd process only on the first brute-force interaction and does not start any new smbd process on subsequent iterations, causing exploitation to fail.

However, we found a reliable way to exploit this vulnerability even if the smbd process is started by the launchd daemon.


Exploiting the Samba lsa_io_trans_names() Heap Overflow in Mac OS X

While developing an exploit for the Samba lsa_io_trans_names() Heap Overflow for the Mac OS X operating system, we discovered that the szone_free() function has some interesting behavior.

The szone_free() function can be abused to overwrite one of the function pointers in the initial_malloc_zones structure and achieve arbitrary code execution. Exploitation is not straightforward, however, due to how the szone_free() function operates.
