Uninformed: Informative Information for the Uninformed

Vol 8» 2007.Sep


This paper has given a quick walk-through of the discovery and exploitation of a real vulnerability in Apple's wireless driver. Getting code execution is only one part of an exploit. To do something useful, an attacker needs kernel-mode shellcode. That subject will be covered in a future paper.

The exploit discussed in this paper is just a proof-of-concept since, as it stands now, one needs to know the load address of the kernel module on the target machine. This is a choice, not a restriction. This method of gaining execution is well suited to a proof-of-concept. Creating a weaponized exploit that can execute arbitrary code with no prior knowledge of the target is just as easy; it is just a matter of overwriting different parts of the kernel.

If the reader is interested in OS X kernel shellcode design, be sure to review the example scripts that contain different payloads that could be packed into the RSN IE and other optional elements.