Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

XNU VM_BEHAVIOR_ZERO_WIRED_PAGES behavior allows writing to read-only pages - 1651

Ian Beer, posted 10 months ago
  • The proof of concept starts by writing a run of A's to a file that is owned by root and read-only. Next, a C program is run that maps the file and calls mlock on that mapping. The file is still read-only and owned by root, but it now contains a run of 0's.
  • VMEs (vm_map_entry structures) define the privileges a particular map has over a region's vm_object. A task can set the behavior VM_BEHAVIOR_ZERO_WIRED_PAGES on any vm_entry, and there is no permission check on the operation, so the zero_wired_pages flag can be set on an entry backing memory the task cannot write. In vm_map_delete, the unwire path looks up the page of the underlying object and zeros the relevant portion of it; again, no permissions are checked at this point.
  • The next challenge is getting the page wired to something interesting. mlock is a wrapper around mach_vm_wire_kernel, which has the ability to perform writes. Using this, it is possible to mmap an interesting part of a page, mark it with VM_BEHAVIOR_ZERO_WIRED_PAGES, mlock the page, and have the unwire zero out parts of the data.
  • A pretty classic, yet complicated to exploit, permissions issue. Neat!