
Some question about CVE-2016-1803

Posted: Fri Aug 05, 2016 6:22 am
by chengyang
If anyone has an interest in CVE-2016-1803, an arbitrary code execution vulnerability on OS X 10.11.4, please have a look at

I compiled CoreCaptureNull.c and ran the program, but no panic happens.
When I went through the PoC code, I found that it makes an IOKit call to selector No. 0 of IOAudioEngine, but according to the description, the exploit should be triggered by "CoreCaptureUserClient::stashGet".

So I found that there is a kext called corecapture
Code:
graysn0wdeMac:~ graysn0w$ kextstat | grep apture
   82    1 0xffffff7f818e9000 0x22000    0x22000 (1.0.4) 16BA9642-2B81-3FEC-BB6F-FE8E8039DDDF <7 6 5 4 3 1>
   83    0 0xffffff7f81913000 0x7000     0x7000 (1) D71C8900-BCBC-3B5D-9F9C-077C3B29DF70 <82 7 6 5 4 3 1>

I guess that if the PoC is wrong and I replace IOAudioEngine with corecapture or CoreCaptureResponder, I don't know the number of the stashGet selector, and I have just failed to find the corecapture service or CoreCaptureResponder connection...

So confused. Any suggestions, please? You can use
Code:
 gcc -m32 -Wl,-pagezero_size,0 -O3 -framework IOKit CoreCaptureNull.c
to compile it.
Thank you.