Difference between revisions of "IOSurface Kernel Exploit"

From The iPhone Wiki
Revision as of 00:43, 19 October 2010

This vulnerability, along with the Malformed CFF Vulnerability, was used in Star/JailbreakMe 2.0. It is a buffer overflow in the handling of the kernel extension that manages pixel buffers (IOCoreSurfaceRoot), and it was used to get root privileges.

Credit

comex

Exploit

Selector 19 was vulnerable to a buffer overflow that allowed access to the root filesystem without making the kernel fail its signature check.

{|
! Selector !! Action !! Input !! Output
|-
| 0 || lookupFromMachPort || - || 1,208 bytes of stuff
|-
| 1 || release || IOSurfaceID surfaceID || -
|-
| 2 || lock || struct IOSurfaceLockArg || 1,208 bytes of stuff
|-
| 3 || unlock || struct IOSurfaceLockArg || struct IOSurfaceLockSeedArg
|-
| 4 || lockPlane || struct IOSurfaceLockArg || 1,208 bytes of stuff
|-
| 5 || unlockPlane || struct IOSurfaceLockArg || struct IOSurfaceLockSeedArg
|-
| 6 || lookup || void* ??? || 1,208 bytes of stuff
|-
| 7 || setYCbCrMatrix || IOSurfaceID surfaceID, uint32_t YCbCrMatrix || -
|-
| 8 || wrapClientImage || 28 bytes of stuff || 1,208 bytes of stuff
|-
| 9 || wrapClientMemory || void* param0, void* param1 || 1,208 bytes of stuff
|-
| 10 || getYCbCrMatrix || IOSurfaceID surfaceID || uint32_t YCbCrMatrix
|-
| 11 || setValue || ? || -
|-
| 12 || getValueMethod || ? || ?
|-
| 13 || kIOSurfaceMethodRemoveValue || ? || -
|-
| 14 || bindAccel || IOSurfaceID surfaceID, void* unknown0, void* unknown4 || -
|-
| 15 || bindAccelOnPlane || IOSurfaceID surfaceID, void* param1, void* param2, size_t planeIndex || -
|-
| 16 || readLimits || - || 20 bytes of stuff
|-
| 17 || kIOSurfaceMethodIncrementUseCount || IOSurfaceID surfaceID || -
|-
| 18 || kIOSurfaceMethodDecrementUseCount || IOSurfaceID surfaceID || -
|-
| 19 || ? || void* ??? || void* ???
|-
| 20 || setSurfaceNotify || 24 bytes of stuff || -
|-
| 21 || removeSurfaceNotify || 24 bytes of stuff || -
|}