|
The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "HFS Heap Overflow"
(→References) |
m |
||
| Line 14: | Line 14: | ||
*[https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/ All about Heap Spraying] |
*[https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/ All about Heap Spraying] |
||
| − | {{stub}} |
+ | {{stub|exploits}} |
[[Category:Exploits]] |
[[Category:Exploits]] |
||
Revision as of 21:27, 24 December 2012
By fuzzing the HFS btree parser, a heap overflow in the zone allocator was found. Mounting a clean, overflowed and payload images in a Heap Feng Shui way worked. The kernel heap overflow exploit copies 0x200 bytes from the vnimage.payload file to the kernel sysent, replacing a syscall to a write anywhere gadget. Some syscalls (first 0xA0 bytes and the last 6 bytes) are trashed in the operation because the HFS protocol needed to be respected. So these bytes are restored as fast as possible to get a stable exploit, then the write anywhere is used to copy the kernel exploit and jump to it. The kernel exploit just patches the kernel security features, as usual.
Credit
References
| [[File:|30px]] | This exploits article is a "stub", an incomplete page. Please add more content to this article and remove this tag. |
