The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
HFS Heap Overflow
By fuzzing the HFS btree parser, a heap overflow in the zone allocator was found. Mounting a clean, overflowed and payload images in a Heap Feng Shui way worked. The kernel heap overflow exploit copies 0x200 bytes from the vnimage.payload file to the kernel sysent, replacing a syscall to a write anywhere gadget. Some syscalls (first 0xA0 bytes and the last 6 bytes) are trashed in the operation because the HFS protocol needed to be respected. So these bytes are restored as fast as possible to get a stable exploit, then the write anywhere is used to copy the kernel exploit and jump to it. The kernel exploit just patches the kernel security features, as usual.
Credit
References
This article is a "stub", an incomplete page. Please add more content to this article and remove this tag. |