Difference between revisions of "AT+XAPP Vulnerability"

From The iPhone Wiki
(New page: Used as an injection vector for the current iPhone 3G and iPhone 3GS unlock payloads - ultrasn0w 0.93. Currently available in all baseband versions until 05.13.04. ==...)
 
m
 
(24 intermediate revisions by 11 users not shown)
Line 1: Line 1:
Used as an injection vector for the current iPhone 3G and iPhone 3GS unlock payloads‭ - ‬ultrasn0w 0.93‭. ‬Currently available in all baseband versions until 05.13.04‭.‬
+
Used as an injection vector for the [[X-Gold 608]] and [[XMM 6180]] [[unlock]] payload. ‬Currently available in all X-Gold 608 basebands until [[05.13.04]] and [[06.15.00]], and XMM 6180 baseband [[01.59.00]].‬
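Review bot: the replacement line still carries an invisible Unicode directional-formatting character (U+202C) after "payload." and another at the end of the line, inherited from the old sentence; strip them here, or they will be copied into every later revision. "Currently available in all X-Gold 608 basebands until 05.13.04 and 06.15.00" also reads as two endpoints of one range; say "up to and including 05.13.04, plus 06.15.00", or list the affected basebands the way the Implementation section does.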
 
 
 
== Credit ==
 
== Credit ==
  +
* '''vulnerability''': [[sherif_hashim]], also discovered by [[westbaer]], [[User:Geohot|geohot]] and [[User:Oranav|Oranav]] (each one independently)
 
  +
* '''exploitation''': [[iPhone Dev Team]]
sherif_hashim
 
 
   
 
== Exploit ==
 
== Exploit ==
  +
There is a stack overflow in the AT+XAPP‭="..." ‬command‭, ‬which allows unsigned code execution on the [[X-Gold 608]] and [[XMM 6180]].
   
  +
at+xapp="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa4444555566667777PPPP"
   
  +
Applying a string of more than 52‭ ‬characters will trigger the overflow.
There is a stack overflow in the AT+XAPP‭="..." ‬command‭, ‬which allows unsigned code execution on the X-Gold 608‭.‬
 
   
at+xapp‭="‬00000000000000000000000000000000000000000000000000000‭"‬
 
 
applying a string more than 52‭ ‬characters will trigger the overflow
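Review bot: the new sentence "There is a stack overflow in the AT+XAPP‭="..." ‬command‭," keeps the stray U+202D/U+202C marks from the old text around the quoted part of the command and before the comma; remove them so it reads AT+XAPP="..." command, cleanly. The trigger description still only says "more than 52 characters": state what the 52-character limit is (the example argument grew from 53 characters in the old revision to 56 in the new one) rather than leaving the reader to infer it from the sample string.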
 
 
 
== Implementation ==
 
== Implementation ==
  +
The exploit was used by [[iPhone Dev Team]] in [[ultrasn0w]] 1.0-1 and 1.2, which is able to unlock the [[X-Gold 608]] basebands [[04.26.08]], [[05.11.07]], [[05.12.01]], [[05.13.04]] and [[06.15.00]](ultrasn0w 1.2 only), and [[XMM 6180]] baseband [[01.59.00]].
   
  +
{{stub|exploit}}
 
  +
[[Category:Baseband Exploits]]
The exploit is used by the dev team in ultrasn0w 0.93‭ which is able to unlock 4.26.08‭, ‬5.11.07‭, ‬5.12.01‭ ‬and 5.13.04‭ ‬BB firmwares
 
 
----
 
 
Category‭: ‬Baseband Exploits
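Review bot: "[[06.15.00]](ultrasn0w 1.2 only)" needs a space before the parenthesis. The rewritten sentence also drops the previous revision's statement that ultrasn0w 0.93 used this exploit; if that is still considered accurate, keep 0.93 in the list of versions so the history is not lost, and if it is not, say so in the edit summary.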
 

Latest revision as of 23:48, 22 January 2013

Used as an injection vector for the X-Gold 608 and XMM 6180 unlock payload. Currently available in all X-Gold 608 basebands until 05.13.04 and 06.15.00, and XMM 6180 baseband 01.59.00.

Credit

* vulnerability: sherif_hashim, also discovered by westbaer, geohot and Oranav (each one independently)
* exploitation: iPhone Dev Team

Exploit

There is a stack overflow in the AT+XAPP="..." command, which allows unsigned code execution on the X-Gold 608 and XMM 6180.

at+xapp="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa4444555566667777PPPP"

Applying a string of more than 52 characters will trigger the overflow.
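The handler pattern behind a bug of this kind, as an added illustration that is not code from the wiki or from the baseband firmware: it assumes the quoted AT+XAPP argument is copied into a stack buffer sized for 52 characters plus a terminator (the page gives only the 52-character trigger, not the parser), and shows the unbounded copy beside a handler that checks the length first and answers ERROR.

```c
#include <ctype.h>
#include <string.h>

/* Assumption (not from the page): the handler copies the quoted AT+XAPP argument
 * into a stack buffer sized for 52 characters plus a terminator, so an argument
 * of "more than 52 characters" runs past it.  The real baseband parser is not
 * public; both handlers below are illustrative, not X-Gold 608 / XMM 6180 code. */
#define XAPP_ARG_MAX 52
enum at_result { AT_OK = 0, AT_ERROR = 1 };
/* Locate the quoted argument of AT+XAPP="..." (command name case-insensitive).
 * Returns its first byte and stores its length in *len, or NULL if malformed. */
const char *xapp_argument(const char *line, size_t *len)
{
    const char *prefix = "at+xapp=\"", *end;
    for (; *prefix != '\0'; prefix++, line++)
        if (tolower((unsigned char)*line) != *prefix)
            return NULL;
    if ((end = strchr(line, '"')) == NULL)
        return NULL;
    *len = (size_t)(end - line);
    return line;
}

/* VULNERABLE pattern (never called here): len is not compared with the size of
 * arg[], so an over-length argument writes past the end of the stack buffer. */
enum at_result xapp_handler_vulnerable(const char *line)
{
    char arg[XAPP_ARG_MAX + 1];
    size_t len;
    const char *p = xapp_argument(line, &len);
    if (p == NULL)
        return AT_ERROR;
    memcpy(arg, p, len);   /* unbounded copy */
    arg[len] = '\0';
    return AT_OK;
}

/* HARDENED: check the length against the buffer before copying and answer an
 * over-length argument with ERROR, the same way a malformed line is rejected. */
enum at_result xapp_handler_hardened(const char *line)
{
    char arg[XAPP_ARG_MAX + 1];
    size_t len;
    const char *p = xapp_argument(line, &len);
    if (p == NULL || len > XAPP_ARG_MAX)
        return AT_ERROR;
    memcpy(arg, p, len);   /* len <= XAPP_ARG_MAX, so the terminator fits too */
    arg[len] = '\0';
    return AT_OK;
}
```

With the check in place a 52-character argument is still accepted and a 53-character one is rejected, which is exactly the boundary the page describes.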

Implementation

The exploit was used by iPhone Dev Team in ultrasn0w 1.0-1 and 1.2, which is able to unlock the X-Gold 608 basebands 04.26.08, 05.11.07, 05.12.01, 05.13.04 and 06.15.00 (ultrasn0w 1.2 only), and XMM 6180 baseband 01.59.00.
