IOSurface Kernel Exploit

From The iPhone Wiki
Revision as of 20:33, 12 October 2010 by Liamchat (talk | contribs) (i think it is correct)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

This vulnerability, along with the Malformed_CFF_Vulnerability, was used in Star/JailbreakMe 2.0. It is a buffers overflow in the handling of the kernel-extension for managing pixel buffers however mobilesafari run's as mobile so in order to use this exploit you need to get root permission this is achieved by the Incomplete_Codesign_Exploit


exploit

Selector 19 was Vulnerability to a buffers overflow that allow access to the root filesystem without making the kernel fail signature checks

Selector Action Input Output
0 lookupFromMachPort - 1,208 bytes of stuff
1 release IOSurfaceID surfaceID -
2 lock struct IOSurfaceLockArg 1,208 bytes of stuff
3 unlock struct IOSurfaceLockArg struct IOSurfaceLockSeedArg
4 lockPlane struct IOSurfaceLockArg 1,208 bytes of stuff
5 unlockPlane struct IOSurfaceLockArg struct IOSurfaceLockSeedArg
6 lookup void* ??? 1,208 bytes of stuff
7 setYCbCrMatrix IOSurfaceID surfaceID, uint32_t YCbCrMatrix -
8 wrapClientImage 28 bytes of stuff 1,208 bytes of stuff
9 wrapClientMemory void* param0, void* param1 1,208 bytes of stuff
10 getYCbCrMatrix IOSurfaceID surfaceID uint32_t YCbCrMatrix
11 setValue ? -
12 getValueMethod ? ?
13 kIOSurfaceMethodRemoveValue ? -
14 bindAccel IOSurfaceID surfaceID, void* unknown0, void* unknown4 -
15 bindAccelOnPlane IOSurfaceID surfaceID, void* param1, void* param2, size_t planeIndex -
16 readLimits - 20 bytes of stuff.
17 kIOSurfaceMethodIncrementUseCount IOSurfaceID surfaceID -
18 kIOSurfaceMethodDecrementUseCount IOSurfaceID surfaceID -
19 ? void* ??? void* ???
20 setSurfaceNotify 24 bytes of stuff -
21 removeSurfaceNotify 24 bytes of stuff -

Credit

comex