iOS Kernel Heap Armageddon - Hakim
Overwriting _MALLOC()ed Data
• changing the size of a memory block
• freeing the block will put it in the wrong freelist
• smaller sizes will leak some memory
• bigger sizes will result in buffer overflows

Layout of a _MALLOC()ed block (size + 4 bytes in total): [ size | data ]

Stefan Esser • iOS Kernel Heap Armageddon REVISITED • July 2012 • 26
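The following C model is an added example; it is not code from the slides or from XNU. It reconstructs the block layout the slide describes (a 4-byte size word in front of the data, "size + 4" in total) on top of a toy allocator with constructed size classes, shows which freelist a block lands on when its stored size has been shrunk or grown before the free, and adds a checked free that refuses a header whose size class does not match the element's real class. The size classes, the `toy_*` names and the side table standing in for zone metadata are assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model: four size classes, each with its own freelist, standing
 * in for kalloc zones. Not XNU code. */
#define NCLASSES 4
static const size_t class_size[NCLASSES] = {16, 32, 64, 128};
static void *freelist[NCLASSES];          /* one freelist per size class */

/* Side table (constructed) standing in for the zone metadata a real allocator
 * can consult to learn which zone an element truly belongs to. */
#define MAXLIVE 64
static struct { void *p; int c; } live[MAXLIVE];

static int class_of(size_t n) {
    for (int i = 0; i < NCLASSES; i++)
        if (n <= class_size[i]) return i;
    return -1;                             /* larger than any class */
}

static int true_class(void *p) {
    for (int i = 0; i < MAXLIVE; i++)
        if (live[i].p == p) return live[i].c;
    return -1;
}

static void *toy_kalloc(size_t n) {
    int c = class_of(n);
    if (c < 0) return NULL;
    void *p = freelist[c];
    if (p) {
        freelist[c] = *(void **)p;         /* pop the freelist head */
    } else {
        p = malloc(class_size[c]);         /* fresh element of the class size */
        for (int i = 0; i < MAXLIVE; i++)
            if (!live[i].p) { live[i].p = p; live[i].c = c; break; }
    }
    return p;
}

/* Like kfree(addr, size): the caller-supplied size decides the freelist.
 * Returns the index of the freelist the block was pushed onto. */
static int toy_kfree(void *p, size_t n) {
    int c = class_of(n);
    if (c < 0) return -1;
    *(void **)p = freelist[c];
    freelist[c] = p;
    return c;
}

/* The "size + 4" layout from the slide: 4-byte size word, then the data. */
struct mhead { uint32_t mlen; char dat[]; };

static void *toy_MALLOC(size_t size) {
    size_t memsize = sizeof(struct mhead) + size;
    struct mhead *h = toy_kalloc(memsize);
    if (!h) return NULL;
    h->mlen = (uint32_t)memsize;           /* stored size, trusted on free */
    return h->dat;
}

/* Naive _FREE: trusts the header. Returns the freelist index used. */
static int toy_FREE(void *addr) {
    struct mhead *h = (struct mhead *)addr - 1;
    return toy_kfree(h, h->mlen);
}

/* Hardened variant: the class implied by the header must match the element's
 * real class, otherwise the free is refused (-1) instead of poisoning a list. */
static int toy_FREE_checked(void *addr) {
    struct mhead *h = (struct mhead *)addr - 1;
    if (class_of(h->mlen) != true_class(h)) return -1;
    return toy_kfree(h, h->mlen);
}

/* Allocate 28 bytes (28 + 4 = 32, class 1), overwrite the stored size with
 * bogus_mlen as a corruption would, then free through the given routine. */
static int free_after_corruption(uint32_t bogus_mlen, int (*freefn)(void *)) {
    void *d = toy_MALLOC(28);
    struct mhead *h = (struct mhead *)d - 1;
    h->mlen = bogus_mlen;                  /* simulated header corruption */
    return freefn(d);
}

int main(void) {
    printf("intact header     -> freelist %d\n", free_after_corruption(32, toy_FREE));
    printf("size shrunk to 12 -> freelist %d (16 of the 32 bytes are now leaked)\n",
           free_after_corruption(12, toy_FREE));
    printf("size grown to 100 -> freelist %d (a 32-byte block on the 128-byte list)\n",
           free_after_corruption(100, toy_FREE));
    printf("checked free, 100 -> %d (refused)\n",
           free_after_corruption(100, toy_FREE_checked));
    return 0;
}
```

The naive path reproduces the two outcomes on the slide: a shrunk size word parks a 32-byte element on the 16-byte list, so half of it is never handed out again, while a grown size word parks it on the 128-byte list, so the next 128-byte allocation receives a 32-byte element and writes past its end. The checked variant only works because it has an independent source of truth for the element's class; in a real kernel that role is played by the zone's own page metadata rather than a side table.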
What about kern_os_malloc(), new and new[]