iOS Kernel Heap Armageddon - Hakim
OSString Memory Layout and Overwriting It

Layout of a 32-bit OSString object as drawn on the slide (five 4-byte fields; the figure's last offset, 0x14, is the end of the object):

  0x00  vtable ptr + 8
  0x04  retainCount
  0x08  flags
  0x0C  length
  0x10  string ptr  ->  kalloc()ed memory
  0x14  (end of object)

• overwriting flags controls whether the string buffer is freed or not
  (OSString::free() only calls kfree(string, length) when the kOSStringNoCopy flag is clear)
• overwriting length
  • might allow kernel heap information leaks (the buffer is read back for length bytes, past the real allocation)
  • on free, the memory ends up in the wrong kalloc zone (kfree() picks the zone from the length it is passed)
• overwriting string ptr
  • allows kernel heap information leaks (reads from an attacker-chosen address)
  • on free, an arbitrary pointer ends up in a kalloc zone (free of attacker-chosen memory)
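The three overwrites on this slide, modelled as an added C example that is not code from the talk or from XNU: the struct keeps the 0x14-byte layout above, kOSStringNoCopy and the shape of OSString::free() are taken from XNU, while the arena, its size classes and the 32-bit offsets used as "pointers" are assumptions made so the model runs on a 64-bit host.

```c
/* Added example (not from the talk or XNU): userland model of the slide's
 * 32-bit OSString and of what each field overwrite does at free time.
 * Assumed: the toy kalloc arena, its zone sizes, and offsets as pointers. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define kOSStringNoCopy 0x00000001u  /* XNU: buffer is borrowed, free() must not kfree it */

struct OSString32 {          /* slide layout: five 4-byte fields, 0x14 bytes */
    uint32_t vtable;         /* 0x00  vtable ptr + 8 */
    uint32_t retainCount;    /* 0x04 */
    uint32_t flags;          /* 0x08 */
    uint32_t length;         /* 0x0C */
    uint32_t string;         /* 0x10  kalloc()ed buffer (arena offset here) */
};

/* Toy kalloc: size-class zones (assumed), 32-bit offsets into a flat arena. */
static uint8_t  arena[0x4000];
static uint32_t arena_next = 0x100;                    /* offset 0 plays NULL */
static const uint32_t zone_size[] = {16, 32, 64, 128, 256, 512, 1024};
#define NZONES (sizeof zone_size / sizeof zone_size[0])
static struct { uint32_t off, zone, live; } allocs[64];
static unsigned nallocs;

static int zone_for(uint32_t size) {
    for (unsigned i = 0; i < NZONES; i++)
        if (size <= zone_size[i]) return (int)i;
    return -1;
}

static uint32_t kalloc32(uint32_t size) {
    int z = zone_for(size);
    if (z < 0 || nallocs == 64) return 0;
    uint32_t off = arena_next;
    arena_next += zone_size[z];
    allocs[nallocs].off = off; allocs[nallocs].zone = (uint32_t)z; allocs[nallocs].live = 1;
    nallocs++;
    return off;
}

enum free_result { FREE_OK, FREE_SKIPPED, FREE_WRONG_ZONE, FREE_ARBITRARY_PTR };

/* kfree(ptr, size): as in XNU the target zone comes from the caller's size,
 * not from where the element really lives. */
static enum free_result kfree32(uint32_t off, uint32_t size) {
    int z = zone_for(size);
    for (unsigned i = 0; i < nallocs; i++) {
        if (allocs[i].off != off || !allocs[i].live) continue;
        allocs[i].live = 0;
        return z == (int)allocs[i].zone ? FREE_OK : FREE_WRONG_ZONE;
    }
    return FREE_ARBITRARY_PTR;                 /* never came from kalloc */
}

/* Mirrors OSString::free(): kfree(string, length) unless flags say NoCopy. */
static enum free_result osstring_free(struct OSString32 *s) {
    if (!(s->flags & kOSStringNoCopy) && s->string)
        return kfree32(s->string, s->length);
    return FREE_SKIPPED;
}

static struct OSString32 osstring_new(const char *cstr) {
    struct OSString32 s = {0x80001008u, 1, 0, 0, 0};   /* fake vtable+8, refcount 1 */
    s.length = (uint32_t)strlen(cstr) + 1;
    s.string = kalloc32(s.length);
    memcpy(arena + s.string, cstr, s.length);
    return s;
}

/* Bytes a length-driven copy-out reads beyond the buffer's zone element;
 * nonzero means neighbouring kernel heap leaks. */
static uint32_t osstring_overread(const struct OSString32 *s) {
    for (unsigned i = 0; i < nallocs; i++)
        if (allocs[i].off == s->string)
            return s->length > zone_size[allocs[i].zone] ? s->length - zone_size[allocs[i].zone] : 0;
    return s->length;                          /* foreign pointer: every byte is a leak */
}

/* The slide's cases. "hello world" plus NUL is 12 bytes: a 16-byte zone element. */
static int case_untouched(void) {
    struct OSString32 s = osstring_new("hello world");
    return osstring_free(&s);                  /* FREE_OK */
}
static int case_flags(void) {
    struct OSString32 s = osstring_new("hello world");
    s.flags |= kOSStringNoCopy;                /* flags overwritten: buffer never freed */
    return osstring_free(&s);                  /* FREE_SKIPPED */
}
static uint32_t case_length_leak(void) {
    struct OSString32 s = osstring_new("hello world");
    s.length = 0x200;                          /* length overwritten: 0x200-byte read from a 16-byte element */
    return osstring_overread(&s);              /* 496 bytes of neighbouring heap */
}
static int case_length_free(void) {
    struct OSString32 s = osstring_new("hello world");
    s.length = 0x200;
    return osstring_free(&s);                  /* FREE_WRONG_ZONE: 16-byte element goes to the 512 zone */
}
static int case_string_ptr(void) {
    struct OSString32 s = osstring_new("hello world");
    s.string = 0x3000;                         /* string ptr overwritten with an attacker-chosen address */
    return osstring_free(&s);                  /* FREE_ARBITRARY_PTR */
}

int main(void) {
    printf("untouched=%d flags=%d length(leak=%u,free=%d) stringptr=%d\n", case_untouched(),
           case_flags(), (unsigned)case_length_leak(), case_length_free(), case_string_ptr());
    return 0;
}
```

The two length cases are the slide's point: the same overwritten field serves first as an over-read (info leak) and then, once the object is released, as a free into the wrong zone, because kfree() trusts the size it is handed.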
Stefan Esser • iOS Kernel Heap Armageddon REVISITED • July 2012 • slide 70