iOS Kernel Heap Armageddon - Hakim
iOS Kernel Heap Armageddon - Hakim
iOS Kernel Heap Armageddon - Hakim
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
OSArray Memory Layout and Overwriting It<br />
0x00<br />
0x04<br />
0x08<br />
vtable ptr + 8<br />
retainCount<br />
updateStamp<br />
0x00<br />
0x04<br />
kalloc(capacity * sizeof(void *)) • overwriting<br />
updateStamp +<br />
fOptions = not<br />
interesting<br />
OSObject ptr<br />
OSObject ptr<br />
0x0C<br />
fOptions<br />
0x08<br />
NULL<br />
0x10<br />
array ptr<br />
0x0C<br />
0x14<br />
0x18<br />
0x1C<br />
0x20<br />
0x24<br />
count<br />
capacity<br />
capacityIncrement<br />
reserved<br />
• overwriting count + capacity + capacityIncrement<br />
• might allow uninitialized memory access<br />
• or different consufing attacks agains kalloc zones<br />
• overwriting array ptr + array itself<br />
• allows supplying arbitrary OSObject ptrs<br />
• any action the kernel performs on these will result in code exec<br />
Stefan Esser • <strong>iOS</strong> <strong>Kernel</strong> <strong>Heap</strong> <strong>Armageddon</strong> REVISITED • July 2012 •<br />
71