iOS Kernel Heap Armageddon - Hakim
iOS Kernel Heap Armageddon - Hakim iOS Kernel Heap Armageddon - Hakim
How does the parser work? (V) • key parser object is then converted to an internal OSString object • new operator will allocate 20 bytes for OSString object via kalloc() • OSString contructor will create a copy of the string with kalloc() • string in parser key object will be freed with kern_os_free() 0x00 0x04 vtable ptr + 8 retainCount Allocations so far: // Dict kern_os_alloc(44) = kalloc(44+4) 0x08 0x0C 0x10 flags length string ptr kalloc()ed memory // Key kern_os_alloc(7+1) = kalloc(7+1+4) kern_os_alloc(44) = kalloc(44+4) kalloc(20) kalloc(7+1) kern_os_free(x, 7+1) = kfree(x, 7+1+4) 0x14 Stefan Esser • iOS Kernel Heap Armageddon REVISITED • July 2012 • 82
How does the parser work? (VI) • next expected object is the dictionary value • in this case it is a string defined by the tag • because it is a string it is handled in the same way as a key • length + 1 bytes are allocated via kern_os_malloc() plus a header • string is copied into it IsThere one technique to rule them all? Answer Audience meet OSUnserializeXML() Stefan Esser • iOS Kernel Heap Armageddon REVISITED • July 2012 • 83
- Page 31 and 32: kernel_memory_allocate • “maste
- Page 33 and 34: Cross Zone Attacks • what is the
- Page 35 and 36: Visualization of Zone Page Allocati
- Page 37 and 38: Visualization of Zone Page Allocati
- Page 39 and 40: Visualization of Zone Page Allocati
- Page 41 and 42: Visualization of Zone Page Allocati
- Page 43 and 44: Visualization of Zone Page Allocati
- Page 45 and 46: Visualization of Zone Page Allocati
- Page 47 and 48: Visualization of Zone Page Allocati
- Page 49 and 50: Visualization of Zone Page Allocati
- Page 51 and 52: Visualization of Zone Page Allocati
- Page 53 and 54: Visualization of Zone Page Allocati
- Page 55 and 56: Visualization of Zone Page Allocati
- Page 57 and 58: Visualization of Zone Page Allocati
- Page 59 and 60: Visualization of Zone Page Allocati
- Page 61 and 62: Zone Page Allocation Distribution (
- Page 63 and 64: Cross Memory Allocator Attacks •
- Page 65 and 66: iOS Kernel C++ • iOS kernel‘s l
- Page 67 and 68: OSObject Memory Layout 0x00 0x04 vt
- Page 69 and 70: Overwriting an OSObject in Memory
- Page 71 and 72: OSArray Memory Layout and Overwriti
- Page 73 and 74: “Generic“ Technique to control
- Page 75 and 76: Heap Feng Shui / Heap Massage / ...
- Page 77 and 78: OSUnserializeXML() • deserializat
- Page 79 and 80: How does the parser work? (II) •
- Page 81: How does the parser work? (IV) •
- Page 85 and 86: How does the parser work? (VIII)
- Page 87 and 88: Heap Spraying (Remember?) • alloc
- Page 89 and 90: Heap Spraying • allocate repeated
- Page 91 and 92: Heap Spraying • allocate repeated
- Page 93 and 94: Fill Arbitrary Sized Memory Blocks
- Page 95 and 96: Poking Holes into Allocated Data
- Page 97 and 98: Extra: Keeping Data Allocated • s
How does the parser work? (V)<br />
• key parser object is then converted to an internal OSString object<br />
• new operator will allocate 20 bytes for OSString object via kalloc()<br />
• OSString contructor will create a copy of the string with kalloc()<br />
• string in parser key object will be freed with kern_os_free()<br />
0x00<br />
0x04<br />
vtable ptr + 8<br />
retainCount<br />
Allocations so far:<br />
// Dict<br />
kern_os_alloc(44)<br />
= kalloc(44+4)<br />
0x08<br />
0x0C<br />
0x10<br />
flags<br />
length<br />
string ptr<br />
kalloc()ed memory<br />
// Key<br />
kern_os_alloc(7+1) = kalloc(7+1+4)<br />
kern_os_alloc(44) = kalloc(44+4)<br />
kalloc(20)<br />
kalloc(7+1)<br />
kern_os_free(x, 7+1) = kfree(x, 7+1+4)<br />
0x14<br />
Stefan Esser • <strong>iOS</strong> <strong>Kernel</strong> <strong>Heap</strong> <strong>Armageddon</strong> REVISITED • July 2012 •<br />
82