iOS Kernel Heap Armageddon - Hakim
iOS Kernel Heap Armageddon - Hakim iOS Kernel Heap Armageddon - Hakim
Allocate Attacker Controlled Data • by putting data into a tag we can fill memory with any data • because data is either in base64 or hex format we can have NULs • is more convenient than because it reads in chunks of 4096 ThisIsOurData VGhpcyBJcyBPdXIgRGF0YSB3aXRoIGEgTlVMPgA8+ADw= 00112233445566778899aabbccddeeff ... Stefan Esser • iOS Kernel Heap Armageddon REVISITED • July 2012 • 90
Heap Spraying • allocate repeatedly ✔ • allocate attacker controlled data ✔ • allocate large quantities of data in a row ✔ • usually fill memory with specific pattern ✔ Stefan Esser • iOS Kernel Heap Armageddon REVISITED • July 2012 • 91
- Page 39 and 40: Visualization of Zone Page Allocati
- Page 41 and 42: Visualization of Zone Page Allocati
- Page 43 and 44: Visualization of Zone Page Allocati
- Page 45 and 46: Visualization of Zone Page Allocati
- Page 47 and 48: Visualization of Zone Page Allocati
- Page 49 and 50: Visualization of Zone Page Allocati
- Page 51 and 52: Visualization of Zone Page Allocati
- Page 53 and 54: Visualization of Zone Page Allocati
- Page 55 and 56: Visualization of Zone Page Allocati
- Page 57 and 58: Visualization of Zone Page Allocati
- Page 59 and 60: Visualization of Zone Page Allocati
- Page 61 and 62: Zone Page Allocation Distribution (
- Page 63 and 64: Cross Memory Allocator Attacks •
- Page 65 and 66: iOS Kernel C++ • iOS kernel‘s l
- Page 67 and 68: OSObject Memory Layout 0x00 0x04 vt
- Page 69 and 70: Overwriting an OSObject in Memory
- Page 71 and 72: OSArray Memory Layout and Overwriti
- Page 73 and 74: “Generic“ Technique to control
- Page 75 and 76: Heap Feng Shui / Heap Massage / ...
- Page 77 and 78: OSUnserializeXML() • deserializat
- Page 79 and 80: How does the parser work? (II) •
- Page 81 and 82: How does the parser work? (IV) •
- Page 83 and 84: How does the parser work? (VI) •
- Page 85 and 86: How does the parser work? (VIII)
- Page 87 and 88: Heap Spraying (Remember?) • alloc
- Page 89: Heap Spraying • allocate repeated
- Page 93 and 94: Fill Arbitrary Sized Memory Blocks
- Page 95 and 96: Poking Holes into Allocated Data
- Page 97 and 98: Extra: Keeping Data Allocated • s
Allocate Attacker Controlled Data<br />
• by putting data into a tag we can fill memory with any data<br />
• because data is either in base64 or hex format we can have NULs<br />
• is more convenient than because it reads in chunks of 4096<br />
<br />
<br />
ThisIsOurData<br />
<br />
VGhpcyBJcyBPdXIgRGF0YSB3aXRoIGEgTlVMPgA8+ADw=<br />
00112233445566778899aabbccddeeff<br />
...<br />
<br />
<br />
<br />
Stefan Esser • <strong>iOS</strong> <strong>Kernel</strong> <strong>Heap</strong> <strong>Armageddon</strong> REVISITED • July 2012 •<br />
90