Targeting the iOS Kernel - Reverse Engineering Mac OS X
Targeting the iOS Kernel - Reverse Engineering Mac OS X Targeting the iOS Kernel - Reverse Engineering Mac OS X
Attacking through Network Protocols (II) main kernel ----------net_add_proto() call at 800eb3c6 type: 0 - protocol: 00000000 - domain: internet type: DGRAM - protocol: 00000011 - domain: internet -> setsockopt handler at 800f8e95 -> packet parser at 800f9001 type: STREAM - protocol: 00000006 - domain: internet -> setsockopt handler at 800f7a95 -> packet parser at 800ef249 type: RAW - protocol: 000000ff - domain: internet -> setsockopt handler at 800edfc1 -> packet parser at 800ee28d type: RAW - protocol: 00000001 - domain: internet -> setsockopt handler at 800edfc1 -> packet parser at 800e8fa5 Stefan Esser • Targeting the iOS Kernel • April 2011 • 44
Attacking through Network Protocols (III) net_add_proto() call at 8027ce2c type: STREAM - protocol: 00000000 - domain: unix -> setsockopt handler at 8019e7b5 type: DGRAM - protocol: 00000000 - domain: unix -> setsockopt handler at 8019e7b5 com.apple.nke.ppp ----------------net_add_proto() call at 808179ca type: RAW - protocol: 00000001 - domain: PPP com.apple.nke.pptp -----------------net_add_proto() call to complex for this script at 80a84774 --- com.apple.nke.lttp-----------------net_add_proto() call to complex for this script at 8081f714 Stefan Esser • Targeting the iOS Kernel • April 2011 • 45
- Page 1 and 2: Targeting the iOS Kernel Stefan Ess
- Page 3 and 4: Motivation • iPhone security heav
- Page 5 and 6: Part I Introduction Stefan Esser
- Page 7 and 8: Finding Vulnerabilities in the iOS
- Page 9 and 10: Interesting Kernel Bugs - OS X OS X
- Page 11 and 12: Part II The iOS Kernelcache Stefan
- Page 13 and 14: Getting the iOS Kernelcache (II)
- Page 15 and 16: Kernelcache is just a Mach-O Binary
- Page 17 and 18: iOS Kernelcache vs. IDA • IDA can
- Page 19 and 20: Helping IDA - Kernel Extensions •
- Page 21 and 22: Helping IDA - findAndMarkKEXT.py St
- Page 23 and 24: IOKit Driver Classes (I) • IOKit
- Page 25 and 26: IOKit Object Hierarchy - Full View
- Page 27 and 28: Part IV iOS Kernel Where Are your S
- Page 29 and 30: Kernel Symbols - Manual Symbolizati
- Page 31 and 32: Zynamic‘s BinDiff • Zynamic‘s
- Page 33 and 34: Zynamic‘s BinDiff - Demo (II) Ste
- Page 35 and 36: Using IOKit Class Hierarchy for Sym
- Page 37 and 38: Exporting Symbols • IDA cannot ex
- Page 39 and 40: iOS Kernel Attack Surface • simpl
- Page 41 and 42: Finding and Marking the Syscall Tab
- Page 43: Attacking through Network Protocols
- Page 47 and 48: Attacking through Devices (II) com.
- Page 49 and 50: Dumping List of Sysctl Handlers mai
- Page 51 and 52: Attacking from User-Land: IOKit Dri
- Page 53 and 54: iOS Kernel Debugging • no support
- Page 55 and 56: iPhone Dock Connector (Pin-Out) PIN
- Page 57 and 58: Ingredients (I) • 470 kΩ resisto
- Page 59 and 60: Ingredients (III) • FT232RL Break
- Page 61 and 62: Final USB and USB Serial Cable •
- Page 63 and 64: KDP over serial • KDP over serial
- Page 65 and 66: Using GDB... $ /Developer/Platforms
- Page 67: Links • xpwntool - https://github
Attacking through Network Protocols (II)<br />
main kernel<br />
----------net_add_proto()<br />
call at 800eb3c6<br />
type: 0 - protocol: 00000000 - domain: internet<br />
type: DGRAM - protocol: 00000011 - domain: internet<br />
-> setsockopt handler at 800f8e95<br />
-> packet parser at 800f9001<br />
type: STREAM - protocol: 00000006 - domain: internet<br />
-> setsockopt handler at 800f7a95<br />
-> packet parser at 800ef249<br />
type: RAW - protocol: 000000ff - domain: internet<br />
-> setsockopt handler at 800edfc1<br />
-> packet parser at 800ee28d<br />
type: RAW - protocol: 00000001 - domain: internet<br />
-> setsockopt handler at 800edfc1<br />
-> packet parser at 800e8fa5<br />
Stefan Esser • <strong>Targeting</strong> <strong>the</strong> <strong>i<strong>OS</strong></strong> <strong>Kernel</strong> • April 2011 •<br />
44