Targeting the iOS Kernel - Reverse Engineering Mac OS X

31.12.2012 Views
Attacking from User-Land: Sysctl • sysctl is interface that gives user-land access to kernel variables • sysctl variables get added by the functions • sysctl_register_oid() • sysctl_register_set() / sysctl_register_all() • script scanning for xrefs can find all defined sysctl variables • interesting for vulnerability research are • sysctl handlers • writeable variables Stefan Esser • Targeting the iOS Kernel • April 2011 • 48

Dumping List of Sysctl Handlers main kernel ----------sysctl handler at 8017a805 (sub_8017A804) sysctl handler at 8017c015 (_sysctl_handle_quad) sysctl handler at 8017ae21 (sub_8017AE20) sysctl handler at 80089625 (sub_80089624) sysctl handler at 8017b2b1 (sub_8017B2B0) sysctl handler at 8019ce29 (sub_8019CE28) sysctl handler at 8017c231 (sub_8017C230) sysctl handler at 8017e23d (sub_8017E23C) sysctl handler at 8017a1b5 (sub_8017A1B4) sysctl handler at 8017a441 (sub_8017A440) sysctl handler at 800f4445 (sub_800F4444) sysctl handler at 8011cc49 (sub_8011CC48) sysctl handler at 8017a84d (sub_8017A84C) sysctl handler at 8008c051 (sub_8008C050) sysctl handler at 8017e1b9 (sub_8017E1B8) ... com.apple.iokit.AppleProfileFamily ---------------------------------sysctl handler at 8039ef51 (sub_8039EF50) com.apple.driver.AppleD1815PMU -----------------------------sysctl handler at 807b513d com.apple.iokit.IOUSBFamily --------------------------sysctl handler at 803cd165 (sub_803CD164) com.apple.iokit.IOUSBMassStorageClass ------------------------------------sysctl handler at 808dd019 com.apple.driver.AppleARMPlatform --------------------------------sysctl handler at 8036ecf1 (sub_8036ECF0) com.apple.iokit.IOSCSIArchitectureModelFamily --------------------------------------------sysctl handler at 80794cd1 (sub_80794CD0) Stefan Esser • Targeting the iOS Kernel • April 2011 • 49

Page 1 and 2: Targeting the iOS Kernel Stefan Ess

Page 3 and 4: Motivation • iPhone security heav

Page 5 and 6: Part I Introduction Stefan Esser

Page 7 and 8: Finding Vulnerabilities in the iOS

Page 9 and 10: Interesting Kernel Bugs - OS X OS X

Page 11 and 12: Part II The iOS Kernelcache Stefan

Page 13 and 14: Getting the iOS Kernelcache (II)

Page 15 and 16: Kernelcache is just a Mach-O Binary

Page 17 and 18: iOS Kernelcache vs. IDA • IDA can

Page 19 and 20: Helping IDA - Kernel Extensions •

Page 21 and 22: Helping IDA - findAndMarkKEXT.py St

Page 23 and 24: IOKit Driver Classes (I) • IOKit

Page 25 and 26: IOKit Object Hierarchy - Full View

Page 27 and 28: Part IV iOS Kernel Where Are your S

Page 29 and 30: Kernel Symbols - Manual Symbolizati

Page 31 and 32: Zynamic‘s BinDiff • Zynamic‘s

Page 33 and 34: Zynamic‘s BinDiff - Demo (II) Ste

Page 35 and 36: Using IOKit Class Hierarchy for Sym

Page 37 and 38: Exporting Symbols • IDA cannot ex

Page 39 and 40: iOS Kernel Attack Surface • simpl

Page 41 and 42: Finding and Marking the Syscall Tab

Page 43 and 44: Attacking through Network Protocols

Page 45 and 46: Attacking through Network Protocols

Page 47: Attacking through Devices (II) com.

Page 51 and 52: Attacking from User-Land: IOKit Dri

Page 53 and 54: iOS Kernel Debugging • no support

Page 55 and 56: iPhone Dock Connector (Pin-Out) PIN

Page 57 and 58: Ingredients (I) • 470 kΩ resisto

Page 59 and 60: Ingredients (III) • FT232RL Break

Page 61 and 62: Final USB and USB Serial Cable •

Page 63 and 64: KDP over serial • KDP over serial

Page 65 and 66: Using GDB... $ /Developer/Platforms

Page 67: Links • xpwntool - https://github

kernel

targeting

stefan

esser

april

handler

sysctl

symbols

iokit

code

reverse

engineering

reverse.put.as

Targeting the iOS Kernel - Reverse Engineering Mac OS X

Targeting the iOS Kernel - Reverse Engineering Mac OS X ... View more Targeting the iOS Kernel - Reverse Engineering Mac OS X

Delete template?

Save as template ?

Targeting the iOS Kernel - Reverse Engineering Mac OS X Targeting the iOS Kernel - Reverse Engineering Mac OS X