Adding ASLR to Jailbroken iPhones [PDF] - Antid0te

Recommendations

Info

Relocating the Dynamic Linker (III) • rebase tool does work now $ rebase -v -low_address 0x23456000 /Volumes/Jasper8C148.N90OS/usr/lib/dyld arm 0x2FE00000 -> 0x23456000 /Volumes/Jasper8C148.N90OS/usr/lib/dyld • however the rebased linker will crash on the iPhone • the reason is that rebase does not relocate the entrypoint $ otool -l ./dyld ... Load command 7 cmd LC_UNIXTHREAD cmdsize 84 flavor ARM_THREAD_STATE count ARM_THREAD_STATE_COUNT r0 0x00000000 r1 0x00000000 r2 0x00000000 r3 0x00000000 r4 0x00000000 r5 0x00000000 r6 0x00000000 r7 0x00000000 r8 0x00000000 r9 0x00000000 r10 0x00000000 r11 0x00000000 r12 0x00000000 r13 0x00000000 r14 0x00000000 r15 0x2fe01028 r16 0x00000000 ... Stefan Esser • Adding ASLR to jailbroken iPhones • December 2010 • 44
Stack Randomization (I) • stack of main thread is allocated near dyld • usually mapped at 0x2FD00000 -> 0x2FDFFFFF or 0x2FF10000 -> 0x2FFFFFFF • predictable location allows for easier exploitation of e.g. stack based buffer overflows • relocation can be done in user - space Stefan Esser • Adding ASLR to jailbroken iPhones • December 2010 • 45
Page 1 and 2: http://www.sektioneins.de Adding AS
Page 3 and 4: What the talk is NOT about This tal
Page 5 and 6: Part I Introduction Stefan Esser
Page 7 and 8: Jailbroken iPhones and Security •
Page 9 and 10: Codesigning ??? • every binary on
Page 11 and 12: Example Crashdump CrashReporter Key
Page 13 and 14: Part II Dyld Shared Cache and ASLR
Page 15 and 16: Libraries where are thou? • since
Page 17 and 18: dyld_shared_cache Header Stefan Ess
Page 19 and 20: Rebasing the Libraries... • okay
Page 21 and 22: the iPhone SDK to the rescue? (II)
Page 23 and 24: Okay what now ? looking at differen
Page 25 and 26: Obvious Complications • different
Page 27 and 28: Let‘s start diffing • Python im
Page 29 and 30: Analysing the results (I) • Expec
Page 31 and 32: What are the two large unknown valu
Page 33 and 34: Small Values and Pointers • some
Page 35 and 36: iPhone libobjc does not match the s
Page 37 and 38: Analysing the different pointer pro
Page 39 and 40: What needs to be rebased? • image
Page 41 and 42: The Dynamic Linker • iPhone OS /
Page 43: Relocating the Dynamic Linker (II)
Page 47 and 48: Stack Randomization Test int main()
Page 49 and 50: Baby Steps... • generic solution
Page 51 and 52: Crazy Solution • Crazy Solution
Page 53 and 54: Brute Force Pointer Detection (II)
Page 55 and 56: Part IV Installing it on the iPhone
Page 57 and 58: Analysis of current Jailbreak • /
Page 59 and 60: Installing an alternative dyld •
Page 61 and 62: Thank you for listening... DEMO Ste

Adding ASLR to Jailbroken iPhones [PDF] - Antid0te

Create successful ePaper yourself

Delete template?

Save as template?