Adding ASLR to Jailbroken iPhones [PDF] - Antid0te
Adding ASLR to Jailbroken iPhones [PDF] - Antid0te
Adding ASLR to Jailbroken iPhones [PDF] - Antid0te
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Analysis of current Jailbreak<br />
• /sbin/launchd launched in a way that libgmalloc.dylib is loaded<br />
• libgmalloc.dylib is a fake dylib that just replaces stack with payload<br />
• stack payload launches a ROP attack<br />
• ROP is used for sysctl()<br />
• security.mac.proc_enforce=0<br />
• secutiry.mac.vnode_enforce=0<br />
• and executing /usr/lib/pf2<br />
• pf2 is a kernel exploit that patches the kernel and re-executes /sbin/launchd<br />
Stefan Esser • <strong>Adding</strong> <strong>ASLR</strong> <strong>to</strong> jailbroken <strong>iPhones</strong> • December 2010 •<br />
57