Hacking Mac OS X - Black Hat

More documents

Recommendations

Info

sqlite3 iPhone:~ root# sqlite3 /private/var/mobile/Library/SMS/sms.db .dump BEGIN TRANSACTION; CREATE TABLE _SqliteDatabaseProperties (key TEXT, value TEXT, UNIQUE(key)); INSERT INTO "_SqliteDatabaseProperties" VALUES('_ClientVersion','7'); INSERT INTO "_SqliteDatabaseProperties" VALUES('_UniqueIdentifier','DD1AAE95-AD0D-4927-9FCB-085D977261E8'); INSERT INTO "_SqliteDatabaseProperties" VALUES('counter_in_all','48'); INSERT INTO "_SqliteDatabaseProperties" VALUES('counter_in_lifetime','48'); INSERT INTO "_SqliteDatabaseProperties" VALUES('counter_out_all','67'); INSERT INTO "_SqliteDatabaseProperties" VALUES('counter_out_lifetime','67'); INSERT INTO "_SqliteDatabaseProperties" VALUES('__CPRecordSequenceNumber','612'); CREATE TABLE message (ROWID INTEGER PRIMARY KEY AUTOINCREMENT, address TEXT, date INTEGER, text TEXT, flags INTEGER, replace INTEGER, svc_center TEXT, group_id INTEGER, association_id INTEGER, height INTEGER, UIFlags INTEGER, version INTEGER); INSERT INTO "message" VALUES(1,'636399XXXX',1204652484,'Yes, its snowing lots here. Its going to be hard for you to get home',3,0,NULL, 1,1204652484,75,0,0); INSERT INTO "message" VALUES(2,'1636399XXXX',1204847456,'Stuck in traffic sorry u have to deal with the kids by yourself',2,0,NULL,1,0,56,0,0);
Exploits then... When iPhone was released, we had: CrashReporter reports when phone was plugged into iTunes Access to iPhone filesystem when phone was off Cross compiler for generic ARM that sorta worked IDA Pro that sucked Required lots of patience and trial and error
Page 1 and 2:
Owning the Fanboys: Hacking Mac OS
Page 3 and 4:
Outline Leopard security Tracing ex
Page 5 and 6:
Sandboxing Done via Seatbelt kext C
Page 7 and 8:
More sandboxing Some applications a
Page 9 and 10:
Leopard firewall Disabled by defaul
Page 11 and 12:
One final note on Leopard “Securi
Page 13 and 14:
Truss syscall:::entry /execname ==
Page 15 and 16:
Memory Tracer pid$target::malloc:en
Page 17 and 18:
iTunes hates you (gdb) attach 7551
Page 19 and 20:
Inside iTunes In gdb (0x1f = PT_DEN
Page 21 and 22:
Jump tables EIP relative data addre
Page 23 and 24: Result of script
Page 25 and 26: Typical disassembly of Obj-C
Page 27 and 28: objc_msgSend Typically the first ar
Page 29 and 30: The code get_func_name(cpu.eip + di
Page 31 and 32: More results: xrefs!
Page 33 and 34: Changelog snooping Apple forks proj
Page 35 and 36: Apple’s pre-release vulnerabiliti
Page 37 and 38: Server Side mDNSResponder (sandboxe
Page 39 and 40: Safari Native support /Applications
Page 41 and 42: ReportCrash aka CrashReporter launc
Page 43 and 44: Monitoring script #!/bin/bash X=0;
Page 45 and 46: Exploiting Safari Massaging the hea
Page 47 and 48: Heap spray This unpredictability wa
Page 49 and 50: The plan Occurs in three steps Defr
Page 51 and 52: Create adjacent allocations Keep re
Page 53 and 54: JavaScript Safari JavaScript code i
Page 55 and 56: Therefore... In JavaScript var name
Page 57 and 58: Heap overflows Some protections on
Page 59 and 60: Win var name = new Array(1000); nam
Page 61 and 62: Pwn2Own - feng shei try{ for(i=0; i
Page 63 and 64: Heap defragmentation Breakpoint 3,
Page 65 and 66: Right in the hole! Breakpoint 3, 0x
Page 67 and 68: iPhone Apple’s phone Runs a strip
Page 69 and 70: Unlocking from carrier 3G Requires
Page 71 and 72: Processes # ps aux USER PID %CPU %M
Page 73: Interesting files /private/var/mobi
Page 77 and 78: Smaller attack surface Mostly like
Page 79 and 80: Port of RegEx exploit NOOP sled and
Page 81 and 82: Feng shei iPhone style (Output from
Page 83 and 84: http://appleguytom.blogspot.com/200
show all

Hacking Mac OS X - Black Hat

Create successful ePaper yourself

Delete template?

Save as template?