XNU heap exploitation: From kernel bug to kernel control | Tihmstar | NULLCON Goa 2020
Talk Abstract:
----------------------
This talk walks through the exploitation of two kernel bugs [CVE-2018-4344 and CVE-2019-6225] by presenting three kernel exploits, namely treadm1ll, v1ntex, and v3ntex. It first gives a quick introduction to the XNU internals of Mach ports and the heap allocators zalloc and kalloc, and then shows how to get from a POC to a full kernel exploit. The main focus is on outlining which primitives can be used for exploitation, which may not be obvious at first glance, and on giving an example of how the heap can be massaged in a way that is useful for exploitation. Changes between versions [iOS 11 to iOS 12] that can have an impact on the primitives are taken into account, because sometimes it is enough to replace just one element in the chain to fix the exploit [v1ntex to v3ntex].

About Speaker:
------------------------
I started hacking iOS in 2015 and since then I created various tools for research, downgrading, and contributed to various jailbreaks. Among those, I created tools for downgrading: futurerestore, tsschecker, img4tool. Released various local, remote, and untethered jailbreaks [32bit and 64bit] for iOS 8-12 for iPhone, iPod, iPad, AppleWatch, AppleTV.

-------------------------------------------------
#Nullcon2020 #iOS #Hacking
-------------------------------------------------
Website: https://nullcon.net
YouTube: https://www.youtube.com/user/nullcon?...