跳转到帖子

游客您好,欢迎来到黑客世界论坛!您可以在这里进行注册。

赤队小组-代号1949(原CHT攻防小组)在这个瞬息万变的网络时代,我们保持初心,创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识,您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告,请注册用户查看我们的使用与隐私策略,谢谢您的配合。小组成员可以获取论坛隐藏内容!

TheHackerWorld官方

FaceTime - 'readSPSandGetDecoderParams' Stack Corruption

HACK1949
HACK1949
黑帽漏洞数据库

精选回复

发布于 
There are a variety of problems that occur when processing malformed H264 streams in readSPSandGetDecoderParams, leading to OOB read, OOB write and stack_chk crashes. I think the root cause is stack corruption. This issue can occur if someone accepts a malicious FaceTime call.

To reproduce the issue:

On the target device:

1) build no-encrypt.c (gcc -dynamiclib -o mylib)
2) copy the file to /usr/lib/mylib
3) Use insert_dylib (https://github.com/Tyilo/insert_dylib) to add /usr/lib/mylib to AVConference (insert_dylib --strip-codesig /usr/lib/mylib AVConference)

This will strip encryption to allow the target to receive unencrypted packets. It is also possible to repro this issue using the method described in  issue 1634 , but it is much more reliable and debuggable with the unencrypted packets

On the host device:

    1) Build video-replay.c attached (gcc -g -dynamiclib -o mylib video-replay.c) and copy to /usr/lib/mylib
    2) Use bspatch to apply the attached binpatch to /System/Library/PrivateFrameworks/AVConference.framework/Versions/Current/AVConference. The version I patched has an md5 sum of 0de78198e29ae43e686f59d550150d1b and the patched version has an md5 sum of af5bb770f08e315bf471a0fadcf96cf8. This patch alters SendRTP to retrieve the length of an encrypted packet from offset 0x650 of the encrypted buffer, as the existing code doesn't respect the output size returned from CCCryptorUpdate
    3) Use insert_dylib (https://github.com/Tyilo/insert_dylib) to add /usr/lib/mylib to AVConference (insert_dylib --strip-codesig /usr/lib/mylib AVConference)
    4) Edit /System/Library/Sandbox/Profiles/com.apple.avconferenced.sb to add /out as allow file read and write
    5) Restart the machine
    6) Extract the attached sc.zip to /out and change the permissions so it's readable by AVConference
    7) Call target, when they pick up, AVConference will crash

When I reproduced this, my host was a Mac mini running version 10.13.6. My target was a MacBook Pro running 10.13.6. This PoC only works on a Mac, but the vulnerable code appears to be in iOS 11.3.1 as well.


Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45787.zip

创建帐户或登录后发表意见

转到主题列表

最近浏览 0

  • 没有会员查看此页面。