Moore is the man. I have lost count of the number of times I have uttered those words. I am a huge fan of Metasploit and the framework it provides is unrivaled. I recently wrote about the hacking platform that an iPhone provides, noting it would be a great tool for a bad guy. Moore is a man on a mission…
We can store our shellcode at offset 0x12C and patch the return value with 0x0006b400 + 0xA4 to return back to it. A quick test, by setting offset 0x12C to 0xffffffff (an invalid instruction), demonstrates that this works. We have successfully exploited the iPhone libtiff vulnerability using a return-to-libc back to memcpy().
Modified iPhones make this stack/heap overflow easier to accomplish, while “native” iPhones require some additional manipulation to consistently produce the exploit.
This attack exploits libtiff (the TIFF image library in OS X) by writing a writable memory location onto the stack and then executing the code there (a gross oversimplification). The manner in which this exploit is delivered opens the door for other exploits and shows how research into “modifying” the iPhone for freedom from AT&T can be used to 0wn the iPhone!
Metasploit continues to be a great tool for “evaluating” security of just about anything:
While using a hex editor to write this exploit is possible, the Metasploit Framework provides a much easier method of testing different contents for the TIFF file. A working exploit for this flaw (successfully tested on 1.00 and 1.02 firmwares) can be found in the development version of the Metasploit Framework (available via Subversion).
Techie-type folks have been using Mac PowerBooks for years because OS X gives them access to a UNIX operating system and a very functional GUI in a secure little package.
It seems logical that the iPhone would make a great penetration testing or security assessment tool, and if the good guys use them, it stands to reason the bad guys do too! Why couldn’t the iPhone be a hacker’s choice of mobile hacking platform?
Except for Windows Mobile, most phone operating systems are unique to the manufacturer. The underlying firmware is often ARM-based, but hacking ARM devices has not caught on in the same way. This uniqueness is one of the major reasons why cellular phones have not, to date, been targeted by malware to the degree that PCs have. The iPhone brings the hacker a mobile UNIX hacking platform much more discreet than those shiny PowerBooks or plastic-looking iBooks. It definitely costs less than a PowerBook or an iBook; granted, it doesn’t have the same processor, RAM, or hard disk capacity, but attack code created on the iPhone and the ability to hack other ARM-based devices from the iPhone could open the door to new attacks on existing mobile devices.