Heap Spraying on iOS
- By abusing a memory leak (not an information leak!), a bug in which a chunk of memory is "forgotten" and never freed, and triggering it multiple times until the desired amount of memory has been leaked.
- By finding and abusing an "amplification gadget": a piece of code that takes an existing chunk of data and copies it, potentially multiple times, thus allowing the attacker to spray a large amount of memory by only sending a relatively small number of bytes.

As it turns out, the NSKeyedUnarchiver API provides both primitives, and this exploit actually combines the two: it sends messages of around kB, which seems to be the maximum size of inline data, and with that sprays around MB of heap data. It then leaks those 31 MB and repeats the procedure a couple of times to perform the full heap spray.
As part of its initWithCoder, an ACZeroingString will take an existing NSData object and copy its content into a newly malloc'ed memory chunk.
[NSSharedKeySet indexForKey:]
isKindOfClass: method.
- An actual pointer to an ObjC object
- A pointer-sized value containing both the type and value information
- [!]The layout of objects will be discussed in the next post, where it will be relevant for gaining code execution. However, for this blog post it is already necessary to take a closer look at ObjC tagged pointers.
forKey:@"NS.configDict"]
[NSCFString isEqual:]