
[@ninjaprawn] Question regarding offsets

Open ghost opened this issue 7 years ago • 8 comments

Seeing that the xnu kernel uses PIC to randomize data and code locations, how are we meant to find and use the offsets (for kernel instructions) in this if they are in a different location every time?

ghost avatar Dec 26 '17 04:12 ghost

Just put in the unslid address; it would add the leaked KASLR slide to it. https://github.com/ninjaprawn/async_awake-fun/blob/2576281e82f3f71699c726f112bf4335924182ed/async_wake_ios/symbols.c#L144

However, this project does not use device-specific offsets at all -- they're only used by "poc kernel debugger" by ian.

stek29 avatar Dec 26 '17 05:12 stek29

Ohhhhh ok thx! Could this type of method be used with other processes that use PIC?

ghost avatar Dec 26 '17 09:12 ghost

What do you mean by PIC? ASLR? Leaking the ASLR shift is an important step of exploitation; there are many methods of doing it :)

stek29 avatar Dec 26 '17 09:12 stek29

program independent code (I think that's what it's called)

ghost avatar Dec 27 '17 03:12 ghost

Ah, position independent code. PIC is just a requirement to make ASLR possible.

stek29 avatar Dec 28 '17 09:12 stek29

Ohhh thx

ghost avatar Jan 02 '18 08:01 ghost

Hey just a quick question about this, why is it subtracting 0xFFFFFFF007004000?

ghost avatar Jan 02 '18 10:01 ghost

The TEXT header starts at 0xFFFFFFF007004000 for all 64-bit kernels. Since ASLR is applied to the kernel (aka KASLR), we need to find the slide to do things like call functions.

ninjaprawn avatar Jan 02 '18 11:01 ninjaprawn
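An added illustration of the arithmetic this thread describes (not code from async_wake-fun): derive the KASLR slide from a leaked __TEXT base by subtracting the fixed unslid base 0xFFFFFFF007004000, then rebase an unslid address onto the running kernel. The 16 KB page-alignment sanity check and all sample values are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Unslid __TEXT base shared by all 64-bit iOS kernels (from the thread). */
#define KERNEL_UNSLID_TEXT_BASE 0xFFFFFFF007004000ULL
/* arm64 kernel page size; an assumption used only for the sanity check. */
#define KERNEL_PAGE_SIZE 0x4000ULL

/* Derive the KASLR slide from a leaked (slid) __TEXT base.
 * Returns false and leaves *slide untouched when the leak cannot be a
 * slid kernel base: below the unslid base, or not page-aligned. */
static bool kaslr_slide_from_leaked_base(uint64_t leaked_text_base,
                                         uint64_t *slide)
{
    if (leaked_text_base < KERNEL_UNSLID_TEXT_BASE)
        return false;
    uint64_t s = leaked_text_base - KERNEL_UNSLID_TEXT_BASE;
    if (s % KERNEL_PAGE_SIZE != 0)
        return false;
    *slide = s;
    return true;
}

/* Rebase an address taken from the unslid kernelcache onto the running kernel. */
static uint64_t slid_address(uint64_t unslid, uint64_t slide)
{
    return unslid + slide;
}

int main(void)
{
    /* Constructed sample: pretend the leaked base sits 0x10000000 above unslid. */
    uint64_t leaked = KERNEL_UNSLID_TEXT_BASE + 0x10000000ULL;
    uint64_t slide;
    if (!kaslr_slide_from_leaked_base(leaked, &slide)) {
        puts("leaked value is not a plausible kernel base");
        return 1;
    }
    /* Constructed unslid symbol address, as it would appear in a dumped kernelcache. */
    uint64_t sym_unslid = 0xFFFFFFF0071A2B3CULL;
    printf("slide  = 0x%llx\n", (unsigned long long)slide);
    printf("symbol = 0x%llx\n", (unsigned long long)slid_address(sym_unslid, slide));
    return 0;
}
```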