You can be an iOS hacker: Stack Pivots and JOP/ROPs
Show transcript [en]
um we're now on to our amazing first Speaker which is Lena Lao her talk is you can be an iOS hacker stack pivots and job props so big round of applause for [Applause] Lena hello hello hello okay
all right awesome good morning everyone thank you all for joining me here today my name is inverse cause or inverse if you want to keep it casual uh my government name because we all live in we're in camber right now is Lena So today we're going to be talking about iOS and specifically I want to be talking about stack pivoting and job props iPhone versus Android in various different countries it shouldn't come as a surprise that in Australia and United States more people have iPhones than they do Android but the reality of the situation is Android does dominate the global market share of phones uh obviously in countries like China our usage of mobile phones has
been pretty crazy like 60% of all internet traffic now comes from a mobile device I saw this start like a few weeks ago where there was like a high percentage of Americans that are mobile only users which means they don't even own like a desktop or a PC they just do everything on their mobile phone I'm not going to like take you to Yap town about how important mobile phones are I'm sure we all know everybody has a phone I'm sure you can look at someone next to you they're probably holding a phone I know I for one like basically sleep with my phone under my pillow uh but the reason I wanted to bring this up is that your
phone is like a catalog of your personal life and so it should come as no surprise that it's a very attractive Target for a large number of people or organizations there have been a lot of Articles coming out from Amnesty International and also from citizen lab talking about this concept of it's a bit of a buzzfeed title but like governments can hack into your phone when you sleep and this is really the case like last week there was this blog it's not really a blog like a news article about how the Colombian president was urging their civilians to check their phone for the Advent of Pegasus and Pegasus is a spyware that's developed by an Israeli
organization called NSO group and NSO group you know I'm sure like some of some people in the audience may have heard of them before but back in like 2021 is they were blacklisted from the US government and earlier this year there were conversations around actually Banning employees from NSO group from actually entering into the US now I personally love a little did my mic just cut I personally love a little bit of irony so the US government actually has been a previous client of the NSO group and they purchased spyware from them uh but under a holding company under a fake front company called Cleopatra now why did I go Yap about all of that
and the reason for that is I want to talk about I want you guys to know kind of the context for why we're even having this discussion today and then I want to talk a little bit about how transparent the industry is how difficult it is for someone to get into it and then I want to talk a bit about memory corruption bugs and then stack pivoting so when I really wanted to get into iOS hacking there was really not that much information out there and I kind of felt like I was just I just kept hitting my head against a wall like it's completely different to learning about exploiting Windows if you just try to
learn how to exploit things on Windows there's a million articles on the internet YouTube videos step-by-step blog post guiding you on the latest ways of you know uh bypassing EDR techniques whatever but it's not the same for iOS you have books that are really dated that don't apply for recent versions you have literally like not that many poc's out there on GitHub you're there's not much information out there and not many people talking about it and when I started learning about hacking iOS and trying to get into it just just as an aside I'm a bit of a masochist I absolutely love the feeling of being a noob and like knowing nothing about something and then the process of
like unifying myself so I this is just something that I really like so one of the best best things that I found for learning about this was actually the project zero blog posts now for those of you who don't know what project zero is it's uh it's a group of security researchers at Google that band together and they write research and Technical blog posts about uh zero days that they find in the wild it's not all iOS it's like iOS various other devices as well now the issue with these blog posts is they're not exactly beginner friendly they kind of just go straight in it's like bam you just go straight into it and so if you're new to like learning
how to hack iOS you're going to be reading this thinking is this English it's really hard to understand but what project Zero have done is they've published like exploit chains and kind of step-by-step walk through how those exploit chains work and it's really really interesting and I wanted to bring up this uh tweet zit or whatever the whatever the term is uh that Valentina put up which was to her follower list what percentage of software developers do you think can read a project zero blog post and actually understand high level just like a little bit of what's going on I'm going to guess most of her followers are like infosec people but that poll had around 4,000 people voting
and the guess was that maybe 0 to 5% of software developers can actually understand one of those blog posts I do have to shout out that like the vend diagram cross-section of software Dev and infos isn't exactly like one toone crossover so naturally some software devs have no idea what project zero is so maybe that you know contributed to the uh the voting but nonetheless they are very very difficult to understand and because there's not much information and you know you're relying on these technical blog posts to kind of learn what's going on some people have a different opinion uh there was this blog this blog and tweet that was published a few months ago by someone called Michael
I don't know him personally but they wrote a blog post that project zero should actually stop publishing these blog posts altogether and the reasoning was because project zero published a series of zero days found on the wild blog post Etc and that led to burning a 9-month long counter counterterrorist operation that was being run by a us Allied government so it was a 9mon long government 9month long government operation something to do with counterterrorism and because project zero came out and published the technical details of that particular exploit it resulted in them burning that operation and naturally this like caused a lot of debate in the Osa Community some people stand Michael's POV some people stand project Zero's POV but
project zero came back and was like you know yeah like maybe the Western governments are the ones using these exploits on counter terrorist operations but it's only a matter of time before nonwestern governments use these against us for I guess lack of a better word counter counter counter terrorist operations so yeah I mean it's interesting this kind of discussion around whether or not you should be publishing these things and actually even letting it out on the market another reason that I found and one of the reasons why maybe people are not so open to publishing things or teaching people or like elucidating the realm of iOS exploit is there's a lot of money in the market to be
made I'm sure a lot of people who are bug bounties or like people who like you know people who like money would have some familiarity with what zerodium is but for those of you who don't know what it is they essentially buy exploits from you that you find uh but what I wanted to highlight here is actually if you look at their website they sorry they will pay upwards of 200,000 USD up to 2.5 million USD for an Android full chain with persistence zero click why I wanted to point this out is compare this to the windows Market compare this to how much an exploit would go for on the market if you were finding something maybe like an RC on I
don't know like a Windows desktop Windows Server Mac Etc the upward range for how much they would pay for I guess a server is 1 mil so the mobile market is more than double the amount that you can make that reduces the incentivization for someone to go forward and just be like publishing pox for clout or whatever it is like you know you're not talking about an insignificant amount of money here and what better person to get an idea of where the market is headed than from marked out he did this amazing keynote at blue hat last year I really recommend you guys watch it I basically took this from his slide deck and his
prediction for how much a full or close to full compromise will go for in the future for mobiles is upwards of 10 million USD so 2.5 in the future potentially 10 mil plus is not a it's not an insignificant amount of money if you think about this from an ESPN standpoint or like a government standpoint the information that you glean from a desktop and a server is not as interesting as the information you would get from a device that someone literally uses for I don't know what your average screen time is but like 4 hours I'm guessing like 4 hours a day like the amount of information you can glean about a person's life it's
completely different and on top of that it's really hard to find it's really hard to develop exploits and things on iOS project Z also maintain a list of zero days in the wild and this is a public spreadsheet of zero days in the wild and all I've done is I've just aggregated the Last 5 Years just dumped it together into one spreadsheet so this is everything from 2019 uh to 2024 there's one glaringly obvious pattern that's like popping out in your face that I've also highlighted in yellow so I hope even though you guys might be tired you see you see this uh basically all of them if not except for three are all memory corruption
vulnerabilities and what I also kind of want to highlight is okay I don't have a cursor on the screen is that if you take a look at the second last column root cuse analysis A lot of them don't have writeups it's just a cve link not much documentation nobody really talking about it it's this just really it's completely different than the windows space a lot of these memory corruption vulnerabilities that you're looking at on the on the previous slide uh a lot of them impact the Heap in some kind of way and so memory corruption just for those of you who don't know it's a class of different kinds of bugs any anything from uh you can find a heap overflow all
the way to like a years after free it's a whole different multiple different kinds of bugs it's just an umbrella ter and they can occur on multiple different places but as you can see here uh a lot of them impact the Heap now I just really want to do like a 10c what is a stack versus Heap just in case we have people who don't know what this is uh and by the way I took this screenshot from like a CS 101 course and it gave me PTSD to UNI um what is a stack versus a heap I'm just going to give like a very high level description think of a stack and Heap as just an area in memory and the
stack is like a flights departure board it just tracks like the program execution flow like this function is going to run then this function is going to run run this function is going to run Etc think of the Heap as just another part of memory that just every single time you use maloc kalloc it's just dynamically allocated memory it's all you have to know and so the problem with some of these memory corruption vulnerabilities if they impact the Heap is that on an iOS device you're not in this situation like Windows where you can just go on the side and like write you know code up a little dll in your Visual Studio code and then inject that you know
reflectively load your D L it's a different situation you can't just inject and introduce like arbitrary code into the system and that makes exploitability a lot more difficult and the solution to that is by doing something called Gadget chaining uh R chaining Rob jobs it's just and what a gadget is is a code segment it's your iPhone is running and there's code running always on your iPhone you're just reusing pieces of code that are legitimate and already exist on your iPhone and piecing it together to achieve your actions on objectives I hate saying actions on objectives whatever I said it you're piecing together pieces of code to achieve what it is that you want to
do but the issue is is if you have some kind of control over the Heap you're not in a state where you can just chain like a full stack of rock rock chains because you know the function's going to execute it's just going to jump back into the stack and so you have this next problem of how do you chain Mass amounts of gadgets on the Heap and one of the solutions to solving this is a technique called stack pivoting and how stack pivoting works and I'm just going to pull this nice diagram back up again is at the top of the stack there is something called a stack pointer it's not that complicated just
think of it like a finger pointing to the top of the stack like hey what's up the Stack's here and all it is is let's just say you know you see the stack you see the Heap you introduce some kind of attack you maybe do like a heap spray you spray a bunch of objects into the Heap you have something sitting in the Heap all you're doing as the attacker is you're manipulating this stack pointer to point to a heap address that you wanted to point to so the program now thinks oh what's up the Heap is now the stack like you've just tricked the system into thinking the Heap is the stack then from this point forward
you're in a position where you can do your evil actions and these evil actions can be things like setting up a bunch of gadgets now on the Heap and then after you do your evil things you can then have to restore the stack pointer back to the stack cuz you know your girl's not going to just let the stack pointer stay pointing at the Heap for the rest of the you know for the situation and yeah so voila you point the stack pointer back to the actual stack that's basically like the tldr of what this talk is about there's so many benefits of doing stack pivoting like you know you have better control over what you're doing
you're in a situation now where you can chain multiple amounts of gadgets on the Heap you're not faced with things like stack protections and just as just as an aside I hope you guys are playing the game deadlock I'm obsessed with this game right now I want to jump into some examples of Stack pivoting I guess in the wild where security researchers have published stack pivot chains and I'm just going to show you literally every single example I could find on the internet there's not that many uh the first one is from a project the write up it's a remote iOS exploitation this was 2019 it starts off with a heap spray they're just spraying objects onto the Heap then they
trigger the vulnerability and then from there they want to set up a rck chain what that means again is just reusing code on an iPhone and in a creative way to achieve your actions and objectives by stacking them one by one so then to do that they they move forward into performing an actual stack pivot and then they Implement their Gadget chain or Rob payload I kind of have to talk about this a little bit cuz we're going to start going into some assembly so I'm not going to talk about every single register in iOS and really cover it this is just the bare minimum that you need need to know a register think of it as
just like something that holds some kind of value and that value can be like a memory address it can be like decimal it can be asky like just hold some kind of data and there is like x0 all the way through to x28 and these registers just hold some kind of data uh x16 is a bit different that holds s calls but you know you don't really have to know that for this talk and then the only other three that you really need to know for this talk are x29 x30 and X31 x29 is the frame pointer it just points to the stack frame in a function call x30 stands for the link register and every single time you run a little
function like your program function and it hits return the return will jump to the address stored inside x30 the link register and then the last one the stack pointer is just what we were talking about for the previous slides it's just the finger pointing to the top of the stack now you are going to have to read assembly there's no escaping this to perform this uh I think assembly maybe puts off a few people because it looks it's like just looks like a nerd in a basement but once you get over the unapproachable vibe of how it looks it's so much easier than learning like you know another language it's not as difficult as how it looks I do think
it's prettier than C++ Lo no offense so this particular stack pivot chain uh from Project zero went on for six gadgets long and I don't have a cursor but you can see like just the starting Gadget what Gadget zero looks like the next example I could find on the internet was from Alibaba security and this was from like a blog post they posted on medium this is a pretty old uh old blog post but their stack pivot ch was pretty short it was just four different gadgets long and it's really succinct uh it gets to the point just so that we kind of get used to looking at assembly the actual pivoting is happening on the third Square you should
not call that a square it's a triangle not a triangle it's a rectangle the third rectangle where it's going move spx2 pretty simple to understand it's just moving the value stored in X2 into the stack pointer so now the stack pointer goes oh hectic the the Heap is now the stack at this address awesome that's literally it yeah interestingly enough I could not actually find any other example published on the internet there like the only two uh I guess I mean I I can't really speak to why that is the case maybe I mean I have some guesses like maybe people don't want to publish their stack pivot chains because if you you know publish an entire stack pivot chain
it can be reused by other people in their exploits and maybe you don't want to help them because you know you want that money you want that bag I don't know I don't know what the the the psychology behind it is but this is kind of how we start doing it I call this like the jigsaw puzzle because I really like jigsaws and I enjoy doing this because this to me is the same thing as doing a jigsa puzzle you have the starting point which is uh you found some kind of Heap vulnerab hit some kind of memory corruption bug and then you have your end goal of I want to execute a stack pivot it chain so that I can
then set up my rck payload to lead into my next exploit or whatever whatever you're vibing that day and then you have everything in the middle questions that might be appearing in your head right now what the heck is a gadget where do I find a gadget how does this even work where where do these gadgets live in how many gadgets do I need to find how do I even start approaching this problem where's the best place to start all all very natural questions that I also had when I was figuring this out by myself so the first question that I kind of you know figured out was what kind of Gadget uh what kind of gadgets exist
so a gadget is just a legitimate existing piece of code running at runtime on your iPhone you you are just literally repurposing that code and piecing them together to achieve your goals your goal would be let's figure out a chain of different code segments that work together to create this stack pivot and then from there let's figure out other existing code segments that fit together to do my R chain that does whatever I want to do with it this little three three step three step three instruction sequence is just kind of what a gadget looks like they're kind of short not that hard to understand like looks crazy but it's not that crazy it's just storing a bunch of
values into different registers and then returning R just means return and if I've lost you just stare at Subway Subway Surface there's two different types of gadgets that exist there is something called Rob and something called job and Rob just stands for return oriented programming jop stands for jump oriented programming R like honestly I don't know why they got to make it so confusing it's like basically does similar things uh R just ends in a return you know hence return oriented programming jop stands for jump oriented programming so it's meant to end in jump but obviously arm makes everything a lot more difficult so in instead of jump you have BR which just means Branch to a register which does
the same thing so the first one it just does something and then returns and then the second one for job it does something and then it branches it's kind of the same thing as just jumping into the value stored in a register real world example of Rob jobs just because I know people like having these examples of just gives context to why we're even talking about this I loved this write up from a secur list cuz py so one of their security researchers was targeted and they were targeted with azero click exploit where they received a PDF file and just in how that PDF payload was rendered it led into the series of exploits being chained up the
r drop component part of this you can see I've highlighted in I've highlighted in a cute purple color don't know if that's purple or pink highlighted there so attack create an iMessage account they send this person a PDF file the payloads in the PDF file how it's rendered exploits this particular cve then it leads into a r job that R job sets everything up that leads into the next exploit which is a pack bypass pointer authentication codes just a mitigation on iOS and then from there a series of other exploits were chained I want you guys to see that when you are sitting in a situation where you are exploiting iOS it's not as simple as let
me just find one cve and that one CV is going to just get me you know get me you know rce on the system or root root the system it's not that that's not a feasible way of seeing the situation it's really complex exploits a chained and then R drop is just a technique R drop stack pivoting it's all just a technique that facilitates your ability to craft these exploit chains and you know hopefully get more reliable and so our goal is we want to find a sequence of Rob job gadgets that allow us to perform this so-called stack pivoting that's our end goal and just to warm us up a bit I want to go and look
at this Alibaba example I think that this example is an example of a An Elegant stack pivot chain but not highly effective now because it's this these these gadgets don't exist uh so Alibaba security found these gadgets inside lib system uh platform dib I'll talk about what a dib is later uh but basically at the very start of this stack pivot chain the threat actors I should not say threat actors the attack the attackers the security researchers they control x0 all that means is there there are values inside the memory uh location of x0 that maybe stores like an address on the heat that they want to fake the stack at the first two lines here in red are
just setting it up so that they can get that value transferred from their control which is x0 into the X2 register all that means is they need to get that Heap address that they want to fake as the stack into X2 so the first two instructions are just doing that and then from there they're moving the value of X2 into the stack pointer and that's the actual stack pivot the project zero ones are a lot more realistic when I say realistic I'd say like realistic now uh so basically how this works is the threat actors or the attackers or the security researchers don't know don't know what to all of them do a heap spray and then
from there the attacker controls x0 so x0 contains an address on the Heap I'm not going to go through the entire uh project zero stack pivot Gadget chain just the stack piver part and I've abstracted this heavily to Not freak people out so at the very end the first instruction looks crazy but all it's doing is just think of it like pushing things onto the stack it's just going put the value of X8 and X1 onto the stack just push this crap onto the stack and then the next Gadget just pops it off the stack into x29 and x30 pretty simple to understand just pushing putting values onto the stack and then putting those values into
x29 and x30 which we know are the frame pointer and the link register so when we hit that next instruction R it's going to jump into the address stored in x30 which is the function of what a link register does and that is the x30 register is going to have the value of the next Gadget so now we've jumped red into red is such a weird way to word it red into Gadget 4 and then all that's doing is taking the value of x29 and putting that into the SP register stack pivot a stack pointer and that is actually just the stack pivot component so just to reiterate the Heap address that we want to fake the stack
at is stored in X8 that value is then popped off the stack into x29 and then from there the stack pivot Gadget moves it into the stack pointer that's literally all that's happening but a very logical question you might have is at the start of this execution flow we know that the attackers control x0 so how do you go from controlling x0 to getting something into X8 and X1 and that's where you have to find other gadgets and this is why I call it a jigel puzzle to fill in the blanks to lead you to that point I want to show like a very high level diagram of how this would work because I think a logical question at
this stage would be like you find these gadgets but what do you do with them like how do you put them in memory or what does it look like so this white square I keep calling it a square this white rectangle is just memory and this first memory is just the address 0x lead and the register x0 is currently pointing to that memory region let's just pretend this is a heap let's say you as an attacker just does like you as an attacker does a heap did a heap overflow English is not my first language you as an attacker did a heap overflow and let's just say you overflowed it with 41s oh sorry with A's
and then instead of doing that you might want to uh manipulate your payload so instead of A's it's just Gadget one's address Gadget 2's address maybe some rubbish Gadget 3's address so on and so forth and so what this would look like in theory this is like a very uh tldd version of it is maybe at the current address of where x0 is pointing to you have Gadget one's address and then Gadget two and then some rubbish Gadget three then you have your stack pivot Gadget so what these three gadgets are doing before the stack pivot Gadget is setting up the registers so the stack pivot Gadget you chose works and then from there let's just say like you
probably wouldn't be right after it you set up your Rob chain a logical question now is okay but you know Lena you mentioned the Heap you can't just be r r red on the Heap how do you then execute all these gadgets before you even do a stack pivot and that's where the concept of something called a dispatcher comes in let's just say we're trying to execute Gadget 2 all the way to the stack pivot Gadget how are we supposed to jump across this space and get this to run and that is the concept of a dispatcher and all it is is just a fancy term for a different kind of job Gadget this is a very simplistic example
of what a dispatcher might look like you have x0 register storing the address of something of of a gadget and you want to now execute this particular stack pivot Gadget that is stored 24 bytes after the original position of what x0 is pointing to so what you would do is in this particular Gadget 2 address you would put a dispatcher Gadget and all the dispatcher is doing and all this assembly is doing is it's just going x0 don't want you to point there anymore point x0 plus an offset of 18 hex which is 24 bytes and that's your new value so now x0 no longer sits there it's pointing to here and so the next
instruction where it goes Branch to register x0 is going to read the value stored in x0 and because we've gone x0 you don't sit here anymore you sit x0 + 18 18 hex which is 24 you sit here the value that we're jumping to is the stuck pivot Gadget so that's how you uh that's how you navigate kind of getting your gadgets to run this is another like diagram of how this would kind of work I just kind of want to walk you through this so it's like drilled into your head uh let's just say you do like a heap overflow you've got your attack of payload you've got all your gadgets Gadget 1 2 3
rubbish another Gadget all of that's sitting in a dispatcher table and let's just say like for this example P your first Gadget a dispatcher the first Gadget all this first line is doing is just incrementing the U memory of x3 and x0 by0 x0 + 20 hex and then the x0 is incremented by x0 + 20 + 8 uh and so the next instruction where it goes Branch into X3 is just going to execute what X3 is pointing to which would be Gadget 3 so the dispatcher now allowed us to jump over this padding run Gadget 3 Gadget 3 executes and Gadget 3 is just doing something like moving X2 into X4 what these gadgets do will depend on
what you're trying to achieve so obviously in between your jumping or dis dispatcher gadgets you would have gadgets that actually are doing something useful and then it branches into x0 now x0 originally would have been up here where the dispatcher is but because the dispatcher incremented the value of x0 by x0 plus hex2 plus a it's now pointing under this gadget right here so that triggers the dispatcher to run again and it just does the same thing because it's the same code the same code the same assembly and that iterates Gadget 4 to execute Gadget 4 would then Branch into x0 again the dispatcher runs then we go into Gadget five dispatcher runs go into Gadget six
dispatcher runs Etc it's how you kind of get over these spaces and so that leads into another question of okay cool uh where do we actually look for these gadgets how do we find them where do we where do we even start looking the best place you can look for them is in something called a dib it just stands for dynamic Library if you are familiar with Windows it's kind of similar to like DLS but the difference is in Windows when when you have all the DLS they're all just like listed like you know all the DLS are listed out on iOS they're all cached into one file called the dialate Shar cache uh this
was after iOS 3 .1 and this is the this purple like directory is where you find it so you have to actually extract this cached file and then extract the dibs from there uh this is just me showing you on my phone uh where where it is my phone's called Honeypot don't hack me so dial shed cash okay there's two open source tools that you can use for this you can use dialate shed cash extractor or you can use dial EXT ractor uh you can see there's like 2,000 plus dibs stored in here so once I extracted that the next step is that we're actually going to hunt for gadgets two open source tools you can
use that I recommend uh sash's ropper or Jonathan's R Gadget I personally prefer sash's ropper no hate to Jonathan just personal preference uh all you have to do is point this tool at a DI or all the dibs that you've extracted and write what kind of instruction you're looking for so for example if we're looking for a stack pivot Gadget where it's like move something into the stack pointer then you would search for move SP and then from there it will spit out every single static address at a certain recursion depth inside this Diop that it finds this gadget in and as you can see it's just listed all of them here and the red is just the static address and
then you've got the actual Gadget sitting there they're really short but what this means is you have to pick what Gadget to use and you have to construct this jigsaw puzzle and you've got to figure out how am I going to get all these moving pieces to work together another thing to note is like you're not going to just copy paste this address and use it it's the static address you have to calculate it at runtime where this actually sits so I want to talk a little bit about this the conversation between elegance and Effectiveness the Alibaba uh pivot chain was really elegant but you know the that Gadget doesn't exist anymore iOS developers should touch grass uh okay I shouldn't
say that I don't really go outside much either so uh Effectiveness means that the gadgets that you pick are likely to persist on other versions and they're not likely going to be you know patched or you know they're more effective but what you end up with is you might end up with a gadget chain that's not like as sexy as La Baba one like four gadgets you might end up with longer Gadget chains but you know they're more effective and these gadgets are more they occur more frequently in the wild so uh one of the effective gadgets you can use for this is in the function epilog and I found these two in lib di.
diib these are the static addresses it's actually one Gadget that I'm reusing twice so this what you see on the right left okay what you see on the left is actually the gadget and then all I'm doing in the gadget before that is just using it 8 bytes after so starting from ldp I'm just repurposing one Gadget twice all the first Gadget is doing is it's popping things off the stack into x29 and x30 and then returning to the next address here and then the next the next Gadget is just moving the value of x29 into to stack pointer and then from there you would set up your rchain and so that brings us the
question of how to approach this problem and look everyone has their own Vibe on how they do things this is just my personal opinion I think it's easier to work backwards so you start off at the point where you control x0 and I just realized someone might be asking like why why do you start off at e uh why do you start off with controlling x0 the reason for that is after you performed dynamic memory allocation uh like let's say you do like a maloc x0 will contain the Heap address where you've just allocated that memory in so if we work backwards it makes everything easier cuz you've got the starting point of some kind of control
over x0 and then you've got your end goal of I want to do a stack pivot so once you have the stack pivot Gadget that you've chosen all you have to do is fill in the blanks and manipulate the registers find gadgets that manipulate the registers in a way that allow you to achieve your own goal whereas if you do not start off with your stack pivot Gadget and you just start off with controlling x0 who knows what fairy tale land you'll end up in and you're probably going to spend a lot more time filling in the blanks so let's work backwards a little bit the last one we saw pops things off the stack into x29 and x30 but then the
next logical question would be how do we put something onto the stack and so this particular instruction STP essentially achieves something similar pushes things onto the stack and this one is found in lib system c. iib and all it's doing is it's putting the values inside X1 and X2 onto the stack now there's all these other instructions in there and this is actually something I want to say is when you are constructing a gadget chain we don't live in this wonderful land where everything is like perfect and there's no Superfluous instructions you might have gadgets that have other instructions assembly instructions in there that mess up your registers introduce random other registers do some kind of rubbish and then messes up your
chain you and then you're going to have to find gadgets that clean that up or deal with it or select other gadgets you know it's not as straightforward as a to be and sometimes gadgets that you want to exist might not exist and so that then working backwards brings us to the next problem which is we've put these values onto the stack you know but how do we get the values from x0 into X1 and X2 how do we do that and to answer that question this is what I've come up with so Gadget 2 and Gadget 5 do exactly that Gadget 2 allows us to write a value into X1 and Gadget 5 allows us to write a value into
X2 but here's the kicker they're not really touching x0 they're writing these values from X8 plus a certain offset in HEX and so how do we go from controlling x0 to X8 and this is kind of design Choice why I chose these two gadgets is because both of them are reading from X8 which means it's it only adds one level of work for me where all I have to do now is find a gadget that allows me to write the value of x0 into X8 which is what Gadget one will be and then from there for me to iterate through these various gadgets I just have to fill in these question marks question marks with dispatcher
gadgets that allow me to kind of get to the next Gadget so on and so forth this process is a lot of trial and error it's like I don't even know how to explain it sometimes like you end up with your stack pivot Gadget and you work all the way back and then there's just like one Gadget that doesn't fit and your whole world just falls apart maybe not that dramatic but the whole thing just crumbles and you might have to start again and you know figure out what to do because like if I go back here and I pick this this gadget there might not be other gadgets that exist that allow me to kind of fill in these
blanks or I might find a dispatcher Gadget that overwrites a value in a register that I need that value to be in that register and so it is a lot a lot of trial and error uh the end result when I was doing this uh for my reasons this final payload is what it kind of looks like this is this is really weird but I think this is a me thing this is how I like to visualize how what I'm doing as you can see 0 bytes is just at 0 bytes where the actual uh memory location of x0 points to the actual payload itself is 272 bytes the fake Heap or the fake stack in
the Heap starts here at 304 bytes onwards and that's where I set up my Rob chain but what I want to point out here is that my Gadget chain was a characters eight characters eight gadgets long and something to say is in a lot of my previous examples I had you know like uh stripped down diagrams where I had Gadget one Gadget 2 Gadget three Gadget four it's not like that in reality like as you can see I've got Gadget one here then I goes to gadget two then it goes to gadget sorry Gadget three then it goes to gadget two then it goes to gadget six it's in different places and the reason why that might occur is uh
maybe selection of what your dispatcher looks like it could be a multitude of other reasons but this is what my resulting payload looks like and uh all these other things like x81 is just how I track what is stored in each register so I you know I like to just I do things very visually and so takeaways from my presentation I want to highlight exploitation hopefully you can gather is extremely difficult and it's very very timec consuming uh you are going to have to read assembly the Heap is unpredictable and you know uh often times your exploit may not run correctly 100% of the time there are ways to improve the reliability of it and maybe
there is a good reason why there isn't that many poc's out there why there aren't that many blog posts out there why there aren't that many people talking about how to exploit iOS firstly there's the money component you know potentially $2.5 million internet clout you know or there's also the added component of humanitarian uh reasons and where your ethic stands around who would this exploit obviously be purchased by the government who would be the end Target of that a lot of reasons around that but because of that and because there's not that much information about it it's so hard to get into and that makes it really hard to defend because in order to really defend something or
be able to detect something you kind of need to know how everything works like even when you're doing incident response like you really want to know how the attacks actually work it makes you better at your job and that's one of the reasons why I wanted to talk about this today if you really enjoyed this talk I have an entire course on iOS exploitation uh we actually reconstruct exploits one of them is the forc entry exploit used by NSO group but other than that I want to thank you all for your time today uh if you've got any questions or anything I'll be outside I'll be around during the break and you can always hit me up
preferably on Discord or Twitter on X I'm chronically online so I'll definitely be around but thank you guys for your time
[Applause]
Related talks
23:15
43:48
56:06
45:31
53:54
48:01