Photographers WannCry (2017)
Back to 2017 I was still doing app pentesting. I came across that my DSLR camera has an Android subsystem and it supports photography apps, therefore I started to investigate if there is a way to pwn it. I did it.
Back to 2017 I was still doing app pentesting. I came across that my DSLR camera has an Android subsystem and it supports photography apps, therefore I started to investigate if there is a way to pwn it. I did it.
In the previous parts, we have trigger use-after-free on Objective-C objects, and successfully refilled the dangling pointer with fully-controlled data. Now take a look at some prior research articles for further exploitation.
In the last post, I used a client-side XSS to get JavaScript injected to a local pre-installed app. It has no process isolation while it still supports in-process just-in-time (JIT). Any working WebKit exploit works there too, with much more access than WebContent renderer. It doesn’t even need real code execution to launch Calculator app.
Ever since Pointer Authentication Code (PAC) has been introduced, iPhone remained standing for more than two years on various pwn contests until TianfuCup 2020 (Project Zero has reported a remote zero click exploit in 2019). Ant Security and Qihoo 360 used two different bug chains respectively to successfully gained remote code execution with userspace sandbox escape on iPhone 11 with iOS 14.2.
Days ago a twitter post revealed a bug in iOS Wi-Fi service:
I designed the challenge Dezhou Instrumentz for RealWorldCTF. For further explaination I gave a talk regarding the motivation and expected solution for it: