Presentation Title: iPhone Exploitation: One ROPe to Bind Them All?
Exploitation of iPhones and other devices based on iOS requires very sophisticated ROP payloads because of the code signing and non-executable memory protections. The trouble with generating ROP payloads for iDevices is that every device class and every firmware version comes with its libraries at a different base address, and newer firmwares even have ASLR built in. Choosing the right ROPe without any help from an information leak is therefore challenging.
This session will reveal how poor the odds are of choosing the right ROP payload and will introduce the idea of multi-environment ROP payloads that are valid for more than one address layout.
It will discuss how such ROP payloads have to be designed, and a tool will be presented that tries to find the best possible ROP payload, one that works in as many address layouts as possible.
About Stefan Esser
Stefan Esser is best known in the security community as the PHP security guy. Since he became a PHP core developer in 2002 he has devoted a lot of time to PHP and PHP application vulnerability research. However, in his early days he released lots of advisories about vulnerabilities in software like CVS, Samba, OpenBSD or Internet Explorer. In 2003 he was the first to boot Linux directly from the hard disk of an unmodified XBOX through a buffer overflow in the XBOX font loader. In 2004 he founded the Hardened-PHP Project to develop a more secure version of PHP, known as Hardened-PHP, which evolved into the Suhosin PHP Security System in 2006. Since 2007 he has worked as head of research and development for the German web application company SektionEins GmbH, which he co-founded. In 2010 and 2011 he got a lot of attention for presenting about iPhone security topics and supplying the jailbreaking scene with an exploit that survived multiple updates by Apple.