[00:00:03] My name is Joshua; most people know me as p0sixninja. I've been around the jailbreak scene for quite a while, so I basically taught myself everything about hacking. Chief research each week or for the greenpois0n and Absinthe jailbreak. So this is really more of a story about, well, my entire year of 2017: I was working on this exploit. I don't usually have that long of an attention span, but this was actually really, really fun to track.

[00:00:54] What got me started, and this was actually back when I was a child: I had an old Macintosh before my one other 13 school also had one, so we kind of shared, you know, video games that I was going to do mine one day ups. There was something called Apple Remote Access, which basically allows you to dial into a negative use phone and xstep. This was 1997, of course; the internet was still clearly very nuanced, so I didn't have it at this time. I did not even have I'm building. I actually went to school and traded a Han Solo trading card in for my first 56k modem. Chance to test this out at bowing to his computer: set it up when he was using the shower one morning, and maybe it's not a little bit.

[00:01:53] So before this there were a couple of odd things I noticed when I was doing my research. For example, this kernel extension: you can see it has a copyright header at the top, but I'm not sure what they're copyrighting here, because there's nothing there. In this entire kernel extension every single one of the files is empty. So after a while you can't get it, think like, is this a common thing? So I basically pulled every single Apple open source code, extracted them, line-counted every single one, sorted in ascending order, and checked to see which ones were empty and which projects have those memory ranky files. One of them was an old friend of mine, that BP antigen. I originally discovered this file when I was trying to look into it; I couldn't tell why is that dick throwing back in that wasn't in the binary. There is a key, it was called no sandbox; looking into what that key does, they basically redirected it around the sandbox initialization. I wonder why they didn't want people to find that. Yeah, it's clearly lighting security through obscurity. A lot of repeat offenders were showing up there; UI user said a lot.

[00:03:37] Of course, the main one I was interested in was the PPP one, a very old piece of software. I actually found the source report on one of the Apple vinci websites; unfortunately Apple removed StuffIt Expander support, so I did not look at it. Yeah, so then I realized: okay, so the entire VPN system is actually built on these old legacy modems. For the next thing, said both do similar things, but one just does it for sound waves, either one does it over right now. So how do I actually get in, by installing these PPP configurations and EP and stuff, to actually test it? There's one thing which kind of bothered me always: whenever you go up to change your Wi-Fi password for different networks, or DBS, they never ask you for your root password. This stuff is held in very secure locations; something has to be running this birthday. The easiest method I can was simply: go up to your network configuration files, you can select one, export configuration, and it basically exports a plist file containing all the different settings for that configuration. You can actually modify that and add some extra ones in there which they don't really document. This was mostly just for testing though.

[00:05:38] So beyond that we have two, well, the VPN stuff runs as the user, so suddenly they get a little more cartridges. So one sticking around through there, I discovered there was still a UNIX socket in flash bar size running, so a peb company, it was 777, breathable, right? What's it for? So let's see. We done, this is the basic header format for the tactics going over the UNIX socket: very simple protocol. One thing that caught my attention that first lap, that would be the bug: as you see down where it says block at the very bottom, char any data one. We should not have a character or an array of size one there; yeah, the entire structure is now going to be opposite by seven days. Look inside the code: you see Apple tries to fix this a couple of times. They first make a macro that basically just subtracts one from it before parsing it; they still did that wrong. Put in the code we continually do call back, and then fix that.

[00:07:23] Yeah, so these are some of the commands you can send to it. Most of them, well, I wasn't sure which one to focus on, so I just focused on them all: basically a very simple fuzzer. But there was really only one thing that stood out to me, but lots of other options. More about millions, but thinks this exploit actually did require a modem to be set up as a network device. Most people don't have modems available; I have had a hard time trying to acquire one myself. First, yeah, modems were extremely complicated back then; every single provider actually had their own unique specifics, or they still do today. These things are pretty Apple, but Apple needed a way to support all these people. Fortunately you don't necessarily need a modem in order to do this. So on the older Macs, every single time you plugged in a serial-to-USB adapter it would automatically create a new serial line; there were configurations in there, most of the serial line buildings, or, well, since modems are also serial line, it's very easy to simply modify what second is you turn in a serial line device in deliver. Later on, when they released the newer MacBook Pros, they actually, well, it has USB-C so you can't really tell you that, but serial line just legalized to it. Fortunately every single adapter, the USB-C to A, I found would automatically create a serial line device for that effect. So if you had used USB we didn't even need to have a modem.

[00:09:53] So, you know, doesn't like the fuzz whisker, but this is the exploit for the privilege escalation. Even though I closed everything in here, continuously the stupidest bug I found was this one right there: the sin PPP connect. Apparently if you run it from the socket it launches pppd as root; they're not as music. Yeah, so when I suppose these are typically the error codes; they should have been started at 256. Now these are the error results from my fuzzer, and here you can see, it actually took me a while because I kept fuzzing it and not realizing what was happening. Then I finally realized: oh, this is actually launching as root, not user anymore. Still nobody actually EP running is, yeah, we either, how do we actually gain? Oh, that's easy for next.

[00:11:09] So back in 1997 Apple released their iMac, and it included a built-in modem, what are the firstly lake specifically for innovation by Mac in the next Mac, and they included different logo stuff, the CCOs burgers. Yeah, Apple documented that quite well. Let's see, so these scripts handle both following up and answering any other telephone. So what's in a typical CCL bundle? Really just a folder with an info.plist and a CCL script. The example of both: this is my info.plist, and you can probably start to get where I'm going on the next wave. Simply adding a whole bunch of days and a couple little bites in there actually allows you to select specific variables inside of the bundle, including the username, password, yeah, APN, oh yeah, and you set a couple variable ones. Awesome. So those variable strings look kind of. The first day of testing I spent about two days working on something to fuzz, or create, CCL scripts so I can close it all. And I thought, you know, let's just try these variable string things in there, insensitive, but, well, that's right at the budget of mittens, and it turns out half of them are open 13, which, one of the strings are actually Pascal strings. So it actually makes it a little more difficult: we can't just overwrite the null value and then, you know, read some arbitrary data after that. Like, interesting, I've never seen a packet elsewhere instructor will of my life.

[00:13:51] So here's the first one, and note in the F there is just a bar string, and tonight to put foster and 2727 together, both of those, we gained 255 bytes. This is especially black classic buffer overflow, but with modern sections click to stack quickly, and it goes max perience, we almost exactly the same. And finally, right there, there's also a good one; this one was actually the one I decided to focus on because it seemed a lot more fun.

[00:14:37] So this is a very simple example of a CCL script. All this does is leaders, basically sex really well. It looks similar to assembly code, similarly. At the top, increment number of tries by one, write hello world, we'll put a new label, check to see if the number of tries is greater than five; if it is, jump to three, otherwise come back to one and come in again. So print hello world five times. These are always like a manatee get in there. A lot of these are interesting, but they kind of all come into play once you're trying to create this proof-of-concept exploit script. Those are some of the more interesting ones.

[00:15:33] So yeah, my first idea was how about being Note one, so I can somehow grab the stack 30 earlier in memory; there'd be no problem just rewriting that, and then next C is duck complaint. Nothing. Then, boy, the interesting one was slightly more difficult as it had more constraints. These are the basic gadgets I had to work with: the return, the man, is essentially a limited 16-bit read to the script, well, it's almost; I'll get to that later. jsr: 16-bit write. Some tiny controls. We can almost create a full Turing-complete machine just on this information.

[00:16:32] There's some of the pillars. So you can see here it says a crispy taco sack: if it's equal to be a maximum type of stack you can do this; if not, it doesn't think. What if top of stack is greater or less than? And I want to point out that doing the right overflow we can overwrite but a sweet type of stack, and there is the script line fantasies there. So we control the stack around the top of stack, so it's very nice. Reading reproductive almost other gadgets. So the next feeding memory there: so you want to try and find, you know, where our members out of taking space; we can actually compare the bytes there, one we have in a vertical strip; we can actually find where it shows that we're solving it drives and recharge earlier easily to use for it. Well, conditionals: I was also thinking you typically use X to store lots or this furnishing, but might be in doing a little cheating. Oh yes, and we can also have these different states, but when it answered, when it all started. Yeah, thanks. Between these two we had, should be a backswing, right?

[00:18:33] Fortunately a Thursday support pitfalls involved in this. So the maximum size of the script is 32 kilobytes, days 32, tonight, sorry, doesn't kill mites, of characters, or 32 kilobytes of lines, whichever comes first. So we're limited: those reads I said either under 0x7ffff, and we can only write 0x7 epithet. The way it works, it's all based on yes line ever again. So one issue with this: it means if you want to write the value 0x20, do you want to exact the toxic, you would have to be at line 32 in the script. It also means you cannot read it or write the same bike. It also means that, unfortunately, you cannot write to stack; you cannot create those addresses, or you cannot also the gadgets from, yeah, dynamic linker, because those are two pardonable. But we were in the overflowing, is starts back: there's a string buffer here, 256, so everything below that you can overwrite, the stack, top of stack, like. Interesting thing about this is nesting: when it was only 16 but it was declined, there's a way to do so; they're literally indexing 32 bits and Saturday 16 already. I'm sure for all right, but there's some other fun stuff we can actually overwrite beyond this. One, my personal favorite, is Gino stirring down there; I can James an audio, and all those defined as a Pascal string consisting of one place, that one body is a space zero to zero. But since we can overwrite this we can actually also use it as a scratch register. If you look at how it's the bar string: if the string is greater than your next on the strings it just returns that to, you know, string literal, right?

[00:21:41] So as far as how to exploit this: we see Co engines' tight loop that basically is constantly generating these callbacks. Pictures you see, it's basically just a linked list which contains other call-out structures to be executed in order, almost better than laughs. Part of the problem is actually figuring out a clear and memory these things are something out of here, because it's in a very tightly. Luckily though you can actually delay this for a bit by adding a character glade. It's back in the day modems were really slow, well, they were slow by today's standards; by their standards they were really, really fast, so they had to go really, really slowly. Defended something gives you a little bit more time in controlling the heat.

[00:22:53] Finally, position: this is one, it's actually kind of a freebie. So it includes a resource file for PPP, so if you just create that .ppprc in your home directory it will automatically launch a shell for you whenever PPP becomes online. Okay, for their lecture those roots, let you see it PCC, it's probably fifty guys, that's it. But however, you still need to code execution for the persistent like however. Lovingly a collection ships nitpick by default and also next a yeasty version at least ten excess fuel. Exactly, it's very simple like that: Reina pipes to tep kok day and you're using Apple's own signed programs to service exploit. Apple doesn't use Apple Mac OS X phones. I eventually just shared this with them. A quick, they even working on the VPN application, they might not go comfortable I'm quoting all this VPN bugs, so I see reporting the hooked up a little bit of a reputation within many years, finally got it into the App Store as the very first beat the entire wall. That was definitely not anything, but this is only a scratch on the surface of the number of bugs in there. This was the path of least resistance; there are other ones which look like command injections, quite a few more. It's a very, very old portion of, only actually very few people even understand it. However, you can't really have a VPN security product if the VPN on the phone is broken, so I'm really hoping that more people will start looking into this.

[00:25:46] We're doing some amazing things here at 13 or 13. I should be out, oh, especially out of later next month, and I had some other amazing things in the pipeline, so working on the future. And that's about it.