Vulnerability Discovered by Tyler Bohan and Cory Duplantis of Cisco Talos

Talos has identified an exploitable out-of-bounds write vulnerability in the ELF Section Header parsing functionality of Hopper (TALOS-2016-0222/CVE-2016-8390). Hopper is a reverse engineering tool for macOS and Linux allowing the user to disassemble and decompile 32/64-bit Intel-based Mac, Linux, Windows and iOS executables. During the parsing of ELF section headers, there is a user-controlled size that is not validated; a malicious threat actor could craft an ELF file with specific section headers to trigger this vulnerability, potentially leading to remote code execution. A malicious threat actor could use a zip file containing the crafted executable to target threat researchers, sent via phishing or file sharing sites. This type of exploit can also be used as an anti-analysis measure in an attempt to defeat sandboxes and automated disassembly.

I rewrote the IDAPython script named objc2_xrefs_helper.py and developed a python script for the Hopper Disassembler. I named this Hopper python script objc2_xrefs_helper_hopper.py. Some background regarding Objective-C can be found from here. As mentioned in that article, the function call is implemented by the message sending mechanism in Objective-C. Unfortunately, this message sending mechanism causes problems when trying to follow cross-references for selectors in Hopper Disassembler.

Before rewriting the python script for Hopper, therefore, we need to walk through the code of the IDAPython script objc2_xrefs_helper.py and understand all the details. It's important that we figure out the low-level data structures of Class in Objective-C, as well as the relationship between these data structures. I have included a figure showing the relationship between these related data structures, as shown below.

Figure 1. The relationship between these related data structures of class in Objective-C

To verify the functionality of objc2_xrefs_helper_hopper.py, I wrote a simple Cocoa application. The demo application can be downloaded from here. We load the executable Mach-O file of the demo application into Hopper Disassembler, as shown below.

Figure 2. Loading the demo application's executable file into Hopper Disassembler

The following is the python script objc2_xrefs_helper_hopper.py. Only fragments of it survive in this copy of the post:

```python
#author: Kai
def getRefPtr(doc, classMethodsVA, objcSelRefs, objcMsgRefs, objcConst):
    namePtr = doc.readUInt64LE(classMethodsVA)  # get name field in struct _objc_method, it's selector
    # (lines missing from this copy)
    eachxrefs = seg.getReferencesOfAddress(addr)
    # (lines missing from this copy)
    # each section range is a (start, end) tuple; classify where the xref lands
    if objcSelRefs and x >= objcSelRefs[0] and x < objcSelRefs[1]:
        pass  # (branch body missing from this copy)
    elif objcMsgRefs and x >= objcMsgRefs[0] and x < objcMsgRefs[1]:
        pass  # (branch body missing from this copy)
    elif objcConst and x >= objcConst[0] and x < objcConst[1]:
        pass  # (branch body missing from this copy)
    print 'xreffrom: ' + hex(x), 'xrefto: ' + hex(namePtr)

# section ranges collected while walking the sections of the segment
#print ' +++' + sectName, (hex(sect.getStartingAddress()), hex(sect.getStartingAddress() + sect.getLength()))
objcData = (sect.getStartingAddress(), sect.getStartingAddress() + sect.getLength())
objcSelRefs = (sect.getStartingAddress(), sect.getStartingAddress() + sect.getLength())
objcMsgRefs = (sect.getStartingAddress(), sect.getStartingAddress() + sect.getLength())
objcConst = (sect.getStartingAddress(), sect.getStartingAddress() + sect.getLength())

if ((objcSelRefs != None or objcMsgRefs != None) and (objcData != None and objcConst != None)) == False:
    doc.log("could not find necessary Objective-C sections.\n")

# walk the class list in __objc_data, one objc2 class struct at a time
for va in range(objcData[0], objcData[1], objc2ClassSize):
    classRoVA = doc.readUInt64LE(va + objc2ClassInfoOffs)
```
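The unvalidated section-header size described in the Talos advisory above is exactly the kind of field a loader must bounds-check before it is used. The following is an added example, not Hopper's code or Talos's: a minimal ELF64 section-header-table reader that rejects any e_shoff/e_shentsize/e_shnum or sh_offset/sh_size that would reach past the end of the file, plus a hypothetical helper make_elf that builds a constructed ELF image, valid in one form and carrying an oversized sh_size in the other.

```python
import struct
ELF_MAGIC = b"\x7fELF"
EHDR64_SIZE = 64  # sizeof(Elf64_Ehdr)
SHDR64_SIZE = 64  # sizeof(Elf64_Shdr)
SHT_NOBITS = 8    # .bss-style sections occupy no file bytes

def parse_section_headers(data):
    """Read the ELF64 LE section header table, bounds-checking every file-controlled
    offset and size against len(data) before it is used. Raises ValueError on a bad file."""
    if len(data) < EHDR64_SIZE or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file or truncated header")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    e_shoff = struct.unpack_from("<Q", data, 0x28)[0]
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3A)
    if e_shnum == 0:
        return []
    if e_shentsize != SHDR64_SIZE:
        raise ValueError("unexpected e_shentsize %d" % e_shentsize)
    if e_shoff < EHDR64_SIZE or e_shoff + e_shentsize * e_shnum > len(data):
        raise ValueError("section header table lies outside the file")
    headers = []
    for i in range(e_shnum):
        sh_name, sh_type, _, _, sh_offset, sh_size = struct.unpack_from(
            "<IIQQQQ", data, e_shoff + i * SHDR64_SIZE)
        # The sizes a crafted file controls: refuse any section that reaches past EOF
        if sh_type != SHT_NOBITS and sh_offset + sh_size > len(data):
            raise ValueError("section %d: %d+%d exceeds file length %d" % (i, sh_offset, sh_size, len(data)))
        headers.append((sh_name, sh_type, sh_offset, sh_size))
    return headers

def is_well_formed(data):
    """True when every section header passes the bounds checks above."""
    try:
        parse_section_headers(data)
        return True
    except ValueError:
        return False

def make_elf(bogus_size=None):
    """Constructed test input, not a real binary: ELF64 LE header, 8-byte payload, then a
    table with a NULL entry and one PROGBITS entry; bogus_size overrides the PROGBITS sh_size."""
    payload = b"A" * 8
    shoff = EHDR64_SIZE + len(payload)
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8  # ELFCLASS64, ELFDATA2LSB
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 0, shoff, 0,
                               EHDR64_SIZE, 0, 0, SHDR64_SIZE, 2, 0)
    size = len(payload) if bogus_size is None else bogus_size
    progbits = struct.pack("<IIQQQQIIQQ", 1, 1, 0, 0, EHDR64_SIZE, size, 0, 0, 1, 0)
    return ehdr + payload + b"\0" * SHDR64_SIZE + progbits
```

Because Python integers do not wrap, the offset-plus-size comparisons cannot overflow the way a C size_t addition can; a C implementation of the same check must test for that wrap explicitly.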