jtool & corrupted mach-o's handling


Post by stek29 » Sat Feb 03, 2018 3:54 pm

1) Overflowing lc_str's
Offset specified by lc_str should be smaller than cmdsize.
See attached file for example with LC_LOAD_DYLIB. Proper handling is needed everywhere where lc_str is used: in LC_LOAD_DYLINKER, LC_RPATH, etc.
- otool: truncated or malformed object (load command 1 LC_LOAD_DYLIB name.offset field extends past the end of the load command)
- jtool: segmentation fault

2) cmdsize not rounded to 8
cmdsize should be a multiple of 8. It is always a multiple of 8, except when lc_str is used. See attached file for example.
- otool: truncated or malformed object (load command 1 cmdsize not a multiple of 8)
- jtool: prints as if the file is valid.

3) lc_str's not ending with 0.
lc_str's don't specify their lengths, so they must end with '\0', or they'll overflow into the next load command/into the file.
The kernel, dyld and otool think that the mach-o is malformed:
- kernel kills process
- otool: load command 1 LC_LOAD_DYLINKER dyld name extends past the end of the load command
- dyld: malformed mach-o image: dylib load command #X string extends beyond end of load command
- jtool: LC 01: LC_LOAD_DYLINKER ////////usr/lib/dyldOVERFLOWOVERFLOWOVERFLOWOVERFLOW
See attached file for example.
stek29
 
Posts: 18
Joined: Sat Oct 07, 2017 12:55 pm
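
The three checks from the report above, as an added example (not part of the original post and not jtool's or otool's code). The names `check_lc_str`, `demo` and the status enum are hypothetical, the sample commands are constructed, and the lower bound on the offset (it must not point back into the fixed header) goes one step beyond what the post lists.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum lc_status { LC_OK, LC_TRUNCATED, LC_BAD_ALIGN, LC_STR_OFFSET, LC_STR_UNTERMINATED };

/* Validate one 64-bit load command whose lc_str offset sits at byte 8
 * (LC_LOAD_DYLIB, LC_LOAD_DYLINKER, LC_RPATH all share this prefix).
 * buf/avail: bytes left in the load-command area; fixed: size of the
 * command's fixed struct (24 for dylib_command, 12 for the other two).
 * Assumes file and host byte order match. */
enum lc_status check_lc_str(const uint8_t *buf, size_t avail, uint32_t fixed,
                            const char **str)
{
    uint32_t cmdsize, off;
    if (avail < 12 || fixed < 12) return LC_TRUNCATED;
    memcpy(&cmdsize, buf + 4, 4);            /* memcpy: no unaligned loads */
    memcpy(&off, buf + 8, 4);
    if (cmdsize < fixed || cmdsize > avail) return LC_TRUNCATED;
    if (cmdsize % 8 != 0) return LC_BAD_ALIGN;                   /* case 2 */
    if (off < fixed || off >= cmdsize) return LC_STR_OFFSET;     /* case 1 */
    if (!memchr(buf + off, '\0', cmdsize - off))                 /* case 3 */
        return LC_STR_UNTERMINATED;
    *str = (const char *)(buf + off);
    return LC_OK;
}

/* Run the check on a constructed LC_LOAD_DYLINKER (0xe) command: header
 * fields as given, n bytes of s at offset 12, 0xAA filler after them. */
enum lc_status demo(uint32_t cmdsize, uint32_t off, const char *s, size_t n)
{
    uint8_t buf[64];
    uint32_t cmd = 0xe;
    const char *str = NULL;
    memset(buf, 0xAA, sizeof buf);
    memcpy(buf, &cmd, 4); memcpy(buf + 4, &cmdsize, 4); memcpy(buf + 8, &off, 4);
    memcpy(buf + 12, s, n);
    return check_lc_str(buf, sizeof buf, 12, &str);
}

int main(void)
{
    printf("valid: %d\n", demo(32, 12, "/usr/lib/dyld", 14));
    printf("offset past cmdsize: %d\n", demo(32, 4096, "/usr/lib/dyld", 14));
    printf("cmdsize 30: %d\n", demo(30, 12, "/usr/lib/dyld", 14));
    printf("no NUL: %d\n", demo(32, 12, "/usr/lib/dyldXXXXXXX", 20));
    return 0;
}
```

The string pointer is only handed back after all three checks pass, so a caller never prints or copies from a command that fails validation.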

Re: jtool & corrupted mach-o's handling

Post by stek29 » Sat Feb 03, 2018 3:55 pm

Uh, I guess attaching files didn't work. I'll try again.

Re: jtool & corrupted mach-o's handling

Post by stek29 » Sat Feb 03, 2018 4:08 pm

Ok, I'm unable to attach files at all, so I've dropped them to 0x0.st.

1: https://0x0.st/sbdP.bin for segfault, https://0x0.st/sbdZ.bin for another interesting example :P
2: https://0x0.st/sbd-.bin
3: https://0x0.st/sbdH.bin

J says: Thank you so much!! All were a super quick fix and will be put into v1.0 this week. I appreciate you reporting it rather than bitching or mocking on Twitter like others! :-)