Last week I presented my research about “Adding ASLR to jailbroken iPhones” at the Power of Community 2010 (POC2010) security conference in Seoul. During my talk I explained how one can use a modified ‘rebase’ utility to rebase the dynamic linker dyld on the iPhone. Rebasing dyld is important because it contains enough code gadgets that can be used to kickstart arbitrary shellcode on jailbroken iPhones. A tool called Antid0te will be released until the end of this year that allows normal users to add ASLR to their iPhones. The release of this tool was originally planned for 24th December 2010 but it had to be postponed because I got really ill and also my glasses broke.
Anyway a few days ago I demonstrated how my “rebase dyld” research that was originally done for the iPhone applies directly to the dynamic linker used by Mac OS X Snow Leopard. I released a short article describing how one can rebase his dyld binary with a patched ‘rebase’ utility which I also released. This can be used to rebase your own dyld binary to a different position. Rebasing dyld to an address other than the normal one, improves the security of your Mac because all the public articles/techniques about state of the art Mac OS X exploitation assume/require the dyld binary to be loaded at a fixed address. All attacks based on this will fail once you have rebased your dynamic linker binary.
So enjoy this little christmas present until I am fit enough to release antid0te.