├── .gitignore
├── Makefile
├── README.md
├── Tweak.xm
├── control
├── kuzz.plist
└── theos

/.gitignore:
--------------------------------------------------------------------------------
.DS_Store
packages/
.theos
theos/
obj/

--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
export THEOS_DEVICE_IP=localhost
export THEOS_DEVICE_PORT=2222

include theos/makefiles/common.mk
export SDKVERSION=8.1

TWEAK_NAME = kuzz
kuzz_FILES = Tweak.xm
kuzz_PRIVATE_FRAMEWORKS = IOKit

include $(THEOS_MAKE_PATH)/tweak.mk

after-install::
	install.exec "killall -9 backboardd"

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# kuzz
an ios iokit fuzzer

most of the code used and concepts executed here are from Ian Beer's research for Google's Project Zero.

the MS dylib redirects any IOConnectCallMethod usage to a "fake" replacement that randomly fuzzes the input data.
this is pretty fucking smart, thanks Ian.

change the MS filters in kuzz.plist to control what you're fuzzing; by default it's filtered to IOMobileFramebuffer and IOSurface.
by default you will fuzz all the things.

feel free to fuzz away.


i see a few stars now, if anyone has suggestions to improve please feel free to contact me, submit an issue, or create a pull request.
thanks,
haifisch

--------------------------------------------------------------------------------
/Tweak.xm:
--------------------------------------------------------------------------------
/*
Uh, greetz to Ian Beer of ProjectZero n shit.
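http://googleprojectzero.blogspot.com/2014/11/pwn4fun-spring-2014-safari-part-ii.html
most of this code is his, i just wanted it to be injected into all of the things on my ipad so thanks to him

greets to dat boi ethan & sn0w for help
*/
// NOTE(review): the header names after each #import were lost when this page
// was extracted. The three below are reconstructed from the symbols this file
// uses (NSLog -> Foundation, IOConnectCallMethod -> IOKit, MSHookFunction ->
// substrate) and from the Makefile's IOKit private-framework link.
#import <Foundation/Foundation.h>
#import <IOKit/IOKitLib.h>
#import <substrate.h>

/// Returns nonzero roughly one call in a hundred.
/// Seeds rand() once on first use. Nothing else in this file calls it; the
/// hook below draws its randomness from arc4random() instead.
int maybe() {
    static int seeded = 0;
    if (!seeded) {
        srand(time(NULL));
        seeded = 1;
    }
    return !(rand() % 100);
}

/// Flips one randomly chosen bit within the first `len` bytes of `buf`.
/// A NULL buffer or a zero length is a no-op, so a call that carried no
/// payload never dereferences a null pointer.
/// Uses arc4random_uniform() so the mutation source matches the hook below;
/// the original used rand(), which is only seeded if maybe() ran first.
void flip_bit(void *buf, size_t len) {
    if (!buf || !len) {
        return;
    }
    size_t offset = arc4random_uniform((uint32_t)len);
    ((uint8_t *)buf)[offset] ^= (uint8_t)(0x01 << arc4random_uniform(8));
}

/// Trampoline that MSHookFunction fills in with the original
/// IOConnectCallMethod, so the hook can forward every call after mutating it.
static kern_return_t (*old_IOConnectCallMethod)(
    mach_port_t connection,
    uint32_t selector,
    uint64_t *input,
    uint32_t inputCnt,
    void *inputStruct,
    size_t inputStructCnt,
    uint64_t *output,
    uint32_t *outputCnt,
    void *outputStruct,
    size_t *outputStructCntP);

/// Replacement for IOConnectCallMethod. With probability about 1/7 each, it
/// flips one bit in the scalar input array and/or one bit in the input struct,
/// logs a test-case record when either happened, then forwards the (possibly
/// mutated) call to the original function and returns its result unchanged.
///
/// Two points a reader should know:
///  - The mutation writes into caller-owned memory. The public
///    IOConnectCallMethod declares `input` and `inputStruct` as const, so a
///    caller may legitimately hand over read-only data; a write there faults
///    in the hooked process, which is a crash of the harness, not a finding.
///  - The scalar-array length used to be `sizeof(input) * inputCnt`, i.e. the
///    size of the pointer, which on a 32-bit (armv7) build covers only half of
///    each uint64_t. It is now `sizeof(*input) * inputCnt`.
/// The two NSLog lines are the only record of a mutation; on a device they
/// land in the system log and are the first thing to correlate with a panic.
kern_return_t fake_IOConnectCallMethod(
    mach_port_t connection,
    uint32_t selector,
    uint64_t *input,
    uint32_t inputCnt,
    void *inputStruct,
    size_t inputStructCnt,
    uint64_t *output,
    uint32_t *outputCnt,
    void *outputStruct,
    size_t *outputStructCntP)
{
    BOOL didFuzz = NO;
    // The original test was ((arc4random() % 2000) % 7) == 0; the inner modulus
    // only skewed the distribution slightly, so a plain 1-in-7 draw replaces it.
    if (arc4random_uniform(7) == 0) {
        didFuzz = YES;
        NSLog(@"fake_IOConnectCallMethod called, we up in this bitch... flipping #1\n");
        flip_bit(input, sizeof(*input) * inputCnt);
    }
    if (arc4random_uniform(7) == 0) {
        didFuzz = YES;
        NSLog(@"fake_IOConnectCallMethod called, we up in this bitch... flipping #2\n");
        flip_bit(inputStruct, inputStructCnt);
    }

    if (didFuzz) {
        // Record the selector that was mutated so a crash found in the log can
        // be matched back to the call that preceded it.
        NSArray *caseData = @[@"testcase", @(selector)];
        NSLog(@"TESTCASE ::: %@", caseData);
    }

    return old_IOConnectCallMethod(
        connection,
        selector,
        input,
        inputCnt,
        inputStruct,
        inputStructCnt,
        output,
        outputCnt,
        outputStruct,
        outputStructCntP);
}

/// Logos constructor: runs when the dylib is loaded into a process that
/// matches the Filter in kuzz.plist, and installs the hook. MSHookFunction
/// takes plain void pointers; the (int *) casts in the original compiled but
/// misdescribed what is being passed.
%ctor {
    MSHookFunction((void *)&IOConnectCallMethod,
                   (void *)&fake_IOConnectCallMethod,
                   (void **)&old_IOConnectCallMethod);
}

--------------------------------------------------------------------------------
/control:
--------------------------------------------------------------------------------
Package: kuzz
Name: kuzz
Depends: mobilesubstrate
Version: 0.0.1
Architecture: iphoneos-arm
Description: An awesome MobileSubstrate tweak!
Maintainer: haifisch
Author: haifisch
Section: Tweaks

--------------------------------------------------------------------------------
/kuzz.plist:
--------------------------------------------------------------------------------
Filter = {
    Bundles = ( "com.apple.IOSurface", "com.apple.IOMobileFramebuffer" );
    Mode = "Any";
};

--------------------------------------------------------------------------------
/theos:
--------------------------------------------------------------------------------
/opt/theos
--------------------------------------------------------------------------------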