├── downloads.28.sqlitedb
├── iTunesMetadata.plist
├── BLDatabaseManager.sqlite
├── iPhone13,2_26.0.1_MobileGestalt.epub
└── README.md

/downloads.28.sqlitedb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hanakim3945/bl_sbx/HEAD/downloads.28.sqlitedb
--------------------------------------------------------------------------------

/iTunesMetadata.plist:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hanakim3945/bl_sbx/HEAD/iTunesMetadata.plist
--------------------------------------------------------------------------------

/BLDatabaseManager.sqlite:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hanakim3945/bl_sbx/HEAD/BLDatabaseManager.sqlite
--------------------------------------------------------------------------------

/iPhone13,2_26.0.1_MobileGestalt.epub:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hanakim3945/bl_sbx/HEAD/iPhone13,2_26.0.1_MobileGestalt.epub
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# bl_sbx
## itunesstored & bookassetd Sandbox Escape

This repository contains a proof-of-concept demonstrating how maliciously crafted `downloads.28.sqlitedb` and `BLDatabaseManager.sqlite` databases can escape the sandbox of **itunesstored** and **bookassetd** on iOS. By abusing their download mechanisms, the PoC writes arbitrary `mobile`-owned files to restricted locations under `/private/var/`, including the MobileGestalt cache files, which allows device modifications such as spoofing the device type.

### Key Points
- Compatible with iOS **26.2b1 and below** (tested on an iPhone 12 running iOS 26.0.1).
- **Stage 1 (itunesstored):** Delivers a crafted `BLDatabaseManager.sqlite` into a writable container.
- **Stage 2 (bookassetd):** Downloads attacker-controlled EPUB payloads to arbitrary file paths.
- Writable paths include:
  - `/private/var/containers/Shared/SystemGroup/.../Library/Caches/`
  - `/private/var/mobile/Library/FairPlay/`
  - `/private/var/mobile/Media/`
- Demonstrates modifying `com.apple.MobileGestalt.plist` to validate successful exploitation.

### Outcome
iOS does not block the crafted download tasks, so the PoC can write to any path the `mobile` user is already allowed to write; the write fails only where the target path requires `root` ownership (or the existing file is not owned by `mobile`).

**Check the blogpost for more information**

### Disclaimer
This project is for **educational purposes only**.
Do **not** use it for illegal activities.
Apple may patch this behavior at any time.
--------------------------------------------------------------------------------
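The Outcome section above states the condition under which a crafted download task succeeds: the destination only has to be writable by `mobile`. Anyone triaging these database files from a backup or a device would want a quick way to find download entries whose destination resolves outside the app container. The Python script below is an added example, not code from the bl_sbx repository or its blog post. It does not know the real schema of `downloads.28.sqlitedb` or `BLDatabaseManager.sqlite`, so it walks every table listed in `sqlite_master`, picks out text cells that look like absolute paths, resolves `..` segments and the `/var` symlink to `/private/var`, and classifies each hit against the writable prefixes the README lists. The `download_task` table, its columns and all sample rows are constructed for the demo, and the assumption that ordinary downloads land under `/private/var/mobile/Containers/` is mine.

```python
"""
Schema-agnostic triage of an iOS download-task database.

Added example, not code from the bl_sbx repository. The real schema of
downloads.28.sqlitedb / BLDatabaseManager.sqlite is not assumed: every
user table is scanned for path-like text cells. The download_task table
built in build_sample_db() is a constructed, hypothetical sample.
"""
import posixpath
import sqlite3

# Prefixes the README names as writable by the mobile user. The README elides
# part of the SystemGroup path with "...", so we match the part before it.
MOBILE_WRITABLE_PREFIXES = (
    "/private/var/containers/Shared/SystemGroup/",
    "/private/var/mobile/Library/FairPlay/",
    "/private/var/mobile/Media/",
)

# Assumption (not from the README): a destination inside the app's own
# container directory is an ordinary download and is not reported.
EXPECTED_CONTAINER_PREFIX = "/private/var/mobile/Containers/"


def normalize_path(path):
    """Collapse '.' and '..' segments and map the /var symlink to /private/var."""
    norm = posixpath.normpath(path)
    if norm == "/var" or norm.startswith("/var/"):
        norm = "/private" + norm
    return norm


def iter_text_cells(conn):
    """Yield (table, column, value) for every string cell in every user table."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master "
        "WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        quoted = '"' + table.replace('"', '""') + '"'   # safe identifier quoting
        cols = [r[1] for r in conn.execute(f"PRAGMA table_info({quoted})")]
        for row in conn.execute(f"SELECT * FROM {quoted}"):
            for col, val in zip(cols, row):
                if isinstance(val, str):
                    yield table, col, val


def scan_database(conn):
    """Return findings for path-like cells that resolve outside the app container."""
    findings = []
    for table, col, val in iter_text_cells(conn):
        if not val.startswith("/"):
            continue                      # URLs, titles, JSON blobs: not a path
        norm = normalize_path(val)
        if not norm.startswith("/private/var/"):
            continue                      # not on the data partition
        if norm.startswith(EXPECTED_CONTAINER_PREFIX):
            continue                      # ordinary in-container destination
        if norm.startswith(MOBILE_WRITABLE_PREFIXES):
            verdict = "mobile-writable prefix listed in README"
        else:
            verdict = "other /private/var path (write needs a non-mobile owner)"
        findings.append({"table": table, "column": col, "raw": val,
                         "normalized": norm, "verdict": verdict})
    return findings


def build_sample_db():
    """Constructed sample database with a hypothetical download-task table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE download_task "
                 "(id INTEGER PRIMARY KEY, url TEXT, destination TEXT)")
    rows = [
        # ordinary download into the app container: not reported
        ("https://example.invalid/book1.epub",
         "/private/var/mobile/Containers/Data/Application/AAAA/Library/Caches/book1.epub"),
        # '..' traversal out of the container into a README-listed writable path
        ("https://example.invalid/payload.epub",
         "/private/var/mobile/Containers/Data/Application/AAAA/../../../../Library/FairPlay/payload.epub"),
        # /var spelling of the SystemGroup cache directory
        ("https://example.invalid/gestalt.epub",
         "/var/containers/Shared/SystemGroup/BBBB/Library/Caches/com.apple.MobileGestalt.plist"),
        # a path the mobile user cannot write to
        ("https://example.invalid/x.epub", "/private/var/root/Library/x.epub"),
    ]
    conn.executemany("INSERT INTO download_task (url, destination) VALUES (?, ?)", rows)
    conn.commit()
    return conn


if __name__ == "__main__":
    for f in scan_database(build_sample_db()):
        print(f"{f['table']}.{f['column']}: {f['raw']}")
        print(f"    -> {f['normalized']}  [{f['verdict']}]")
```

To run it against a real artifact, replace `build_sample_db()` with `sqlite3.connect("file:downloads.28.sqlitedb?mode=ro", uri=True)` so the scan opens the evidence read-only and cannot modify it. The scanner reports any absolute path on the data partition outside the app container, so on a real database expect some benign hits that must be checked by hand.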