Open rikumi opened 6 years ago
Please check out my fork for it, as it has your corresponding offsets and is at this time a bit more straightforward, 6S 11.3.1 only tho
@MTJailed It worked after several trials. Next thing is to wait for the filesystem remount...
I'm just half an iOS developer and have no knowledge in this...
It's out but you need to construct the gadgets yourself, tho it's well documented on Weibo by Zhengmin
@MTJailed Using your library, the following log appears:
```
Hello there debugger, thanks for debugging me, but I might be unreliable with big brother watching me (kernel panics).
Debug server process id: 265 group process id: 266
Stage 1: Exploiting the kernel.
offsets selected for iOS 11.3 or above
build_id: 15E302
sysname: Darwin
nodename: Luoei-5s
release: 17.5.0
version: Darwin Kernel Version 17.5.0: Tue Mar 13 21:32:12 PDT 2018; root:xnu-4570.52.2~8/RELEASE_ARM64_S5L8960X
machine: iPhone6,2
Your device isn't supported yet, find your offsets and add them to offsets.m in the project.
Initializing multipath_kfree bug...
Filling the zone with 10,000 machports...
Filling the zone with another 0x20 machports serving as our first port for corruption...
Creating our first socket...
Our first socket descriptor is: 3
Filling our the zone and our first port array with the remaining 68 ports...
Creating the rest of our 15 sockets...
Initializing empty messages for all of our potential first ports...
Freeing first and second in our socket struct and praying that we are still here...
Finding corrupt port in that zone so we can leak the kernel ASLR shift later...
Port 0x26cf03 is corrupt!
Corrupt port: 0026CF03 19
Filling ports to serve as a zone spray for finding the kASLR slide and getting r/w...
Initializing empty messages for all of our sprayed ports...
Receiving the response message from our corrupt port, leaking the address of our new contained port...
Refill port is at 0xfffffff1192307a0
Sending an empty message to our corrupted port...
Freeing the contained port using multipath bug...
Port 0x26cf03 is corrupt!
Leaking kASLR by filling the zone with userclients to AGXCommandQueue...
Receiving back from our corrupt port, leaking the address of the userclient...
Calculating the address of the vtable of AGXCommandQueue from the leaked userclient...
AGXCommandQueue vtable is at: 0xfffffff01128d8c0
Calculating kaslr_shift, if this displays 0xffff(something) then check if the vtable offset is correct!
kaslr shift: 0xfffffff01128d8c0
Destroying the corrupted port as we now have the kASLR slide...
Filling the zone again with some random ports so we can get kernel read write...
Setting up kernel r/w access using s1guza's gadgets...
```
...and then it reboots.
Yep, that's because the kaslr calculation is wrong. I'll update the project soon.
Model: iPhone 6s

Failed at `IOConnectGetService(_ucs[i], &service);` (extra_recipe_utils.c:279) when `i` equals 2.

Is it because of lazy (as mentioned in the code)?