potmdehex / multipath_kfree

low effort jb

iPhone5s fail and reboot #6

Open luoei opened 6 years ago

luoei commented 6 years ago

Log:

```
Corrupt port: 0026D903 26
refill port is at 0xfffffff0066507a0
AGXCommandQueue vtable: 0xfffffff01ae8d8c0
kaslr shift: 0x13eaff48
```

and reboot

MTJailed commented 6 years ago

Can you provide the panic log from that time? I think your offset may be incorrect.

luoei commented 6 years ago
```
           ██╗  ██╗ ██████╗ ██████╗ ██████╗ ███████╗
           ╚██╗██╔╝██╔════╝██╔═══██╗██╔══██╗██╔════╝
            ╚███╔╝ ██║     ██║   ██║██║  ██║█████╗
            ██╔██╗ ██║     ██║   ██║██║  ██║██╔══╝
           ██╔╝ ██╗╚██████╗╚██████╔╝██████╔╝███████╗
           ╚═╝  ╚═╝ ╚═════╝ ╚═════╝ ╚═════╝ ╚══════╝

Hello there debugger, thanks for debugging me, but I might be unreliable with big brother watching me (kernel panics).

Debug server process id: 356
group process id: 357
Stage 1: Exploiting the kernel.
offsets selected for iOS 11.3 or above
build_id: 15E302
sysname: Darwin
nodename: Luoei-5s
release: 17.5.0
version: Darwin Kernel Version 17.5.0: Tue Mar 13 21:32:12 PDT 2018; root:xnu-4570.52.2~8/RELEASE_ARM64_S5L8960X
machine: iPhone6,2
Your device isn't supported yet, find your offsets and add them to offsets.m in the project.
Initializing multipath_kfree bug...
Filling the zone with 10,000 machports...
Filling the zone with another 0x20 machports serving as our first port for corruption...
Creating our first socket...
Our first socket descriptor is: 3
Filling our the zone and our first port array with the remaining 68 ports...
Creating the rest of our 15 sockets...
Initializing empty messages for all of our potential first ports...
Freeing first and second in our socket struct and praying that we are still here...
Finding corrupt port in that zone so we can leak the kernel ASLR shift later...
Port 0x26d603 is corrupt!
Corrupt port: 0026D603 31
Filling ports to serve as a zone spray for finding the kASLR slide and getting r/w...
Initializing empty messages for all of our sprayed ports...
Receiving the response message from our corrupt port, leaking the address of our new contained port...
Refill port is at 0xfffffff1136c07a0
Sending an empty message to our corrupted port...
Freeing the contained port using multipath bug...
Port 0x26d603 is corrupt!
Leaking kASLR by filling the zone with userclients to AGXCommandQueue...
Receiving back from our corrupt port, leaking the address of the userclient...
Calculating the address of the vtable of AGXCommandQueue from the leaked userclient...
AGXCommandQueue vtable is at: 0xfffffff00b48d8c0
Calculating kaslr_shift, if this displays 0xffff(something) then check if the vtable offset is correct!
kaslr shift: 0xfffffff00b48d8c0
Destroying the corrupted port as we now have the kASLR slide...
Filling the zone again with some random ports so we can get kernel read write...
Setting up kernel r/w access using s1guza's gadgets...
```

luoei commented 6 years ago

@MTJailed