author: spv420 <unomilliono@gmail.com> 2022-05-31 20:02:20 -0400
committer: spv420 <unomilliono@gmail.com> 2022-05-31 20:02:20 -0400
commit: b99c9f63097e7337250b7fd50492430a05634ae5 (patch)
tree: d41193b5d34e46355d66d0d5ce35a194c8b6b057 /README.md
parent: faee2212875b92440f87be7b16e60c87d7415eae (diff)
lol
Diffstat (limited to 'README.md')
-rw-r--r-- README.md 2
1 files changed, 1 insertions, 1 deletions
diff --git a/README.md b/README.md
index e30ce51..68a798f 100644
--- a/README.md
+++ b/README.md
@@ -7,6 +7,6 @@ current offsets are included for `iPhone4,1` on `9.3.6 (13G37)`. it may work on
clarification: the actual racoon exploit should work on any device/firmware with the same ipsec-tools version (and maybe build :P), but the JSC call portion is currently specific to one dyld_shared_cache, which is usually device & build unique. the underlying bug should work on any firmware before ~ iOS 12. my exploit is 32-bit only prolly, at least practically, due to less ASLR slides. the exploit to get arbitrary mem write should work on < iOS 12 as well (i think), but the ROP chain's gadget addresses are currently hardcoded to one build.
-current need is just to get a better call primitive, from what i can tell the phoenix bugs can't be exploited with only 4 args to functions. not sure how to get that better primitive working tho, so we'll see. :P
+~~current need is just to get a better call primitive, from what i can tell the phoenix bugs can't be exploited with only 4 args to functions. not sure how to get that better primitive working tho, so we'll see. :P~~ nevermind lol, 26 (and maybe more) should be enough, kek
greetz to @tihmstar for help with 935csbypass \ No newline at end of file
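Review bot: the struck-through sentence in this hunk should be removed rather than kept as strikethrough, and the replacement text needs a noun: "26 (and maybe more) should be enough" never says 26 of what. Read against the old sentence ("only 4 args to functions") it means 26 arguments to the call primitive, so say that directly, e.g. `the call primitive now supports 26 (and maybe more) args, which should be enough for the phoenix bugs`, and drop the obsolete text so the README describes current status only. The unchanged context line above still states that the JSC call portion is tied to one dyld_shared_cache and that the ROP chain's gadget addresses are hardcoded to one build; if the new primitive changes either of those, update that paragraph in the same commit, and if it does not, one sentence noting that those limitations remain would keep the two paragraphs consistent. The commit message "lol" also gives a future reader nothing; a one-line summary such as "README: note call primitive now has enough args" would make the history searchable.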