Diffstat (limited to 'tools')
-rwxr-xr-xtools/build.sh8
-rwxr-xr-xtools/ent.xml15
-rw-r--r--tools/envdump.c17
-rw-r--r--tools/envrun.c25
-rwxr-xr-xtools/fuck_aslr.c114
-rw-r--r--tools/fuck_aslr2.c86
-rwxr-xr-xtools/fuck_ptr.c60
-rwxr-xr-xtools/jit_all_the_things.c11
-rwxr-xr-xtools/jsc_funbin0 -> 51824 bytes
-rw-r--r--tools/lol.js15
-rwxr-xr-xtools/test.c61
11 files changed, 412 insertions, 0 deletions
diff --git a/tools/build.sh b/tools/build.sh
new file mode 100755
index 0000000..5baab83
--- /dev/null
+++ b/tools/build.sh
@@ -0,0 +1,8 @@
+mkdir bin
+xcrun -sdk iphoneos clang -arch armv7 fuck_aslr.c -o bin/fuck_aslr; ldid -Sent.xml bin/fuck_aslr; cat bin/fuck_aslr | ssh root@localhost -p 2222 "rm fuck_aslr; cat > fuck_aslr; chmod +x fuck_aslr"
+xcrun -sdk iphoneos clang -arch armv7 fuck_aslr2.c -o bin/fuck_aslr2; ldid -Sent.xml bin/fuck_aslr2; cat bin/fuck_aslr2 | ssh root@localhost -p 2222 "rm fuck_aslr2; cat > fuck_aslr2; chmod +x fuck_aslr2"
+xcrun -sdk iphoneos clang -arch armv7 fuck_ptr.c -o bin/fuck_ptr; ldid -S bin/fuck_ptr; cat bin/fuck_ptr | ssh root@localhost -p 2222 "rm fuck_ptr; cat > fuck_ptr; chmod +x fuck_ptr"
+xcrun -sdk iphoneos clang -arch armv7 jit_all_the_things.c -o bin/jit_all_the_things; ldid -S bin/jit_all_the_things; cat bin/jit_all_the_things | ssh root@localhost -p 2222 "rm jit_all_the_things; cat > jit_all_the_things; chmod +x jit_all_the_things"
+xcrun -sdk iphoneos clang -arch armv7 jsc_fun.c -framework JavaScriptCore -o bin/jsc_fun; ldid -S bin/jsc_fun; cat bin/jsc_fun | ssh root@localhost -p 2222 "rm jsc_fun; cat > jsc_fun; chmod +x jsc_fun"
+
+scp -P 2222 lol.js root@localhost:/var/root/lol.js \ No newline at end of file
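Review bot: Every build line chains its steps with `;`, so when `xcrun ... clang` fails the `ldid` and `ssh` steps still run, and the remote `rm` deletes the previous binary before `cat >` receives a stale or missing file from bin/. Chain with `&&` instead, e.g. `xcrun -sdk iphoneos clang -arch armv7 fuck_aslr.c -o bin/fuck_aslr && ldid -Sent.xml bin/fuck_aslr && ssh root@localhost -p 2222 "cat > fuck_aslr && chmod +x fuck_aslr" < bin/fuck_aslr`, or put `set -e` under a `#!/bin/sh` shebang, which the script currently lacks. `mkdir bin` on the first line fails on every run after the first; `mkdir -p bin` is what is meant. Line 31 compiles `jsc_fun.c`, which this commit does not add (only the built binary tools/jsc_fun is), so the script cannot run from a clean checkout.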
diff --git a/tools/ent.xml b/tools/ent.xml
new file mode 100755
index 0000000..35801e8
--- /dev/null
+++ b/tools/ent.xml
@@ -0,0 +1,15 @@
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+ <key>platform-application</key>
+ <true/>
+ <key>com.apple.private.security.no-container</key>
+ <true/>
+ <key>com.apple.system-task-ports</key>
+ <true/>
+ <key>task_for_pid-allow</key>
+ <true/>
+ <key>get-task-allow</key>
+ <true/>
+</dict>
+</plist> \ No newline at end of file
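Review bot: The plist has no `<?xml version="1.0" encoding="UTF-8"?>` declaration before the DOCTYPE on the first line; Apple's own plist files carry it and some plist tooling is stricter than ldid appears to be about its absence, so add it as line 1. build.sh applies this entitlement set only to fuck_aslr and fuck_aslr2 and signs the other tools with a plain `ldid -S`, which is the right scoping for a file this broad; a one-line `<!-- applied only to fuck_aslr / fuck_aslr2, see build.sh -->` would keep the next reader from reusing it for the rest.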
diff --git a/tools/envdump.c b/tools/envdump.c
new file mode 100644
index 0000000..4536d00
--- /dev/null
+++ b/tools/envdump.c
@@ -0,0 +1,17 @@
+#include <unistd.h>
+#include <stdio.h>
+
+int main(int argc, char* argv[], char* envp[]) {
+ char** environ_ = envp;
+
+ FILE* fp = fopen("/tmp/envdump.txt", "w");
+
+ while (*environ_) {
+ fprintf(fp, "%s\n", *environ_);
+ environ_++;
+ }
+
+ fclose(fp);
+
+ return 0;
+} \ No newline at end of file
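Review bot: `fopen("/tmp/envdump.txt", "w")` on line 67 is never checked, so a failed open makes the `fprintf` on line 70 dereference a NULL `FILE *`; add `if (!fp) { perror("fopen"); return 1; }` directly after it. The file is created in a shared directory with the default umask, and a process environment can hold credentials or tokens, so set `umask(077)` before the `fopen` (or use `open(..., O_WRONLY|O_CREAT|O_TRUNC, 0600)` plus `fdopen`) and check the `fclose` return for write errors. `argc` and `argv` are unused; `(void)argc; (void)argv;` keeps `-Wextra` quiet.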
diff --git a/tools/envrun.c b/tools/envrun.c
new file mode 100644
index 0000000..bc5dd08
--- /dev/null
+++ b/tools/envrun.c
@@ -0,0 +1,25 @@
+#include <unistd.h>
+#include <stdio.h>
+
+int main(int argc, char* argv[]) {
+ char* argv_[] = {
+ "/bin/sh",
+ NULL
+ };
+
+ char* envp_[] = {
+ "SHELL=/bin/sh",
+ "USER=mobile",
+ "HOME=/var/mobile",
+ "XPC_FLAGS=0x0",
+ "XPC_SERVICE_NAME=0",
+ "LOGNAME=mobile",
+ "PATH=/usr/bin:/bin:/usr/sbin:/sbin",
+ "__CF_USER_TEXT_ENCODING=0x1F5:0:0",
+ NULL
+ };
+
+ execle("/bin/sh", "/bin/sh", NULL, envp_);
+
+ return 0;
+} \ No newline at end of file
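Review bot: `execle` on line 105 only returns when it fails, so the fall-through `return 0` reports success precisely when the shell could not be started; replace the tail with `perror("execle"); return 1;`. `argv_` on lines 88-91 is built but never used because the argument list is passed inline; either drop it or switch to `execve("/bin/sh", argv_, envp_)`, which consumes the array the code already constructs. `argc` and `argv` are unused parameters.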
diff --git a/tools/fuck_aslr.c b/tools/fuck_aslr.c
new file mode 100755
index 0000000..c8e9714
--- /dev/null
+++ b/tools/fuck_aslr.c
@@ -0,0 +1,114 @@
+/*
+ * fuck_aslr
+ */
+
+#include <stdio.h>
+#include <mach/mach.h>
+
+task_t tfp0;
+#define LC_SIZE 0x0000000f
+
+uint8_t lol[] = {
+ 0x40, 0xf2, 0x69, 0x00
+};
+
+mach_port_t get_kernel_task_port() {
+ mach_port_t kernel_task;
+ kern_return_t kr;
+ if ((kr = task_for_pid(mach_task_self(), 0, &kernel_task)) != KERN_SUCCESS) {
+ return -1;
+ }
+ return kernel_task;
+}
+
+uint32_t do_kernel_read(uint32_t addr) {
+ size_t size = 4;
+ uint32_t data = 0;
+
+ kern_return_t kr = vm_read_overwrite(get_kernel_task_port(),(vm_address_t)addr,size,(vm_address_t)&data,&size);
+ if (kr != KERN_SUCCESS) {
+ printf("[!] Read failed. %s\n",mach_error_string(kr));
+ return -1;
+ }
+ return data;
+}
+
+void do_kernel_write(uint32_t addr, uint32_t data) {
+ kern_return_t kr = vm_write(get_kernel_task_port(),(vm_address_t)addr,(vm_address_t)&data,sizeof(data));
+
+ if (kr != KERN_SUCCESS) {
+ printf("Error writing!\n");
+ return;
+ }
+}
+
+uint32_t get_kernel_slide() {
+ uint32_t slide;
+ uint32_t base = 0x80001000;
+ uint32_t slid_base;
+
+ for (int slide_byte = 256; slide_byte >= 1; slide_byte--) {
+ slide = 0x01000000 + 0x00200000 * slide_byte;
+ slid_base = base + slide;
+
+ if (do_kernel_read(slid_base) == 0xfeedface) {
+ if (do_kernel_read(slid_base + 0x10) == LC_SIZE) {
+ return slide;
+ }
+ }
+ }
+ return -1;
+}
+
+int main(int argc, char* argv[]) {
+ printf("[*] fuck aslr\n");
+ task_for_pid(mach_task_self(), 0, &tfp0);
+ uint8_t lol_slide;
+ /*
+ * LAB_8029c06e XREF[1]: 8029c04e(j)
+ * 8029c06e 4c a8 add r0,sp,#0x130
+ * 8029c070 04 21 movs r1,#0x4
+ * 8029c072 15 f6 d5 bl _read_random void _read_random(void * buf
+ * fb
+ * 8029c076 c4 f1 14 rsb.w r0,r4,#0x14
+ * 00
+ * 8029c07a 01 21 movs r1,#0x1
+ * 8029c07c 01 fa 00 lsl.w r8,r1,r0
+ * f8
+ * 8029c080 4c 98 ldr r0,[sp,#local_190]
+ * 8029c082 4f ea e8 asr.w r11,r8, asr #0x1f
+ * 7b
+ * 8029c086 00 21 movs r1,#0x0
+ * 8029c088 20 f0 00 bic r0,r0,#0x80000000
+ * 40
+ * 8029c08c 42 46 mov r2,r8
+ * 8029c08e 5b 46 mov r3,r11
+ * 8029c090 f7 f0 b6 bl FUN_80393200 undefined FUN_80393200()
+ * f8
+ * 8029c094 82 46 mov r10,r0
+ * 8029c096 0e 46 mov r6,r1
+ * 8029c098 2c 46 mov r4,r5
+ * 8029c09a 00 2d cmp r5,#0x0
+ * 8029c09c 01 d0 beq LAB_8029c0a2
+ * 8029c09e e5 6a ldr r5,[r4,#0x2c]
+ * 8029c0a0 00 e0 b LAB_8029c0a4
+
+ */
+ uint32_t patch_addy = 0x8029c088; // iPad2,1 9.3.5
+ if (argc < 2) {
+ lol_slide = 0x0;
+ } else {
+ lol_slide = strtoul(argv[1], NULL, 16);
+ }
+ if (argc != 3) {
+ lol[2] = lol_slide;
+ printf("[*] vm_write returned %d\n", vm_write(tfp0, patch_addy + get_kernel_slide(), (vm_address_t)lol, sizeof(lol)));
+ } else {
+ lol[0] = 0x20;
+ lol[1] = 0xf0;
+ lol[2] = 0x00;
+ lol[3] = 0x40;
+ printf("[*] vm_write returned %d\n", vm_write(tfp0, patch_addy + get_kernel_slide(), (vm_address_t)lol, sizeof(lol)));
+ }
+ return 0;
+} \ No newline at end of file
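Review bot: `main` ignores the result of `task_for_pid` on line 179 and of `get_kernel_slide()` on lines 219 and 225, while both helpers encode failure as `-1` stored in an unsigned type (`mach_port_t`, `uint32_t`), so a failed lookup yields `0xffffffff` that is indistinguishable from a valid value and `patch_addy + get_kernel_slide()` silently wraps to an unintended address before `vm_write` runs. Check and abort instead: `if (task_for_pid(mach_task_self(), 0, &tfp0) != KERN_SUCCESS) return 1;` and `uint32_t slide = get_kernel_slide(); if (slide == (uint32_t)-1) return 1;` ahead of the writes; `do_kernel_read` has the same `-1` encoding, whose failure value can collide with real memory contents, so a `bool` return with an out-parameter is the cleaner contract. `get_kernel_task_port` is also called afresh on every `do_kernel_read`, acquiring a task port right each time that is never released with `mach_port_deallocate`. `strtoul` on line 215 is used without `<stdlib.h>` and its result is silently truncated into the `uint8_t` `lol_slide`. The helpers on lines 129-175 are duplicated verbatim in fuck_aslr2.c, where every point above applies as well.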
diff --git a/tools/fuck_aslr2.c b/tools/fuck_aslr2.c
new file mode 100644
index 0000000..9181bcc
--- /dev/null
+++ b/tools/fuck_aslr2.c
@@ -0,0 +1,86 @@
+/*
+ * fuck_aslr
+ */
+
+#include <stdio.h>
+#include <mach/mach.h>
+
+task_t tfp0;
+#define LC_SIZE 0x0000000f
+
+uint8_t lol[] = {
+ 0x40, 0xf2, 0x69, 0x00
+};
+
+mach_port_t get_kernel_task_port() {
+ mach_port_t kernel_task;
+ kern_return_t kr;
+ if ((kr = task_for_pid(mach_task_self(), 0, &kernel_task)) != KERN_SUCCESS) {
+ return -1;
+ }
+ return kernel_task;
+}
+
+uint32_t do_kernel_read(uint32_t addr) {
+ size_t size = 4;
+ uint32_t data = 0;
+
+ kern_return_t kr = vm_read_overwrite(get_kernel_task_port(),(vm_address_t)addr,size,(vm_address_t)&data,&size);
+ if (kr != KERN_SUCCESS) {
+ printf("[!] Read failed. %s\n",mach_error_string(kr));
+ return -1;
+ }
+ return data;
+}
+
+void do_kernel_write(uint32_t addr, uint32_t data) {
+ kern_return_t kr = vm_write(get_kernel_task_port(),(vm_address_t)addr,(vm_address_t)&data,sizeof(data));
+
+ if (kr != KERN_SUCCESS) {
+ printf("Error writing!\n");
+ return;
+ }
+}
+
+uint32_t get_kernel_slide() {
+ uint32_t slide;
+ uint32_t base = 0x80001000;
+ uint32_t slid_base;
+
+ for (int slide_byte = 256; slide_byte >= 1; slide_byte--) {
+ slide = 0x01000000 + 0x00200000 * slide_byte;
+ slid_base = base + slide;
+
+ if (do_kernel_read(slid_base) == 0xfeedface) {
+ if (do_kernel_read(slid_base + 0x10) == LC_SIZE) {
+ return slide;
+ }
+ }
+ }
+ return -1;
+}
+
+int main(int argc, char* argv[]) {
+ vm_size_t segment = 0x800;
+ uint32_t lol = get_kernel_slide();
+ task_t tfp0 = get_kernel_task_port();
+ uint32_t len = 32 * 1024 * 1024;
+ uint8_t* kdata = (uint8_t*)malloc(len);
+ for (int i = 0; i < len / segment; i++) {
+ /*
+ * DUMP DUMP DUMP
+ */
+
+ vm_read_overwrite(tfp0,
+ 0x80001000 + lol + (i * segment),
+ segment,
+ (vm_address_t)kdata + (i * segment),
+ &segment);
+ }
+
+ FILE* fp = fopen("dump.bin", "wb");
+ fwrite(kdata, 1, len, fp);
+ fclose(fp);
+
+ return 0;
+} \ No newline at end of file
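Review bot: `segment` on line 298 is both the loop stride and the out-parameter passed as `&segment` on line 312, so a short read shrinks it and thereby changes the loop bound `len / segment` and every later source and destination offset; pass a separate `vm_size_t got = segment;` as the out argument and keep `segment` constant. The returns of `vm_read_overwrite`, of `malloc(len)` on line 302 and of `fopen("dump.bin", "wb")` on line 315 are all unchecked, so an unreadable range leaves uninitialized heap bytes in the output file and a failed `fopen` makes `fwrite` dereference NULL; `calloc(len, 1)` and an `if (!fp) { perror("fopen"); return 1; }` guard cover the latter two. The local `lol` (line 299) and `tfp0` (line 300) shadow the file-scope array and variable of the same names, and the `int` loop counter is compared against a `vm_size_t` expression. `malloc` is used without `<stdlib.h>`.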
diff --git a/tools/fuck_ptr.c b/tools/fuck_ptr.c
new file mode 100755
index 0000000..25eab56
--- /dev/null
+++ b/tools/fuck_ptr.c
@@ -0,0 +1,60 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <mach/mach.h>
+
+#include <mach-o/dyld.h>
+
+#include <dlfcn.h>
+
+int lol;
+
+int main(void) {
+// printf("[*] aslr better be a cripple now: &lol = %p, malloc(...) = %p\n", &lol, malloc(0x4));
+// printf("[*] lol2=0x%08x\n", *(uint32_t*)0x800000);
+ task_t kek = mach_task_self();
+ uint8_t* page = malloc(0x1000);
+
+ for (int i = 0; i < _dyld_image_count(); i++) {
+ printf("%s: 0x%x (slid 0x%x)\n", _dyld_get_image_name(i), _dyld_get_image_header(i), _dyld_get_image_vmaddr_slide(i));
+ }
+
+ printf("begin\n");
+ fflush(stdout);
+
+ printf("%p\n", dlopen("/System/Library/Frameworks/JavaScriptCore.framework/JavaScriptCore", RTLD_GLOBAL));
+
+ printf("RTLD_LAZY=%d RTLD_NOW=%d RTLD_GLOBAL=%d RTLD_LOCAL=%d RTLD_NODELETE=%d RTLD_NOLOAD%d\n", RTLD_LAZY, RTLD_NOW, RTLD_GLOBAL, RTLD_LOCAL, RTLD_NODELETE, RTLD_NOLOAD);
+
+#if 0
+ for (int i = 0xb4000; i < 0xb5000; i += 4) {
+// uint32_t* lol = (uint32_t*)(0x1fe6a58c + (i << 12));
+ uint32_t lol = *(uint32_t*)i;
+ if (lol >= 0x1fe00000 && lol <= 0x1ff00000) {
+ printf("0x%08x 0x%08x\n", i, lol);
+ }
+ (void)fflush(__stdoutp);
+ }
+
+
+ if (*lol == 0xb5f0) break;
+ }
+#endif
+
+ printf("success\n");
+ /*
+ size_t size;
+ for (uint32_t pagen = 0x0; pagen < (0xffffffff >> 12); pagen++) {
+
+ if (pagen % ((0xffffffff >> 12) / 100) == 0) {
+ //printf("%d\n", pagen / ((0xffffffff >> 12) / 100));
+ }
+
+ uint32_t page_start = pagen << 12;
+ if (vm_read_overwrite(kek, page_start, 0x1000, (vm_address_t)page, &size))
+ continue; // page isn't allocated
+
+// printf("0x%08x\n", page_start);
+ }
+ */
+ return 0;
+}
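Review bot: The `printf` on line 344 passes a `const struct mach_header *` and an `intptr_t` to `%x`, a format/argument mismatch that is undefined behavior; use `printf("%s: %p (slid 0x%lx)\n", _dyld_get_image_name(i), (const void *)_dyld_get_image_header(i), (long)_dyld_get_image_vmaddr_slide(i));` and declare `i` as `uint32_t` to match `_dyld_image_count()`. `page` (line 341) is allocated and `kek` (line 340) assigned, but neither is used on a live path, so the page buffer leaks on every run. The `#if 0` block on lines 354-367 and the comment block on lines 370-384 are dead code that should be deleted rather than committed; version control keeps the history.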
diff --git a/tools/jit_all_the_things.c b/tools/jit_all_the_things.c
new file mode 100755
index 0000000..d955ea1
--- /dev/null
+++ b/tools/jit_all_the_things.c
@@ -0,0 +1,11 @@
+#include <sys/types.h>
+#include <stdio.h>
+
+#define PT_TRACE_ME 0
+int ptrace(int, pid_t, caddr_t, int);
+int main(int argc, char* argv[]) {
+ ptrace(PT_TRACE_ME, 0, NULL, 0);
+ exit(0);
+
+ return 0;
+} \ No newline at end of file
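Review bot: `exit(0)` on line 400 is called without `#include <stdlib.h>`, which is an implicit function declaration (invalid since C99), and the `return 0` on line 402 is unreachable behind it; include the header or simply `return 0;`. The return value of `ptrace` on line 399 is discarded, so a failed call is indistinguishable from success; `if (ptrace(PT_TRACE_ME, 0, NULL, 0) != 0) { perror("ptrace"); return 1; }`. Hand-declaring `ptrace` and `PT_TRACE_ME` instead of including `<sys/ptrace.h>` is presumably deliberate for the iOS SDK, and a one-line comment saying so would spare the next reader the guess.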
diff --git a/tools/jsc_fun b/tools/jsc_fun
new file mode 100755
index 0000000..83f9b13
--- /dev/null
+++ b/tools/jsc_fun
Binary files differ
diff --git a/tools/lol.js b/tools/lol.js
new file mode 100644
index 0000000..b11a54d
--- /dev/null
+++ b/tools/lol.js
@@ -0,0 +1,15 @@
+`
+Bye bye, ROP...
+Now we have JavaScript code execution in racoon.
+
+From now on, all of our doings should be possible from within JSC,
+ROP should no longer be an issue.
+
+We have a pretty stable arbitrary memory r/w primitive, which I believe
+should be able to facilitate creation of an arbitrary call primitive,
+at which point ROP is basically *actually* done for.
+
+ with love from spv. <3
+`
+
+//write_u32(0x41414141, 0x42424242); \ No newline at end of file
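Review bot: The banner on lines 416-428 is a bare template literal, i.e. an expression statement that is evaluated and discarded at load time rather than a comment; a `/* ... */` block comment carries the same text without producing a value or tripping a linter's no-unused-expressions rule. The commented-out call on the last line is either an example or a leftover; say which in the comment or remove it.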
diff --git a/tools/test.c b/tools/test.c
new file mode 100755
index 0000000..6682971
--- /dev/null
+++ b/tools/test.c
@@ -0,0 +1,61 @@
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+
+#include <vproc.h>
+
+#define LC_DEFAULT_CF SYSCONFDIR "/racoon.conf"
+
+typedef char vchar_t;
+
+#define LC_PATHTYPE_INCLUDE 0
+#define LC_PATHTYPE_PSK 1
+#define LC_PATHTYPE_CERT 2
+#define LC_PATHTYPE_BACKUPSA 3
+#define LC_PATHTYPE_SCRIPT 4
+#define LC_PATHTYPE_PIDFILE 5
+#define LC_PATHTYPE_LOGFILE 6
+#define LC_PATHTYPE_MAX 7
+
+#define LC_DEFAULT_PAD_MAXSIZE 20
+#define LC_DEFAULT_PAD_RANDOM TRUE
+#define LC_DEFAULT_PAD_RANDOMLEN FALSE
+#define LC_DEFAULT_PAD_STRICT FALSE
+#define LC_DEFAULT_PAD_EXCLTAIL TRUE
+#define LC_DEFAULT_RETRY_COUNTER 5
+#define LC_DEFAULT_RETRY_INTERVAL 10
+#define LC_DEFAULT_COUNT_PERSEND 1
+#define LC_DEFAULT_RETRY_CHECKPH1 30
+#define LC_DEFAULT_WAIT_PH2COMPLETE 30
+#define LC_DEFAULT_NATT_KA_INTERVAL 20
+
+#define LC_DEFAULT_SECRETSIZE 16 /* 128 bits */
+
+#define LC_IDENTTYPE_MAX 5 /* XXX */
+
+#define LC_GSSENC_UTF16LE 0 /* GSS ID in UTF-16LE */
+#define LC_GSSENC_LATIN1 1 /* GSS ID in ISO-Latin-1 */
+#define LC_GSSENC_MAX 2
+
+#define LC_AUTOEXITSTATE_SET 0x00000001
+#define LC_AUTOEXITSTATE_CLIENT 0x00000010
+#define LC_AUTOEXITSTATE_ENABLED 0x00000011 /* both VPN client and set */
+
+struct a {
+ char *logfile_param; /* from command line */
+ char *pathinfo[LC_PATHTYPE_MAX];
+ vchar_t *ident[LC_IDENTTYPE_MAX]; /* base of Identifier payload. */
+
+ int pad_random;
+ int pad_randomlen;
+ int pad_maxsize;
+ int pad_strict;
+ int pad_excltail;
+};
+
+int main() {
+ int* a = malloc(0x100);
+ *a = 0x1;
+ printf("%x", *(int*)a + 0xa4);
+ printf("%x\n", sizeof(struct a));
+} \ No newline at end of file
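Review bot: `printf("%x\n", sizeof(struct a))` on line 496 passes a `size_t` to `%x`, a format/argument mismatch and undefined behavior; use `%zu`. `malloc(0x100)` on line 493 is unchecked before `*a = 0x1`, and `*(int*)a + 0xa4` on line 495 adds to the loaded value rather than to the address, which may or may not be what was intended — a comment stating what the constant represents would settle it. The `LC_DEFAULT_*` macros on lines 443-478 reference `SYSCONFDIR`, `TRUE` and `FALSE`, none of which is defined here; they compile only because nothing expands them, so either define them or trim the block to the `LC_PATHTYPE_MAX` and `LC_IDENTTYPE_MAX` values the struct actually uses. `main()` should be `int main(void)`.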