From 31e37a51023af3655e88f12c01c3f50f8789b8e5 Mon Sep 17 00:00:00 2001 From: spv420 Date: Wed, 1 Jun 2022 18:13:00 -0400 Subject: plsreadmebb.mdtxt --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3c7b6bb..f17ca41 100644 --- a/README.md +++ b/README.md @@ -3,7 +3,7 @@ this is a work-in-progress. gets ROP in racoon, then gets JS code exec with RWC primitives (arbitrary r/w, currently up to 26-arg call primitive) -current offsets are included for `iPhone4,1` on `9.3.6 (13G37)`. it may work on other devices and/or firmwares, but that's unlikely. (besides maybe `9.3.5 (13G36)` on `iPhone4,1`?) +current offsets are included for `iPhone4,1` on `9.3.6 (13G37)` & `iPod5,1` on `9.3.5 (13G36)`. it may work on other devices and/or firmwares, but that's unlikely. (besides maybe `9.3.5 (13G36)` on `iPhone4,1`?) clarification: the actual racoon exploit should work on any device/firmware with the same ipsec-tools version (and maybe build :P), but the JSC call portion is currently specific to one dyld_shared_cache, which is usually device & build unique. the underlying bug should work on any firmware before ~ iOS 12. my exploit is 32-bit only prolly, at least practically, due to less ASLR slides. the exploit to get arbitrary mem write should work on < iOS 12 as well (i think), but the ROP chain's gadget addresses are currently hardcoded to one build. -- cgit v1.2.3