From 630aecdb5082b7aabf38c4d5594fb236bebcceff Mon Sep 17 00:00:00 2001 From: spv420 Date: Sat, 30 Jul 2022 23:32:19 -0400 Subject: hell --- README.md | 33 +++++++++++++++++++++++++-------- 1 file changed, 25 insertions(+), 8 deletions(-) (limited to 'README.md') diff --git a/README.md b/README.md index f17ca41..eb48d5c 100644 --- a/README.md +++ b/README.md 
@@ -1,11 +1,22 @@ # p0laris untether -this is a work-in-progress. +*this is a work-in-progress.* -gets ROP in racoon, then gets JS code exec with RWC primitives (arbitrary r/w, currently up to 26-arg call primitive) +gets ROP in racoon, then gets JS code exec with RWC primitives (arbitrary r/w, +currently up to 26-arg call primitive), then uses qwertyoruiop's 935csbypass to +get native code execution -current offsets are included for `iPhone4,1` on `9.3.6 (13G37)` & `iPod5,1` on `9.3.5 (13G36)`. it may work on other devices and/or firmwares, but that's unlikely. (besides maybe `9.3.5 (13G36)` on `iPhone4,1`?) +current offsets are included for `iPhone4,1` on `9.3.6 (13G37)` & `iPod5,1` on +`9.3.5 (13G36)`. it may work on other devices and/or firmwares, but that's +unlikely. (besides maybe `9.3.5 (13G36)` on `iPhone4,1`?) -clarification: the actual racoon exploit should work on any device/firmware with the same ipsec-tools version (and maybe build :P), but the JSC call portion is currently specific to one dyld_shared_cache, which is usually device & build unique. the underlying bug should work on any firmware before ~ iOS 12. my exploit is 32-bit only prolly, at least practically, due to less ASLR slides. the exploit to get arbitrary mem write should work on < iOS 12 as well (i think), but the ROP chain's gadget addresses are currently hardcoded to one build. +clarification: the actual racoon exploit should work on any device/firmware with +the same ipsec-tools version (and maybe build :P), but the JSC call portion is +currently specific to one dyld_shared_cache, which is usually device & build +unique. the underlying bug should work on any firmware before ~ iOS 12. my +exploit is 32-bit only prolly, at least practically, due to less ASLR slides. +the exploit to get arbitrary mem write should work on < iOS 12 as well (i +think), but the ROP chain's gadget addresses are currently hardcoded to one +build. 
### current install steps - procure an `iPhone4,1` on `9.3.6 (13G37)` @@ -16,15 +27,21 @@ clarification: the actual racoon exploit should work on any device/firmware with - `./build_native.sh` - `./install_native.sh` - `/usr/libexec/dhcpd -q -cf old_exp.conf` <- run the racoon exploit once -- or instead `/usr/libexec/dhcpd -q -cf exploit.conf` <- run the racoon exploit forever, ctrl+c when it exits +- or instead `/usr/libexec/dhcpd -q -cf exploit.conf` <- run the racoon exploit +forever, ctrl+c when it starts tools include: -- `fuck_aslr` *should* fix the ASLR slide for all new processes on the kernel level, offsets are for `iPhone4,1` `9.3.6 (13G37)` atm -- `jsc_fun` was a tool to test JavaScriptCore arb r/w prims, source got deleted tho, i'll prolly rewrite it sometime +- `fuck_aslr` *should* fix the ASLR slide for all new processes on the kernel + level, offsets are for `iPhone4,1` `9.3.6 (13G37)` atm +- `jsc_fun` was a tool to test JavaScriptCore arb r/w prims, source got deleted + tho, i'll prolly rewrite it sometime - `shit` includes mostly thread-based call prim testing code - `shc/` contains WIP C shellcode compilation - and prolly more -~~current need is just to get a better call primitive, from what i can tell the phoenix bugs can't be exploited with only 4 args to functions. not sure how to get that better primitive working tho, so we'll see. :P~~ nevermind lol, 26 (and maybe more) should be enough, kek +~~current need is just to get a better call primitive, from what i can tell the +phoenix bugs can't be exploited with only 4 args to functions. not sure how to +get that better primitive working tho, so we'll see. :P~~ nevermind lol, 26 (and +maybe more) should be enough, kek greetz to @tihmstar for help with 935csbypass -- cgit v1.2.3
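Review bot: the new sentence in the first hunk credits qwertyoruiop's 935csbypass for the native code execution stage but gives no reference to where that code comes from or which revision is used, while the unchanged `greetz to @tihmstar for help with 935csbypass` line is the only other mention; add a link or commit reference next to the first mention so the provenance of the third-party stage is documented in one place. The compatibility paragraph also still mixes tested facts (`iPhone4,1` on `9.3.6 (13G37)`, `iPod5,1` on `9.3.5 (13G36)`) with guesses ("prolly", "(i think)"); a short tested/untested list would make it clear which combinations were actually run. The rest of the hunk is a whitespace-only reflow to 80 columns and reads fine.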
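Review bot: in the second hunk the install step for `exploit.conf` changes from `ctrl+c when it exits` to `ctrl+c when it starts`, which is a change in meaning rather than the reflow the rest of the hunk performs, and the commit subject `hell` gives no rationale; if the intent is that the user interrupts `dhcpd` once the racoon exploit has run, say which event "starts" refers to, otherwise restore "exits". The remaining changes in the hunk (wrapping the `tools include:` bullets and the struck-through paragraph to 80 columns) are whitespace-only.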