From 7caa231e0b0fa607080586725fbbc9628a1cc031 Mon Sep 17 00:00:00 2001
From: spv
Date: Wed, 20 Apr 2022 14:10:27 -0400
Subject: hello and welcome back to hell

---
 tools/build.sh | 8 ++++
 tools/ent.xml | 15 ++++++
 tools/envdump.c | 17 +++++++
 tools/envrun.c | 25 ++++++++++
 tools/fuck_aslr.c | 114 +++++++++++++++++++++++++++++++++++++++++++++
 tools/fuck_aslr2.c | 86 ++++++++++++++++++++++++++++++++++
 tools/fuck_ptr.c | 60 ++++++++++++++++++++++++
 tools/jit_all_the_things.c | 11 +++++
 tools/jsc_fun | Bin 0 -> 51824 bytes
 tools/lol.js | 15 ++++++
 tools/test.c | 61 ++++++++++++++++++++++++
 11 files changed, 412 insertions(+)
 create mode 100755 tools/build.sh
 create mode 100755 tools/ent.xml
 create mode 100644 tools/envdump.c
 create mode 100644 tools/envrun.c
 create mode 100755 tools/fuck_aslr.c
 create mode 100644 tools/fuck_aslr2.c
 create mode 100755 tools/fuck_ptr.c
 create mode 100755 tools/jit_all_the_things.c
 create mode 100755 tools/jsc_fun
 create mode 100644 tools/lol.js
 create mode 100755 tools/test.c
(limited to 'tools')

diff --git a/tools/build.sh b/tools/build.sh
new file mode 100755
index 0000000..5baab83
--- /dev/null
+++ b/tools/build.sh
@@ -0,0 +1,8 @@
+mkdir bin
+xcrun -sdk iphoneos clang -arch armv7 fuck_aslr.c -o bin/fuck_aslr; ldid -Sent.xml bin/fuck_aslr; cat bin/fuck_aslr | ssh root@localhost -p 2222 "rm fuck_aslr; cat > fuck_aslr; chmod +x fuck_aslr"
+xcrun -sdk iphoneos clang -arch armv7 fuck_aslr2.c -o bin/fuck_aslr2; ldid -Sent.xml bin/fuck_aslr2; cat bin/fuck_aslr2 | ssh root@localhost -p 2222 "rm fuck_aslr2; cat > fuck_aslr2; chmod +x fuck_aslr2"
+xcrun -sdk iphoneos clang -arch armv7 fuck_ptr.c -o bin/fuck_ptr; ldid -S bin/fuck_ptr; cat bin/fuck_ptr | ssh root@localhost -p 2222 "rm fuck_ptr; cat > fuck_ptr; chmod +x fuck_ptr"
+xcrun -sdk iphoneos clang -arch armv7 jit_all_the_things.c -o bin/jit_all_the_things; ldid -S bin/jit_all_the_things; cat bin/jit_all_the_things | ssh root@localhost -p 2222 "rm jit_all_the_things; cat > jit_all_the_things; chmod +x jit_all_the_things"
+xcrun -sdk iphoneos clang -arch armv7 jsc_fun.c -framework JavaScriptCore -o bin/jsc_fun; ldid -S bin/jsc_fun; cat bin/jsc_fun | ssh root@localhost -p 2222 "rm jsc_fun; cat > jsc_fun; chmod +x jsc_fun"
+
+scp -P 2222 lol.js root@localhost:/var/root/lol.js
\ No newline at end of file
diff --git a/tools/ent.xml b/tools/ent.xml
new file mode 100755
index 0000000..35801e8
--- /dev/null
+++ b/tools/ent.xml
@@ -0,0 +1,15 @@
+
+
+
+ platform-application
+ com.apple.private.security.no-container
+ com.apple.system-task-ports
+ task_for_pid-allow
+ get-task-allow
+
+
\ No newline at end of file
diff --git a/tools/envdump.c b/tools/envdump.c
new file mode 100644
index 0000000..4536d00
--- /dev/null
+++ b/tools/envdump.c
@@ -0,0 +1,17 @@
+#include
+#include
+
+int main(int argc, char* argv[], char* envp[]) {
+ char** environ_ = envp;
+
+ FILE* fp = fopen("/tmp/envdump.txt", "w");
+
+ while (*environ_) {
+ fprintf(fp, "%s\n", *environ_);
+ environ_++;
+ }
+
+ fclose(fp);
+
+ return 0;
+}
\ No newline at end of file
diff --git a/tools/envrun.c b/tools/envrun.c
new file mode 100644
index 0000000..bc5dd08
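Review bot: Every step on the five `xcrun` lines is chained with `;`, so when the compile or the `ldid` signing step fails the pipeline still runs `rm fuck_aslr; cat > fuck_aslr` on the remote host and replaces the previously working binary with an empty file. Put `set -e` at the top (or join the steps with `&&`) so a failed build stops before the deploy step, and use `mkdir -p bin` so a second run does not abort on the existing directory. The `jsc_fun.c` referenced on the fifth `xcrun` line is not part of this commit — only the prebuilt `tools/jsc_fun` binary is — so that line cannot be reproduced from the checked-in sources.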
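Review bot: `fopen("/tmp/envdump.txt", "w")` in `main` is never checked, so a failed open dereferences a NULL `FILE *` in `fprintf` on the first loop iteration. The file also receives the caller's complete environment, which routinely carries credentials and tokens, at a fixed, predictable path in `/tmp`; guard the open with `if (!fp) { perror("fopen"); return 1; }` and create the file with a restrictive mode, e.g. `open(..., O_WRONLY | O_CREAT | O_EXCL, 0600)` followed by `fdopen`, rather than a world-readable default. The `#include` targets in this and the following C files appear to have been stripped by the rendering (the angle-bracketed names are missing), so their absence is not raised as a defect here.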
--- /dev/null
+++ b/tools/envrun.c
@@ -0,0 +1,25 @@
+#include
+#include
+
+int main(int argc, char* argv[]) {
+ char* argv_[] = {
+ "/bin/sh",
+ NULL
+ };
+
+ char* envp_[] = {
+ "SHELL=/bin/sh",
+ "USER=mobile",
+ "HOME=/var/mobile",
+ "XPC_FLAGS=0x0",
+ "XPC_SERVICE_NAME=0",
+ "LOGNAME=mobile",
+ "PATH=/usr/bin:/bin:/usr/sbin:/sbin",
+ "__CF_USER_TEXT_ENCODING=0x1F5:0:0",
+ NULL
+ };
+
+ execle("/bin/sh", "/bin/sh", NULL, envp_);
+
+ return 0;
+}
\ No newline at end of file
diff --git a/tools/fuck_aslr.c b/tools/fuck_aslr.c
new file mode 100755
index 0000000..c8e9714
--- /dev/null
+++ b/tools/fuck_aslr.c
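Review bot: The `execle` return value in `main` is ignored, so when `/bin/sh` cannot be executed the program falls through to `return 0` and reports success. Since `execle` only returns on failure, replace the last two statements with `execle("/bin/sh", "/bin/sh", NULL, envp_); perror("execle"); return 1;`. `argv_` is declared but never used (the argument vector is passed as literals); either drop it or pass it through `execve("/bin/sh", argv_, envp_)` so the argument list is defined in one place.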
@@ -0,0 +1,114 @@
+/*
+ * fuck_aslr
+ */
+
+#include
+#include
+
+task_t tfp0;
+#define LC_SIZE 0x0000000f
+
+uint8_t lol[] = {
+ 0x40, 0xf2, 0x69, 0x00
+};
+
+mach_port_t get_kernel_task_port() {
+ mach_port_t kernel_task;
+ kern_return_t kr;
+ if ((kr = task_for_pid(mach_task_self(), 0, &kernel_task)) != KERN_SUCCESS) {
+ return -1;
+ }
+ return kernel_task;
+}
+
+uint32_t do_kernel_read(uint32_t addr) {
+ size_t size = 4;
+ uint32_t data = 0;
+
+ kern_return_t kr = vm_read_overwrite(get_kernel_task_port(),(vm_address_t)addr,size,(vm_address_t)&data,&size);
+ if (kr != KERN_SUCCESS) {
+ printf("[!] Read failed. %s\n",mach_error_string(kr));
+ return -1;
+ }
+ return data;
+}
+
+void do_kernel_write(uint32_t addr, uint32_t data) {
+ kern_return_t kr = vm_write(get_kernel_task_port(),(vm_address_t)addr,(vm_address_t)&data,sizeof(data));
+
+ if (kr != KERN_SUCCESS) {
+ printf("Error writing!\n");
+ return;
+ }
+}
+
+uint32_t get_kernel_slide() {
+ uint32_t slide;
+ uint32_t base = 0x80001000;
+ uint32_t slid_base;
+
+ for (int slide_byte = 256; slide_byte >= 1; slide_byte--) {
+ slide = 0x01000000 + 0x00200000 * slide_byte;
+ slid_base = base + slide;
+
+ if (do_kernel_read(slid_base) == 0xfeedface) {
+ if (do_kernel_read(slid_base + 0x10) == LC_SIZE) {
+ return slide;
+ }
+ }
+ }
+ return -1;
+}
+
+int main(int argc, char* argv[]) {
+ printf("[*] fuck aslr\n");
+ task_for_pid(mach_task_self(), 0, &tfp0);
+ uint8_t lol_slide;
+ /*
+ * LAB_8029c06e XREF[1]: 8029c04e(j)
+ * 8029c06e 4c a8 add r0,sp,#0x130
+ * 8029c070 04 21 movs r1,#0x4
+ * 8029c072 15 f6 d5 bl _read_random void _read_random(void * buf
+ * fb
+ * 8029c076 c4 f1 14 rsb.w r0,r4,#0x14
+ * 00
+ * 8029c07a 01 21 movs r1,#0x1
+ * 8029c07c 01 fa 00 lsl.w r8,r1,r0
+ * f8
+ * 8029c080 4c 98 ldr r0,[sp,#local_190]
+ * 8029c082 4f ea e8 asr.w r11,r8, asr #0x1f
+ * 7b
+ * 8029c086 00 21 movs r1,#0x0
+ * 8029c088 20 f0 00 bic r0,r0,#0x80000000
+ * 40
+ * 8029c08c 42 46 mov r2,r8
+ * 8029c08e 5b 46 mov r3,r11
+ * 8029c090 f7 f0 b6 bl FUN_80393200 undefined FUN_80393200()
+ * f8
+ * 8029c094 82 46 mov r10,r0
+ * 8029c096 0e 46 mov r6,r1
+ * 8029c098 2c 46 mov r4,r5
+ * 8029c09a 00 2d cmp r5,#0x0
+ * 8029c09c 01 d0 beq LAB_8029c0a2
+ * 8029c09e e5 6a ldr r5,[r4,#0x2c]
+ * 8029c0a0 00 e0 b LAB_8029c0a4
+
+ */
+ uint32_t patch_addy = 0x8029c088; // iPad2,1 9.3.5
+ if (argc < 2) {
+ lol_slide = 0x0;
+ } else {
+ lol_slide = strtoul(argv[1], NULL, 16);
+ }
+ if (argc != 3) {
+ lol[2] = lol_slide;
+ printf("[*] vm_write returned %d\n", vm_write(tfp0, patch_addy + get_kernel_slide(), (vm_address_t)lol, sizeof(lol)));
+ } else {
+ lol[0] = 0x20;
+ lol[1] = 0xf0;
+ lol[2] = 0x00;
+ lol[3] = 0x40;
+ printf("[*] vm_write returned %d\n", vm_write(tfp0, patch_addy + get_kernel_slide(), (vm_address_t)lol, sizeof(lol)));
+ }
+ return 0;
+}
\ No newline at end of file
diff --git a/tools/fuck_aslr2.c b/tools/fuck_aslr2.c
new file mode 100644
index 0000000..9181bcc
--- /dev/null
+++ b/tools/fuck_aslr2.c
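Review bot: `get_kernel_slide` returns `(uint32_t)-1` when no matching header is found, and both branches of the `argc != 3` test in `main` add that value to `patch_addy` and issue the `vm_write` anyway, so a failed probe becomes a write at an unrelated address; the `task_for_pid` call at the top of `main` is likewise unchecked, leaving `tfp0` unverified. Resolve the slide once and bail out on failure, `uint32_t slide = get_kernel_slide(); if (slide == (uint32_t)-1) { fprintf(stderr, "slide not found\n"); return 1; }`, and check the `task_for_pid` return the same way. `lol_slide` is a `uint8_t`, so the `strtoul` result is silently truncated to its low byte — either document that only one byte is intended or widen it and range-check. `do_kernel_read` calls `get_kernel_task_port()` on every read and never deallocates the send right each `task_for_pid` returns, and `do_kernel_read`'s `-1` failure value is indistinguishable from data `0xffffffff`; these helpers are duplicated verbatim in `tools/fuck_aslr2.c`, where the same points apply.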
@@ -0,0 +1,86 @@
+/*
+ * fuck_aslr
+ */
+
+#include
+#include
+
+task_t tfp0;
+#define LC_SIZE 0x0000000f
+
+uint8_t lol[] = {
+ 0x40, 0xf2, 0x69, 0x00
+};
+
+mach_port_t get_kernel_task_port() {
+ mach_port_t kernel_task;
+ kern_return_t kr;
+ if ((kr = task_for_pid(mach_task_self(), 0, &kernel_task)) != KERN_SUCCESS) {
+ return -1;
+ }
+ return kernel_task;
+}
+
+uint32_t do_kernel_read(uint32_t addr) {
+ size_t size = 4;
+ uint32_t data = 0;
+
+ kern_return_t kr = vm_read_overwrite(get_kernel_task_port(),(vm_address_t)addr,size,(vm_address_t)&data,&size);
+ if (kr != KERN_SUCCESS) {
+ printf("[!] Read failed. %s\n",mach_error_string(kr));
+ return -1;
+ }
+ return data;
+}
+
+void do_kernel_write(uint32_t addr, uint32_t data) {
+ kern_return_t kr = vm_write(get_kernel_task_port(),(vm_address_t)addr,(vm_address_t)&data,sizeof(data));
+
+ if (kr != KERN_SUCCESS) {
+ printf("Error writing!\n");
+ return;
+ }
+}
+
+uint32_t get_kernel_slide() {
+ uint32_t slide;
+ uint32_t base = 0x80001000;
+ uint32_t slid_base;
+
+ for (int slide_byte = 256; slide_byte >= 1; slide_byte--) {
+ slide = 0x01000000 + 0x00200000 * slide_byte;
+ slid_base = base + slide;
+
+ if (do_kernel_read(slid_base) == 0xfeedface) {
+ if (do_kernel_read(slid_base + 0x10) == LC_SIZE) {
+ return slide;
+ }
+ }
+ }
+ return -1;
+}
+
+int main(int argc, char* argv[]) {
+ vm_size_t segment = 0x800;
+ uint32_t lol = get_kernel_slide();
+ task_t tfp0 = get_kernel_task_port();
+ uint32_t len = 32 * 1024 * 1024;
+ uint8_t* kdata = (uint8_t*)malloc(len);
+ for (int i = 0; i < len / segment; i++) {
+ /*
+ * DUMP DUMP DUMP
+ */
+
+ vm_read_overwrite(tfp0,
+ 0x80001000 + lol + (i * segment),
+ segment,
+ (vm_address_t)kdata + (i * segment),
+ &segment);
+ }
+
+ FILE* fp = fopen("dump.bin", "wb");
+ fwrite(kdata, 1, len, fp);
+ fclose(fp);
+
+ return 0;
+}
\ No newline at end of file
diff --git a/tools/fuck_ptr.c b/tools/fuck_ptr.c
new file mode 100755
index 0000000..25eab56
--- /dev/null
+++ b/tools/fuck_ptr.c
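Review bot: In `main`, `segment` is passed both as the requested size and as the `&segment` out-parameter of `vm_read_overwrite`, so a short or failed read shrinks the stride for every later iteration and for the `len / segment` loop bound, while the return code is discarded and `fwrite` then emits whatever `malloc` left in the unfilled parts of `kdata`. Use a separate out variable, `vm_size_t got = 0;` and `&got`, check the result against `KERN_SUCCESS`, and allocate with `calloc(len, 1)` so unread regions are zero rather than stale heap contents. `malloc` and `fopen("dump.bin", "wb")` are also unchecked, and the locals `lol` and `tfp0` shadow the file-scope `lol[]` and `tfp0`, which is easy to misread given that `do_kernel_read` still obtains its own port via `get_kernel_task_port()` on every call.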
@@ -0,0 +1,60 @@
+#include
+#include
+#include
+
+#include
+
+#include
+
+int lol;
+
+int main(void) {
+// printf("[*] aslr better be a cripple now: &lol = %p, malloc(...) = %p\n", &lol, malloc(0x4));
+// printf("[*] lol2=0x%08x\n", *(uint32_t*)0x800000);
+ task_t kek = mach_task_self();
+ uint8_t* page = malloc(0x1000);
+
+ for (int i = 0; i < _dyld_image_count(); i++) {
+ printf("%s: 0x%x (slid 0x%x)\n", _dyld_get_image_name(i), _dyld_get_image_header(i), _dyld_get_image_vmaddr_slide(i));
+ }
+
+ printf("begin\n");
+ fflush(stdout);
+
+ printf("%p\n", dlopen("/System/Library/Frameworks/JavaScriptCore.framework/JavaScriptCore", RTLD_GLOBAL));
+
+ printf("RTLD_LAZY=%d RTLD_NOW=%d RTLD_GLOBAL=%d RTLD_LOCAL=%d RTLD_NODELETE=%d RTLD_NOLOAD%d\n", RTLD_LAZY, RTLD_NOW, RTLD_GLOBAL, RTLD_LOCAL, RTLD_NODELETE, RTLD_NOLOAD);
+
+#if 0
+ for (int i = 0xb4000; i < 0xb5000; i += 4) {
+// uint32_t* lol = (uint32_t*)(0x1fe6a58c + (i << 12));
+ uint32_t lol = *(uint32_t*)i;
+ if (lol >= 0x1fe00000 && lol <= 0x1ff00000) {
+ printf("0x%08x 0x%08x\n", i, lol);
+ }
+ (void)fflush(__stdoutp);
+ }
+
+
+ if (*lol == 0xb5f0) break;
+ }
+#endif
+
+ printf("success\n");
+ /*
+ size_t size;
+ for (uint32_t pagen = 0x0; pagen < (0xffffffff >> 12); pagen++) {
+
+ if (pagen % ((0xffffffff >> 12) / 100) == 0) {
+ //printf("%d\n", pagen / ((0xffffffff >> 12) / 100));
+ }
+
+ uint32_t page_start = pagen << 12;
+ if (vm_read_overwrite(kek, page_start, 0x1000, (vm_address_t)page, &size))
+ continue; // page isn't allocated
+
+// printf("0x%08x\n", page_start);
+ }
+ */
+ return 0;
+}
diff --git a/tools/jit_all_the_things.c b/tools/jit_all_the_things.c
new file mode 100755
index 0000000..d955ea1
--- /dev/null
+++ b/tools/jit_all_the_things.c
@@ -0,0 +1,11 @@
+#include
+#include
+
+#define PT_TRACE_ME 0
+int ptrace(int, pid_t, caddr_t, int);
+int main(int argc, char* argv[]) {
+ ptrace(PT_TRACE_ME, 0, NULL, 0);
+ exit(0);
+
+ return 0;
+}
\ No newline at end of file
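Review bot: The `printf` inside the `_dyld_image_count` loop in `main` passes the pointer returned by `_dyld_get_image_header` and the `intptr_t` returned by `_dyld_get_image_vmaddr_slide` to `%x`, which is undefined behaviour and prints truncated values on a 64-bit build; use `"%s: %p (slid 0x%" PRIxPTR ")\n"` with the slide cast to `(uintptr_t)`. The format string on the `RTLD_*` line is missing `=` after `RTLD_NOLOAD`, so that value runs into the label. `page` is allocated with an unchecked `malloc` and only referenced from commented-out code, and `kek` is likewise unused outside the comment; drop both or `free(page)` before `return 0`.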
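Review bot: The `ptrace(PT_TRACE_ME, 0, NULL, 0)` return value is ignored and the following `exit(0)` makes `return 0` unreachable, so the process exits successfully whether or not the call worked. `if (ptrace(PT_TRACE_ME, 0, NULL, 0) == -1) { perror("ptrace"); return 1; } return 0;` keeps the exit status meaningful for the caller in `tools/build.sh`. `argc` and `argv` are unused, so `int main(void)` would match `tools/fuck_ptr.c` in the same commit.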
diff --git a/tools/jsc_fun b/tools/jsc_fun
new file mode 100755
index 0000000..83f9b13
Binary files /dev/null and b/tools/jsc_fun differ
diff --git a/tools/lol.js b/tools/lol.js
new file mode 100644
index 0000000..b11a54d
--- /dev/null
+++ b/tools/lol.js
@@ -0,0 +1,15 @@
+`
+Bye bye, ROP...
+Now we have JavaScript code execution in racoon.
+
+From now on, all of our doings should be possible from within JSC,
+ROP should no longer be an issue.
+
+We have a pretty stable arbitrary memory r/w primitive, which I believe
+should be able to facilitate creation of an arbitrary call primitive,
+at which point ROP is basically *actually* done for.
+
+ with love from spv. <3
+`
+
+//write_u32(0x41414141, 0x42424242);
\ No newline at end of file
diff --git a/tools/test.c b/tools/test.c
new file mode 100755
index 0000000..6682971
--- /dev/null
+++ b/tools/test.c
@@ -0,0 +1,61 @@
+#include
+#include
+#include
+
+#include
+
+#define LC_DEFAULT_CF SYSCONFDIR "/racoon.conf"
+
+typedef char vchar_t;
+
+#define LC_PATHTYPE_INCLUDE 0
+#define LC_PATHTYPE_PSK 1
+#define LC_PATHTYPE_CERT 2
+#define LC_PATHTYPE_BACKUPSA 3
+#define LC_PATHTYPE_SCRIPT 4
+#define LC_PATHTYPE_PIDFILE 5
+#define LC_PATHTYPE_LOGFILE 6
+#define LC_PATHTYPE_MAX 7
+
+#define LC_DEFAULT_PAD_MAXSIZE 20
+#define LC_DEFAULT_PAD_RANDOM TRUE
+#define LC_DEFAULT_PAD_RANDOMLEN FALSE
+#define LC_DEFAULT_PAD_STRICT FALSE
+#define LC_DEFAULT_PAD_EXCLTAIL TRUE
+#define LC_DEFAULT_RETRY_COUNTER 5
+#define LC_DEFAULT_RETRY_INTERVAL 10
+#define LC_DEFAULT_COUNT_PERSEND 1
+#define LC_DEFAULT_RETRY_CHECKPH1 30
+#define LC_DEFAULT_WAIT_PH2COMPLETE 30
+#define LC_DEFAULT_NATT_KA_INTERVAL 20
+
+#define LC_DEFAULT_SECRETSIZE 16 /* 128 bits */
+
+#define LC_IDENTTYPE_MAX 5 /* XXX */
+
+#define LC_GSSENC_UTF16LE 0 /* GSS ID in UTF-16LE */
+#define LC_GSSENC_LATIN1 1 /* GSS ID in ISO-Latin-1 */
+#define LC_GSSENC_MAX 2
+
+#define LC_AUTOEXITSTATE_SET 0x00000001
+#define LC_AUTOEXITSTATE_CLIENT 0x00000010
+#define LC_AUTOEXITSTATE_ENABLED 0x00000011 /* both VPN client and set */
+
+struct a {
+ char *logfile_param; /* from command line */
+ char *pathinfo[LC_PATHTYPE_MAX];
+ vchar_t *ident[LC_IDENTTYPE_MAX]; /* base of Identifier payload. */
+
+ int pad_random;
+ int pad_randomlen;
+ int pad_maxsize;
+ int pad_strict;
+ int pad_excltail;
+};
+
+int main() {
+ int* a = malloc(0x100);
+ *a = 0x1;
+ printf("%x", *(int*)a + 0xa4);
+ printf("%x\n", sizeof(struct a));
+}
\ No newline at end of file
-- 
cgit v1.2.3
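Review bot: `printf("%x\n", sizeof(struct a))` in `main` passes a `size_t` to `%x`, which is undefined behaviour; use `%zx` (or `%zu`). The preceding `printf("%x", *(int*)a + 0xa4)` casts `a` to the type it already has and, by precedence, adds `0xa4` to the stored value `1`, so it prints `a5` — if a read at offset `0xa4` was the intent it would have to be `*(int*)((char*)a + 0xa4)`, and either way a one-line comment stating which is meant would save the next reader the guess. `malloc(0x100)` is unchecked, `LC_DEFAULT_CF` expands an undefined `SYSCONFDIR` (harmless only because the macro is never used), and `int main()` ends without a `return`, which C99 permits but differs from the sibling tools in this commit.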