# p0laris untether
*this is a work-in-progress.*
gets ROP in racoon, then gets JS code exec with RWC primitives (arbitrary r/w,
plus a call primitive that currently supports up to 26 args), then loads in
another JS file & execs it
current offsets are included for `iPhone4,1` on `9.3.6 (13G37)` & `iPod5,1` on
`9.3.5 (13G36)`. it may work on other devices and/or firmwares, but that's
unlikely. (besides maybe `9.3.5 (13G36)` on `iPhone4,1`?)
clarification: the actual racoon exploit should work on any device/firmware with
the same ipsec-tools version (and maybe build :P), but the JSC call portion is
currently specific to one dyld_shared_cache, which is usually device & build
unique. the underlying bug should work on any firmware before ~ iOS 12. my
exploit is 32-bit only prolly, at least practically, due to less ASLR slides.
the exploit to get arbitrary mem write should work on < iOS 12 as well (i
think), but the ROP chain's gadget addresses are currently hardcoded to one
build.
inside the `boot-args` nvram variable, `p0laris_options` is a variable you can
set that is JSON deserialized & used as an object in `stage3` and `stage4`.
keep `p0laris_options` as the last boot-arg, or it will be parsed incorrectly.
example:
`debug=0x1 -v p0laris_options='{"sleep_spin":true}'`
don't do:
`p0laris_options='{"sleep_spin":true}' debug=0x1 -v`
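As an added example (not p0laris project code), the following shows why the ordering rule above matters and how a stage could parse the option more robustly. It assumes, as a guess at the current behaviour, that the untether reads everything after `p0laris_options=` up to the end of `boot-args` as the JSON value, which would explain why the option has to come last; the quote-aware tokenizer and the key/type allowlist beside it are additions showing what a stage that consumes an attacker-influenceable nvram variable should do before using the result as an object. `sleep_spin` is the only key the README documents, so it is the only key the allowlist accepts.

```javascript
// Added example, not part of the p0laris untether. Three pieces:
//  1. naiveOptions: "rest of string" read, assumed to model the current parser
//  2. robustOptions: quote-aware tokenizer, works wherever the option sits
//  3. validateOptions: allowlist of known keys + types before the object is used

const OPTION_KEY = "p0laris_options";

// Assumed current behaviour: take everything after the key to end of string.
// Breaks as soon as any other boot-arg follows the option.
function naiveOptions(bootArgs) {
  const marker = OPTION_KEY + "=";
  const idx = bootArgs.indexOf(marker);
  if (idx < 0) return null;
  let raw = bootArgs.slice(idx + marker.length);
  // strip one layer of surrounding single quotes, if present
  if (raw.startsWith("'") && raw.endsWith("'")) raw = raw.slice(1, -1);
  try {
    return JSON.parse(raw);
  } catch (e) {
    return null; // trailing args were glued onto the JSON, or it was malformed
  }
}

// Split a boot-args string on whitespace while keeping quoted runs intact.
function tokenizeBootArgs(bootArgs) {
  const tokens = [];
  let cur = "";
  let quote = null;
  for (const ch of bootArgs) {
    if (quote) {
      if (ch === quote) quote = null;
      else cur += ch;
    } else if (ch === "'" || ch === '"') {
      quote = ch;
    } else if (/\s/.test(ch)) {
      if (cur) { tokens.push(cur); cur = ""; }
    } else {
      cur += ch;
    }
  }
  if (cur) tokens.push(cur);
  return tokens;
}

// Position-independent parse of the option; null if absent or not valid JSON.
function robustOptions(bootArgs) {
  for (const tok of tokenizeBootArgs(bootArgs)) {
    const eq = tok.indexOf("=");
    if (eq < 0 || tok.slice(0, eq) !== OPTION_KEY) continue;
    try {
      return JSON.parse(tok.slice(eq + 1));
    } catch (e) {
      return null;
    }
  }
  return null;
}

// Only keys the README documents, with the type each must have.
const KNOWN_OPTIONS = { sleep_spin: "boolean" };

// Reject anything that is not a plain object, any unknown key, and any value of
// the wrong type, so a mangled or hostile nvram value never reaches the stage.
function validateOptions(obj) {
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) return null;
  const out = {};
  for (const [k, v] of Object.entries(obj)) {
    if (!Object.prototype.hasOwnProperty.call(KNOWN_OPTIONS, k)) return null;
    if (typeof v !== KNOWN_OPTIONS[k]) return null;
    out[k] = v;
  }
  return out;
}

// Constructed sample boot-args, taken from the README's good and bad orderings.
const GOOD_ORDER = "debug=0x1 -v p0laris_options='{\"sleep_spin\":true}'";
const BAD_ORDER = "p0laris_options='{\"sleep_spin\":true}' debug=0x1 -v";

if (typeof require !== "undefined" && require.main === module) {
  console.log("naive, good order :", naiveOptions(GOOD_ORDER));
  console.log("naive, bad order  :", naiveOptions(BAD_ORDER));
  console.log("robust, bad order :", validateOptions(robustOptions(BAD_ORDER)));
}
```

The naive reader returns `null` for the second ordering because `debug=0x1 -v` gets appended to the JSON text, while the tokenizer-based reader accepts both. Whichever parser is used, passing the result through `validateOptions` before `stage3`/`stage4` touch it means a typo'd or unexpected key fails closed instead of silently steering the untether.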
### current install steps
- procure an `iPhone4,1` on `9.3.6 (13G37)`
- jailbreak with p0laris (or Phoenix if you're old fashioned)
- install GCC, git, etc
- `git clone https://github.com/p0larisdev/untether.git`
- `cd untether`
- `./build_native.sh`
- `./install_native.sh`
- `/usr/libexec/dhcpd -q -cf old_exp.conf` <- run the racoon exploit once
- or instead `/usr/libexec/dhcpd -q -cf exploit.conf` <- run the racoon exploit
forever, ctrl+c when it starts
tools include:
- `fuck_aslr` *should* fix the ASLR slide for all new processes on the kernel
level, offsets are for `iPhone4,1` `9.3.6 (13G37)` atm
- `jsc_fun` was a tool to test JavaScriptCore arb r/w prims, source got deleted
tho, i'll prolly rewrite it sometime
- `shit` includes mostly thread-based call prim testing code
- `shc/` contains WIP C shellcode compilation
- and prolly more
~~current need is just to get a better call primitive, from what i can tell the
phoenix bugs can't be exploited with only 4 args to functions. not sure how to
get that better primitive working tho, so we'll see. :P~~ nevermind lol, 26 (and
maybe more) should be enough, kek
greetz to @tihmstar for help with 935csbypass