Dino Dai Zovi ddz

@ddz
ddz / Lambda.java
Created March 21, 2023 16:52
PWN2OWN 2007 Winning Exploit (QTJava on MacOS and Windows when iTunes is installed)
/*
* Lambda
*
* QTJava, a Java extension made available to Java applets, has some
* parameter validation problems when calling native memory copying
* methods. This allows us to read and write out of the bounds of our
* heap allocated QTObject. With some tricks, we are able to turn
* this into a write4 primitive allowing us to write arbitrary values
* to chosen locations. Insert the shellcode in a writable and
* executable page, spam the stack with that address, and owned.
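As an added illustration, not the gist's own exploit code: the C program below simulates the bug class the comment describes (a native copy routine that never checks offset and length against the object's size) and shows the "trick" of turning an out-of-bounds write into a write4 primitive, by overwriting the data pointer of an adjacent object and then doing an ordinary in-bounds write through that object. The hardened copy beside it is the check that stops step 1. The object layout, the fixed arena, and every function name here are assumptions made for the demonstration; QTJava's real internals are not on this page, and on a real heap the adjacency would have to be groomed rather than forced.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Simulated native object: a backing buffer plus its size. Stands in for
 * the heap-allocated QTObject in the comment above (assumed layout). */
typedef struct {
    uint8_t *data;
    size_t   size;
} NativeObj;

/* Two objects laid out back to back so the overflow target is deterministic.
 * buf_a is 16 bytes, so obj_b (8-byte aligned) starts right after it. */
typedef struct {
    uint8_t   buf_a[16];  /* backing store of obj_a */
    NativeObj obj_b;      /* obj_b's header follows immediately */
    uint8_t   buf_b[16];  /* backing store of obj_b */
} Arena;

/* The bug class from the gist: nothing validates offset + len against size. */
static void copy_unchecked(NativeObj *o, size_t off, const void *src, size_t len)
{
    memcpy(o->data + off, src, len);
}

/* Hardened version: reject before forming the destination pointer, phrased
 * so that off + len cannot wrap around size_t. */
int copy_checked(NativeObj *o, size_t off, const void *src, size_t len)
{
    if (off > o->size || len > o->size - off)
        return -1;
    memcpy(o->data + off, src, len);
    return 0;
}

/* Step 1: overflow obj_a's buffer into obj_b's data pointer so it points at
 * the chosen target. Step 2: a normal write through obj_b now lands on the
 * target. Returns what ended up in target so the effect can be checked. */
uint32_t demo_write4(uint32_t value)
{
    Arena arena;
    uint32_t target = 0;   /* stands in for a saved return address or function pointer */
    memset(&arena, 0, sizeof arena);

    NativeObj obj_a = { arena.buf_a, sizeof arena.buf_a };
    arena.obj_b.data = arena.buf_b;
    arena.obj_b.size = sizeof arena.buf_b;

    /* Step 1: out-of-bounds write that replaces obj_b.data with &target */
    uint8_t *tgt = (uint8_t *)&target;
    copy_unchecked(&obj_a, offsetof(Arena, obj_b) + offsetof(NativeObj, data),
                   &tgt, sizeof tgt);

    /* Step 2: the write4 itself, through the hijacked object */
    copy_unchecked(&arena.obj_b, 0, &value, sizeof value);
    return target;
}

/* The same first step against the checked copy is refused (16 + 8 > 16). */
int demo_checked_rejects(void)
{
    uint8_t buf[16];
    NativeObj o = { buf, sizeof buf };
    uint8_t junk[8] = {0};
    return copy_checked(&o, 16, junk, sizeof junk);
}

/* An in-bounds copy is still accepted (12 + 4 == 16). */
int demo_checked_accepts(void)
{
    uint8_t buf[16];
    NativeObj o = { buf, sizeof buf };
    uint8_t bytes[4] = {1, 2, 3, 4};
    return copy_checked(&o, 12, bytes, sizeof bytes);
}

int main(void)
{
    printf("target after write4 = 0x%08x\n", (unsigned)demo_write4(0x41424344u));
    printf("checked copy, OOB: %d  in-bounds: %d\n",
           demo_checked_rejects(), demo_checked_accepts());
    return 0;
}
```

The comparison in copy_checked is written as `len > size - off` rather than `off + len > size` on purpose: the latter overflows for large attacker-controlled values and lets the copy through, which is the same class of validation mistake the gist exploits.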
@ddz
ddz / ios_lockdown_diag_services.md
Last active May 12, 2023 15:14
iOS Lockdown Diagnostic Services

TL;DR

  • Pairing an iOS device to a host (a computer running iTunes) requires connecting the unlocked iOS device to that host over USB, and gives the host significant access to data on the device
  • Once paired, that host (or any other host that has obtained a copy of its pairing record) can retrieve large amounts of personal user data from the iOS device over USB and Wi-Fi through the com.apple.mobile.file_relay and com.apple.mobile.house_arrest lockdown services
  • These services will not return user data files that are encrypted and locked by iOS Data Protection, but the files returned by file_relay are not protected by iOS Data Protection, and they include significant amounts of personal user data that would otherwise be encrypted in an iTunes backup when "Encrypt Backup" is enabled
  • The com.apple.mobile.file_relay service is not used or referenced by any public Apple software so its intended client software is unknown outside of Apple
  • Apple released a [Knowledge Base article](https://support.apple.co