Status: Fixed
Closed: Jul 30
Many iOS/MacOS sandbox escapes/privescs due to unexpected shared memory-backed xpc_data objects
Project Member Reported by ianbeer@google.com, Apr 30
When XPC serializes large xpc_data objects it creates mach memory entry ports
to represent the memory region then transfers that region to the receiving process
by sending a send right to the memory entry port in the underlying mach message.

By crafting our own xpc message (or using an interposition library, as this PoC does)
we can pass different flags to mach_make_memory_entry_64 such that the memory entry
received by the target process actually represents a region of shared memory. When the
xpc_data deserialization code maps the memory entry port, the memory region remains
mapped in the sender's address space and the sender can still modify it (with the receiver
seeing the updates).

Perhaps this is intended behaviour, but there's definitely plenty of code which doesn't expect
the contents of xpc_data objects to change.

In this PoC I target NSXPC, a high-level RPC mechanism which uses XPC for its low-level transport layer.
NSXPC is widely used across privilege boundaries.

NSXPCDecoder is implemented in Foundation. Clients send serialized NSInvocation objects
representing the methods they wish to call on the remote objects. These NSInvocations are serialized
using the NSSecureCoding method which ends up creating a bplist16 serialized byte stream.

That bplist16 buffer gets sent in an xpc message as an xpc_data object.

NSXPCDecoder wraps the bplist16 deserialization and, for selectors such as decodeCStringForKey:,
if the key is present, the value returned will be a pointer directly into the
xpc_data object in which it was received.

By crafting our own memory entry object this means the pointers returned by decodeCStringForKey:
actually point into shared memory which can still be modified by the caller.

This can be turned directly into controlled memory corruption by targeting the serialized method
type signature (key 'ty'), which is parsed by [NSMethodSignature signatureWithObjCTypes].

This method is implemented in CoreFoundation. If the method signature string isn't in a cache of
parsed signatures then the string is passed to __NSMS1. This function calls __NSGetSizeAndAlignment
to determine the size of a buffer required to parse the signature string which __NSMS1 then allocates
using calloc before parsing the signature string into the allocated buffer. If we change the
types represented by the signature string (which is in shared memory) between these two calls
we can cause the parsing code to write out of bounds as it assumes that the length computed by
__NSGetSizeAndAlignment is correct.

The most direct path to trigger controlled memory corruption is to use a type signature like this:
  @"ABCD"

That will cause 7 bytes of buffer space to be allocated for the parsed signature
(which will just contain a copy of the string.)

If we increase the length of the string in shared memory eg to:
  @"ABCDOVERFLOW_OVERFLOW_OVERFLOW"

then __NSMS1 will copy the extra bytes up until it encounters a '"' character.

This PoC targets the airportd daemon which runs as root but should work for any NSXPC service.
This is a race condition, so you may have to run the PoC multiple times (./run.sh) and also use
libgmalloc to see the corruption directly rather than its effects.

Attachment: xpc_data_release.zip (4.7 KB)
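The measure-then-copy window described in the report, as an added example that is not part of the report and not Foundation or CoreFoundation code: a simplified parser with the same double-fetch shape beside a version that snapshots the sender's bytes once and bounds every write, with a constructed racer standing in for the sender's thread. All names (`class_name_len`, `parse_double_fetch`, `parse_snapshot`, `grow_name`, `demo`) are hypothetical; the demo clamps its writes so it never corrupts memory and only counts how many bytes the vulnerable shape would have written past its allocation.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define SHM_CAP 64   /* size of the constructed "shared" page for the samples */

/* Length of the quoted class name in an encoding like @"ABCD": the bytes
 * between the opening and closing '"'. Returns (size_t)-1 if the encoding is
 * not of that form or no closing quote exists within cap. */
static size_t class_name_len(const char *s, size_t cap) {
    if (cap < 2 || s[0] != '@' || s[1] != '"') return (size_t)-1;
    size_t i = 2;
    while (i < cap && s[i] != '"') {
        if (s[i] == '\0') return (size_t)-1;
        i++;
    }
    return i == cap ? (size_t)-1 : i - 2;
}

/* A racer rewrites the shared page while the receiver is between its passes. */
typedef void (*racer_fn)(char *shared, size_t cap);

/* Vulnerable shape: pass 1 sizes the output from `shared`, pass 2 copies from
 * `shared` AGAIN. If the name grows in between, pass 2 wants more bytes than
 * pass 1 allocated. Returns how many bytes pass 2 tried to write beyond the
 * allocation (0 = consistent). Demo-only: writes are clamped, the real code
 * had no such check. */
static size_t parse_double_fetch(char *shared, size_t cap, racer_fn racer) {
    size_t n = class_name_len(shared, cap);          /* first fetch */
    if (n == (size_t)-1) return 0;
    char *out = calloc(n + 1, 1);
    if (!out) return 0;
    if (racer) racer(shared, cap);                   /* the window the race hits */
    size_t over = 0, i = 2;
    while (i < cap && shared[i] != '"' && shared[i] != '\0') {   /* second fetch */
        if (i - 2 < n) out[i - 2] = shared[i];
        else over++;                                 /* would have been an OOB write */
        i++;
    }
    free(out);
    return over;
}

/* Hardened shape: copy the sender's bytes once into receiver-private memory,
 * size and parse only that copy, and bound every write by the allocation.
 * Writes to `shared` after the copy cannot influence the result. Returns a
 * heap string the caller frees, or NULL on malformed input. */
static char *parse_snapshot(char *shared, size_t cap, racer_fn racer) {
    char *priv = malloc(cap);
    if (!priv) return NULL;
    memcpy(priv, shared, cap);                       /* the only read of shared memory */
    if (racer) racer(shared, cap);                   /* same window, now irrelevant */
    size_t n = class_name_len(priv, cap);
    if (n == (size_t)-1) { free(priv); return NULL; }
    char *out = malloc(n + 1);
    if (out) { memcpy(out, priv + 2, n); out[n] = '\0'; }
    free(priv);
    return out;
}

/* Constructed racer: swaps the short encoding for the longer one quoted in the
 * report, exactly what a sender with a live mapping of the page could do. */
static void grow_name(char *shared, size_t cap) {
    static const char longer[] = "@\"ABCDOVERFLOW_OVERFLOW_OVERFLOW\"";
    if (sizeof longer <= cap) memcpy(shared, longer, sizeof longer);
}

/* Runs both parsers against a constructed shared page seeded with @"ABCD".
 * Returns the vulnerable path's overflow count; *safe_out receives the
 * hardened path's result (caller frees). */
static size_t demo(char **safe_out) {
    char shm[SHM_CAP];
    memset(shm, 0, sizeof shm);
    memcpy(shm, "@\"ABCD\"", 7);
    size_t over = parse_double_fetch(shm, sizeof shm, grow_name);
    memset(shm, 0, sizeof shm);                      /* reseed for the second run */
    memcpy(shm, "@\"ABCD\"", 7);
    *safe_out = parse_snapshot(shm, sizeof shm, grow_name);
    return over;
}
```

With the seed `@"ABCD"` the vulnerable path sizes for 4 name bytes and then meets 30, so it reports 26 bytes it would have written out of bounds, while the snapshot path still returns "ABCD".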
Project Member Comment 1 by ianbeer@google.com, Apr 30
Labels: Id-664375422 Reported-2017-Apr-30
Project Member Comment 2 by ianbeer@google.com, Jul 30
Labels: CVE-2017-7047 Fixed-2017-July-19
Status: Fixed
Fixed in iOS 10.3.3: https://support.apple.com/en-us/HT207923
Fixed in MacOS Sierra 10.12.6: https://support.apple.com/en-us/HT207922
Project Member Comment 3 by ianbeer@google.com, Jul 30
triple_fetch - ianbeer

This is an exploit for CVE-2017-7047, a logic error in libxpc which allowed
malicious message senders to send xpc_data objects that were backed by shared memory.
Consumers of xpc messages did not seem to expect that the backing buffers of xpc_data objects
could be modified by the sender whilst being processed by the receiver.

This project exploits CVE-2017-7047 to build a proof-of-concept remote lldb debugserver
stub capable of attaching to and allowing the remote debugging of all userspace
processes on iOS 10.0 to 10.3.2.

Please see the README in the nsxpc2pc folder in the attached archive for further discussion and details.
Attachment: triple_fetch.zip (1.0 MB)
Project Member Comment 4 by hawkes@google.com, Jul 31
Labels: -Restrict-View-Commit
For some reason it isn't working anymore. It gets stuck at "exploit running...". Tested on iOS 10.2 and 10.3.1; it used to work on both before.
Project Member Comment 6 by ianbeer@google.com, Aug 1
The exploit isn't hugely reliable: the race condition needs quite exact timing, and sometimes it just doesn't work, or it does but the heap groom fails. You should just hard reboot the device and try again. It may take a couple of attempts, but it should work. Once the debugserver is running it should be stable. If you take a look at the Xcode stdout/debugger window you can see some more status information.
Yeah, noticed that... works once in 100 times...
When it stops working it usually gets stuck at the first attempt to send the exploit message:

2017-08-02 13:37:14.242343+0200 nsxpc2pc[248:6078] starting exploit
2017-08-02 13:37:14.242499+0200 nsxpc2pc[248:6078] target service:
2017-08-02 13:37:14.242545+0200 nsxpc2pc[248:6078] com.apple.CoreAuthentication.daemon
2017-08-02 13:37:14.242584+0200 nsxpc2pc[248:6078] target selector:
2017-08-02 13:37:14.242623+0200 nsxpc2pc[248:6078] connectToExistingContext:callback:reply:
2017-08-02 13:37:14.242661+0200 nsxpc2pc[248:6078] 
exploit running...
invocation_size: 85, shm_size: 8000
mapped shm port at: 103e78000
shm_port: 6607
shm_size: 8000
started flipper thread
mapped fixed addr
flipper arg: 0x103e78040
original_q1:    0x4141227262742240
replacement_q1: 0x4141417262742240
original_q2:    0x0120204020414141
original_q3:    0x6573730022000000
replacement_q3: 0x0000000022414141
found at: 18b7d4cd4
target selector address: 18a0b0802
stack pivot: 18a284ad4
found mach_msg epilogue gadget: 18a1a711c
found mach_msg gadget: 18a1a70b0
found at: 18a0dd0b0
sent xpc w00t message
connected to com.apple.CoreAuthentication.daemon
client port: 106f03
reply port: 107003
sent exploit message

Sometimes it requires multiple restarts.
So is there any Cydia version that works with it? I mean, I can download the Cydia IPA, then after using the exploit use AppSync to stop the 7-day cert limit? Did I make myself clear?
Hard resetting my iPhone 6s (Home+Power) usually fixes the app not being able to exploit. And for u/3839894262/, this isn't a jailbreak. This isn't even a kernel exploit, I don't think.
Comment 11 Deleted
https://bugs.chromium.org/u/3839894262/

This is a vulnerability. Not a jailbreak.
Thanks:
I know it's not a jailbreak, but it's an important part of one. My suggestion is to contact Adam Donenfield, as he claims a kernel exploit in iOS 10.3.1 and promises to release it to the public this month. Contacting him and getting the kernel exploit, alongside this vulnerability, is _from my point of view_ more than enough to make a fully functioning jailbreak. Correct me if I'm wrong, and just a little help in exploiting this vulnerability on my device.
Project Member Comment 15 by ianbeer@google.com, Aug 3
The released exploit spawns a patched version of the lldb debugserver with the ability to attach to and debug any process (including those running as root) on iOS 10.0 through 10.3.2. This is the main purpose of the tool. If you aren't interested in manually debugging system processes on iOS this project probably won't be useful for you.

The included "triple_fetch_sdk" includes sample code showing how you can write your own payload to get the task port for any running userspace process (eg launchd, amfid) and read and write memory and call functions remotely. These payloads are not run outside of the sandbox, they just have the ability to get all task ports. See the README in the archive for further details.

The ability to run ps is just there to allow you to find the pid you want to attach to.
Yeah, hadn't noticed the README, but as a suggestion: jailbreak seekers out there are announcing your vulnerability as a jailbreak, so just make yourself clear to people and tell them in clear words that THIS IS NOT A JAILBREAK. Good job anyway.
u/3839894262/ (OKbab): This is a userland exploit, meaning system privileges. For a jailbreak you need a kernel exploit, because the kernel is in charge of AMFI, KPP, etc. Don't think this is the majority of what a jailbreak needs, because it is not; it's really not.
Comment 18 Deleted
You'll need an additional exploit to call tfp0, as it can only be called with root privileges. Please read here: https://www.reddit.com/r/jailbreak/comments/5kl1o1/question_can_someone_eli5_what_is_tfp0/