Many iOS/MacOS sandbox escapes/privescs due to unexpected shared memory-backed xpc_data objects
Reported by ianbeer@google.com (Project Member), Apr 30 2017
When XPC serializes large xpc_data objects it creates mach memory entry ports to represent the memory region, then transfers that region to the receiving process by sending a send right to the memory entry port in the underlying mach message. By crafting our own xpc message (or using an interposition library, as this PoC does) we can pass different flags to mach_make_memory_entry_64 such that the memory entry received by the target process actually represents a region of shared memory: when the xpc_data deserialization code maps the memory entry port, the memory region remains mapped in the sender's address space and the sender can still modify it, with the receiver seeing the updates. Perhaps this is intended behaviour, but there's definitely plenty of code which doesn't expect the contents of xpc_data objects to change.

In this PoC I target NSXPC, a high-level RPC mechanism which uses XPC for its low-level transport layer. NSXPC is widely used across privilege boundaries. NSXPCDecoder is implemented in Foundation. Clients send serialized NSInvocation objects representing the methods they wish to call on the remote objects. These NSInvocations are serialized using the NSSecureCoding method, which ends up creating a bplist16 serialized byte stream. That bplist16 buffer gets sent in an xpc message as an xpc_data object. NSXPCDecoder wraps the bplist16 deserialization and, for selectors such as decodeCStringForKey:, if the key is present the value returned will be a pointer directly into the xpc_data object in which it was received. By crafting our own memory entry object this means the pointers returned by decodeCStringForKey: actually point into shared memory which can still be modified by the caller.

This can be turned directly into controlled memory corruption by targeting the serialized method type signature (key 'ty'), which is parsed by [NSMethodSignature signatureWithObjCTypes:]. This method is implemented in CoreFoundation.
If the method signature string isn't in a cache of parsed signatures then the string is passed to __NSMS1. This function calls __NSGetSizeAndAlignment to determine the size of the buffer required to parse the signature string, which __NSMS1 then allocates using calloc before parsing the signature string into the allocated buffer. If we change the types represented by the signature string (which is in shared memory) between these two calls we can cause the parsing code to write out of bounds, as it assumes that the length computed by __NSGetSizeAndAlignment is correct.

The most direct path to trigger controlled memory corruption is to use a type signature like this:

@"ABCD"

That will cause 7 bytes of buffer space to be allocated for the parsed signature (which will just contain a copy of the string). If we increase the length of the string in shared memory, e.g. to:

@"ABCDOVERFLOW_OVERFLOW_OVERFLOW"

then __NSMS1 will copy the extra bytes up until it encounters a '"' character.

This PoC targets the airportd daemon, which runs as root, but should work for any NSXPC service. This is a race condition, so you may have to run the PoC multiple times (./run.sh), and also use libgmalloc to see the corruption directly rather than its effects.
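The defect the report describes is a classic two-pass parse over memory the sender still controls: pass 1 sizes the output, pass 2 copies until a terminator and trusts that size. The following is an added illustration, not code from the report, from Apple's frameworks or from the attached PoC: the quoted-string parser, the 64-byte stand-in for the shared region, the canary layout and the `grow_hook` callback are all constructed here. The hook is called exactly between the two passes, so the race the report says needs many attempts is deterministic in this model, and the destination is over-allocated with a canary so the overrun is measured rather than corrupting the heap. The same function is run in three modes: the vulnerable shape, a second pass bounded by the first pass's size, and a snapshot of the untrusted bytes into private memory before either pass.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not Apple's code): toy model of the two-pass parse the
 * report describes. Pass 1 measures a quoted type string and sizes a buffer
 * from that; pass 2 copies the string into it, stopping only at the closing
 * quote. If the string lives in memory the sender still maps, it can grow
 * between the passes. 'hook' stands in for the sender-side flipper thread. */

typedef void (*mutate_hook)(char *buf, size_t buflen);

enum parse_mode {
    UNBOUNDED,  /* vulnerable shape: trust the pass-1 size, copy to the closing quote */
    BOUNDED,    /* fix A: never write more bytes than pass 1 sized */
    SNAPSHOT    /* fix B: copy the untrusted bytes into private memory first */
};

struct parse_result {
    size_t sized;    /* bytes pass 1 said were needed */
    size_t written;  /* bytes pass 2 actually wrote */
    size_t overrun;  /* canary bytes clobbered past the sized region */
};

enum { CANARY_LEN = 64 };

/* Pass 1: length of the token between the quotes, or 0 if buf does not start with '"'. */
static size_t measure_quoted(const char *buf, size_t buflen) {
    size_t n = 0;
    if (buflen == 0 || buf[0] != '"') return 0;
    for (size_t i = 1; i < buflen && buf[i] != '"'; i++) n++;
    return n;
}

struct parse_result parse_signature(char *shared, size_t shared_len,
                                    mutate_hook hook, enum parse_mode mode) {
    struct parse_result r = {0, 0, 0};
    char *priv = NULL;
    const char *src = shared;

    if (mode == SNAPSHOT) {
        /* Copy once into memory the sender cannot reach, then never read 'shared' again. */
        priv = malloc(shared_len);
        memcpy(priv, shared, shared_len);
        src = priv;
    }

    r.sized = measure_quoted(src, shared_len);

    /* The destination is over-allocated by CANARY_LEN bytes of 0xAA so an overrun is
     * observable without undefined behaviour; a real parser would allocate exactly
     * r.sized (plus a terminator) and the extra bytes would land on the heap. */
    unsigned char *dst = calloc(r.sized + CANARY_LEN, 1);
    memset(dst + r.sized, 0xAA, CANARY_LEN);

    if (hook) hook(shared, shared_len);   /* sender rewrites shared memory between the passes */

    size_t limit = (mode == UNBOUNDED) ? r.sized + CANARY_LEN : r.sized;
    size_t w = 0;
    for (size_t i = 1; i < shared_len && src[i] != '"' && w < limit; i++)
        dst[w++] = (unsigned char)src[i];
    r.written = w;

    for (size_t k = 0; k < CANARY_LEN; k++)
        if (dst[r.sized + k] != 0xAA) r.overrun++;

    free(dst);
    free(priv);
    return r;
}

/* Constructed sample mirroring the report: a 4-byte signature that becomes a 30-byte one. */
static const char SHORT_SIG[] = "\"ABCD\"";
static const char LONG_SIG[]  = "\"ABCDOVERFLOW_OVERFLOW_OVERFLOW\"";

/* Stand-in for the sender's flipper thread: rewrites the shared region in place. */
static void grow_hook(char *buf, size_t buflen) {
    if (buflen >= sizeof LONG_SIG) memcpy(buf, LONG_SIG, sizeof LONG_SIG);
}

/* Runs one parse over a 64-byte constructed stand-in for the shared region. */
struct parse_result run_demo(enum parse_mode mode) {
    char shm[64];
    memset(shm, 0, sizeof shm);
    memcpy(shm, SHORT_SIG, sizeof SHORT_SIG);
    return parse_signature(shm, sizeof shm, grow_hook, mode);
}

int main(void) {
    static const char *names[] = {"unbounded", "bounded", "snapshot"};
    for (int m = UNBOUNDED; m <= SNAPSHOT; m++) {
        struct parse_result r = run_demo((enum parse_mode)m);
        printf("%-9s sized=%zu written=%zu canary bytes clobbered=%zu\n",
               names[m], r.sized, r.written, r.overrun);
    }
    return 0;
}
```

Build with `cc -std=c99 -Wall`. The unbounded mode sizes 4 bytes and writes 30, clobbering 26 canary bytes; both fixes write 4. Bounding the second pass stops the overflow but still leaves the receiver with data that no longer matches what the sender sees, so for any buffer that may be mapped by another process the snapshot is the defensible choice: copy it out once and parse only the private copy.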
Comment 1 by ianbeer@google.com (Project Member), Jul 30
Fixed in iOS 10.3.3: https://support.apple.com/en-us/HT207923
Fixed in MacOS Sierra 10.12.6: https://support.apple.com/en-us/HT207922
Jul 30
triple_fetch - ianbeer
This is an exploit for CVE-2017-7047, a logic error in libxpc which allowed malicious message senders to send xpc_data objects that were backed by shared memory. Consumers of xpc messages did not seem to expect that the backing buffers of xpc_data objects could be modified by the sender whilst being processed by the receiver. This project exploits CVE-2017-7047 to build a proof-of-concept remote lldb debugserver stub capable of attaching to and allowing remote debugging of all userspace processes on iOS 10.0 to 10.3.2. Please see the README in the nsxpc2pc folder in the attached archive for further discussion and details.
Jul 31
Aug 1
For some reason it isn't working anymore. Gets stuck at "exploit running...". Tested on iOS 10.2 and 10.3.1. On both it used to work before.
Aug 1
The exploit isn't hugely reliable - the race condition needs quite exact timing and sometimes it just doesn't work, or it does but the heap groom fails. You should just hard reboot the device and try again. It may take a couple of attempts but it should work. Once the debugserver is running it should be stable. If you take a look at the Xcode stdout/debugger window you can see some more status information.
Aug 1
Yeah noticed that... works once in 100 times...
Aug 2
If it stops working it usually gets stuck at the first attempt to send the exploit message:
2017-08-02 13:37:14.242343+0200 nsxpc2pc[248:6078] starting exploit
2017-08-02 13:37:14.242499+0200 nsxpc2pc[248:6078] target service:
2017-08-02 13:37:14.242545+0200 nsxpc2pc[248:6078] com.apple.CoreAuthentication.daemon
2017-08-02 13:37:14.242584+0200 nsxpc2pc[248:6078] target selector:
2017-08-02 13:37:14.242623+0200 nsxpc2pc[248:6078] connectToExistingContext:callback:reply:
2017-08-02 13:37:14.242661+0200 nsxpc2pc[248:6078] exploit running...
invocation_size: 85, shm_size: 8000
mapped shm port at: 103e78000
shm_port: 6607
shm_size: 8000
started flipper thread
mapped fixed addr
flipper arg: 0x103e78040
original_q1: 0x4141227262742240
replacement_q1: 0x4141417262742240
original_q2: 0x0120204020414141
original_q3: 0x6573730022000000
replacement_q3: 0x0000000022414141
found at: 18b7d4cd4
target selector address: 18a0b0802
stack pivot: 18a284ad4
found mach_msg epilogue gadget: 18a1a711c
found mach_msg gadget: 18a1a70b0
found at: 18a0dd0b0
sent xpc w00t message
connected to com.apple.CoreAuthentication.daemon
client port: 106f03
reply port: 107003
sent exploit message
Sometimes it requires multiple restarts.
Aug 3
So is there any Cydia version that works with it? I mean I can download the Cydia ipa, after using the exploit, then use AppSync to stop the 7-day cert limit? Did I make myself clear?
Aug 3
Hard resetting my iPhone 6s (Home+Power) usually fixed the app not being able to exploit. And for u/3839894262/, this isn't a jailbreak. This isn't even a kernel exploit, I don't think.
Aug 3
https://bugs.chromium.org/u/3839894262/ This is a vulnerability. Not a jailbreak.
Aug 3
Thanks:
2017-08-03 05:05:51.382920+0300 nsxpc2pc[206:3432] USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 208 98.8 1.6 2249136 16488 ?? Rs 5:01AM 3:33.83 /System/Library/Frameworks/LocalAuthentication.framework/Support/coreauthd
mobile 56 2.9 1.3 1217908 12792 ?? Ss 5:01AM 0:07.05 /usr/libexec/backboardd
root 22 1.3 0.7 1110752 7272 ?? Ss 5:01AM 0:02.67 /usr/libexec/UserEventAgent (System)
mobile 53 0.9 4.4 1262448 44116 ?? Ss 5:01AM 0:06.67 /System/Library/CoreServices/SpringBoard.app/SpringBoard
mobile 206 0.4 5.1 1157648 50536 ?? RXs 5:01AM 0:55.81 /var/containers/Bundle/Application/88586FE3-461F-4967-94D8-DE074FE5C9D7/nsxpc2pc.app/nsxpc2pc
root 63 0.3 0.2 1099488 1744 ?? Ss 5:01AM 0:00.28 /usr/libexec/assertiond
_wireless 74 0.2 1.9 1129744 18756 ?? Ss 5:01AM 0:03.61 /System/Library/Frameworks/CoreTelephony.framework/Support/CommCenter
root 34 0.1 0.2 1098000 2108 ?? Ss 5:01AM 0:00.29 /System/Library/CoreServices/powerd.bundle/powerd
mobile 168 0.1 0.3 1099984 2908 ?? Ss 5:01AM 0:00.10 /System/Library/PrivateFrameworks/UserActivity.framework/Agents/useractivityd
mobile 203 0.0 0.2 1099984 1724 ?? Ss 5:01AM 0:00.06 /Applications/ServerDocuments.app/PlugIns/ServerFileProvider.appex/ServerFileProvider
mobile 202 0.0 0.3 1108480 3316 ?? Ss 5:01AM 0:00.21 /usr/libexec/splashboardd
mobile 201 0.0 0.2 1074256 2276 ?? Ss 5:01AM 0:00.16 /System/Library/PrivateFrameworks/CloudDocsDaemon.framework/XPCServices/ContainerMetadataExtractor.xpc/ContainerMetadataExtractor
root 200 0.0 0.1 1073072 936 ?? Ss 5:01AM 0:00.03 /System/Library/PrivateFrameworks/MobileSoftwareUpdate.framework/XPCServices/com.apple.MobileSoftwareUpdate.CleanupPreparePathService.xpc/com.apple.MobileSoftwareUpdate.CleanupPreparePathService
mobile 199 0.0 0.2 1077360 2460 ?? Ss 5:01AM 0:00.05 /System/Library/PrivateFrameworks/VoiceServices.framework/Support/voiced
mobile 198 0.0 0.2 1071888 1720 ?? Ss 5:01AM 0:00.08 /usr/libexec/swcd
mobile 197 0.0 0.4 1117088 3660 ?? Ss 5:01AM 0:00.13 /System/Library/PrivateFrameworks/CoreSuggestions.framework/suggestd
mobile 196 0.0 0.3 1098544 2912 ?? Ss 5:01AM 0:00.06 /usr/libexec/videosubscriptionsd
mobile 194 0.0 0.1 1072432 912 ?? Ss 5:01AM 0:00.02 /usr/libexec/mobile_assertion_agent
mobile 193 0.0 0.6 1103728 5848 ?? Ss 5:01AM 0:00.37 /System/Library/PrivateFrameworks/CalendarDaemon.framework/Support/calaccessd
mobile 192 0.0 0.6 1080768 6304 ?? Ss 5:01AM 0:00.26 /System/Library/PrivateFrameworks/AGXCompilerConnection.framework/XPCServices/AGXCompilerService.xpc/AGXCompilerService
root 191 0.0 0.2 1098976 2340 ?? Ss 5:01AM 0:00.12 /usr/libexec/online-auth-agent
root 190 0.0 0.3 1074912 2524 ?? Ss 5:01AM 0:00.05 /usr/sbin/filecoordinationd
mobile 189 0.0 0.5 1207136 5416 ?? Ss 5:01AM 0:00.69 /System/Library/PrivateFrameworks/Search.framework/searchd
mobile 188 0.0 0.1 1097520 1292 ?? Ss 5:01AM 0:00.02 /System/Library/PrivateFrameworks/StreamingZip.framework/XPCServices/com.apple.StreamingUnzipService.xpc/com.apple.StreamingUnzipService
mobile 187 0.0 0.2 1097504 2044 ?? Ss 5:01AM 0:00.04 /usr/libexec/streaming_zip_conduit
mobile 186 0.0 0.4 1074288 3856 ?? Ss 5:01AM 0:00.80 /usr/libexec/mobile_installation_proxy
root 185 0.0 0.3 1077328 3200 ?? Ss 5:01AM 0:00.06 /System/Library/Frameworks/Metal.framework/XPCServices/MTLCompilerService.xpc/MTLCompilerService
root 184 0.0 0.3 1075280 3076 ?? Ss 5:01AM 0:00.05 /System/Library/Frameworks/Metal.framework/XPCServices/MTLCompilerService.xpc/MTLCompilerService
root 183 0.0 0.5 1101792 4576 ?? Ss 5:01AM 0:00.69 /Developer/Library/PrivateFrameworks/DVTInstrumentsFoundation.framework/DTServiceHub
mobile 182 0.0 0.2 1072048 1692 ?? Ss 5:01AM 0:00.03 /System/Library/PrivateFrameworks/Pasteboard.framework/Support/pasted
mobile 181 0.0 0.3 1072272 2956 ?? Ss 5:01AM 0:00.09 /System/Library/PrivateFrameworks/Accessibility.framework/Frameworks/AXHearingSupport.framework/XPCServices/heard.xpc/heard
mobile 179 0.0 0.4 1074864 3752 ?? Ss 5:01AM 0:01.80 /System/Library/CoreServices/CacheDeleteAppContainerCaches
mobile 178 0.0 0.2 1098384 1720 ?? Ss 5:01AM 0:00.05 /System/Library/CoreServices/CacheDeleteITunesStore
mobile 177 0.0 0.2 1098160 2168 ?? Ss 5:01AM 0:00.04 /System/Library/PrivateFrameworks/QuickLookThumbnailing.framework/Support/com.apple.quicklook.ThumbnailsAgent
root 176 0.0 0.3 1098832 2544 ?? Ss 5:01AM 0:00.05 /usr/bin/sysdiagnose
root 175 0.0 0.1 1073504 1272 ?? Ss 5:01AM 0:00.02 /System/Library/PrivateFrameworks/CoreSymbolication.framework/coresymbolicationd
root 174 0.0 0.2 1097920 2020 ?? Ss 5:01AM 0:00.05 /System/Library/PrivateFrameworks/GenerationalStorage.framework/revisiond
root 173 0.0 0.1 1072448 1468 ?? Ss 5:01AM 0:00.02 /System/Library/PrivateFrameworks/MobileBackup.framework/MobileBackupCacheDeleteService
mobile 172 0.0 0.2 1072368 1836 ?? Ss 5:01AM 0:00.02 /usr/libexec/replayd
mobile 171 0.0 0.2 1098320 2280 ?? Ss 5:01AM 0:00.15 /System/Library/PrivateFrameworks/CacheDelete.framework/deleted
mobile 170 0.0 0.2 1097984 2428 ?? Ss 5:01AM 0:00.07 /System/Library/PrivateFrameworks/SoftwareUpdateServices.framework/Support/softwareupdateservicesd
mobile 169 0.0 0.1 1098656 1308 ?? Ss 5:01AM 0:00.02 /System/Library/PrivateFrameworks/UIFoundation.framework/XPCServices/com.apple.uifoundation-bundle-helper.xpc/com.apple.uifoundation-bundle-helper
mobile 167 0.0 0.2 1072576 1832 ?? Ss 5:01AM 0:00.09 /usr/libexec/webbookmarksd
mobile 166 0.0 0.3 1098192 2576 ?? Ss 5:01AM 0:00.05 /System/Library/PrivateFrameworks/CoreFollowUp.framework/followupd
_captiveagent 165 0.0 0.1 1073072 1004 ?? Ss 5:01AM 0:00.02 /usr/libexec/captiveagent
mobile 164 0.0 0.2 1098000 1992 ?? Ss 5:01AM 0:00.05 /System/Library/PrivateFrameworks/CarKit.framework/Support/carkitd
mobile 161 0.0 0.3 1072256 2644 ?? Ss 5:01AM 0:00.14 /usr/libexec/languageassetd
mobile 160 0.0 0.2 1097968 2004 ?? Ss 5:01AM 0:00.09 /System/Library/PrivateFrameworks/MapsSupport.framework/navd
mobile 159 0.0 0.3 1098944 3136 ?? Ss 5:01AM 0:00.15 /usr/libexec/fmflocatord
mobile 158 0.0 0.5 1102032 4736 ?? Ss 5:01AM 0:00.39 /System/Library/PrivateFrameworks/ManagedConfiguration.framework/Support/profiled
mobile 157 0.0 0.9 1104432 8784 ?? Ss 5:01AM 0:01.86 /System/Library/PrivateFrameworks/CloudDocsDaemon.framework/bird
mobile 156 0.0 0.2 1098064 2408 ?? Ss 5:01AM 0:00.08 /usr/libexec/fmfd
root 154 0.0 0.1 1072576 1428 ?? Ss 5:01AM 0:00.14 /System/Library/PrivateFrameworks/MobileInstallation.framework/XPCServices/com.apple.MobileInstallationHelperService.xpc/com.apple.MobileInstallationHelperService
root 153 0.0 0.1 1098288 1296 ?? Ss 5:01AM 0:00.12 /usr/libexec/amfid
mobile 152 0.0 0.5 1099008 4912 ?? Ss 5:01AM 0:00.24 /System/Library/PrivateFrameworks/iCloudNotification.framework/ind
mobile 151 0.0 0.5 1099552 5064 ?? Ss 5:01AM 0:00.51 /System/Library/PrivateFrameworks/HomeKitDaemon.framework/Support/homed
mobile 150 0.0 0.4 1099408 4304 ?? Ss 5:01AM 0:00.16 /System/Library/PrivateFrameworks/HomeSharing.framework/Support/itunescloudd
mobile 149 0.0 0.5 1108320 4944 ?? Ss 5:01AM 0:00.45 /usr/libexec/gamed
mobile 148 0.0 0.5 1104944 5236 ?? Ss 5:01AM 0:00.63 /System/Library/PrivateFrameworks/CloudKitDaemon.framework/Support/cloudd
mobile 147 0.0 0.2 1102672 2348 ?? Ss 5:01AM 0:00.09 /System/Library/PrivateFrameworks/CallHistory.framework/Support/CallHistorySyncHelper
mobile 146 0.0 0.2 1072864 1728 ?? Ss 5:01AM 0:00.05 /usr/libexec/limitadtrackingd
mobile 145 0.0 0.6 1109920 6420 ?? Ss 5:01AM 0:01.27 /System/Library/PrivateFrameworks/DataAccess.framework/Support/dataaccessd
root 144 0.0 0.5 1100032 4560 ?? Ss 5:01AM 0:00.34 /usr/libexec/pkd
mobile 143 0.0 0.6 1112464 5504 ?? Ss 5:01AM 0:00.59 /usr/libexec/duetexpertd
mobile 142 0.0 0.2 1073424 1532 ?? Ss 5:01AM 0:00.10 /usr/libexec/SafariCloudHistoryPushAgent
mobile 141 0.0 0.2 1099408 2348 ?? Ss 5:01AM 0:00.13 /usr/libexec/nfcd
mobile 140 0.0 0.5 1099456 4548 ?? Ss 5:01AM 0:00.27 /System/Library/PrivateFrameworks/PassKitCore.framework/passd
mobile 139 0.0 0.3 1098160 2544 ?? Ss 5:01AM 0:00.17 /System/Library/TextInput/kbd
mobile 138 0.0 0.2 1100432 2176 ?? Ss 5:01AM 0:00.12 /System/Library/PrivateFrameworks/MapsSupport.framework/mapspushd
mobile 137 0.0 0.4 1101328 3704 ?? Ss 5:01AM 0:00.26 /usr/libexec/findmydeviced
mobile 136 0.0 0.3 1098128 2660 ?? Ss 5:01AM 0:00.08 /System/Library/PrivateFrameworks/StoreBookkeeperClient.framework/Support/storebookkeeperd
mobile 135 0.0 0.3 1097680 2548 ?? Ss 5:01AM 0:00.08 /System/Library/PrivateFrameworks/WatchListKit.framework/Support/watchlistd
mobile 134 0.0 0.3 1079376 2876 ?? Ss 5:01AM 0:00.05 /System/Library/Frameworks/Metal.framework/XPCServices/MTLCompilerService.xpc/MTLCompilerService
mobile 133 0.0 0.5 1078256 4672 ?? Ss 5:01AM 0:00.11 /System/Library/Frameworks/Metal.framework/XPCServices/MTLCompilerService.xpc/MTLCompilerService
mobile 132 0.0 0.3 1099280 3184 ?? Ss 5:01AM 0:00.27 /System/Library/PrivateFrameworks/AuthKit.framework/akd
mobile 131 0.0 0.2 1098064 1952 ?? Ss 5:01AM 0:00.04 /System/Library/PrivateFrameworks/VisualVoicemail.framework/vmd
mobile 130 0.0 0.1 1097776 1244 ?? Ss 5:01AM 0:00.04 /usr/libexec/misagent
mobile 129 0.0 0.2 1072880 1788 ?? Ss 5:01AM 0:00.10 /usr/libexec/adid
root 128 0.0 0.1 1072416 740 ?? Ss 5:01AM 0:00.01 /usr/libexec/oscard --launchd
root 127 0.0 0.2 1099072 1996 ?? Ss 5:01AM 0:00.09 /usr/libexec/biometrickitd --launchd
root 125 0.0 0.1 1072000 1232 ?? Ss 5:01AM 0:00.03 /System/Library/Frameworks/Security.framework/KeychainSyncingOverIDSProxy.bundle/KeychainSyncingOverIDSProxy
mobile 124 0.0 0.6 1080368 5732 ?? Ss 5:01AM 0:00.86 /System/Library/PrivateFrameworks/AGXCompilerConnection.framework/XPCServices/AGXCompilerService.xpc/AGXCompilerService
root 123 0.0 0.1 1072032 1392 ?? Ss 5:01AM 0:00.03 /System/Library/Frameworks/Security.framework/CloudKeychainProxy.bundle/CloudKeychainProxy
mobile 122 0.0 0.8 1105728 8084 ?? Ss 5:01AM 0:01.14 /System/Library/PrivateFrameworks/AppStoreDaemon.framework/appstored.bundle/appstored
mobile 120 0.0 0.2 1097728 1768 ?? Ss 5:01AM 0:00.09 /usr/libexec/networkserviceproxy
mobile 119 0.0 0.1 1072144 1488 ?? Ss 5:01AM 0:00.05 /System/Library/PrivateFrameworks/IMDPersistence.framework/XPCServices/IMDPersistenceAgent.xpc/IMDPersistenceAgent
root 117 0.0 0.1 1071888 768 ?? Ss 5:01AM 0:00.08 /usr/libexec/mobile_storage_proxy
mobile 115 0.0 0.4 1099696 4180 ?? Ss 5:01AM 0:00.24 /System/Library/PrivateFrameworks/GeoServices.framework/geod
mobile 114 0.0 0.1 1071904 1012 ?? Ss 5:01AM 0:00.03 /usr/libexec/notification_proxy
mobile 113 0.0 0.1 1074128 928 ?? Ss 5:01AM 0:00.06 /usr/libexec/afcd
_networkd 112 0.0 0.4 1105888 4236 ?? Ss 5:01AM 0:00.79 /usr/libexec/symptomsd
mobile 111 0.0 0.6 1101408 6236 ?? Ss 5:01AM 0:00.43 /System/Library/PrivateFrameworks/TelephonyUtilities.framework/callservicesd
mobile 109 0.0 0.1 1071968 1272 ?? Ss 5:01AM 0:00.02 /usr/libexec/companion_proxy
mobile 107 0.0 0.3 1100176 2608 ?? Ss 5:01AM 0:00.18 /System/Library/PrivateFrameworks/TCC.framework/tccd
mobile 106 0.0 0.3 1101424 3260 ?? Ss 5:01AM 0:00.14 /System/Library/PrivateFrameworks/MusicLibrary.framework/Support/medialibraryd
root 105 0.0 0.1 1073040 644 ?? Ss 5:01AM 0:00.02 /usr/sbin/mDNSResponderHelper
_mdnsresponder 104 0.0 0.2 1073424 2136 ?? Ss 5:01AM 0:00.20 /usr/sbin/mDNSResponder
root 103 0.0 0.1 1063712 840 ?? Ss 5:01AM 0:00.01 /usr/libexec/OTATaskingAgent server-init
root 102 0.0 0.1 1064256 576 ?? Ss 5:01AM 0:00.01 /usr/libexec/pfd
mobile 101 0.0 0.1 1079728 984 ?? Ss 5:01AM 0:00.08 /usr/sbin/BlueTool -R
mobile 100 0.0 0.2 1073344 2204 ?? Ss 5:01AM 0:00.06 /usr/sbin/WirelessRadioManagerd
root 99 0.0 0.1 1072000 904 ?? Ss 5:01AM 0:00.32 /usr/libexec/MobileStorageMounter
_securityd 98 0.0 0.5 1105632 5092 ?? Ss 5:01AM 0:02.20 /usr/libexec/securityd
mobile 96 0.0 0.3 1100480 3052 ?? Ss 5:01AM 0:00.32 /usr/libexec/nsurlstoraged
mobile 95 0.0 0.7 1080336 7352 ?? Ss 5:01AM 0:03.29 /System/Library/Frameworks/Metal.framework/XPCServices/MTLCompilerService.xpc/MTLCompilerService
mobile 94 0.0 0.5 1080368 5036 ?? Ss 5:01AM 0:00.46 /System/Library/Frameworks/Metal.framework/XPCServices/MTLCompilerService.xpc/MTLCompilerService
mobile 93 0.0 1.1 1115008 10616 ?? Ss 5:01AM 0:01.19 /System/Library/PrivateFrameworks/iTunesStore.framework/Support/itunesstored
mobile 92 0.0 0.8 1108928 8348 ?? Ss 5:01AM 0:02.46 /System/Library/Frameworks/Accounts.framework/accountsd
mobile 91 0.0 0.1 1071904 1060 ?? Ss 5:01AM 0:00.04 /usr/libexec/MobileGestaltHelper
root 90 0.0 0.3 1100080 2976 ?? Ss 5:01AM 0:00.40 /usr/libexec/nehelper
root 89 0.0 0.1 1073040 988 ?? Ss 5:01AM 0:00.04 aslmanager
mobile 88 0.0 0.2 1073648 1504 ?? Ss 5:01AM 0:00.11 /usr/libexec/mobileactivationd
mobile 87 0.0 1.6 1115824 16400 ?? Ss 5:01AM 0:03.30 /usr/libexec/coreduetd
mobile 86 0.0 0.4 1103440 4080 ?? Ss 5:01AM 0:00.55 /usr/libexec/DuetHeuristic-BM
mobile 85 0.0 0.5 1100512 5372 ?? Ss 5:01AM 0:00.75 /usr/libexec/nsurlsessiond
root 84 0.0 0.1 1071888 784 ?? Ss 5:01AM 0:00.01 /usr/libexec/nanoregistrylaunchd
mobile 83 0.0 0.3 1099680 3284 ?? Ss 5:01AM 0:00.19 /usr/libexec/nanoregistryd
root 82 0.0 0.4 1098112 3788 ?? Ss 5:01AM 0:02.25 /usr/libexec/mobileassetd
mobile 81 0.0 0.7 1103488 6560 ?? Ss 5:01AM 0:01.09 /System/Library/PrivateFrameworks/ApplePushService.framework/apsd
_wireless 80 0.0 0.2 1073072 2080 ?? Ss 5:01AM 0:00.09 /System/Library/PrivateFrameworks/WirelessDiagnostics.framework/Support/awdd
_distnote 79 0.0 0.5 1073936 4616 ?? Ss 5:01AM 0:00.16 /usr/sbin/distnoted daemon
mobile 78 0.0 0.4 1100000 4164 ?? Ss 5:01AM 0:02.20 /usr/libexec/lsd
mobile 77 0.0 0.1 1072448 932 ?? Ss 5:01AM 0:00.17 /usr/libexec/lockbot
root 76 0.0 0.2 1072608 1720 ?? Ss 5:01AM 0:01.01 /usr/sbin/cfprefsd daemon
root 75 0.0 0.2 1072800 1836 ?? Ss 5:01AM 0:01.72 /usr/sbin/notifyd
mobile 73 0.0 0.5 1090384 5228 ?? Ss 5:01AM 0:00.24 /usr/sbin/fairplayd.H2
mobile 69 0.0 0.8 1103168 7516 ?? Ss 5:01AM 0:02.95 /System/Library/PrivateFrameworks/AggregateDictionary.framework/Support/aggregated
mobile 68 0.0 0.3 1098608 3360 ?? Ss 5:01AM 0:00.15 /System/Library/PrivateFrameworks/IAP.framework/Support/iaptransportd
mobile 67 0.0 0.2 1100416 1816 ?? Ss 5:01AM 0:00.08 /usr/libexec/ptpd -t usb
root 66 0.0 0.3 1098304 2744 ?? Ss 5:01AM 0:01.53 /usr/libexec/lockdownd
mobile 65 0.0 0.2 1098000 2104 ?? Ss 5:01AM 0:00.04 /usr/libexec/tipsd
mobile 64 0.0 0.1 1072000 1388 ?? Ss 5:01AM 0:00.03 /usr/libexec/cloudpaird
mobile 62 0.0 0.4 1099168 3736 ?? Ss 5:01AM 0:00.38 /System/Library/PrivateFrameworks/IMCore.framework/imagent.app/imagent
root 61 0.0 0.2 1098528 2420 ?? Ss 5:01AM 0:03.20 /System/Library/PrivateFrameworks/MobileContainerManager.framework/Support/containermanagerd
mobile 60 0.0 0.4 1101856 4104 ?? Ss 5:01AM 0:00.18 /usr/sbin/BTServer
root 59 0.0 1.8 1133360 18060 ?? Ss 5:01AM 0:02.72 /usr/libexec/locationd
mobile 58 0.0 0.2 1098816 2452 ?? Ss 5:01AM 0:00.14 /usr/libexec/timed
mobile 57 0.0 0.5 1101024 4896 ?? Ss 5:01AM 0:00.27 /usr/libexec/sharingd
mobile 55 0.0 0.1 1097808 1400 ?? Ss 5:01AM 0:00.05 /usr/sbin/wirelessproxd
mobile 54 0.0 0.2 1098016 1788 ?? Ss 5:01AM 0:00.03 /System/Library/PrivateFrameworks/AskPermission.framework/askpermissiond
mobile 52 0.0 0.2 1098240 1776 ?? Ss 5:01AM 0:00.08 /usr/libexec/wcd
root 51 0.0 0.2 1073104 2176 ?? Ss 5:01AM 0:00.04 /System/Library/CoreServices/AppleIDAuthAgent
mobile 50 0.0 0.1 1072272 1408 ?? Ss 5:01AM 0:00.03 /System/Library/PrivateFrameworks/TouchRemote.framework/Support/touchsetupd
mobile 49 0.0 0.5 1105376 4808 ?? Ss 5:01AM 0:00.39 /System/Library/Frameworks/AssetsLibrary.framework/Support/assetsd
mobile 47 0.0 0.8 1107552 7632 ?? Ss 5:01AM 0:00.92 /System/Library/PrivateFrameworks/IDS.framework/identityservicesd.app/identityservicesd
mobile 46 0.0 0.1 1097712 1392 ?? Ss 5:01AM 0:00.04 /usr/libexec/seld
mobile 45 0.0 0.1 1072048 700 ?? Ss 5:01AM 0:00.02 /System/Library/PrivateFrameworks/MobileSoftwareUpdate.framework/Support/softwareupdated
_installd 44 0.0 0.5 1098752 5372 ?? Ss 5:01AM 0:03.58 /usr/libexec/installd
root 42 0.0 0.5 1116096 4624 ?? Ss 5:01AM 0:00.75 /usr/libexec/logd
root 41 0.0 0.5 1102992 5092 ?? Ss 5:01AM 0:00.57 /usr/sbin/wifid
mobile 39 0.0 0.1 1097888 1324 ?? Ss 5:01AM 0:00.03 /System/Library/PrivateFrameworks/FamilyNotification.framework/familynotificationd
root 37 0.0 0.1 1073344 1152 ?? Ss 5:01AM 0:00.12 /usr/libexec/keybagd -t 15
mobile 35 0.0 1.0 1112448 9864 ?? Ss 5:01AM 0:04.03 /usr/libexec/atc
mobile 33 0.0 0.4 1099408 3748 ?? Ss 5:01AM 0:00.25 /System/Library/Frameworks/HealthKit.framework/healthd
root 32 0.0 0.3 1102160 3332 ?? Ss 5:01AM 0:01.23 /usr/libexec/configd
root 31 0.0 0.1 1072608 1108 ?? Ss 5:01AM 0:00.04 /usr/libexec/misd
mobile 30 0.0 0.9 1109232 9044 ?? Ss 5:01AM 0:01.11 /usr/libexec/routined
mobile 28 0.0 0.2 1098320 2284 ?? Ss 5:01AM 0:00.07 /System/Library/PrivateFrameworks/MediaRemote.framework/Support/mediaremoted
mobile 27 0.0 1.3 1131152 13052 ?? Ss 5:01AM 0:01.19 /usr/sbin/mediaserverd
root 26 0.0 0.1 1074480 1348 ?? Ss 5:01AM 0:00.22 /usr/libexec/fseventsd
mobile 24 0.0 0.6 1104496 6220 ?? Ss 5:01AM 0:00.36 /System/Library/PrivateFrameworks/AssistantServices.framework/assistantd
mobile 23 0.0 0.1 1071984 888 ?? Ss 5:01AM 0:00.04 /System/Library/PrivateFrameworks/FileProvider.framework/Support/fileproviderd
root 21 0.0 0.1 1072832 780 ?? Ss 5:01AM 0:00.04 /usr/sbin/syslogd
root 1 0.0 0.8 1081728 8196 ?? Rs 5:01AM 0:03.14 /sbin/launchd
root 220 0.0 0.1 1060000 680 ?? R 5:05AM 0:00.00 /bin/ps auxww
mobile 219 0.0 0.0 0 0 ?? Z 5:04AM 0:00.00 (hello_world)
root 216 0.0 0.2 1072784 2244 ?? Ss 5:04AM 0:00.12 /usr/sbin/spindump
mobile 215 0.0 0.1 1072432 804 ?? Ss 5:02AM 0:00.01 /System/Library/PrivateFrameworks/DictionaryServices.framework/XPCServices/com.apple.DictionaryServiceHelper.xpc/com.apple.DictionaryServiceHelper
mobile 214 0.0 0.1 1073680 1156 ?? S 5:02AM 0:00.01 debugserver -l stdout -g 0.0.0.0:1234
mobile 213 0.0 0.2 1097984 2256 ?? Ss 5:02AM 0:00.04 /System/Library/Frameworks/CallKit.framework/XPCServices/com.apple.CallKit.CallDirectoryMaintenance.xpc/com.apple.CallKit.CallDirectoryMaintenance
mobile 211 0.0 1.0 1124768 9612 ?? Ss 5:02AM 0:01.15 /System/Library/PrivateFrameworks/Accessibility.framework/Frameworks/AccessibilityUI.framework/XPCServices/com.apple.accessibility.AccessibilityUIServer.xpc/com.apple.accessibility.AccessibilityUIServer
mobile 207 0.0 1.0 1102496 10420 ?? Ss 5:01AM 0:00.52 /System/Library/PrivateFrameworks/AssistantServices.framework/assistant_service
mobile 205 0.0 0.3 1081648 3204 ?? Ss 5:01AM 0:00.82 /Developer/usr/bin/debugserver --lockdown --launch=frontboard
mobile 204 0.0 0.1 1072144 672 ?? Ss 5:01AM 0:00.09 /usr/sbin/absd
Aug 3
I know it's not a jailbreak, but it's an important part of it. My suggestion is to contact Adam Donenfeld, as he claims a kernel exploit in iOS 10.3.1 and promises he will release it to the public this month. Contacting him and getting the kernel exploit, alongside this vulnerability, is _from my point of view_ more than enough to make a fully functioning jailbreak. Correct me if I'm wrong, and just a little help in exploiting this vulnerability on my device
Aug 3
The released exploit spawns a patched version of the lldb debugserver with the ability to attach to and debug any process (including those running as root) on iOS 10.0 through 10.3.2. This is the main purpose of the tool. If you aren't interested in manually debugging system processes on iOS this project probably won't be useful for you. The included "triple_fetch_sdk" includes sample code showing how you can write your own payload to get the task port for any running userspace process (eg launchd, amfid) and read and write memory and call functions remotely. These payloads are not run outside of the sandbox, they just have the ability to get all task ports. See the README in the archive for further details. The ability to run ps is just there to allow you to find the pid you want to attach to.
Aug 3
Yeah, hadn't noticed the README, but as a suggestion: jailbreak seekers out there are announcing your vulnerability as a jailbreak, so just make yourself clear to people and tell them in clear words that THIS IS NOT A JAILBREAK. Good job anyway.
Aug 3
u/3839894262/ (OKbab) This is a userland exploit, meaning system privileges. For a jailbreak you need a kernel exploit, because the kernel is in charge of AMFI, KPP, etc. Don't think this is the majority of what a jailbreak needs, because it is not, it's really not.
Aug 4
You'll need an additional exploit to call tfp0, as it can only be called with root privileges. Please read here: https://www.reddit.com/r/jailbreak/comments/5kl1o1/question_can_someone_eli5_what_is_tfp0/