This repository has been archived by the owner on Aug 16, 2018. It is now read-only.
MTJailed edited this page May 11, 2018 · 1 revision

Introduction

Welcome to the PurpleSmoke wiki!

Here you can see in detail how the project works and how it progresses.

What is PurpleSmoke

This project is a work in progress towards software capable of escalating to the highest privileges on Apple's operating system for mobile devices.

It focuses on supporting all devices running iOS 11.2 through 11.2.6.

The project makes use of vulnerabilities present in these specific versions and will eventually patch the existing security policies.

What PurpleSmoke can mean to you

With the highest privileges in an operating system, it is possible to control all the hardware and software that the system works with.

PurpleSmoke may therefore be useful to individuals interested in development, research and machine learning on mobile devices.

The project is currently in the second of the research stages: working with the collected information.

In practice this means the project is probably still of no use to you yet.

If you are a developer or want to follow the latest developments of this project, it might be interesting to you as it currently stands.

The current state of the project

The project currently combines several proofs of concept by security researchers that can be used to escalate privileges.

Steps have been taken to provide code that is useful for exploitation based on those proofs of concept.

A kernel info leak is used to calculate the kernel address space layout randomization (KASLR) slide and the base address of the kernel.

What needs to be done

The project makes use of two kernel memory corruption vulnerabilities caused by kernel zone overflows.

The first zone overflow can only be triggered by the root user from outside the sandbox, so another vulnerability is used first, thanks to the proof of concept provided by Zimperium.

That proof of concept corrupts memory in the clients of bluetoothd.

A callback address (program counter) and additional data (register x3) can be supplied to the clients to gain arbitrary code execution and, later, memory read and write access.

What currently needs to be done is to write a ROP chain that gains access to the client's task, so that full memory access to the clients is obtained and our exploit can run in that context.

The second heap overflow is modified to overflow just enough to trigger a use-after-free in the kalloc.80 zone.

More work is needed to gain control using this vulnerability; a good start would be a heap spray that fills kalloc.80 after the zone element has been freed.

If you are less experienced in exploitation, you could try finding the kernel offsets needed for the kernel info leak if they are not yet in offsets.c for your device.

The offsets are the pointer leaked by this project and the kernel text base, which you can find shortly after a reboot in the panic log under Settings > Privacy > Analytics.

It would also be helpful if someone could look into adding KPPLess for future purposes, as well as offset finder and QiLin.