Skip to content

jsherman212/iomfb-exploit

main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
1 branch 0 tags
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
IOMobileFramebufferUserClient.c
 
 
IOMobileFramebufferUserClient.h
 
 
LICENSE
 
 
Makefile
 
 
README.md
 
 
alloc_averager.py
 
 
array.c
 
 
array.h
 
 
ent.xml
 
 
iokit.h
 
 
kernel_hooks.c
 
 
kernel_hooks.h
 
 
xnuspy_ctl.h
 
 

README.md

Write up is here: https://jsherman212.github.io/2021/11/28/popping_ios14_with_iomfb.html

Exploit for CVE-2021-30807. If you really want to build a jailbreak out of it, it will require tuning for your device and iOS version because I have no info leak to use for this.

To tune for A11 and below, use pongo to load xnuspy and build with SAMPLING_MEMORY=1 make -B. This will enable a test that gathers the memory returned by kernel_memory_allocate, sorts those pointers, then spits out a range. You'll see something like this:

sample_kernel_map: 0xffffffe8ebe9c000 [0x10000 bytes from behind]
sample_kernel_map: to add to alloc_averager:
[0xffffffe8ce934000, 0xffffffe8ebf98000],

(just ignore the warnings it spits out)

The test is meant to be ran 30 seconds after the device boots.

Inside alloc_averager.py is a couple of samples I already ran for my phones. It takes the average of all the averages of each range. Create a "samples list" for your device and add the range to it. Repeat the test a couple times until you have 5-10 entries in that list. alloc_averager.py will report a success rate for the guess it generates based on the list. If you like the success rate, take the guess and replace the value for GUESSED_OSDATA_BUFFER_PTR at the top of IOMobileFramebufferUserClient.c with it.

It is very important to not include outliers in this list. After running the test a couple times you'll likely run into a range that sticks out from the rest of the ranges you already have.

You will need to find offsets for your device/version to run this test.

First, to find kernel_memory_allocate, simply xref kernel_memory_allocate: VM is not ready. When you have the offset set kma's value to it inside install_kernel_memory_alloc_hook.

Second, to isolate the test from the other allocations XNU makes, I test for a specific return address. That address is inside OSData::initWithCapacity. You can easily find OSData's vtable by xrefing the string "OSData". The first xref to that string will be in a function that has an xref to the vtable for OSData::MetaClass. Right above that vtable is OSData's vtable, and OSData::initWithCapacity is at +0x78.

Once you have OSData::initWithCapacity, find the only BL to kernel_memory_allocate and take the offset of the instruction right below it. Inside kernel_hooks.c, use that offset in the only if statement in the only function in that file.

A12+ will need to use something like Correlium.

About

Exploit for CVE-2021-30807

Resources

Readme

License

MIT license

Stars

128 stars

Watchers

5 watching

Forks

30 forks

Releases

No releases published

Packages

No packages published

Languages