Use Objective-C to fetch App Group.

uroboro · Dec 20, 2016 · 397df56 · 397df56
1 parent f68be3b
commit 397df56
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 6 deletions.
diff --git a/mach_portal.xcodeproj/project.pbxproj b/mach_portal.xcodeproj/project.pbxproj
@@ -24,6 +24,7 @@
 		B0FB971B1DEB302A00C0D3C4 /* kernel_memory_helpers.c in Sources */ = {isa = PBXBuildFile; fileRef = B0FB97191DEB302A00C0D3C4 /* kernel_memory_helpers.c */; };
 		B0FB971E1DEB305700C0D3C4 /* kernel_sploit.c in Sources */ = {isa = PBXBuildFile; fileRef = B0FB971C1DEB305700C0D3C4 /* kernel_sploit.c */; };
 		B0FB97211DEB309000C0D3C4 /* jailbreak.c in Sources */ = {isa = PBXBuildFile; fileRef = B0FB971F1DEB309000C0D3C4 /* jailbreak.c */; };
+		CF35B8561E08CE8D006B5655 /* AppGroup.m in Sources */ = {isa = PBXBuildFile; fileRef = CF35B8551E08CE8D006B5655 /* AppGroup.m */; };
 		CFEFD3351E073DD1005FBFF4 /* ConsoleView.swift in Sources */ = {isa = PBXBuildFile; fileRef = CFEFD3341E073DD1005FBFF4 /* ConsoleView.swift */; };
 		CFEFD3361E077C41005FBFF4 /* mach_portal.entitlements in Resources */ = {isa = PBXBuildFile; fileRef = B0FB97111DEB2C9A00C0D3C4 /* mach_portal.entitlements */; };
 /* End PBXBuildFile section */
@@ -72,6 +73,8 @@
 		B0FB971C1DEB305700C0D3C4 /* kernel_sploit.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = kernel_sploit.c; sourceTree = "<group>"; };
 		B0FB971D1DEB305700C0D3C4 /* kernel_sploit.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = kernel_sploit.h; sourceTree = "<group>"; };
 		B0FB971F1DEB309000C0D3C4 /* jailbreak.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = jailbreak.c; sourceTree = "<group>"; };
+		CF35B8551E08CE8D006B5655 /* AppGroup.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = AppGroup.m; sourceTree = "<group>"; };
+		CF35B8571E08CF72006B5655 /* AppGroup.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = AppGroup.h; sourceTree = "<group>"; };
 		CFEFD3341E073DD1005FBFF4 /* ConsoleView.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = ConsoleView.swift; sourceTree = "<group>"; };
 /* End PBXFileReference section */
 
@@ -135,6 +138,8 @@
 				B0FB97191DEB302A00C0D3C4 /* kernel_memory_helpers.c */,
 				B0FB97121DEB2EB900C0D3C4 /* mach_portal-Bridging-Header.h */,
 				B0FB971F1DEB309000C0D3C4 /* jailbreak.c */,
+				CF35B8571E08CF72006B5655 /* AppGroup.h */,
+				CF35B8551E08CE8D006B5655 /* AppGroup.m */,
 			);
 			path = mach_portal;
 			sourceTree = "<group>";
@@ -223,6 +228,7 @@
 			buildActionMask = 2147483647;
 			files = (
 				B0C0F9FE1DF4200900B7A3BB /* cdhash.c in Sources */,
+				CF35B8561E08CE8D006B5655 /* AppGroup.m in Sources */,
 				B0FB97021DEB2C8600C0D3C4 /* ViewController.swift in Sources */,
 				B0FB971B1DEB302A00C0D3C4 /* kernel_memory_helpers.c in Sources */,
 				B0FB97141DEB2EB900C0D3C4 /* sandbox_escape.c in Sources */,

diff --git a/mach_portal/AppGroup.h b/mach_portal/AppGroup.h
@@ -0,0 +1,14 @@
+//
+//  AppGroup.h
+//  mach_portal
+//
+//  Created by uroboro on 12/19/16.
+//  Copyright © 2016 uroboro. All rights reserved.
+//
+
+#ifndef AppGroup_h
+#define AppGroup_h
+
+char * copyAppGroup();
+
+#endif /* AppGroup_h */
diff --git a/mach_portal/AppGroup.m b/mach_portal/AppGroup.m
@@ -0,0 +1,16 @@
+//
+//  AppGroup.m
+//  mach_portal
+//
+//  Created by uroboro on 12/19/16.
+//  Copyright © 2016 uroboro. All rights reserved.
+//
+
+#import <Foundation/Foundation.h>
+
+char * copyAppGroup() {
+	NSString * path = [NSBundle.mainBundle pathForResource:@"mach_portal" ofType:@"entitlements"];
+	NSDictionary * dict = [NSDictionary dictionaryWithContentsOfFile:path];
+	NSString * appGroup = [dict[@"com.apple.security.application-groups"] firstObject];
+	return strdup(appGroup.UTF8String);
+}
diff --git a/mach_portal/jailbreak.c b/mach_portal/jailbreak.c
@@ -13,24 +13,21 @@
 #include "unsandboxer.h"
 #include "offsets.h"
 #include "kernel_memory_helpers.h"
+#include "AppGroup.h"
 
 int jb_go() {
   // do platform detection
   init_offsets();
 
   // dynamically get the App Group from bundled entitlement file
-  id bundle = objc_msgSend((id)objc_getClass("NSBundle"), sel_registerName("mainBundle"));
-  id path = objc_msgSend(bundle, sel_registerName("pathForResource:ofType:"), CFSTR("mach_portal"), CFSTR("entitlements"));
-  id dict = objc_msgSend(objc_msgSend((id)objc_getClass("NSDictionary"), sel_registerName("alloc")), sel_registerName("initWithContentsOfFile:"), path);
-  id array = objc_msgSend(dict, sel_registerName("objectForKey:"), CFSTR("com.apple.security.application-groups"));
-  id suiteName = objc_msgSend(array, sel_registerName("firstObject"));
-  char * app_group = (char *)objc_msgSend(suiteName, sel_registerName("UTF8String"));
+  char * app_group = copyAppGroup();
 
   // exploit the urefs saturation bug; target launchd to impersonate a service
   // and get the task port for a root service and use that to get the host_priv port
   // which we need to trigger the kernel bug
   mach_port_t real_service_port, mitm_port;
   mach_port_t host_priv_port = get_host_priv_port(app_group, &real_service_port, &mitm_port);
+  free(app_group);
 
   if (host_priv_port == MACH_PORT_NULL) {
     printf("[-] getting host priv port failed :-( \n");