Undecimus by @Pwn20wnd is totally research friendly; just tried it on a 12.4 XR and happy to see so many things exported for exploring and playing around, who needs Apple's "research" devices anyway.
There you go:
iBoot.d421.RELEASE.im4p, iPhone 11 Pro, 13.4 17E255
d15a611e6792e13f68fd340df5e27558b589eb9332452086ec40b5a54cd5353a4ffc8425860beba3f380e884c1a2b683
There are 220 sandbox profiles in iOS 13.3.1; there were 193 in iOS 12.4. Here's the diff (all dumped/decompiled with my sandboxhelper IDA Python tool):
Nice paper on causing bit flips in Firefox arrays on Android by abusing WebGL shader textures:
The authors use & reference my exploitation primitives, previously published in Phrack, for leveraging the bit flips to an ASLR leak & RCE:
I refactored my iBoot64helper to be an IDA loader; it can help you start reversing iBoot64. Here it is against version 4513.260.81 decrypted with the key released by @doadam ;)
Just pushed to github a major update of my iBoot64helper tool for IDA; use it to help you in reversing AArch64 iBoot, iBEC, and SecureROM. You can use it both as a loader and as an ordinary script.
While reversing the recent iOS 16.0 beta 2 build 20A5303i sandbox kext, I found a new set of profiles seemingly named “protobox” for various services and daemons all being “allow default”; here’s an excerpt from one picked randomly ;)
Apple had accidentally (again ;) left in code related to a new A12/A13 kernel integrity implementation called CTRR (KERNEL_INTEGRITY_CTRR). But there are also more interesting things in the diff.
If you diff the XNU 6153.41.3 sources that were taken down (tar.gz md5: 374aedd280f4ba812ec3796445a3d8b8) vs the ones available now (tar.gz md5: 6e111e534c5a80b6edd737d9c4c880eb ), you will understand the reason they were quickly deleted ;)
My IDAPython sandbox profiles dumper / decompiler against the sandbox kext from iOS 13.1.3; I have implemented handling for all operations and filters.
The plan is to use it for something cool in @checkra1n; stay tuned!
Ghidra decompiler view -> right click on a (possible) ptr to a struct -> "Auto Create Structure": base struct and fields created from its uses.
Then viewable under Data Type Manager -> auto_structs. Right click it there to get "Find Uses of" and "Find Uses of Field".
Handy!
Look for __ARM_KERNEL_PROTECT__ in XNU kernel's code to see Apple's changes to protect against microarchitectural attacks on ARM64; basically kernel mappings are removed when switching to userland (EL0) from kernel (EL1):
iOS 12.0 beta2 sandbox kext profiles finally dumped; my IDAPython script takes ~20 minutes to unpack and dump them all (190 in iOS 12b2).
"darwin-notification-post" is one of the new operations added in iOS 12.0b; here's the operations' diff with 11.4:
You can find how to exploit jemalloc double frees in mine and @yung_vats' Infiltrate talk from last year. Although our work was Android-specific, the methodology applies to all targets that use jemalloc:
"The University of Minnesota has been banned from making any commits to the Linux kernel after it was found out they'd been submitting bogus patches to the LKML to knowingly introduce security issues:"
My iOS sandbox kext IDAPython dumper / profile decompiler against version 12.1 b2 (16B5068i); I have implemented full support for all operations and filters.
In contrast to almost all process-specific sandbox profiles, the iOS platform profile (which serves as the default policy for all processes) is "allow default"; it enumerates the baseline of what processes are not allowed to do. Here's an excerpt from it:
Happy Malloc Maleficarum anniversary! I’ll celebrate by completing a somewhat old Firefox/jemalloc exploit I left unfinished because the underlying UAF bug was fixed in a release.
Good to see @LambdaConcept using my iBoot64helper for loading SecureROM to IDA and attaching to a #checkm8 demoted device:
I plan to push more commits to it today:
I'm on the PC of the Reversing & Offensive-oriented Trends Symposium (ROOTS), and the CFP is now open (deadline Aug. 20)!
Contrary to academic CON practice, lodgings and travel expenses are covered for accepted authors.
Submit your offensive work now!
Don’t use unofficial and/or re-packed versions of checkra1n! It’s not that hard for someone to include malicious functionality!
Always get your checkra1n from:
We are excited to announce that we added support in Windows Kernel to run DTrace. DTrace is now officially supported on Windows 10! Full details on how to use DTrace on Insider builds, along with links to GitHub to our source code. cc @JenMsft @gvnn3