
Jailbreak Me 13.37

A web-based jailbreak solution unifying existing jailbreakme solutions and new ones.

Created by Sem Voigtländer

Please read RULES.md as well

Support

  • 8.4.1 & 9.3 up to 9.3.3 & 11.3.1 & 12.0 - 12.0.1 (64-bit)
  • 3.1.2 up to 4.0.1 & 8.4.1 and 9.1 up to 9.3.4 (32-bit)

Read more: https://github.com/MTJailed/jailbreakme/blob/master/SUPPORT.md
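The version ranges above are the first thing an administrator wants to check a device fleet against. As an added example (not code from the jailbreakme-unified project), the Python below encodes the two support lists from this README as inclusive version ranges and reports which inventory records fall inside them; the inventory records are constructed sample data, and the architecture labels "64-bit" / "32-bit" are taken from the list headings.

```python
"""Exposure check against the iOS version ranges listed in the README.

Added example, not part of the jailbreakme-unified project. The ranges are
copied from the README's Support section; the inventory is constructed data.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Inclusive (low, high) ranges per architecture, exactly as the README lists them.
# A single version is written as a range of length one.
SUPPORTED: Dict[str, List[Tuple[str, str]]] = {
    "64-bit": [("8.4.1", "8.4.1"), ("9.3", "9.3.3"), ("11.3.1", "11.3.1"), ("12.0", "12.0.1")],
    "32-bit": [("3.1.2", "4.0.1"), ("8.4.1", "8.4.1"), ("9.1", "9.3.4")],
}


def parse_version(text: str) -> Version:
    """'12.0.1' -> (12, 0, 1). Rejects anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(p) for p in parts)


def pad(v: Version, width: int = 3) -> Version:
    """Right-pad with zeros so that (9, 3) and (9, 3, 0) compare equal."""
    return v + (0,) * (width - len(v))


def in_supported_range(version: str, arch: str) -> bool:
    """True when `version` lies inside one of the README's ranges for `arch`."""
    v = pad(parse_version(version))
    for low, high in SUPPORTED.get(arch, []):
        if pad(parse_version(low)) <= v <= pad(parse_version(high)):
            return True
    return False


def exposed_devices(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Filter (name, version, arch) records down to those in a listed range."""
    return [rec for rec in inventory if in_supported_range(rec[1], rec[2])]


# Constructed sample inventory (hypothetical device names and versions).
SAMPLE_INVENTORY = [
    ("sales-ipad-01", "9.3.2", "64-bit"),    # inside 9.3 .. 9.3.3
    ("sales-ipad-02", "9.3.4", "64-bit"),    # just above the 64-bit range
    ("legacy-ipod-07", "9.3.4", "32-bit"),   # inside 9.1 .. 9.3.4
    ("exec-iphone-11", "12.0.1", "64-bit"),  # upper bound of 12.0 .. 12.0.1
    ("exec-iphone-12", "12.1", "64-bit"),    # patched, outside every range
    ("lab-iphone-3g", "3.2", "32-bit"),      # inside 3.1.2 .. 4.0.1
]

if __name__ == "__main__":
    for name, ver, arch in exposed_devices(SAMPLE_INVENTORY):
        print(f"{name}: iOS {ver} ({arch}) is in a listed range")
```

Versions are compared as padded integer tuples rather than strings, which is what makes "9.3" sit below "9.3.1" and "12.1" sort after "12.0.1"; a string comparison would get both wrong.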

How it works

Using ModularJS, various modules are loaded at runtime.

These modules can be divided into the following stages:

1. Identification

  • Uses an information leak (not a vulnerability) in WebGL to detect the GPU of the victim device
  • Uses the user-agent string to determine which browser and firmware to exploit
  • Uses screen size and resolution constraints to detect the specific victim device
  • Collects various debugging information about the hardware environment via window.performance and window.navigator
  • Uses benchmarking algorithms and hashing to identify and track the victim device

2. Eligibility

  • Using the identification information the victim is checked against various constraints, such as whether the victim is a mobile device or a desktop.

3. Strategy selection

  • Based on the eligibility constraints and identity the exploit strategy will be selected for the victim device and loaded.

4. Payload retrieval

  • The strategy loads the payload(s) for the victim device; on iOS this can be, for example, Cydia, and on desktops, for example, a remote administration tool.
  • The payload is aligned so it can be used later, once the exploit has created an executable region.

5. Exploitation

  • The exploit is started and carefully sets up read/write primitives in the browser's memory.
  • Once r/w is gained, an executable region is created and the payload is aligned and copied into it.
  • The exploit jumps to the shellcode and starts executing it.

6. Post-Exploitation

  • Various tools and capabilities could be set up after successful completion of the exploit, such as a telnet client to gain a shell on the victim from the browser.

Credits

Contributors: idiidk, mcgamezzplayer, merculous, mtjailed, nanidayo, rpwnage, userlandkernel


Issues

iPhone 5s global offset iOS 11.4.1

Credits
Offset finder: Sem Voigtländer
UI: iSn0w

Dyld Shared Cache Slide (ignore): 0x2b50000
disablePrimitiveGigacage: 0x18854ca8c
callbacks: 0x1b33256a0
g_gigacageBasePtrs: 0x1b1d6c000
g_typedArrayPoisons: 0x1b3325728
longjmp: 0x180b126e8
dlsym: 0x18084ef90
startOfExecutableMemoryPool: 0x1b33250b8
endOfExecutableMemoryPool: 0x1b33250c0
jitWriteSeperateHeapsFunction: 0x1b33250c8
useFastPermissionsJITCopy: 0x1b1d68018
stack_check_guard: 0x1b327fef8
LinkCode Gadget: 0x187bf2fb4

iPad 5th Generation Offsets not found

Will support be added for iPads?

Just says
Could not recognize what device this is, are you sure this is iPhone?
Missing offsets for false on 12.01
Exploit initialization failed

when run.

Compiling payloads

I'd like to contribute to this project, but I'm not too familiar with payloads/shellcode(?). How are the payloads (specifically emptylist_ACK.bin) compiled? I'd like to take a stab at compiling multi_path for use in a webkit context, but I'm unsure where to start.

Cheers!

iOS 11.4.1 iPhone 6

Credits
Offset finder: Sem Voigtländer
UI: iSn0w

aslr slide (ignore this): 0x140c000
JavaScriptCore base: 0x187a6d000
ModelIO base: 0xfffffffffebf4000
CoreAudio base: 0x183fc3000
disablePrimitiveGigacage: 0x18854aa90
g_gigacageBasePtrs: 0x1b1d58000
g_typedArrayPoisons: 0x1b3311728
startOfFixedExecutableMemoryPool: 0x1b33110b8
endOfFixedExecutableMemoryPool: 0x1b33110c0
jitWriteSeparateHeapsFunction: 0x1b33110c8
useFastPermisionsJITCopy: 0x1b1d54018
ptr_stack_check_guard: 0x1b326bef8
dlsym: 0x18084ef90
longjmp: 0x180b12778
callbacks: 0x1b33116a0

error: could not spawn fake double

Hello, My device is iPhone SE running iOS 12.0.1

The logs:
iPhone SE
OS: 12.01
Build: 15E148
Webkit version: 605.1
DID:
fa8172982fef88bb3a4416f4ea240118516b7f16
Chose Kuduma's jailbreakme
Exploit has been called and is awaiting shellcode.
Shellcode has been received, checking validity.
Received 91792 bytes of shellcode.
Triggering garbage collector
Error: Exploit failed: could not spawn fake double.

Error: Exploit failed: could not spawn fake double.

iPhone 6S
OS: 12.01
Build: 15E148
Webkit version: 605.1

Chose Kuduma's jailbreakme
No previous logs, probably first time jailbreaking!
Exploit has been called and is awaiting shellcode.
Shellcode has been received, checking validity.
Received 91792 bytes of shellcode.
Triggering garbage collector
Error: Exploit failed: could not spawn fake double.

Welcome to JaillbreakME Unified, have a nice time!

Offsets for iP 7+ (11.3.1)

Dyld Shared Cache Slide: 0x1c78000
disablePrimitiveGigacage: 0x18851a7d4
callbacks: 0x1b335d698
g_gigacageBasePtrs: 0x1b1d08000
g_typedArrayPoisons: 0x1b335d720
longjmp: 0x180b126e8
startOfExecutableMemoryPool: 0x1b335d0b8
endOfExecutableMemoryPool: 0x1b335d0c0
jitWriteSeperateHeapsFunction: 0x1b335d0c8
useFastPermissionsJITCopy: 0x1b1d04018
stack_check_guard: 0x1b32b7ef8
LinkCode Gadget: 0x187bd11d4

Need help with grabbing offsets

I just need to grab vtable, coreaudio, modelio. I'm adding offsets for 11.4.1 for future support and I need to grab those last offsets. I need some noob help on getting these as I dunno if I could use the offset finder to find the other symbols. If you can get it from the offset finder with a symbol name, please let me know! Otherwise, do I need to find them inside a kernel itself?

offset 8+

Credits
Offset finder: Sem Voigtländer
UI: iSn0w

aslr slide (ignore this): 0x14798000
JavaScriptCore base: 0x188174000
ModelIO base: 0xffffffffeb868000
CoreAudio base: 0x1842af000
disablePrimitiveGigacage: 0x1881cbf54
g_gigacageBasePtrs: 0x1b8918000
jitWriteSeparateHeapsFunction: 0x1babad0d0
useFastPermisionsJITCopy: 0x1b891c018
ptr_stack_check_guard: 0x1baaf6a18
dlsym: 0x180923d64
longjmp: 0x180adc630
callbacks: 0x1b891c1a8
