Exploit for CVE-2021-30807

Overview

Write up is here: https://jsherman212.github.io/2021/11/28/popping_ios14_with_iomfb.html

Exploit for CVE-2021-30807. If you really want to build a jailbreak out of it, it will require tuning for your device and iOS version because I have no info leak to use for this.

To tune for A11 and below, use pongo to load xnuspy and build with SAMPLING_MEMORY=1 make -B. This will enable a test that gathers the memory returned by kernel_memory_allocate, sorts those pointers, then spits out a range. You'll see something like this:

sample_kernel_map: 0xffffffe8ebe9c000 [0x10000 bytes from behind]
sample_kernel_map: to add to alloc_averager:
[0xffffffe8ce934000, 0xffffffe8ebf98000],

(just ignore the warnings it spits out)

The test is meant to be ran 30 seconds after the device boots.

Inside alloc_averager.py is a couple of samples I already ran for my phones. It takes the average of all the averages of each range. Create a "samples list" for your device and add the range to it. Repeat the test a couple times until you have 5-10 entries in that list. alloc_averager.py will report a success rate for the guess it generates based on the list. If you like the success rate, take the guess and replace the value for GUESSED_OSDATA_BUFFER_PTR at the top of IOMobileFramebufferUserClient.c with it.

It is very important to not include outliers in this list. After running the test a couple times you'll likely run into a range that sticks out from the rest of the ranges you already have.

You will need to find offsets for your device/version to run this test.

First, to find kernel_memory_allocate, simply xref kernel_memory_allocate: VM is not ready. When you have the offset set kma's value to it inside install_kernel_memory_alloc_hook.

Second, to isolate the test from the other allocations XNU makes, I test for a specific return address. That address is inside OSData::initWithCapacity. You can easily find OSData's vtable by xrefing the string "OSData". The first xref to that string will be in a function that has an xref to the vtable for OSData::MetaClass. Right above that vtable is OSData's vtable, and OSData::initWithCapacity is at +0x78.

Once you have OSData::initWithCapacity, find the only BL to kernel_memory_allocate and take the offset of the instruction right below it. Inside kernel_hooks.c, use that offset in the only if statement in the only function in that file.

A12+ will need to use something like Correlium.

You might also like...
desc_race exploit for iOS 15.0 - 15.1.1 (with stable kernel r/w primitives) (CVE-2021-30955)

desc_race "desc_race" (CVE-2021-30955) exploit for iOS 15.0 - 15.1.1 (with stable kernel r/w primitives) Tested to work on iPhone13,2 running iOS 15.1

Some hypervisor research notes. There is also a useful exploit template that you can use to verify / falsify any assumptions you may make while auditing code, and for exploit development.

Introduction Over the past few weeks, I've been doing some hypervisor research here and there, with most of my focus being on PCI device emulation cod

Demo exploit code for CVE-2020-27904, a tfp0 bug.

xattr-oob-swap CVE-2020-27904: a tfp0 bug for macOS 10.15.x and below. Demo exploit code for my talk at BlackHat ASIA 2021. The vulnerability has been

Make CVE-2020-0668 exploit work for version < win10 v1903 and version >= win10 v1903
Make CVE-2020-0668 exploit work for version win10 v1903 and version = win10 v1903

CVE-2020-0668 Made CVE-2020-0668 exploit work for version win10 v1903 and version = win10 v1903 Diaghub Exploit ( v1903) powershell exploit works

A personal collection of Windows CVE I have turned in to exploit source, as well as a collection of payloads I've written to be used in conjunction with these exploits.

This repository contains a personal collection of Windows CVE I have turned in to exploit source, as well as a collection of payloads I've written to

Exploit for Dirty-Pipe (CVE-2022-0847)
Exploit for Dirty-Pipe (CVE-2022-0847)

Dirty-Pipe (PoC) What is it? Dirty-Pipe is a vulnerability which allows us to overwrite files even if they have read-only permissions. This vulnerabil

PoC for CVE-2021-28476 a guest-to-host
PoC for CVE-2021-28476 a guest-to-host "Hyper-V Remote Code Execution Vulnerability" in vmswitch.sys.

CVE-2021-28476: a guest-to-host "Microsoft Hyper-V Remote Code Execution Vulnerability" in vmswitch.sys. This is a proof of concept for CVE-2021-28476

Local Privilege Escalation Edition for CVE-2021-1675
Local Privilege Escalation Edition for CVE-2021-1675

Local Privilege Escalation Edition of CVE-2021-1675/CVE-2021-34527 Local Privilege Escalation implementation of the CVE-2021-1675/CVE-2021-34527 (a.k.

PoC (DoS) for CVE-2021-40449 - Win32k Elevation of Privilege Vulnerability (LPE)
PoC (DoS) for CVE-2021-40449 - Win32k Elevation of Privilege Vulnerability (LPE)

CallbackHell DoS PoC for CVE-2021-40449 (Win32k - LPE) CallbackHell Description Technical Writeup PoC References Description CVE-2021-40449 is a use-a

Comments
  • Segfault

    Segfault

    Device: iPhone10,6 Running the exploit executable is failing with a segfault, the output until this point is "20.4.0 Darwin Kernel Version 20.4.0: Sun Feb 28 21:05:16 PST 2021; root:xnu-7195.100.367~3/RELEASE_ARM64_T8015 iPhone10,6 sample_kernel_map: to add to alloc_averager.py:". Running it with LLDB is saying, that the "stop reason = EXC_BAD_ACCESS (code=1, address=0xfffffffffffffff8)". Any help?

    opened by legendary-cookie 3
Owner
Justin Sherman
CS student, interested in security research & exploit dev
Justin Sherman
Exploit to SYSTEM for CVE-2021-21551

CVE-2021-21551 Exploit to SYSTEM for CVE-2021-21551 SpoolPrinter Privesc using SeImpersonatePrivileges was made thanks to

null 235 Nov 9, 2022
a reliable C based exploit for CVE-2021-3560.

CVE-2021-3560 a reliable C based exploit for CVE-2021-3560. Summary: Yestreday i stumbled upon this blog post by Kevin Backhouse (discovered this vuln

hakivvi 34 Jun 21, 2022
My exploit for CVE-2021-40449, a Windows LPE via a UAF in win32kfull!GreResetDCInternal.

CVE-2021-40449 My exploit for CVE-2021-40449, a Windows LPE via a UAF in win32kfull!GreResetDCInternal. short wu along with the UAF vulnerabilty other

hakivvi 31 Oct 19, 2022
Exploit for CVE-2021-40449

CVE-2021-40449 More info here: https://kristal-g.github.io/2021/11/05/CVE-2021-40449_POC.html Compiling I did a bit of a hack with the MinHook library

null 48 Nov 9, 2022
Exploit for CVE-2021-40449 - Win32k Elevation of Privilege Vulnerability (LPE)

CallbackHell Exploit for CVE-2021-40449 (Win32k - LPE) CallbackHell Description Technical Writeup PoC References Description CVE-2021-40449 is a use-a

Oliver Lyak 425 Nov 19, 2022
CVE-2021-4034 One day for the polkit privilege escalation exploit

CVE-2021-4034 One day for the polkit privilege escalation exploit Just execute make, ./cve-2021-4034 and enjoy your root shell. The original advisory

Davide Berardi 1.7k Nov 26, 2022
Self-contained exploit for CVE-2021-4034 - Pkexec Local Privilege Escalation

PwnKit Self-contained exploit for CVE-2021-4034 - Pkexec Local Privilege Escalation Usage Should work out of the box on Linux distributions based on U

Oliver Lyak 679 Nov 25, 2022
This repository contains an exploit of CVE-2021-4034, a local privilege escalation in pkexec

pwnkit (CVE-2021-4034) Privilege Escalation exploit sample This repository contains an exploit of CVE-2021-4034, a local privilege escalation in pkexe

Peter Gottesman 28 Nov 6, 2022
An exploit for CVE-2021-4034 aka Pwnkit: Local Privilege Escalation in polkit's pkexec

CVE-2021-4034 Exploit Usage $ git clone https://github.com/whokilleddb/CVE-2021-4034 $ cd CVE-2021-4034 $ make [!] CVE-2021-4034 Exploit By whokilledd

whokilleddb 3 Jun 30, 2022