Skip to content

p0larisdev/untether

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

143 Commits

src

src

 
 

tools

tools

 
 

work

work

 
 

.gitignore

.gitignore

 
 

README.md

README.md

 
 

build.sh

build.sh

 
 

build_native.sh

build_native.sh

 
 

do_it.sh

do_it.sh

 
 

ent.xml

ent.xml

 
 

exploit.conf

exploit.conf

 
 

install.sh

install.sh

 
 

install_media.sh

install_media.sh

 
 

install_native.sh

install_native.sh

 
 

old_exp.conf

old_exp.conf

 
 

spyware.sh

spyware.sh

 
 

Repository files navigation

p0laris untether

this is a work-in-progress.

gets ROP in racoon, then gets JS code exec with RWC primitives (arbitrary r/w, currently up to 26-arg call primitive), then loads in another JS file & execs it

current offsets are included for iPhone4,1 on 9.3.6 (13G37) & iPod5,1 on 9.3.5 (13G36). it may work on other devices and/or firmwares, but that's unlikely. (besides maybe 9.3.5 (13G36) on iPhone4,1?)

clarification: the actual racoon exploit should work on any device/firmware with the same ipsec-tools version (and maybe build :P), but the JSC call portion is currently specific to one dyld_shared_cache, which is usually device & build unique. the underlying bug should work on any firmware before ~ iOS 12. my exploit is 32-bit only prolly, at least practically, due to less ASLR slides. the exploit to get arbitrary mem write should work on < iOS 12 as well (i think), but the ROP chain's gadget addresses are currently hardcoded to one build.

inside the boot-args nvram variable, p0laris_options is a variable you can set that is JSON deserialized & used as an object in stage3 and stage4.

keep p0laris_options as the last boot-arg, or it will be parsed incorrectly.

example:

debug=0x1 -v p0laris_options='{"sleep_spin":true}'

don't do:

p0laris_options='{"sleep_spin":true}' debug=0x1 -v

sleep_spin causes stage3 to run while (true) {sleep(3600);};, so it will not get to stage4, and exploit the kernel, or whatever in stage4.

current install steps

  • procure an iPhone4,1 on 9.3.6 (13G37)
  • jailbreak with p0laris (or Phoenix if you're old fashioned)
  • install GCC, git, etc
  • git clone https://github.com/p0larisdev/untether.git
  • cd untether
  • ./build_native.sh
  • ./install_native.sh
  • /usr/libexec/dhcpd -q -cf old_exp.conf <- run the racoon exploit once
  • or instead /usr/libexec/dhcpd -q -cf exploit.conf <- run the racoon exploit forever, ctrl+c when it starts

tools include:

  • fuck_aslr should fix the ASLR slide for all new processes on the kernel level, offsets are for iPhone4,1 9.3.6 (13G37) atm
  • jsc_fun was a tool to test JavaScriptCore arb r/w prims, source got deleted tho, i'll prolly rewrite it sometime
  • shit includes mostly thread-based call prim testing code
  • shc/ contains WIP C shellcode compilation
  • and prolly more

current need is just to get a better call primitive, from what i can tell the phoenix bugs can't be exploited with only 4 args to functions. not sure how to get that better primitive working tho, so we'll see. :P nevermind lol, 26 (and maybe more) should be enough, kek

greetz to @tihmstar for help with 935csbypass

About

wip untether for p0laris

Resources

Readme
Activity
Custom properties

Stars

61 stars

Watchers

14 watching

Forks

8 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages