Untitled

a guest
Jul 17th, 2019
SockPuppet Kernel Exploit For A7/A8 (4K) By GeoSn0w
On top of Ned Williamson's exploit!

[D] platform: iPhone9,4 16E227
TestKit: Kernel Address Tested: 0xffffffffdeadbeef ----- NOT A KADDR! Bail out
TestKit: Kernel Address Tested: 0xffffffe002690bd0 ----- GOT A KADDR!
Task port is 0xffffffe002690bd0
TestKit: Kernel Address Tested: 0xffffffe0003562c8 ----- GOT A KADDR!
Got candidate port: 0xffffffe000354000
--> Port IP_BITS: 0x8000001c
Got candidate port: 0xffffffe0003540a8
--> Port IP_BITS: 0x80000001
Got candidate port: 0xffffffe000354150
--> Port IP_BITS: 0x80000001
Got candidate port: 0xffffffe0003541f8
--> Port IP_BITS: 0x80000000
Got candidate port: 0xffffffe0003542a0
--> Port IP_BITS: 0x80000001
Got candidate port: 0xffffffe000354348
--> Port IP_BITS: 0x80000000
Got candidate port: 0xffffffe0003543f0
--> Port IP_BITS: 0x8000001c
Got candidate port: 0xffffffe000354498
--> Port IP_BITS: 0x80000001
Got candidate port: 0xffffffe000354540
--> Port IP_BITS: 0x80000001
Got candidate port: 0xffffffe0003545e8
--> Port IP_BITS: 0x8000001c
Got candidate port: 0xffffffe000354690
--> Port IP_BITS: 0x8000001c
Got candidate port: 0xffffffe000354738
--> Port IP_BITS: 0x8d78e894
Got candidate port: 0xffffffe0003547e0
--> Port IP_BITS: 0x80000001
Got candidate port: 0xffffffe000354888
--> Port IP_BITS: 0x80000000
Got candidate port: 0xffffffe000354930
--> Port IP_BITS: 0x80000000
Got candidate port: 0xffffffe0003549d8
--> Port IP_BITS: 0x80000000
Got candidate port: 0xffffffe000354a80
--> Port IP_BITS: 0x80000001
Got candidate port: 0xffffffe000354b28
--> Port IP_BITS: 0x80000001
Got candidate port: 0xffffffe000354bd0
--> Port IP_BITS: 0x80000001
Got candidate port: 0xffffffe000354c78
--> Port IP_BITS: 0x80000000
Got candidate port: 0xffffffe000354d20
--> Port IP_BITS: 0x8000001c
Got candidate port: 0xffffffe000354dc8
--> Port IP_BITS: 0x80000001
Got candidate port: 0xffffffe000354e70
--> Port IP_BITS: 0x8000001c
Got candidate port: 0xffffffe000354f18
--> Port IP_BITS: 0x80000001
Got candidate port: 0xffffffe000354fc0
--> Port IP_BITS: 0x80000001
Got candidate port: 0xffffffe000355068
--> Port IP_BITS: 0x80000001
Got candidate port: 0xffffffe000355110
--> Port IP_BITS: 0x80000001
Got candidate port: 0xffffffe0003551b8
--> Port IP_BITS: 0x80000001
Got candidate port: 0xffffffe000355260
--> Port IP_BITS: 0x80000001
Got candidate port: 0xffffffe000355308
--> Port IP_BITS: 0x80000000
Got candidate port: 0xffffffe0003553b0
--> Port IP_BITS: 0x80000001
Got candidate port: 0xffffffe000355458
--> Port IP_BITS: 0x80000001
Got candidate port: 0xffffffe000355500
--> Port IP_BITS: 0x80000001
Got candidate port: 0xffffffe0003555a8
--> Port IP_BITS: 0x80000001
Got candidate port: 0xffffffe000355650
--> Port IP_BITS: 0x80008008
Got candidate port: 0xffffffe0003556f8
--> Port IP_BITS: 0x80000001
Got candidate port: 0xffffffe0003557a0
--> Port IP_BITS: 0x80000001
Got candidate port: 0xffffffe000355848
--> Port IP_BITS: 0x80000001
Got candidate port: 0xffffffe0003558f0
--> Port IP_BITS: 0x80000001
Got candidate port: 0xffffffe000355998
--> Port IP_BITS: 0x80000013
Got candidate port: 0xffffffe000355a40
--> Port IP_BITS: 0x8000001a
Got candidate port: 0xffffffe000355ae8
--> Port IP_BITS: 0x80000019
Got candidate port: 0xffffffe000355b90
--> Port IP_BITS: 0x80000001
Got candidate port: 0xffffffe000355c38
--> Port IP_BITS: 0x80000001
Got candidate port: 0xffffffe000355ce0
--> Port IP_BITS: 0x80000001
Got candidate port: 0xffffffe000355d88
--> Port IP_BITS: 0x80000001
Got candidate port: 0xffffffe000355e30
--> Port IP_BITS: 0x80000001
Got candidate port: 0xffffffe000355ed8
--> Port IP_BITS: 0x80000001
Got candidate port: 0xffffffe000355f80
--> Port IP_BITS: 0x80000001
Got candidate port: 0xffffffe000356028
--> Port IP_BITS: 0x80000005
Got candidate port: 0xffffffe0003560d0
--> Port IP_BITS: 0x80000007
Got candidate port: 0xffffffe000356178
--> Port IP_BITS: 0x80000006
Got candidate port: 0xffffffe000356220
--> Port IP_BITS: 0x80000004
Got candidate port: 0xffffffe0003562c8
--> Port IP_BITS: 0x80000003
Got candidate port: 0xffffffe000356370
--> Port IP_BITS: 0x80000011
Got candidate port: 0xffffffe000356418
--> Port IP_BITS: 0x80000028
Got candidate port: 0xffffffe0003564c0
--> Port IP_BITS: 0x80000002
--> Task: 0xffffffe00037dc20
--> PID: 0
TestKit: Kernel Address Tested: 0xffffffe002690bd0 ----- GOT A KADDR!
Found a KADDR
[-] mach_vm_read_overwrite returned 1: (os/kern) invalid address
[-] could not read address 0xffffffe005e08800
Trying next potential kernel_task port...
[-] mach_vm_read_overwrite returned 1: (os/kern) invalid address
[-] could not read address 0xffffffe005e08800
Trying next potential kernel_task port...
[-] mach_vm_read_overwrite returned 1: (os/kern) invalid address
[-] could not read address 0xffffffe005e08800
Trying next potential kernel_task port...
[-] mach_vm_read_overwrite returned 1: (os/kern) invalid address
[-] could not read address 0xffffffe005e08800
Trying next potential kernel_task port...
kernel_task port found; read 0xffffffe004d87648 from 0xffffffe005e08800
Copied fake kernel_task port to its own page, cleaning up...
Exploit succeeded
Got: tfp0 0x25607
iPhone9,4 Cat 18.5.0 Darwin Darwin Kernel Version 18.5.0: Tue Mar 5 19:52:17 PST 2019; root:xnu-4903.252.2~1/RELEASE_ARM64_T8010
Page size is 0x4000