How to jailbreak iOS 9.3.2

This document describes a theoretical chain of vulnerabilities which could, in theory, be exploited by an experienced security researcher in order to perform a tethered jailbreak of iOS 9.3.2, install Cydia, and obtain root access. After a reboot, any device on which this method has been applied will need to be restored in order to regain functionality, which updates the device to the latest version of iOS. For this reason, it is not recommended that this guide be followed by anyone who does not wish to bear the consequences of such a device restore.
Prerequisites

In order to perform this jailbreak, it is necessary to exploit a bug in WebCore, which requires an Apache (or similar) web server. It is also necessary to have a method of sending raw TCP and UDP packets over a network to the device, an SSH client, and software such as telnet, netcat, or a similar tool.
Setting up WebCore

The next step is to test your exploitation environment by setting up a basic implementation of the WebCore bug. The code for this vulnerability can be found on GitHub, but a sample is provided below for convenience. A file named index.html should be created at the root of the web server:

<html>
<script>
document.write('<iframe src="1.html"></iframe>');
</script>
</html>

Another file named 1.html should then be created with the following contents:

<html>
<iframe src='2.html'></iframe>
<iframe src='3.html'></iframe>
</html>

2.html will contain the following code:

<html>
<script>
parent.stop();
</script>
</html>

Finally, 3.html should contain:

<html>
</html>
This vulnerability will create an OutOfMemoryException which, unless other action (detailed below) is taken, will cause the WebCore process to stop.
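From the defensive side, the four-file layout above is a recognisable pattern: a chain of iframes whose innermost page calls parent.stop(). The following is an added example (not code from the paste or from any project it names) of a static scanner that walks a set of HTML pages, follows iframe references, including ones emitted from document.write strings, and reports any frame chain ending in a framed page that calls parent.stop() or top.stop(). The in-memory SAMPLE_SITE and the chain-only heuristic are assumptions made for this example.

```python
"""Hypothetical static scanner for the nested-iframe / parent.stop() crash pattern.

Added example, not the paste author's code. It walks a set of HTML pages
(constructed in memory below), follows iframe references, and reports any
frame chain that ends in a script calling parent.stop() or top.stop().
"""
import re
from html.parser import HTMLParser

# Constructed sample site mirroring the four-file layout described in the paste,
# plus one benign page that frames 3.html but never calls stop().
SAMPLE_SITE = {
    "index.html": "<html><script>document.write('<iframe src=\"1.html\"></iframe>');</script></html>",
    "1.html": "<html><iframe src='2.html'></iframe><iframe src='3.html'></iframe></html>",
    "2.html": "<html><script>parent.stop();</script></html>",
    "3.html": "<html></html>",
    "benign.html": "<html><iframe src='3.html'></iframe><p>hello</p></html>",
}

# A script that stops its parent or top frame while being framed is the trigger.
STOP_CALL = re.compile(r"\b(?:parent|top)\s*\.\s*stop\s*\(")
# iframes written from JavaScript strings (document.write) never reach the HTML
# parser as tags, so their src values are pulled out of the script text instead.
WRITTEN_IFRAME = re.compile(r"""<iframe[^>]*\bsrc\s*=\s*\\?["']([^"'\\]+)""")


class FrameCollector(HTMLParser):
    """Collects iframe targets and inline script text from one page."""

    def __init__(self):
        super().__init__()
        self.frames = []      # src values of every iframe found (tags or document.write)
        self.scripts = []     # full text of every inline <script> element
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.frames.append(src)
        elif tag == "script":
            self._in_script = True

    def handle_data(self, data):
        # Script bodies can be delivered in several chunks; buffer until </script>.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            text = "".join(self._buf)
            self.scripts.append(text)
            self.frames.extend(WRITTEN_IFRAME.findall(text))
            self._buf = []
            self._in_script = False


def analyze_page(html):
    """Return (iframe targets, True if any inline script calls parent/top.stop())."""
    p = FrameCollector()
    p.feed(html)
    p.close()
    stops = any(STOP_CALL.search(s) for s in p.scripts)
    return p.frames, stops


def find_stop_chains(site, root="index.html"):
    """Return every frame chain from root to a framed page that calls parent/top.stop().

    site maps page names to HTML text; each page is visited at most once.
    A stop() call on an unframed top-level page is not reported, since the
    pattern described above only matters when the page is loaded inside a frame.
    """
    findings = []
    stack = [(root, [root])]
    seen = set()
    while stack:
        page, path = stack.pop()
        if page in seen or page not in site:
            continue
        seen.add(page)
        frames, stops = analyze_page(site[page])
        if stops and len(path) > 1:
            findings.append(path)
        for child in frames:
            stack.append((child, path + [child]))
    return findings


if __name__ == "__main__":
    for chain in find_stop_chains(SAMPLE_SITE):
        print("frame chain ending in stop():", " -> ".join(chain))
```

Run against the constructed site, the scanner reports the chain index.html -> 1.html -> 2.html and nothing for benign.html; it is a content heuristic rather than a crash detector, so it is suited to checking served or proxied HTML, not to replacing the browser-side fix.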
Memory manipulation in preparation for arbitrary code execution

The next required step is to manipulate the contents of the memory associated with the WebCore process. This can be achieved by loading arbitrary and seemingly random webpage content into memory. Upon the occurrence of the OutOfMemoryException, the process would usually be killed, unless it continues to respond to prompts from the kernel. First, a small binary should be compiled that will be downloaded into memory in order to make the process appear to keep responding, even after the original process has crashed. This procedure is known as process hijacking, or the arbitrary replacement of one process by another. The binary file should be downloaded to the device from the web server before the WebCore crash is triggered. This will cause the process to appear to continue responding as normal. This arbitrary zombie process should then contact the web server, request a larger payload containing further vulnerabilities (detailed below), and execute said payload.
Further exploitation

At this point, a payload containing the GasGauge (or similar) vulnerability can be executed with the permissions of the mobile user. In effect, this serves as the sandbox escape that this vulnerability requires. The memory maps obtained from this vulnerability can then be used to exploit the kernel.
Kernel access

The kernel vulnerability used to complete this jailbreak is CVE-2016-1863. The memory maps obtained by GasGauge can be used to locate a memory position at which this vulnerability can be triggered. This will allow for the execution of code with kernel privileges. At this point, more binaries can be downloaded from the web server, verified with amfid, and executed with AMFI (a vulnerability introduced by a recent change). The Cydia binary could then be downloaded and installed onto the system, allowing for the installation of packages and tweaks.
Now if only I could compile English into Objective-C :/