
CVE-2017-7047 PoC — libxpc security vulnerability in multiple Apple products

Associated Vulnerability
Title: libxpc security vulnerability in multiple Apple products (CVE-2017-7047)
Description: Apple iOS and the other products listed here are made by Apple, a US company. Apple iOS is an operating system developed for mobile devices; tvOS is a smart TV operating system; watchOS is a smartwatch operating system. libxpc is an open-source implementation of the Apple XPC library used in these products. A memory corruption vulnerability exists in the libxpc component of multiple Apple products. An attacker can exploit it via a specially crafted application to execute arbitrary code with system privileges or cause a denial of service (memory corruption). The following products and versions are affected: Apple iOS before 10.3.3; macOS Sierra before 10.12.6; tvOS
Description
Attempt to steal kernel credentials from launchd + task_t pointer (Based on: CVE-2017-7047)
Readme
# Triple-Fetch-Kernel-Creds
Attempt to steal kernel credentials from launchd + task_t pointer (Based on: CVE-2017-7047)

# About Triple Fetch (by Ian Beer from Google Project Zero)
Triple Fetch is an exploit for iOS devices prior to iOS 10.3.3.
It exploits a logic error in libxpc that allows attackers to send malicious messages containing xpc_data objects that are backed by shared memory.

# What is in the original exploit
The original exploit targets a low-level daemon on iOS that uses NSXPC: CoreAuthenticationd.
The exploit patches AMFID to allow arbitrary code execution, and it also gains a send right for launchd, allowing us to do task_for_pid(1).
That gives us full permissions over the lowest daemon on the system, launchd.

# What you can achieve using the exploit
The exploit already comes with an example called hello_world that uses the launchd task to dump the memory of launchd together with its memory regions (read/write/execute).
From there it will not be hard to do the following:
- Launchd has a bunch of kernel credentials. Those can be stolen from launchd in order to perform kernel patches later.
- Launchd has kernel send rights. Yes, launchd has a task_t pointer for the kernel, which leaves us with a perfect situation to gain task_for_pid(0).

# Why this exploit is more valuable than we first thought
As the exploit runs directly from userspace and gains root without patching the kernel, it can perfectly well be used for jailbreak purposes. However, since the bug is a race condition that only rarely succeeds, users will have to reboot and retry many times before they are jailbroken again.

# Contributions
You can always create a pull request if you want to contribute code to the repository.
We will be adding a file with a lot of offsets needed for future kernel patches.
We will be working on code that helps steal the kernel credentials of launchd.

# Tricks
Using Apple's VoIP APIs we will be trying to make the exploit automatically run in the background after each reboot.
A nice settings bundle will be added to the app so you can set a bootNonce from the settings app for future downgrade purposes.
A toggle will be added for disabling and enabling OTA updates.
Code will be added for automatically saving SHSH2-blobs using cron jobs.
I will be doing my very best to integrate Tor into the jailbreak, toggleable from Settings, because everyone needs their privacy.
A content blocker is added just for fun to get rid of annoying ads in Safari.

### WE CAN NOT SUCCEED IN THIS ALONE, WE NEED YOUR SUPPORT!
File Snapshot

```text
[4.0K] /data/pocs/9779627444bb194dbf7bfea64f657cb2dd713f23
├── [  27] _config.yml
├── [2.5K] README.md
└── [4.0K] triple_fetch
    ├── [4.0K] nsxpc2pc
    │   ├── [ 143] AppDelegate.h
    │   ├── [2.2K] AppDelegate.m
    │   ├── [4.0K] Assets.xcassets
    │   │   ├── [4.0K] AppIcon.appiconset
    │   │   │   ├── [3.2K] Contents.json
    │   │   │   ├── [ 603] Icon-App-20x20@1x.png
    │   │   │   ├── [1.4K] Icon-App-20x20@2x.png
    │   │   │   ├── [2.3K] Icon-App-20x20@3x.png
    │   │   │   ├── [ 942] Icon-App-29x29@1x.png
    │   │   │   ├── [2.2K] Icon-App-29x29@2x.png
    │   │   │   ├── [3.7K] Icon-App-29x29@3x.png
    │   │   │   ├── [1.4K] Icon-App-40x40@1x.png
    │   │   │   ├── [3.3K] Icon-App-40x40@2x.png
    │   │   │   ├── [5.6K] Icon-App-40x40@3x.png
    │   │   │   ├── [2.2K] Icon-App-57x57@1x.png
    │   │   │   ├── [5.2K] Icon-App-57x57@2x.png
    │   │   │   ├── [5.6K] Icon-App-60x60@2x.png
    │   │   │   ├── [9.6K] Icon-App-60x60@3x.png
    │   │   │   ├── [2.9K] Icon-App-72x72@1x.png
    │   │   │   ├── [7.2K] Icon-App-72x72@2x.png
    │   │   │   ├── [3.0K] Icon-App-76x76@1x.png
    │   │   │   ├── [7.7K] Icon-App-76x76@2x.png
    │   │   │   ├── [8.7K] Icon-App-83.5x83.5@2x.png
    │   │   │   ├── [1.8K] Icon-Small-50x50@1x.png
    │   │   │   ├── [4.5K] Icon-Small-50x50@2x.png
    │   │   │   └── [ 80K] iTunesArtwork@2x.png
    │   │   ├── [  62] Contents.json
    │   │   ├── [4.0K] iTunesArtwork.imageset
    │   │   │   ├── [ 396] Contents.json
    │   │   │   ├── [ 80K] iTunesArtwork@2x.png
    │   │   │   ├── [111K] iTunesArtwork@3x.png
    │   │   │   └── [ 32K] iTunesArtwork.png
    │   │   ├── [4.0K] trash.imageset
    │   │   │   ├── [ 372] Contents.json
    │   │   │   ├── [1.0K] trash@2x.png
    │   │   │   ├── [1.5K] trash@3x.png
    │   │   │   └── [ 574] trash.png
    │   │   └── [4.0K] Triple_FETCH.imageset
    │   │       ├── [ 309] Contents.json
    │   │       └── [396K] Triple_FETCH.png
    │   ├── [4.0K] Base.lproj
    │   │   ├── [1.7K] LaunchScreen.storyboard
    │   │   └── [ 45K] Main.storyboard
    │   ├── [ 20M] bootstrap.tar
    │   ├── [9.8K] cdhash.c
    │   ├── [ 674] cdhash.h
    │   ├── [ 307] consoleAreaViewController.h
    │   ├── [1.7K] consoleAreaViewController.m
    │   ├── [2.8M] crashtext.txt
    │   ├── [4.0K] debugger_support.c
    │   ├── [ 207] debugger_support.h
    │   ├── [ 14M] debugserver
    │   ├── [ 54K] debugserver.diff
    │   ├── [ 547] dropbear.plist
    │   ├── [ 13K] drop_payload.c
    │   ├── [ 422] drop_payload.h
    │   ├── [1.1K] ExploiterTableViewController.h
    │   ├── [ 15K] ExploiterTableViewController.m
    │   ├── [1.5K] Info.plist
    │   ├── [4.0K] liboxpc
    │   │   ├── [3.6K] oxpc_array.c
    │   │   ├── [ 266] oxpc_array.h
    │   │   ├── [1.8K] oxpc_data.c
    │   │   ├── [ 249] oxpc_data.h
    │   │   ├── [4.4K] oxpc_dictionary.c
    │   │   ├── [ 306] oxpc_dictionary.h
    │   │   ├── [ 270] oxpc.h
    │   │   ├── [1.4K] oxpc_mach_send.c
    │   │   ├── [ 237] oxpc_mach_send.h
    │   │   ├── [6.4K] oxpc_object.c
    │   │   ├── [1.7K] oxpc_object.h
    │   │   ├── [1.8K] oxpc_ool_data.c
    │   │   ├── [ 267] oxpc_ool_data.h
    │   │   ├── [2.1K] oxpc_string.c
    │   │   ├── [ 511] oxpc_string.h
    │   │   ├── [1.4K] oxpc_uint64.c
    │   │   ├── [ 219] oxpc_uint64.h
    │   │   ├── [ 277] oxpc_utils.c
    │   │   ├── [ 143] oxpc_utils.h
    │   │   ├── [1.3K] oxpc_uuid.c
    │   │   └── [ 211] oxpc_uuid.h
    │   ├── [  61] log.h
    │   ├── [ 201] main.m
    │   ├── [ 11K] minibplist16.c
    │   ├── [1.1K] minibplist16.h
    │   ├── [ 20K] patch_amfid.c
    │   ├── [ 124] patch_amfid.h
    │   ├── [4.0K] pocs
    │   │   └── [ 52K] hello_world
    │   ├── [2.0K] post_exploit.c
    │   ├── [ 140] post_exploit.h
    │   ├── [ 12K] README
    │   ├── [6.3K] remote_call.c
    │   ├── [1.6K] remote_call.h
    │   ├── [3.2K] remote_file.c
    │   ├── [ 406] remote_file.h
    │   ├── [3.1K] remote_memory.c
    │   ├── [1.1K] remote_memory.h
    │   ├── [3.9K] remote_ports.c
    │   ├── [ 440] remote_ports.h
    │   ├── [ 30K] sploit.c
    │   ├── [ 113] sploit.h
    │   ├── [345K] tar
    │   ├── [5.8K] task_ports.c
    │   ├── [ 255] task_ports.h
    │   ├── [3.3K] xpc_handshake.c
    │   └── [ 187] xpc_handshake.h
    ├── [4.0K] nsxpc2pc.xcodeproj
    │   ├── [ 31K] project.pbxproj
    │   ├── [4.0K] project.xcworkspace
    │   │   ├── [ 153] contents.xcworkspacedata
    │   │   └── [4.0K] xcuserdata
    │   │       ├── [4.0K] ianbeer.xcuserdatad
    │   │       │   └── [453K] UserInterfaceState.xcuserstate
    │   │       ├── [4.0K] Joseph.xcuserdatad
    │   │       │   └── [120K] UserInterfaceState.xcuserstate
    │   │       └── [4.0K] justin.xcuserdatad
    │   │           └── [ 16K] UserInterfaceState.xcuserstate
    │   └── [4.0K] xcuserdata
    │       ├── [4.0K] ianbeer.xcuserdatad
    │       │   ├── [4.0K] xcdebugger
    │       │   │   └── [3.9K] Breakpoints_v2.xcbkptlist
    │       │   └── [4.0K] xcschemes
    │       │       ├── [3.2K] nsxpc2pc.xcscheme
    │       │       └── [ 480] xcschememanagement.plist
    │       ├── [4.0K] Joseph.xcuserdatad
    │       │   ├── [4.0K] xcdebugger
    │       │   │   └── [  91] Breakpoints_v2.xcbkptlist
    │       │   └── [4.0K] xcschemes
    │       │       └── [ 331] xcschememanagement.plist
    │       └── [4.0K] justin.xcuserdatad
    │           └── [4.0K] xcschemes
    │               ├── [3.2K] nsxpc2pc.xcscheme
    │               └── [ 480] xcschememanagement.plist
    └── [4.0K] triple_fetch_sdk
        ├── [ 212] build.sh
        ├── [ 52K] hello_world
        ├── [1.7K] hello_world.c
        ├── [7.1K] remote_call.c
        ├── [1.8K] remote_call.h
        ├── [3.1K] remote_memory.c
        ├── [1.1K] remote_memory.h
        ├── [5.4K] remote_ports.c
        ├── [ 829] remote_ports.h
        ├── [5.9K] task_ports.c
        └── [ 322] task_ports.h

26 directories, 124 files
```