
CVE-2021-30807 PoC: Apple iPadOS buffer error vulnerability

Associated Vulnerability
Title: Apple iPadOS buffer error vulnerability (CVE-2021-30807)
Description: Apple iPadOS is an operating system developed by Apple (USA) for iPad tablets. Apple iPadOS contains a buffer error vulnerability that may allow an application to execute arbitrary code with kernel privileges. Affected products and versions: Apple iPadOS 11.5.1, iOS 14.7.1, iPadOS 14.7.1.
Description
Exploit for CVE-2021-30807
Readme
Write up is here: https://jsherman212.github.io/2021/11/28/popping_ios14_with_iomfb.html

Exploit for CVE-2021-30807. If you really want to build a jailbreak out
of it, it will require tuning for your device and iOS version because I
have no info leak to use for this.

To tune for A11 and below, use pongo to load xnuspy and build with
`SAMPLING_MEMORY=1 make -B`. This will enable a test that gathers
the memory returned by `kernel_memory_allocate`, sorts those pointers,
then spits out a range. You'll see something like this:

```
sample_kernel_map: 0xffffffe8ebe9c000 [0x10000 bytes from behind]
sample_kernel_map: to add to alloc_averager:
[0xffffffe8ce934000, 0xffffffe8ebf98000],
```

(just ignore the warnings it spits out)

The test is meant to be run 30 seconds after the device boots.

Inside `alloc_averager.py` are a couple of samples I already ran for
my phones. It takes the average of all the averages of each range.
Create a "samples list" for your device and add the range to it.
Repeat the test a couple times until you have 5-10 entries in that
list. `alloc_averager.py` will report a success rate for the guess it
generates based on the list. If you like the success rate, take the guess
and replace the value for `GUESSED_OSDATA_BUFFER_PTR` at the top of
`IOMobileFramebufferUserClient.c` with it.

It is very important to not include outliers in this list. After running
the test a couple times you'll likely run into a range that sticks
out from the rest of the ranges you already have.
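The averaging and outlier rule described above, worked through as an added example. This is not the repository's `alloc_averager.py`; it is a reimplementation of what the README says that script does, written to show how fragile a fixed pointer guess is when there is no info leak. Every address is a constructed sample (the last one is a deliberate outlier), and the `tolerance` distance used to flag outliers is an assumption of this example, not something the README specifies.

```python
"""Estimate how reliable a fixed pointer guess is from sampled allocation ranges.

Added example modelled on the README's description of alloc_averager.py; it is
not the repository's own script. Every address below is a constructed sample,
not a value measured on any device.
"""

# Constructed samples: (low, high) ranges in the shape the README's test prints.
# The last entry deliberately sticks out from the others: the kind of outlier
# the README says must not be added to a samples list.
SAMPLES = [
    (0xFFFFFFE8CE934000, 0xFFFFFFE8EBF98000),
    (0xFFFFFFE8CE800000, 0xFFFFFFE8EBE00000),
    (0xFFFFFFE8CEA00000, 0xFFFFFFE8EC100000),
    (0xFFFFFFE8CE900000, 0xFFFFFFE8EBF00000),
    (0xFFFFFFE920000000, 0xFFFFFFE940000000),  # constructed outlier
]


def midpoint(rng):
    """Average of one range. Integer maths only: 64-bit kernel addresses
    exceed the precision a float can hold, so statistics.mean() would drift."""
    lo, hi = rng
    return (lo + hi) // 2


def median_int(values):
    """Median without float conversion (same precision concern as above)."""
    s = sorted(values)
    n = len(s)
    if n % 2:
        return s[n // 2]
    return (s[n // 2 - 1] + s[n // 2]) // 2


def flag_outliers(samples, tolerance):
    """Ranges whose midpoint is farther than `tolerance` bytes from the median
    midpoint. `tolerance` is this example's assumption; the README only says
    outliers 'stick out' and should be left out of the list."""
    med = median_int([midpoint(r) for r in samples])
    return [r for r in samples if abs(midpoint(r) - med) > tolerance]


def guess_pointer(samples):
    """The README's rule: the average of the averages of each range."""
    mids = [midpoint(r) for r in samples]
    return sum(mids) // len(mids)


def success_rate(guess, samples):
    """Fraction of sampled ranges that contain the guess: the 'success rate'
    reported for a candidate value."""
    hits = sum(1 for lo, hi in samples if lo <= guess < hi)
    return hits / len(samples)


def summarize(samples, tolerance=0x1000000):
    """Compare the guess with and without the outlier filter applied."""
    outliers = flag_outliers(samples, tolerance)
    clean = [r for r in samples if r not in outliers]
    naive = guess_pointer(samples)
    tuned = guess_pointer(clean)
    return {
        "outliers": outliers,
        "naive_guess": naive,
        "naive_rate": success_rate(naive, samples),
        "tuned_guess": tuned,
        "tuned_rate": success_rate(tuned, clean),
    }


if __name__ == "__main__":
    result = summarize(SAMPLES)
    for k, v in result.items():
        if isinstance(v, int):
            print(f"{k}: {v:#x}")
        else:
            print(f"{k}: {v}")
```

With the constructed samples the single outlier drags the averaged guess past the upper bound of every real range, so the unfiltered guess scores 0% while the guess from the filtered list sits inside all four remaining ranges. That is the practical reason behind the README's warning: one bad entry in the list is enough to make the whole tuning useless, and even a clean list only yields a probability, never the certainty an info leak would give.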

You will need to find offsets for your device/version to run this test.

First, to find `kernel_memory_allocate`, simply xref
`kernel_memory_allocate: VM is not ready`. When you have the offset,
set `kma`'s value to it inside `install_kernel_memory_alloc_hook`.

Second, to isolate the test from the other allocations XNU makes,
I test for a specific return address. That address is inside
`OSData::initWithCapacity`. You can easily find OSData's vtable
by xrefing the string `"OSData"`. The first xref to that string
will be in a function that has an xref to the vtable for OSData::MetaClass.
Right above that vtable is OSData's vtable, and `OSData::initWithCapacity`
is at `+0x78`.

Once you have `OSData::initWithCapacity`, find the only `BL` to
`kernel_memory_allocate` and take the offset of the instruction *right below
it*. Inside `kernel_hooks.c`, use that offset in the only if statement
in the only function in that file.

A12+ will need to use something like Corellium.
File Snapshot

[4.0K] /data/pocs/aa209eca5bd708c2895d7e3b813076c3a5dcd279
├── [1.7K] alloc_averager.py
├── [2.8K] array.c
├── [ 937] array.h
├── [ 620] ent.xml
├── [7.6K] iokit.h
├── [ 46K] IOMobileFramebufferUserClient.c
├── [ 401] IOMobileFramebufferUserClient.h
├── [ 967] kernel_hooks.c
├── [ 339] kernel_hooks.h
├── [1.0K] LICENSE
├── [ 785] Makefile
├── [2.4K] README.md
└── [ 15K] xnuspy_ctl.h

0 directories, 13 files