
CVE-2017-7047 PoC — libxpc security vulnerability in multiple Apple products

Source
Associated Vulnerability
Title: libxpc security vulnerability in multiple Apple products (CVE-2017-7047)
Description: An issue was discovered in certain Apple products. iOS before 10.3.3 is affected. macOS before 10.12.6 is affected. tvOS before 10.2.2 is affected. watchOS before 3.2.3 is affected. The issue involves the "libxpc" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.
Description
Attempt to steal kernel credentials from launchd + task_t pointer (Based on: CVE-2017-7047)
Readme
# Triple-Fetch-Kernel-Creds
Attempt to steal kernel credentials from launchd + task_t pointer (Based on: CVE-2017-7047)

# About Triple Fetch (by Ian Beer from Google Project Zero)
Triple Fetch is an exploit for iOS devices running versions prior to iOS 10.3.3.
It exploits a logic error in libxpc that allows attackers to send malicious messages containing xpc_data objects that are backed by shared memory.

# What is in the original exploit
The original exploit targets a low-level daemon on iOS that uses NSXPC: CoreAuthenticationd.
The exploit patches amfid to allow arbitrary code execution, and it also gains a send right for launchd, allowing us to do task_for_pid 1.
This gives us full permissions over the lowest daemon on the system, launchd.

# What you can achieve using the exploit
The exploit already ships with an example, hello_world, that uses the launchd task port to dump the memory of launchd along with its memory regions (read/write/execute).
It will not be hard to do the following:
- launchd holds a bunch of kernel credentials. Those can be stolen from launchd in order to perform kernel patches later.
- launchd holds kernel send rights. Yes, launchd has a task_t pointer for the kernel, which leaves us in a perfect situation to gain task_for_pid 0.

# Why this exploit is more valuable than we first thought
As the exploit runs directly from userspace and gains root without patching the kernel, it can be used perfectly well for jailbreak purposes. However, since the bug is a race condition that seems to succeed only rarely, users will have to reboot and retry many times before they are jailbroken again.

# Contributions
You can always create a pull request if you want to contribute code to the repository.
We will be adding a file with a lot of offsets needed for future kernel patches.
We will be working on code that helps with stealing the kernel credentials of launchd.

# Tricks
Using Apple's VoIP APIs, we will be trying to make the exploit run automatically in the background after each reboot.
A nice settings bundle will be added to the app so you can set a bootNonce from the Settings app for future downgrade purposes.
A toggle will be added for disabling and enabling OTA updates.
Code will be added for automatically saving SHSH2 blobs using cron jobs.
I will be doing my very best to integrate Tor into the jailbreak, toggleable from Settings, because everyone needs their privacy.
A content blocker is added just for fun to get rid of annoying ads in Safari.

### WE CAN NOT SUCCEED IN THIS ALONE, WE NEED YOUR SUPPORT!
File Snapshot

```text
[4.0K] /data/pocs/9779627444bb194dbf7bfea64f657cb2dd713f23
├── [  27] _config.yml
├── [2.5K] README.md
└── [4.0K] triple_fetch
    ├── [4.0K] nsxpc2pc
    │   ├── [ 143] AppDelegate.h
    │   ├── [2.2K] AppDelegate.m
    │   ├── [4.0K] Assets.xcassets
    │   │   ├── [4.0K] AppIcon.appiconset
    │   │   │   ├── [3.2K] Contents.json
    │   │   │   ├── [ 603] Icon-App-20x20@1x.png
    │   │   │   ├── [1.4K] Icon-App-20x20@2x.png
    │   │   │   ├── [2.3K] Icon-App-20x20@3x.png
    │   │   │   ├── [ 942] Icon-App-29x29@1x.png
    │   │   │   ├── [2.2K] Icon-App-29x29@2x.png
    │   │   │   ├── [3.7K] Icon-App-29x29@3x.png
    │   │   │   ├── [1.4K] Icon-App-40x40@1x.png
    │   │   │   ├── [3.3K] Icon-App-40x40@2x.png
    │   │   │   ├── [5.6K] Icon-App-40x40@3x.png
    │   │   │   ├── [2.2K] Icon-App-57x57@1x.png
    │   │   │   ├── [5.2K] Icon-App-57x57@2x.png
    │   │   │   ├── [5.6K] Icon-App-60x60@2x.png
    │   │   │   ├── [9.6K] Icon-App-60x60@3x.png
    │   │   │   ├── [2.9K] Icon-App-72x72@1x.png
    │   │   │   ├── [7.2K] Icon-App-72x72@2x.png
    │   │   │   ├── [3.0K] Icon-App-76x76@1x.png
    │   │   │   ├── [7.7K] Icon-App-76x76@2x.png
    │   │   │   ├── [8.7K] Icon-App-83.5x83.5@2x.png
    │   │   │   ├── [1.8K] Icon-Small-50x50@1x.png
    │   │   │   ├── [4.5K] Icon-Small-50x50@2x.png
    │   │   │   └── [ 80K] iTunesArtwork@2x.png
    │   │   ├── [  62] Contents.json
    │   │   ├── [4.0K] iTunesArtwork.imageset
    │   │   │   ├── [ 396] Contents.json
    │   │   │   ├── [ 80K] iTunesArtwork@2x.png
    │   │   │   ├── [111K] iTunesArtwork@3x.png
    │   │   │   └── [ 32K] iTunesArtwork.png
    │   │   ├── [4.0K] trash.imageset
    │   │   │   ├── [ 372] Contents.json
    │   │   │   ├── [1.0K] trash@2x.png
    │   │   │   ├── [1.5K] trash@3x.png
    │   │   │   └── [ 574] trash.png
    │   │   └── [4.0K] Triple_FETCH.imageset
    │   │       ├── [ 309] Contents.json
    │   │       └── [396K] Triple_FETCH.png
    │   ├── [4.0K] Base.lproj
    │   │   ├── [1.7K] LaunchScreen.storyboard
    │   │   └── [ 45K] Main.storyboard
    │   ├── [ 20M] bootstrap.tar
    │   ├── [9.8K] cdhash.c
    │   ├── [ 674] cdhash.h
    │   ├── [ 307] consoleAreaViewController.h
    │   ├── [1.7K] consoleAreaViewController.m
    │   ├── [2.8M] crashtext.txt
    │   ├── [4.0K] debugger_support.c
    │   ├── [ 207] debugger_support.h
    │   ├── [ 14M] debugserver
    │   ├── [ 54K] debugserver.diff
    │   ├── [ 547] dropbear.plist
    │   ├── [ 13K] drop_payload.c
    │   ├── [ 422] drop_payload.h
    │   ├── [1.1K] ExploiterTableViewController.h
    │   ├── [ 15K] ExploiterTableViewController.m
    │   ├── [1.5K] Info.plist
    │   ├── [4.0K] liboxpc
    │   │   ├── [3.6K] oxpc_array.c
    │   │   ├── [ 266] oxpc_array.h
    │   │   ├── [1.8K] oxpc_data.c
    │   │   ├── [ 249] oxpc_data.h
    │   │   ├── [4.4K] oxpc_dictionary.c
    │   │   ├── [ 306] oxpc_dictionary.h
    │   │   ├── [ 270] oxpc.h
    │   │   ├── [1.4K] oxpc_mach_send.c
    │   │   ├── [ 237] oxpc_mach_send.h
    │   │   ├── [6.4K] oxpc_object.c
    │   │   ├── [1.7K] oxpc_object.h
    │   │   ├── [1.8K] oxpc_ool_data.c
    │   │   ├── [ 267] oxpc_ool_data.h
    │   │   ├── [2.1K] oxpc_string.c
    │   │   ├── [ 511] oxpc_string.h
    │   │   ├── [1.4K] oxpc_uint64.c
    │   │   ├── [ 219] oxpc_uint64.h
    │   │   ├── [ 277] oxpc_utils.c
    │   │   ├── [ 143] oxpc_utils.h
    │   │   ├── [1.3K] oxpc_uuid.c
    │   │   └── [ 211] oxpc_uuid.h
    │   ├── [  61] log.h
    │   ├── [ 201] main.m
    │   ├── [ 11K] minibplist16.c
    │   ├── [1.1K] minibplist16.h
    │   ├── [ 20K] patch_amfid.c
    │   ├── [ 124] patch_amfid.h
    │   ├── [4.0K] pocs
    │   │   └── [ 52K] hello_world
    │   ├── [2.0K] post_exploit.c
    │   ├── [ 140] post_exploit.h
    │   ├── [ 12K] README
    │   ├── [6.3K] remote_call.c
    │   ├── [1.6K] remote_call.h
    │   ├── [3.2K] remote_file.c
    │   ├── [ 406] remote_file.h
    │   ├── [3.1K] remote_memory.c
    │   ├── [1.1K] remote_memory.h
    │   ├── [3.9K] remote_ports.c
    │   ├── [ 440] remote_ports.h
    │   ├── [ 30K] sploit.c
    │   ├── [ 113] sploit.h
    │   ├── [345K] tar
    │   ├── [5.8K] task_ports.c
    │   ├── [ 255] task_ports.h
    │   ├── [3.3K] xpc_handshake.c
    │   └── [ 187] xpc_handshake.h
    ├── [4.0K] nsxpc2pc.xcodeproj
    │   ├── [ 31K] project.pbxproj
    │   ├── [4.0K] project.xcworkspace
    │   │   ├── [ 153] contents.xcworkspacedata
    │   │   └── [4.0K] xcuserdata
    │   │       ├── [4.0K] ianbeer.xcuserdatad
    │   │       │   └── [453K] UserInterfaceState.xcuserstate
    │   │       ├── [4.0K] Joseph.xcuserdatad
    │   │       │   └── [120K] UserInterfaceState.xcuserstate
    │   │       └── [4.0K] justin.xcuserdatad
    │   │           └── [ 16K] UserInterfaceState.xcuserstate
    │   └── [4.0K] xcuserdata
    │       ├── [4.0K] ianbeer.xcuserdatad
    │       │   ├── [4.0K] xcdebugger
    │       │   │   └── [3.9K] Breakpoints_v2.xcbkptlist
    │       │   └── [4.0K] xcschemes
    │       │       ├── [3.2K] nsxpc2pc.xcscheme
    │       │       └── [ 480] xcschememanagement.plist
    │       ├── [4.0K] Joseph.xcuserdatad
    │       │   ├── [4.0K] xcdebugger
    │       │   │   └── [  91] Breakpoints_v2.xcbkptlist
    │       │   └── [4.0K] xcschemes
    │       │       └── [ 331] xcschememanagement.plist
    │       └── [4.0K] justin.xcuserdatad
    │           └── [4.0K] xcschemes
    │               ├── [3.2K] nsxpc2pc.xcscheme
    │               └── [ 480] xcschememanagement.plist
    └── [4.0K] triple_fetch_sdk
        ├── [ 212] build.sh
        ├── [ 52K] hello_world
        ├── [1.7K] hello_world.c
        ├── [7.1K] remote_call.c
        ├── [1.8K] remote_call.h
        ├── [3.1K] remote_memory.c
        ├── [1.1K] remote_memory.h
        ├── [5.4K] remote_ports.c
        ├── [ 829] remote_ports.h
        ├── [5.9K] task_ports.c
        └── [ 322] task_ports.h

26 directories, 124 files
```