From be1e0441e8aa6036af1696993f78a723fd190564 Mon Sep 17 00:00:00 2001 From: DeSunDo Date: Wed, 27 Mar 2019 15:02:11 -0400 Subject: [PATCH 1/3] Add iPhone 7 12.1.1 template --- offsets.js | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/offsets.js b/offsets.js index e001c69..5e52c41 100644 --- a/offsets.js +++ b/offsets.js @@ -4,6 +4,8 @@ var offsets = new Array(); offsets[12.01] = new Array(); +offsets[12.11] = new Array(); + offsets[12.01]["iPhone XR"] ={ nativejitcode: MISSING_OFFSET, // JSC::NativeJITCode::~NativeJITCode() from JavaScriptCore vtable: MISSING_OFFSET, // HTMLDivElement vtable from JavaScriptCore 
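Review bot: `offsets[12.11] = new Array();` encodes the version named only in the commit title (12.1.1) as a float key, and nothing in the file states the packing rule, so a reader cannot tell how a runtime version string maps onto `12.01` versus `12.11` (the existing `12.01` could be read as 12.0.1 or as 12.1). If the numeric convention has to stay, a comment at the declaration, `// version keys are packed floats: major.minor.patch -> major.(minor)(patch), e.g. 12.1.1 -> 12.11`, would make the rule explicit; string keys such as `offsets["12.1.1"]` would avoid the ambiguity but change every table. Using `new Array()` for a map keyed by device-name strings is also misleading, since no numeric elements are ever stored; `{}` describes the intent. The hunk ends inside the 12.01 iPhone XR table, which continues beyond it.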
@@ -368,3 +370,31 @@ offsets[12.01]["iPhone 5S"] ={
 task_set_mach_voucher: MISSING_OFFSET, // From libsystem_kernel.dylib (For voucher_swap)
 task_get_mach_voucher: MISSING_OFFSET // From libsystem_kernel.dylib (For voucher_swap)
 };
+
+offsets[12.11]["iPhone 7"] ={
+ nativejitcode: MISSING_OFFSET, // JSC::NativeJITCode::~NativeJITCode() from JavaScriptCore
+ vtable: MISSING_OFFSET, // HTMLDivElement vtable from JavaScriptCore
+ dlopen: MISSING_OFFSET, // From libdyld.dylib (For @5aelo's new mach-o approach)
+ confstr: MISSING_OFFSET, // From libsystem_c.dylib (For @5aelo's new mach-o approach)
+ disableprimitivegigacage: MISSING_OFFSET, // From JavaScriptCore
+ g_gigacagebaseptrs: MISSING_OFFSET, // From JavaScriptCore
+ g_jsarraybufferpoison: MISSING_OFFSET, // From JavaScriptCore (For XOR with leaked buffer)
+ g_jitcodepoison: MISSING_OFFSET, // From JavaScriptCore (For XOR with leaked code)
+ g_typedarraypoisons: MISSING_OFFSET, // Removed as of iOS 11.4
+ startfixedmempool: MISSING_OFFSET, // From JavaScriptCore (For copying shellcode)
+ endfixedmempool: MISSING_OFFSET, // From JavaScriptCore (For copying shellcode)
+ jit_writeseperateheaps_func: MISSING_OFFSET, // From JavaScriptCore (For detecting below i8)
+ usefastpermissions_jitcopy: MISSING_OFFSET, // From JavaScriptCore (For detecting i8 and up)
+ ptr_stack_check_guard: MISSING_OFFSET, // To make our JITMemCpy work
+ dlsym: MISSING_OFFSET, // For our shellcode + linkage
+ longjmp: MISSING_OFFSET,
+ callbacks: MISSING_OFFSET,
+ modelio_popx8: MISSING_OFFSET, // For our Return Oriented Programming chain
+ coreaudio_popx2: MISSING_OFFSET,
+ jscbase: MISSING_OFFSET, // _TEXT segment of JavaScriptCore
+ linkcode_gadget: MISSING_OFFSET, // From JavaScriptCore
+ dyld_shared_cache: MISSING_OFFSET, // Just so we can parse any mach-o and find gadgets
+ thread_swap_mach_voucher: MISSING_OFFSET, // From libsystem_kernel.dylib (For voucher_swap)
+ task_set_mach_voucher: MISSING_OFFSET, // From libsystem_kernel.dylib (For voucher_swap)
+ task_get_mach_voucher: MISSING_OFFSET // From libsystem_kernel.dylib (For voucher_swap)
+};

From f46221ca5b5f3677a6f5158e15b2aca708aaee00 Mon Sep 17 00:00:00 2001
From: DeSunDo
Date: Wed, 27 Mar 2019 16:37:11 -0400
Subject: [PATCH 2/3] Some offsets

---
 offsets.js | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/offsets.js b/offsets.js
index 5e52c41..edcd180 100644
--- a/offsets.js
+++ b/offsets.js
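Review bot: The new `offsets[12.11]["iPhone 7"]` table is registered while every field is still `MISSING_OFFSET`, so a lookup for that device and version now returns a table of sentinels instead of `undefined`; whether that is safe depends on the consumer checking each field before use, which is not visible in this hunk. A comment at the head of the table, `// iPhone 7 / iOS 12.1.1: template, all fields MISSING_OFFSET until populated`, would make the incomplete state explicit; the same applies after PATCH 2/3 and PATCH 3/3, which fill the table only partially and do not mark what remains. `g_typedarraypoisons` carries the same placeholder although its comment says the symbol was removed as of iOS 11.4, so a completeness check could not tell "not yet found" from "not applicable"; a distinct value such as `null` next to that comment would. The table is also a field-for-field copy of the 12.01 tables, so a shared list of expected keys checked once at load time would catch a dropped or misspelled field when further devices are added.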
@@ -372,19 +372,19 @@ offsets[12.01]["iPhone 5S"] ={
 };
 
 offsets[12.11]["iPhone 7"] ={
- nativejitcode: MISSING_OFFSET, // JSC::NativeJITCode::~NativeJITCode() from JavaScriptCore
+ nativejitcode: 0x1888bd210, // JSC::NativeJITCode::~NativeJITCode() from JavaScriptCore
 vtable: MISSING_OFFSET, // HTMLDivElement vtable from JavaScriptCore
- dlopen: MISSING_OFFSET, // From libdyld.dylib (For @5aelo's new mach-o approach)
+ dlopen: 0x180921bd8, // From libdyld.dylib (For @5aelo's new mach-o approach)
 confstr: MISSING_OFFSET, // From libsystem_c.dylib (For @5aelo's new mach-o approach)
- disableprimitivegigacage: MISSING_OFFSET, // From JavaScriptCore
- g_gigacagebaseptrs: MISSING_OFFSET, // From JavaScriptCore
- g_jsarraybufferpoison: MISSING_OFFSET, // From JavaScriptCore (For XOR with leaked buffer)
- g_jitcodepoison: MISSING_OFFSET, // From JavaScriptCore (For XOR with leaked code)
+ disableprimitivegigacage: 0x188211ba0, // From JavaScriptCore
+ g_gigacagebaseptrs: 0x1b8c58000, // From JavaScriptCore
+ g_jsarraybufferpoison: 0x1b8c5c1a0, // From JavaScriptCore (For XOR with leaked buffer)
+ g_jitcodepoison: 0x1b8c5c190, // From JavaScriptCore (For XOR with leaked code)
 g_typedarraypoisons: MISSING_OFFSET, // Removed as of iOS 11.4
- startfixedmempool: MISSING_OFFSET, // From JavaScriptCore (For copying shellcode)
- endfixedmempool: MISSING_OFFSET, // From JavaScriptCore (For copying shellcode)
- jit_writeseperateheaps_func: MISSING_OFFSET, // From JavaScriptCore (For detecting below i8)
- usefastpermissions_jitcopy: MISSING_OFFSET, // From JavaScriptCore (For detecting i8 and up)
+ startfixedmempool: 0x1bad790c0, // From JavaScriptCore (For copying shellcode)
+ endfixedmempool: 0x1bad790c8, // From JavaScriptCore (For copying shellcode)
+ jit_writeseperateheaps_func: 0x1bad790d0, // From JavaScriptCore (For detecting below i8)
+ usefastpermissions_jitcopy: 0x1b8c5c018, // From JavaScriptCore (For detecting i8 and up)
 ptr_stack_check_guard: MISSING_OFFSET, // To make our JITMemCpy work
 dlsym: MISSING_OFFSET, // For our shellcode + linkage
 longjmp: MISSING_OFFSET,

From d5634fab97e0cf56bf0f3aaa8937089f3a6e3f5e Mon Sep 17 00:00:00 2001
From: DeSunDo
Date: Thu, 28 Mar 2019 22:40:07 -0400
Subject: [PATCH 3/3] Update offsets.js

---
 offsets.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/offsets.js b/offsets.js
index edcd180..b56fff1 100644
--- a/offsets.js
+++ b/offsets.js
@@ -385,13 +385,13 @@ offsets[12.11]["iPhone 7"] ={
 endfixedmempool: 0x1bad790c8, // From JavaScriptCore (For copying shellcode)
 jit_writeseperateheaps_func: 0x1bad790d0, // From JavaScriptCore (For detecting below i8)
 usefastpermissions_jitcopy: 0x1b8c5c018, // From JavaScriptCore (For detecting i8 and up)
- ptr_stack_check_guard: MISSING_OFFSET, // To make our JITMemCpy work
+ ptr_stack_check_guard: 0x1b2396f28, // To make our JITMemCpy work
 dlsym: MISSING_OFFSET, // For our shellcode + linkage
 longjmp: MISSING_OFFSET,
 callbacks: MISSING_OFFSET,
 modelio_popx8: MISSING_OFFSET, // For our Return Oriented Programming chain
 coreaudio_popx2: MISSING_OFFSET,
- jscbase: MISSING_OFFSET, // _TEXT segment of JavaScriptCore
+ jscbase: 0x1881b9000, // _TEXT segment of JavaScriptCore
 linkcode_gadget: MISSING_OFFSET, // From JavaScriptCore
 dyld_shared_cache: MISSING_OFFSET, // Just so we can parse any mach-o and find gadgets
 thread_swap_mach_voucher: MISSING_OFFSET, // From libsystem_kernel.dylib (For voucher_swap)
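Review bot: The literals filled in by this hunk (`nativejitcode: 0x1888bd210`, `dlopen: 0x180921bd8`, and the rest) keep comments that name the library each value came from but not the firmware build it was read from, while the table is keyed by iOS version alone; a comment at the head of the table, `// values read from build <BUILD-ID-PLACEHOLDER>`, would let a maintainer tell a current entry from a stale one when the table is revisited. After this commit the table is mixed, with `vtable`, `confstr` and everything from `ptr_stack_check_guard` down still `MISSING_OFFSET`, and nothing in the hunk records that state; PATCH 3/3 adds `ptr_stack_check_guard` and `jscbase` the same way and would benefit from the same provenance comment. The enclosing table continues past the end of the hunk.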