Reverse engineering STAR jailbreakme

So I downloaded the exploit PDFs used in the Star Jailbreak tool. After decompressing the PDF (decompressed PDF) from 14kb > 31kb I can see the following: Type1c font exploit > jumps through IOSURFACE hole, then it's in ur kernelz. It is not dependent on the browser, so if someone embeds this code into any PDF, repurposed to do something more sinister than root your phone, you're in trouble. In theory you can jailbreak simply by dragging a PDF from here http://www.pdaviet.123viet.net/data2/vipboy/ (Index of /data2/vipboy) into iTunes and then iBooks, or mail it to yourself; then you can see it works in the same manner. The wad.bin is a 3.7mb file which is downloaded from jailbreakme.m o d m y i . com/wad.bin (remove spaces). You can patch your own server from what I can see very easily.
Quote from an earlier article regarding a private exploit at pwn2own on a stock iPhone, non-jailbroken.

Any more info is appreciated, I'm trying to learn what I can with this tool, very
If you would like to protect your device in the meantime, download this exploitwarner file, copy it to your device, and open it on your device using either Terminal (cmd: dpkg -i file.deb) or iFile: navigate to /var/mobile and double tap on the .deb file to install it. You can also use ssh or cydia auto-install. I'm sure a repo will be up by tomorrow. You will now receive a warning on any site that attempts the flatedecode/font loader exploit, and you choose whether to allow PDFs. This applies globally in iOS as far as I know, since the problem is not isolated to just the browser. http://c0660312.cdn.cloudfiles.racks.../PDF%20Fix.jpg courtesy of Will Strafach (cdevwill on Twitter)
Hi there, I've tried to create my own PDF xploit. However, after I copied it to my website and ran it, it only creates installui.lib in tmp but doesn't run it, just a blank PDF... what's wrong?
@gecko I see the PDF execution at detector.js, but can we possibly enter the url to jailbreakme.com/_/....pdf and it will execute the code automatically? If not, then is that the purpose of star.js? What about wad.bin? I believe that is Cydia, is that correct?
_ slider.js wad.bin detector.js star.css wallpaper-ipad.jpg faq.html star.js wallpaper-iphone.jpg index.html sunspider-3dcube.js wallpaper-retina.jpg slider.css ui_normal.css and folder "_" with: iPad1,1_3.2.1.pdf iPhone2,1_3.1.3.pdf iPod2,1_3.1.2.pdf iPad1,1_3.2.pdf iPhone2,1_4.0.1.pdf iPod2,1_3.1.3.pdf iPhone1,x_3.1.2.pdf iPhone2,1_4.0.pdf iPod2,1_4.0.pdf iPhone1,x_3.1.3.pdf iPhone3,1_4.0.1.pdf iPod3,1_3.1.2.pdf iPhone1,x_4.0.1.pdf iPhone3,1_4.0.pdf iPod3,1_3.1.3.pdf iPhone1,x_4.0.pdf iPod1,1_3.1.2.pdf iPod3,1_4.0.pdf iPhone2,1_3.1.2.pdf iPod1,1_3.1.3.pdf
2. Decompressed iPhone1,x_4.0.1 using PDFTK 1.41 on Mac Snow Leo with this command in terminal:
pdftk iPhone1,x_4.0.1.pdf output iPhone_decompr.pdf uncompress
3. Opened the decompressed PDF with the Hex Fiend editor on my Mac and replaced "jailbreakme.com" with "jb.********.com" using overwrite mode. Saved.
4. Compressed iPhone_decompr.pdf using this command:
pdftk iPhone_decompr.pdf output iPhone_1,x_4.0.1.pdf compress
5. Uploaded the modified PDF to the website, to folder "_".
6. Opened my website on my iPhone 3G 4.0.1, went to the "http://jb.********.com/_/" folder and ran the modified iPhone1,x_4.0.1.pdf. It opened, but just a blank document, blank page, and nothing happens, but the file "installui.dylib" was copied to the tmp folder on my iPhone.
What steps did I miss, or maybe I did something wrong? Thank you!
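The decompress-and-inspect step in the post above (pdftk uncompress, then a hex editor) can be done for triage without pdftk. The following is an added example, not code from this thread or from the jailbreakme project: a small Python scanner that inflates every FlateDecode stream in a PDF, flags streams declared as embedded CFF/Type1C fonts, checks whether the inflated bytes begin with a CFF header, and lists any URL strings found inside them, which is what a reviewer would look at when deciding whether a font stream carries a payload. The sample PDF bytes are constructed inline, are not an exploit file, and the URL in them is a placeholder.

```python
import re
import zlib

# --- Constructed sample input (not a real exploit PDF) -------------------
# Two FlateDecode streams: a page-content stream and a stream declaring an
# embedded Type1C (CFF) font whose body carries a placeholder URL.

def _flate_obj(num, dict_extra, payload):
    """Build one PDF object whose stream body is the zlib-compressed payload."""
    data = zlib.compress(payload)
    header = f"{num} 0 obj\n<< /Length {len(data)} /Filter /FlateDecode{dict_extra} >>\nstream\n"
    return header.encode() + data + b"\nendstream\nendobj\n"

SAMPLE_PDF = (
    b"%PDF-1.4\n"
    + _flate_obj(4, "", b"BT /F1 12 Tf (hello) Tj ET")
    # CFF header bytes (major 1, minor 0, hdrSize 4, offSize 1) followed by a
    # placeholder URL so the scanner has something to report.
    + _flate_obj(5, " /Subtype /Type1C",
                 b"\x01\x00\x04\x01" + b"http://example.invalid/wad.bin" + b"\x00" * 16)
    + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# --- Scanner ---------------------------------------------------------------
# Matches "N 0 obj << ... >> stream ... endstream". Good enough for triage of
# simple files; nested dictionaries would need a real PDF parser.
STREAM_RE = re.compile(
    rb"(\d+)\s+0\s+obj\s*<<(.*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
URL_RE = re.compile(rb"https?://[^\s\x00-\x1f\"'<>()]+")


def scan_pdf(data: bytes):
    """Return one finding per FlateDecode stream: object number, whether the
    stream is declared as an embedded CFF/Type1C font, whether the inflated
    bytes start with a CFF header, the inflated size, and any URL strings."""
    findings = []
    for m in STREAM_RE.finditer(data):
        objnum = int(m.group(1))
        dictionary, raw = m.group(2), m.group(3)
        if b"/FlateDecode" not in dictionary:
            continue
        try:
            inflated = zlib.decompress(raw)
        except zlib.error:
            inflated = b""  # corrupt or truncated stream: still reported
        findings.append({
            "obj": objnum,
            "cff_font": b"/Type1C" in dictionary or b"/FontFile3" in dictionary,
            "cff_header": inflated[:2] == b"\x01\x00",
            "inflated_len": len(inflated),
            "urls": [u.decode("ascii", "replace") for u in URL_RE.findall(inflated)],
        })
    return findings


if __name__ == "__main__":
    for f in scan_pdf(SAMPLE_PDF):
        flag = "FONT" if f["cff_font"] else "    "
        print(f"obj {f['obj']:>3} {flag} {f['inflated_len']:>6} bytes  urls={f['urls']}")
```

Point the script at a real file by reading it as bytes and passing them to scan_pdf; a font stream that inflates to far more than a typical CFF font, or that contains URL or path strings, is the thing to look at in a hex editor next.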
Alegz, copy the normal PDF without unpacking or any modifications to your server and try running it. I'm sure you will see a blank document too. Then try running it from jailbreakme.com/_
I still don't understand why...
Either that, or there is another url check in the exploit to ensure it is only coming from jailbreakme. I guess a cheap security mechanism to stop the exploit being used for other purposes. Shouldn't be too hard to find and replace the url if that is the case.

Anyone figured out why the pdf won't run on any site other than jailbreakme?

The only reason why I would want to do this is to understand the jailbreak process of the pdf, and how jailbreakme.com managed to protect it. Any clue?
FYI comex has released the code for star: comex's star at master - GitHub. The cff dir contains the stuff for building the PDFs. Will have to try to recreate the pdf from scratch sometime when I get a chance. Also, being able to make mirrors of jailbreakme.com is useful if down the road we need to reinstall our iPhone 4s back to iOS 4 and jailbreak (and the real site is gone or something). Oh, the other way I thought of making a (personal) mirror is setting up an isolated network with an AP and DNS server, and telling the DNS server it is the controller for jailbreakme.com; then it can point to our own web server. Big pita but should work.
Apart from changing the wad.bin location, the expected URL has to be changed as well. In one of the uncompressed PDFs, open with a hex editor and search as a hex value:

Code:
#define WAD_URL @"http://jailbreakme.com/wad.bin"

Code:
NSString *host = [[tabDocument URL] host];
With the issues the jbme.com site has been having recently, it has become ever more important that this valuable resource not disappear. I would love to be able to localize this so that we can all continue to jb on 4.0/4.0.1 without reliance on the site itself. Is all the information we need to do this in this thread right now? It seems we need to also edit the wad.bin to localize this, as a check is being made in that file. Is this correct? Could some smart person out there please explain whatever else we need to know to do this ourselves?