GSM-Forum  

Welcome to the GSM-Forum forums.

You are currently viewing our boards as a guest which gives you limited access to view most discussions and access our other features.
Only registered members may post questions, contact other members or search our database of over 8 million posts.

Registration is fast, simple and absolutely free so please - Click to REGISTER!

If you have any problems with the registration process or your account login, please contact contact us .

Go Back   GSM-Forum > GSM & CDMA Phones / Tablets Software & Hardware Area > iPhone ,iPod & iPad (Apple Inc. Products) > iPhone 4 / 4S

iPhone 4 / 4S iPhone 4 / 4S

Reply
 
LinkBack Thread Tools Display Modes
Old 08-02-2010, 23:16   #1 (permalink)
Moderator
 
Gecko_UK's Avatar
 
Join Date: Feb 2009
Posts: 846
Member: 961957
Status: Offline
Sonork: Jabber: gecko@neko.im
Thanks Meter: 611
Reverse engineering STAR jailbreakme

So I downloaded the exploit PDF's used in the Star Jailbreak tool
after decompressing the pdf ( decompressed PDF) from 14kb > 31kb i can see the following

Type1c font exploit > jumps through IOSURFACE hole then it's in ur kernelz
it is not dependant on the browser. so if someone embeds this code into any PDF, repurposed to do something more sinister than root your phone, your in trouble. In theory you can jailbreak simply by dragging a PDF from here http://www.pdaviet.123viet.net/data2/vipboy/]Index of /data2/vipboy
into itunes and then ibooks, or mail it to yourself

then you can see it works in the same manner, the wad.bin is a 3.7mb file which is downloaded from the jailbreakme.m o d m y i . com/wad.bin
(remove spaces) you can patch your own server from what i can see very easily

font
Quote:
(1, '\n'), (2, '<<'), (1, '\n'), (2, '/Subtype'), (2, '/Type1C'
Framebuffer

Quote:
./System/Library/PrivateFrameworks/IOSurface.framework/IOSurface./System/Library/Frameworks/IOKit.framework/IOKit................AppleM2CLCD.....<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>IOSurfaceAllocSize</key><integer>176348</integer><key>IOSurfaceBufferTileMode</key><false/><key>IOSurfaceBytesPerElement</key><integer>4</integer><key>IOSurfaceBytesPerRow</key><integer>3045852016</integer><key>IOSurfaceHeight</key><integer>3221270467</integer><key>IOSurfaceIsGlobal</key><true/><key>IOSurfaceMemoryRegion</key><string>PurpleGfxMem</string><key>IOSurfacePixelFormat</key><integer>1095911234</integer><key>IOSurfaceWidth</key><integer>3982688476</integer></dict></plist>..........
priv
Quote:
.security.mac.proc_enforce......./sbin/launchd...*.......DYLD_INSERT_LIBRARIES=..¸.
Quote:
downloading.....This might take a while.....Cancel..http://jailbreakme.*****i.com/wad.bi.....Retry...File received was truncated.....File received was invalid.../tmp/install.dylib..Jailbreaking....Sit tight...(*yawn*)....(Come on, it's only a few megs!)....This might


quote from an earlier article regarding a private exploit at pwn2own on stock iphone, non jailbroken

Quote:
“Basically, every page that the user visits on our [rigged] site will grab the SMS database and upload it to a server we control,” Weinmann explained

The payload used chained return-into-libc (“return oriented programming”) on ARM to execute in spite of code signing. As far as we know, this is the first public demonstration of chainged return-into-libc on thre ARM platform.

In addition to hijacking the SMS database, Weinmann said the winning Pwn2Own exploit could have exfiltrated the phone contact list, the email database, photographs and iTunes music files.



In the iPhone sandbox, Weinmann said there’s a non-root user called ‘mobile’ with certain user privileges. “With this exploit, I can do anything that ‘mobile’ can do.”
If you can do that without root privileges, then surely allowing unpatched FW will be a huge security concern, with root priveleges an attacker would have the same control over the phone as a user... I can't imagine it will be long before someone a lot smarter and with darker intent re purposes this exploit, perhaps embedded into captive portal/mobile hotspot, or mass mailed as attachments etc.


any more info is appreciated, I'm trying to learn what i can with this tool, very
  Reply With Quote
The Following 5 Users Say Thank You to Gecko_UK For This Useful Post:
Show/Hide list of the thanked
Old 08-03-2010, 01:28   #2 (permalink)
Moderator
 
Gecko_UK's Avatar
 
Join Date: Feb 2009
Posts: 846
Member: 961957
Status: Offline
Sonork: Jabber: gecko@neko.im
Thanks Meter: 611
If you would like to protect your device in the mean time

" download this exploitwarner file copy to your device, open it on your device using either Terminal cmd

-Terminal
dpkg -i file.deb

- Using iFile:
Navigate to /var/mobile and double tap on the .deb file to install it.

you can also use ssh or cydia auto-install...I'm sure a repo will be up by tomorrow

you will now receive a warning on any site that attempts the flatedecode/ font loader exploit, and you choose whether to allow PDF's. this applies globally in iOS as far as i know. since the problem is not isolated to just the browser,



courtest of Will strafach Will Strafach (cdevwill) on Twitter
  Reply With Quote
The Following 6 Users Say Thank You to Gecko_UK For This Useful Post:
Show/Hide list of the thanked
Old 08-03-2010, 09:44   #3 (permalink)
Moderator
 
Gecko_UK's Avatar
 
Join Date: Feb 2009
Posts: 846
Member: 961957
Status: Offline
Sonork: Jabber: gecko@neko.im
Thanks Meter: 611





.
.
  Reply With Quote
The Following 7 Users Say Thank You to Gecko_UK For This Useful Post:
Show/Hide list of the thanked
Old 08-04-2010, 14:06   #4 (permalink)
Junior Member
 
Join Date: Mar 2010
Location: Auckland, New Zealand
Posts: 10
Member: 1263071
Status: Offline
Thanks Meter: 2
Hi there,
I've tried to create my own PDF xploit. However after I copied to my website and ran, it only creates installui.lib in tmp but doesnt run it, just blank pdf... whats wrong?
  Reply With Quote
Old 08-05-2010, 13:08   #5 (permalink)
Moderator
 
Gecko_UK's Avatar
 
Join Date: Feb 2009
Posts: 846
Member: 961957
Status: Offline
Sonork: Jabber: gecko@neko.im
Thanks Meter: 611
Quote:
Hi there,
I've tried to create my own PDF xploit. However after I copied to my website and ran, it only creates installui.lib in tmp but doesnt run it, just blank pdf... whats wrong?
Hi, Please detail the steps you've taken. Check you are using the right version also. This usually means the PDF hasn't unpacked/ repacked correctly
  Reply With Quote
Old 08-06-2010, 01:08   #6 (permalink)
No Life Poster
 
Join Date: Jun 2004
Age: 29
Posts: 1,028
Member: 67927
Status: Offline
Thanks Meter: 41
@gecko
I see the PDF execution at detector.js, but can we possible enter the url to jailbreakme.com/_/....pdf and will execute the code automatically?
If not then is that the purpose of star.js?
What about wad.bin? I believe that is Cydia, is that correct?
  Reply With Quote
Old 08-06-2010, 02:48   #7 (permalink)
Junior Member
 
Join Date: Mar 2010
Location: Auckland, New Zealand
Posts: 10
Member: 1263071
Status: Offline
Thanks Meter: 2
Quote:
Originally Posted by Gecko_UK View Post
Hi, Please detail the steps you've taken. Check you are using the right version also. This usually means the PDF hasn't unpacked/ repacked correctly
1. Copied all the files from Jailbreakme.com to my temp website jb.********.com:

_ slider.js wad.bin
detector.js star.css wallpaper-ipad.jpg
faq.html star.js wallpaper-iphone.jpg
index.html sunspider-3dcube.js wallpaper-retina.jpg
slider.css ui_normal.css

and folder "_" with:

iPad1,1_3.2.1.pdf iPhone2,1_3.1.3.pdf iPod2,1_3.1.2.pdf
iPad1,1_3.2.pdf iPhone2,1_4.0.1.pdf iPod2,1_3.1.3.pdf
iPhone1,x_3.1.2.pdf iPhone2,1_4.0.pdf iPod2,1_4.0.pdf
iPhone1,x_3.1.3.pdf iPhone3,1_4.0.1.pdf iPod3,1_3.1.2.pdf
iPhone1,x_4.0.1.pdf iPhone3,1_4.0.pdf iPod3,1_3.1.3.pdf
iPhone1,x_4.0.pdf iPod1,1_3.1.2.pdf iPod3,1_4.0.pdf
iPhone2,1_3.1.2.pdf iPod1,1_3.1.3.pdf

2. Decompressed iPhone1,x_4.0.1 using PDFTK 1.41 on Mac Snow Leo with this command in terminal:
pdftk iPhone1,x_4.0.1.pdf output iPhone_decompr.pdf uncompress

3. Opened decompressed PDF with Hex Fiend editor on my Mac and replaced "jailbreakme.com" to "jb.********.com" using overwrite mode. Saved.

4. Compressed iPhone_decompr.pdf using this command:
pdftk iPhone_decompr.pdf output iPhone_1,x_4.0.1.pdf compress

5. Uploaded modified PDF to the website to folder "_".

6. Opened my website on my iPhone 3G 4.0.1 and went to the "http://jb.********.com/_/" folder and ran the modified iPhone1,x_4.0.1.pdf. It opened, but just blank document, blank page and nothing happens, but the file "installui.dylib" copied to the tmp folder in my iPhone.

What steps did I miss or maybe I do something wrong? Thank you!
  Reply With Quote
The Following User Says Thank You to Alegz For This Useful Post:
Old 08-07-2010, 09:26   #8 (permalink)
Moderator
 
Gecko_UK's Avatar
 
Join Date: Feb 2009
Posts: 846
Member: 961957
Status: Offline
Sonork: Jabber: gecko@neko.im
Thanks Meter: 611
Quote:
I see the PDF execution at detector.js, but can we possible enter the url to jailbreakme.com/_/....pdf and will execute the code automatically?
yep, you don't to incorporate the javascript, the exploit itself is in the PDF. Just pointing browser at the correct file manually is enough.

Alegz, copy the normal PDF without unpacking, or any modifications to you're server and try running it. I'm sure you will see a blank document too

then try running it from jailbreakme.com/_
  Reply With Quote
Old 08-07-2010, 10:46   #9 (permalink)
Junior Member
 
Join Date: Mar 2010
Location: Auckland, New Zealand
Posts: 10
Member: 1263071
Status: Offline
Thanks Meter: 2
Quote:
Originally Posted by Gecko_UK View Post

Alegz, copy the normal PDF without unpacking, or any modifications to you're server and try running it. I'm sure you will see a blank document too

then try running it from jailbreakme.com/_
Yes, if I copy the normal PDF or modified one to my website I see a blank document. However it works alright when I open them from jailbreakme.com/_

I'm still don't understand why...
  Reply With Quote
Old 08-07-2010, 10:59   #10 (permalink)
Junior Member
 
Join Date: Aug 2010
Posts: 1
Member: 1362985
Status: Offline
Thanks Meter: 0
Quote:
Originally Posted by Alegz View Post
Yes, if I copy the normal PDF or modified one to my website I see a blank document. However it works alright when I open them from jailbreakme.com/_

I'm still don't understand why...
I noticed the same thing the other night - I haven't looked any further into it but I assume it relates to the HTTP headers -

Either that or there is another url check in the exploit to ensure it is only coming from jailbreakme - I guess a cheap security mechanism to stop the exploit being used for other purposes - shouldn't be too hard to find and replace the url if that is the case
  Reply With Quote
Old 08-08-2010, 21:53   #11 (permalink)
No Life Poster
 
Join Date: Jun 2004
Age: 29
Posts: 1,028
Member: 67927
Status: Offline
Thanks Meter: 41
anyone figured out why the pdf won't run on any site other than jailbreak me?
  Reply With Quote
Old 08-10-2010, 05:51   #12 (permalink)
No Life Poster
 
Join Date: Jun 2004
Age: 29
Posts: 1,028
Member: 67927
Status: Offline
Thanks Meter: 41
The only reason why I would want to do this is to understand the jailbreak process of the pdf, and how jailbreakme.com managed to protect it. any clue?
  Reply With Quote
Old 08-12-2010, 19:29   #13 (permalink)
Junior Member
 
Join Date: Aug 2010
Posts: 1
Member: 1367864
Status: Offline
Thanks Meter: 0
FYI comex has released the code for star: comex's star at master - GitHub the cff dir contains the stuff for building the pdf's. will have to try to recreate pdf from scratch sometime when I get chance. Also being able to make mirrors of jailbreakme.com is useful if down the road we need to reinstall our iphone4's back to ios4 and jailbreak (and the real site is gone or something), oh other way I thought of making a (personal) mirror is setting up isolated network w AP and DNS svr and tell DNS server it is controller for jailbreakme.com then can point to our own web server. big pita but should work.
  Reply With Quote
Old 08-12-2010, 22:35   #14 (permalink)
Moderator
 
Gecko_UK's Avatar
 
Join Date: Feb 2009
Posts: 846
Member: 961957
Status: Offline
Sonork: Jabber: gecko@neko.im
Thanks Meter: 611
apart from changing the wad.bin location was to change the expected URL as well..in one of the uncompressed PDF's open with a hex editor search as a hex value
Quote:
25 75 5F 25 66 00 00 00 6A 61 69 6C 62 72 65 61 6B 6D 65 2E 63 6F 6D
the jailbreakme URL is right there right next to the wad.bin defined location that is the expected URL you see below in the source code to Star, and as you can see it checks that it matches before proceeding

Quote:
6a61696c627265616b6d652e636f6d
paste this string in http://www.string-functions.com/hex-string.aspx click convert to see string output

Code:
#define WAD_URL @"http://jailbreakme.com/wad.bin"
#define EXPECTED_DOMAIN @"jailbreakme.com"
Code:
 NSString *host = [[tabDocument URL] host];
    if(![host isEqualToString:EXPECTED_DOMAIN] && ![host isEqualToString:[@"www." stringByAppendingString:EXPECTED_DOMAIN]]) return;
    if(!access("/bin/bash", F_OK)) {

Last edited by Gecko_UK; 08-12-2010 at 22:44.
  Reply With Quote
The Following User Says Thank You to Gecko_UK For This Useful Post:
Old 08-16-2010, 19:00   #15 (permalink)
Junior Member
 
Join Date: Aug 2010
Location: the southwest
Posts: 17
Member: 1370937
Status: Offline
Thanks Meter: 1
With the issues the jbme.com site has been having recently it has become ever more important that this valuable resource not disappear.

I would love to be able to localize this so that we can all continue to jb on 4.0/4.0.1 without reliance on the site itself.

Is all the information we need to do this in this thread right now?

It seems we need to also edit the wad.bin to localize this as a check is being made in that file. Is this correct?

Could some smart person out there please explain whatever else we need to know to do this ourselves?
  Reply With Quote
Reply

Bookmarks

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On


Similar Threads
thread Thread Starter Forum Replies Last Post
WHERE ARE MY STAR RATINGS. jj008 Nokia Legacy Phones ( DCT-1 ,2 ,3 ,L ) 3 07-18-2001 13:38
Reverse engineering MCU software kodo Nokia Legacy Phones ( DCT-1 ,2 ,3 ,L ) 0 04-21-2001 11:18
Reverse engineering MCU software kodo Nokia Multimedia 0 04-21-2001 11:16
Fatum your a star .. Pat UK Nokia Legacy Phones ( DCT-1 ,2 ,3 ,L ) 3 02-12-2001 22:36
star TAC 85 bdm pins ?? Cry Motorola Old Legacy (EMMI) 0 07-24-1999 00:07


All times are GMT +1. The time now is 15:23.



Powered by Searchlight © 2014 Axivo Inc.
vBulletin Optimisation provided by vB Optimise (Pro) - vBulletin Mods & Addons Copyright © 2014 DragonByte Technologies Ltd.
- GSM Hosting Ltd. - 1999-2014 -
Page generated in 0.74677 seconds with 8 queries

SEO by vBSEO