Reverse engineering STAR jailbreakme

[Gecko_UK]

So I downloaded the exploit PDF's used in the Star Jailbreak tool
after decompressing the pdf ( decompressed PDF) from 14kb > 31kb i can see the following

Type1c font exploit > jumps through IOSURFACE hole then it's in ur kernelz
it is not dependant on the browser. so if someone embeds this code into any PDF, repurposed to do something more sinister than root your phone, your in trouble. In theory you can jailbreak simply by dragging a PDF from here http://www.pdaviet.123viet.net/data2/vipboy/]Index of /data2/vipboy
into itunes and then ibooks, or mail it to yourself

then you can see it works in the same manner, the wad.bin is a 3.7mb file which is downloaded from the jailbreakme.m o d m y i . com/wad.bin
(remove spaces) you can patch your own server from what i can see very easily

font

Quote:

(1, '\n'), (2, '<<'), (1, '\n'), (2, '/Subtype'), (2, '/Type1C'

Framebuffer

Quote:

./System/Library/PrivateFrameworks/IOSurface.framework/IOSurface./System/Library/Frameworks/IOKit.framework/IOKit................AppleM2CLCD.....<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>IOSurfaceAllocSize</key><integer>176348</integer><key>IOSurfaceBufferTileMode</key><false/><key>IOSurfaceBytesPerElement</key><integer>4</integer><key>IOSurfaceBytesPerRow</key><integer>3045852016</integer><key>IOSurfaceHeight</key><integer>3221270467</integer><key>IOSurfaceIsGlobal</key><true/><key>IOSurfaceMemoryRegion</key><string>PurpleGfxMem</string><key>IOSurfacePixelFormat</key><integer>1095911234</integer><key>IOSurfaceWidth</key><integer>3982688476</integer></dict></plist>..........

priv

Quote:

.security.mac.proc_enforce......./sbin/launchd...*.......DYLD_INSERT_LIBRARIES=..¸.

Quote:

downloading.....This might take a while.....Cancel..http://jailbreakme.*****i.com/wad.bi.....Retry...File received was truncated.....File received was invalid.../tmp/install.dylib..Jailbreaking....Sit tight...(*yawn*)....(Come on, it's only a few megs!)....This might

quote from an earlier article regarding a private exploit at pwn2own on stock iphone, non jailbroken

Quote:

“Basically, every page that the user visits on our [rigged] site will grab the SMS database and upload it to a server we control,” Weinmann explained

The payload used chained return-into-libc (“return oriented programming”) on ARM to execute in spite of code signing. As far as we know, this is the first public demonstration of chainged return-into-libc on thre ARM platform.

In addition to hijacking the SMS database, Weinmann said the winning Pwn2Own exploit could have exfiltrated the phone contact list, the email database, photographs and iTunes music files.



In the iPhone sandbox, Weinmann said there’s a non-root user called ‘mobile’ with certain user privileges. “With this exploit, I can do anything that ‘mobile’ can do.”

If you can do that without root privileges, then surely allowing unpatched FW will be a huge security concern, with root priveleges an attacker would have the same control over the phone as a user... I can't imagine it will be long before someone a lot smarter and with darker intent re purposes this exploit, perhaps embedded into captive portal/mobile hotspot, or mass mailed as attachments etc.


any more info is appreciated, I'm trying to learn what i can with this tool, very

[Gecko_UK]

If you would like to protect your device in the mean time

" download this exploitwarner file copy to your device, open it on your device using either Terminal cmd

-Terminal
dpkg -i file.deb

- Using iFile:
Navigate to /var/mobile and double tap on the .deb file to install it.

you can also use ssh or cydia auto-install...I'm sure a repo will be up by tomorrow

you will now receive a warning on any site that attempts the flatedecode/ font loader exploit, and you choose whether to allow PDF's. this applies globally in iOS as far as i know. since the problem is not isolated to just the browser,



courtest of Will strafach Will Strafach (cdevwill) on Twitter

[Gecko_UK]

.
.

[Alegz]

Hi there,
I've tried to create my own PDF xploit. However after I copied to my website and ran, it only creates installui.lib in tmp but doesnt run it, just blank pdf... whats wrong?

[Gecko_UK]

Quote:

Hi there,
I've tried to create my own PDF xploit. However after I copied to my website and ran, it only creates installui.lib in tmp but doesnt run it, just blank pdf... whats wrong?

Hi, Please detail the steps you've taken. Check you are using the right version also. This usually means the PDF hasn't unpacked/ repacked correctly

[dest]

@gecko
I see the PDF execution at detector.js, but can we possible enter the url to jailbreakme.com/_/....pdf and will execute the code automatically?
If not then is that the purpose of star.js?
What about wad.bin? I believe that is Cydia, is that correct?

[Alegz]

Quote:

Originally Posted by Gecko_UK

Hi, Please detail the steps you've taken. Check you are using the right version also. This usually means the PDF hasn't unpacked/ repacked correctly

1. Copied all the files from Jailbreakme.com to my temp website jb.********.com:

_ slider.js wad.bin
detector.js star.css wallpaper-ipad.jpg
faq.html star.js wallpaper-iphone.jpg
index.html sunspider-3dcube.js wallpaper-retina.jpg
slider.css ui_normal.css

and folder "_" with:

iPad1,1_3.2.1.pdf iPhone2,1_3.1.3.pdf iPod2,1_3.1.2.pdf
iPad1,1_3.2.pdf iPhone2,1_4.0.1.pdf iPod2,1_3.1.3.pdf
iPhone1,x_3.1.2.pdf iPhone2,1_4.0.pdf iPod2,1_4.0.pdf
iPhone1,x_3.1.3.pdf iPhone3,1_4.0.1.pdf iPod3,1_3.1.2.pdf
iPhone1,x_4.0.1.pdf iPhone3,1_4.0.pdf iPod3,1_3.1.3.pdf
iPhone1,x_4.0.pdf iPod1,1_3.1.2.pdf iPod3,1_4.0.pdf
iPhone2,1_3.1.2.pdf iPod1,1_3.1.3.pdf

2. Decompressed iPhone1,x_4.0.1 using PDFTK 1.41 on Mac Snow Leo with this command in terminal:
pdftk iPhone1,x_4.0.1.pdf output iPhone_decompr.pdf uncompress

3. Opened decompressed PDF with Hex Fiend editor on my Mac and replaced "jailbreakme.com" to "jb.********.com" using overwrite mode. Saved.

4. Compressed iPhone_decompr.pdf using this command:
pdftk iPhone_decompr.pdf output iPhone_1,x_4.0.1.pdf compress

5. Uploaded modified PDF to the website to folder "_".

6. Opened my website on my iPhone 3G 4.0.1 and went to the "http://jb.********.com/_/" folder and ran the modified iPhone1,x_4.0.1.pdf. It opened, but just blank document, blank page and nothing happens, but the file "installui.dylib" copied to the tmp folder in my iPhone.

What steps did I miss or maybe I do something wrong? Thank you!

[Gecko_UK]

Quote:

I see the PDF execution at detector.js, but can we possible enter the url to jailbreakme.com/_/....pdf and will execute the code automatically?

yep, you don't to incorporate the javascript, the exploit itself is in the PDF. Just pointing browser at the correct file manually is enough.

Alegz, copy the normal PDF without unpacking, or any modifications to you're server and try running it. I'm sure you will see a blank document too

then try running it from jailbreakme.com/_

[Alegz]

Quote:

Originally Posted by Gecko_UK

Alegz, copy the normal PDF without unpacking, or any modifications to you're server and try running it. I'm sure you will see a blank document too

then try running it from jailbreakme.com/_

Yes, if I copy the normal PDF or modified one to my website I see a blank document. However it works alright when I open them from jailbreakme.com/_

I'm still don't understand why...

[Filterer]

Quote:

Originally Posted by Alegz

Yes, if I copy the normal PDF or modified one to my website I see a blank document. However it works alright when I open them from jailbreakme.com/_

I'm still don't understand why...

I noticed the same thing the other night - I haven't looked any further into it but I assume it relates to the HTTP headers -

Either that or there is another url check in the exploit to ensure it is only coming from jailbreakme - I guess a cheap security mechanism to stop the exploit being used for other purposes - shouldn't be too hard to find and replace the url if that is the case

[dest]

anyone figured out why the pdf won't run on any site other than jailbreak me?

[dest]

The only reason why I would want to do this is to understand the jailbreak process of the pdf, and how jailbreakme.com managed to protect it. any clue?

[indiemax314]

FYI comex has released the code for star: comex's star at master - GitHub the cff dir contains the stuff for building the pdf's. will have to try to recreate pdf from scratch sometime when I get chance. Also being able to make mirrors of jailbreakme.com is useful if down the road we need to reinstall our iphone4's back to ios4 and jailbreak (and the real site is gone or something), oh other way I thought of making a (personal) mirror is setting up isolated network w AP and DNS svr and tell DNS server it is controller for jailbreakme.com then can point to our own web server. big pita but should work.

[Gecko_UK]

apart from changing the wad.bin location was to change the expected URL as well..in one of the uncompressed PDF's open with a hex editor search as a hex value

Quote:

25 75 5F 25 66 00 00 00 6A 61 69 6C 62 72 65 61 6B 6D 65 2E 63 6F 6D

the jailbreakme URL is right there right next to the wad.bin defined location that is the expected URL you see below in the source code to Star, and as you can see it checks that it matches before proceeding

Quote:

6a61696c627265616b6d652e636f6d

paste this string in http://www.string-functions.com/hex-string.aspx click convert to see string output

Code:

#define WAD_URL @"http://jailbreakme.com/wad.bin"
#define EXPECTED_DOMAIN @"jailbreakme.com"

Code:

 NSString *host = [[tabDocument URL] host];
    if(![host isEqualToString:EXPECTED_DOMAIN] && ![host isEqualToString:[@"www." stringByAppendingString:EXPECTED_DOMAIN]]) return;
    if(!access("/bin/bash", F_OK)) {

[hackthatphone]

With the issues the jbme.com site has been having recently it has become ever more important that this valuable resource not disappear.

I would love to be able to localize this so that we can all continue to jb on 4.0/4.0.1 without reliance on the site itself.

Is all the information we need to do this in this thread right now?

It seems we need to also edit the wad.bin to localize this as a check is being made in that file. Is this correct?

Could some smart person out there please explain whatever else we need to know to do this ourselves?