Added Writeups

Joseph Shenton
2018-06-11 17:42:03 +10:00
parent 723fe9a514
commit 47d21cf4da
56 changed files with 30474 additions and 0 deletions

iOS Resources/papers/README.md Executable file

@ -0,0 +1,70 @@
# OS X / iOS Technical Papers
This list includes many technical papers about OS X and iOS exploitation/researching/reversing.
<br>
The papers you see listed here have been published publicly and are free to redistribute.
### Contributing
Instead of uploading a big chunk of PDFs to some hosting website or directly here on GitHub, I decided to link every entry directly. If a link is dead, and you have the original copy of the document, feel free to re-upload it and submit a pull request with the new URL.
<br>
Similarly, if you want to add documents, please submit a pull request with your entry/entries, added to the correct section with working URL/URLs.
# OS X
## Exploitation
| *Document* | *Related Talk* | *Author* | *Year* |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------|------------------------------------|--------|
| [Attacking the XNU Kernel in El Capitan](https://www.blackhat.com/docs/eu-15/materials/eu-15-Todesco-Attacking-The-XNU-Kernal-In-El-Capitain.pdf) | [Attacking The XNU Kernel In El Capitan](https://www.youtube.com/watch?v=k550C0V79ts) | Luca Todesco | 2015 |
| [OS X Kernel is As Strong as its Weakest Part](https://papers.put.as/papers/macosx/2015/poc2015osxkernelisasstrongasitsweakestpartliangshuaitian.pdf) | N/A | Liang Chen, ShuaiTian Zhao | 2015 |
| [Memory corruption is for wussies!](https://papers.put.as/papers/macosx/2016/SyScan360_SG_2016_-_Memory_Corruption_is_for_wussies.pdf) | N/A | fG! | 2016 |
| [Dont Trust Your Eye: Apple Graphics is Compromised!](https://papers.put.as/papers/macosx/2016/CanSecWest2016_Apple_Graphics_Compromised.pdf) | N/A | Liang Chen, Marco Grassi, Qidan He | 2016 |
| [OS X El Capitan sinking the Ship](https://papers.put.as/papers/macosx/2016/syscan360stefanesserosxelcapitansinkingtheship.pdf) | N/A | Stefan Esser | 2016 |
|[XNU:A Security Evaluation](https://papers.put.as/papers/macosx/2012/XNU_-a-security-evaluation-Daan_Keuper_2012-12-14-xnu.pdf)| N/A | Daan_Keuper | 2012 |
## Technical
| *Document* | *Related Talk* | *Author* | *Year* |
|-----------------------------------------------------------------------------------------------------------|----------------|----------------|--------|
| [DYLIB HIJACKING ON OS X](https://papers.put.as/papers/macosx/2015/vb201503-dylib-hijacking.pdf) | N/A | Patrick Wardle | 2015 |
| [Code Signing Hashed Out](https://papers.put.as/papers/macosx/2015/CodeSigning-RSA.pdf) | N/A | Jonathan Levin | 2015 |
| [The ARMs race to TrustZone](http://technologeeks.com/files/TZ.pdf) | N/A | Jonathan Levin | 2016 |
# iOS
## Exploitation
| *Document* | *Related Talk* | *Author* | *Year* |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------|--------|
| [iOS Kernel Exploitation](https://papers.put.as/papers/ios/2011/BH_US_11_Esser_Exploiting_The_iOS_Kernel_Slides.pdf) | [BlackHat 2011 - iOS Kernel Exploitation](https://www.youtube.com/watch?v=fQHkA_s3d2o) | Stefan Esser | 2011 |
| [iOS Kernel Exploitation -- IOKit Edition](https://papers.put.as/papers/ios/2011/SyScanTaipei2011_StefanEsser_iOS_Kernel_Exploitation_IOKit_Edition.pdf) | N/A | Stefan Esser | 2011 |
| [iOS 5 An Exploitation Nightmare?](https://papers.put.as/papers/ios/2012/CSW2012_StefanEsser_iOS5_An_Exploitation_Nightmare_FINAL.pdf) | N/A | Stefan Esser | 2012 |
| [iOS Kernel Heap Armageddon](https://papers.put.as/papers/ios/2012/SyScan2012_StefanEsser_iOS_Kernel_Heap_Armageddon.pdf) | N/A | Stefan Esser | 2012 |
| [iOS 6 Kernel Security: A Hackers Guide](https://conference.hitb.org/hitbsecconf2012kul/materials/D1T2%20-%20Mark%20Dowd%20&%20Tarjei%20Mandt%20-%20iOS6%20Security.pdf) | [#HITB2012KUL D1T2 - Mark Dowd & Tarjei Mandt - iOS 6 Security](https://www.youtube.com/watch?v=O-WZinEoki4) | Mark Dowd, Tarjei Mandt | 2012 |
| [Find Your Own iOS Kernel Bug](https://papers.put.as/papers/ios/2012/Xu-Hao-Xiabo-Chen-Find-Your-Own-iOS-Kernel-Bug.pdf) | N/A | Chen Xiaobo, Xu Hao | 2012 |
| [Attacking the iOS Kernel: A Look at evasi0n](https://papers.put.as/papers/ios/2013/NISlecture201303.pdf) | N/A | Tarjei Mandt | 2013 |
| [SWIPING THROUGH MODERN SECURITY FEATURES](https://papers.put.as/papers/ios/2013/D2T1-Pod2g-Planetbeing-Musclenerd-and-Pimskeks-aka-Evad3rs-Swiping-Through-Modern-Security-Features.pdf) | [#HITB2013AMS D2T1 Evad3rs - Swiping Through Modern Security Features](https://www.youtube.com/watch?v=brrIquvUR4M) | evad3rs | 2013 |
| [Exploiting Unpatched iOS Vulnerabilities for Fun and Profit](https://papers.put.as/papers/ios/2014/iosjb_slide.pdf) | N/A | Yeongjin Jang, Tielei Wang, Byoungyoung Lee, Billy Lau | 2014 |
| [iOS 6/7/8 Security - A Study in Fail](https://papers.put.as/papers/ios/2015/SyScan15_Stefan_Esser_-_iOS_678_Security_-_A_Study_in_Fail.pdf) | N/A | Stefan Esser | 2015 |
| [OPTIMIZED FUZZING IOKIT IN iOS](https://papers.put.as/papers/ios/2015/us-15-Lei-Optimized-Fuzzing-IOKit-In-iOS-wp.pdf) | [Optimized Fuzzing IOKit In iOS](https://www.youtube.com/watch?v=XDT9Cn8GjJU) | Lei Long | 2015 |
| [Review and Exploit Neglected Attack Surface in iOS 8](https://papers.put.as/papers/ios/2015/us-15-Wang-Review-And-Exploit-Neglected-Attack-Surface-In-iOS-8.pdf) | N/A | Pangu Team | 2015 |
| [Hacking from iOS 8 to iOS 9](https://papers.put.as/papers/ios/2015/POC2015_RUXCON2015.pdf) | N/A | Pangu Team | 2015 |
| [Dig Into The Attack Surface Of PDF And Gain 100 CVEs In 1 Year](https://www.blackhat.com/docs/asia-17/materials/asia-17-Liu-Dig-Into-The-Attack-Surface-Of-PDF-And-Gain-100-CVEs-In-1-Year.pdf)| N/A | Tencent XuanWu Lab | 2017 |
|[Diving into the iOS Kernel: Breaking Entitlements](https://sparkes.zone/blog/jekyll/update/2018/04/06/diving-into-the-kernel-entitlements.html)| N/A | @iBSparkes | 2018|
## Technical
| *Document* | *Related Talk* | *Author* | *Year* |
|-----------------------------------------------------------------------------------------------------------|----------------|----------------|--------|
| [Security Enclave](http://mista.nu/research/sep-paper.pdf) | N/A | Tarjei Mandt, Mathew Solnik, and David Wang | N/A |
## Exploit Write-ups
| *CVEIDs* | *LINK* |
|-------------|----------------|
|CVE-2016-4655 CVE-2016-4656| <https://jndok.github.io/2016/10/04/pegasus-writeup/> |
|CVE-2016-7644 CVE-2016-7637 CVE-2016-7661|<https://bugs.chromium.org/p/project-zero/issues/detail?id=965> |
|CVE-2017-2370|<https://googleprojectzero.blogspot.co.uk/2017/04/exception-oriented-exploitation-on-ios.html>|
|CVE-2017-2416|<https://blog.flanker017.me/cve-2017-2416-gif-remote-exec/>|
|CVE-2017-2533 CVE-2017-2535 CVE-2017-2534|<https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc> <https://phoenhex.re/2017-07-06/pwn2own-sandbox-escape>|
|CVE-2018-4087|https://blog.zimperium.com/cve-2018-4087-poc-escaping-sandbox-misleading-bluetoothd/|
|CVE-2B-DETERMINED|http://bazad.github.io/2018/04/kernel-pointer-crash-log-ios/|
## External Links
Here you can find external list of papers and documents, most of which are not listed here.
* [@osxreverser](https://twitter.com/osxreverser)'s list: https://papers.put.as/
* [@snakeninny](https://twitter.com/snakeninny)'s iOSRE Book for beginners: https://github.com/iosre/iOSAppReverseEngineering


@ -0,0 +1,14 @@
#!/usr/bin/env python
import urllib2
import urllib
import json
headers = { 'User-Agent' : 'Mozilla/5.0' }
req = urllib2.Request('http://hopperapp.com/include/files-api.php?request=releases',None,headers)
print "Loading Hopper URL API"
response = urllib2.urlopen(req)
the_page = response.read()
JSON=json.loads(the_page)
OSXJSON=JSON["OS X"]
url=OSXJSON["filename"]
print "Downloading Hopper Latest With Size:",OSXJSON["file_length"]
urllib.urlretrieve (url, "Hoppper-Latest.zip")
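Review bot: Both the release metadata (`urllib2.Request('http://hopperapp.com/...')`) and the archive itself (`urllib.urlretrieve(url, "Hoppper-Latest.zip")`) travel over plain HTTP with no integrity check, and `url` is taken verbatim from the response JSON, so anyone on the network path can substitute an arbitrary download — and the installer in this same commit runs this script with `sudo` and then unzips the result into /Applications. Assuming the vendor serves the API over TLS, request `https://hopperapp.com/include/files-api.php?request=releases` and refuse a non-TLS target before downloading, e.g. `if not url.startswith('https://'): raise SystemExit('refusing non-HTTPS download: ' + url)`. `OSXJSON["file_length"]` is printed but never compared with the size actually written; checking `os.path.getsize` against it after `urlretrieve` would at least catch truncated downloads. A header comment noting that the script targets Python 2 (`urllib2`, print statements) would save the next person a confusing failure under Python 3.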


@ -0,0 +1,79 @@
#/bin/bash
echo "Installing Xcode Commandline Tools"
xcode-select --install
if ! type "brew" > /dev/null; then
# install Homebrew
echo "Installing Homebrew"
ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
else
echo "Homebrew already installed"
fi
if ! type "dpkg" > /dev/null; then
# install dpkg
echo "Installing dpkg"
brew install dpkg
else
echo "dpkg already installed"
fi
if ! type "ldid" > /dev/null; then
# install ldid
echo "Installing ldid"
brew install ldid
else
echo "ldid already installed"
fi
export THEOS=/opt/theos
if [ ! -d "$THEOS" ]; then
# Theos isn't existe
echo "Installing Theos"
echo "export THEOS=/opt/theos" >>~/.bash_profile
source ~/.bash_profile
sudo git clone --recursive https://github.com/theos/theos.git $THEOS
sudo git clone https://github.com/theos/headers.git $THEOS/Headers
sudo cp -r $THEOS/Headers/ $THEOS/include
sudo rm -rf $THEOS/Headers/
else
# Theos existe
echo "Theos already installed"
fi
if ! type "wget" > /dev/null; then
# install wget
echo "Installing wget"
brew install wget
else
echo "wget already installed"
fi
if [ ! -d "/Applications/Reveal.app" ]; then
# Reveal app isn't existe
echo "Installing Reveal"
wget http://download.revealapp.com/Reveal.app.zip
unzip -XK ./Reveal.app.zip
chmod +x ./Reveal.app/Contents/MacOS/Reveal
mv ./Reveal.app /Applications/Reveal.app
rm -rf ./Reveal.app
rm -rf ./Reveal.app.zip
else
echo "Reveal app already installed"
fi
if [ ! -d "/Applications/Hopper Disassembler v3.app" ]; then
# Hopper app isn't existe
echo "Installing Hopper"
sudo ./Hopper.py
unzip -XK ./Hoppper-Latest.zip
mv './Hopper Disassembler v3.app' '/Applications/Hopper Disassembler v3.app'
else
echo "Hopper app already installed"
fi
sudo ./debugserver.py
git clone https://github.com/nygard/class-dump.git class-dump
xcodebuild -project ./class-dump/class-dump.xcodeproj #Compile classdump
mv ./class-dump/build/Release/class-dump /usr/local/bin
rm -rf ./class-dump
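Review bot: The Reveal bundle is fetched with `wget http://download.revealapp.com/Reveal.app.zip` over plain HTTP, never checksum-verified, then `chmod +x`-ed and moved into /Applications, so a network attacker can plant an arbitrary application bundle; the same script also runs `sudo ./Hopper.py` and `sudo ./debugserver.py` as root although nothing visible in either helper needs privileges. Fetch over TLS if the vendor offers it (`wget https://download.revealapp.com/Reveal.app.zip`), compare the archive against a pinned SHA-256 with `shasum -a 256 -c` before the `unzip`/`chmod`/`mv` sequence, and drop the `sudo` from the two Python helpers. Separately, the first line `#/bin/bash` is missing the `!`, so it is not a shebang and the file runs under whatever shell the caller happens to use — it should read `#!/bin/bash`. Nothing stops on error (no `set -e`), so a failed download still proceeds to `unzip`, `chmod` and `mv` of whatever is on disk.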


@ -0,0 +1,8 @@
# iOSRETools
>>YOU MUST cd TO THIS FOLDER BEFORE DOING ANYTHING!!!
>>Then Just ./Installer.sh
A collection of commonly used iOSRE Tools
Pull Requests Are Favoured
>>Naville.Zhang


@ -0,0 +1,28 @@
#!/usr/bin/env python
import subprocess
import string
import os
Path = subprocess.check_output(['xcode-select', '-p'])
Path = Path + "/Platforms/iPhoneOS.platform/DeviceSupport"
Path = string.replace(Path, "\n", "")
print "Developer Images Located At:", Path
for Sub in os.listdir(Path):
SubDire = os.path.join(Path, Sub)
if (os.path.isdir(SubDire)):
print "Loading Developer Disk Image At:\n",SubDire
os.system("hdiutil mount "+"\""+SubDire+"\""+"/DeveloperDiskImage.dmg -mountpoint /Volumes/DeveloperDiskImage")
DebugSrvPath=SubDire+"/debugserver"
print DebugSrvPath
print "Current DebugServer Copied To:\n"+DebugSrvPath
os.system("cp /Volumes/DeveloperDiskImage/usr/bin/debugserver "+"\""+SubDire+"\"")
os.system("codesign -s - --entitlements ./debugsrvEntitle.xml -f "+"\""+DebugSrvPath+"\"")
Version=os.path.basename(os.path.normpath(SubDire))#Thanks http://stackoverflow.com/questions/3925096/how-to-get-only-the-last-part-of-a-path-in-python
print "Version For Current DebugServer:\n"+Version
os.system("cp "+"\""+DebugSrvPath+"\""+" ./DebugServer"+"\""+Version+"\"")
print "Unloading Developer Disk Image At:\n",SubDire
os.system("hdiutil unmount /Volumes/DeveloperDiskImage")
os.remove(DebugSrvPath)
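Review bot: Every step of the loop goes through `os.system` with its exit status ignored, so if `hdiutil mount` fails (for example because the previous iteration's `hdiutil unmount` failed and /Volumes/DeveloperDiskImage is still attached), the `cp` and `codesign` lines silently sign and copy the previous image's debugserver under the current version's name, and `os.remove(DebugSrvPath)` then raises on the missing file. Directory names from `os.listdir` are also spliced into shell strings with only double quotes, which breaks on `$`, backtick or `"` characters — unlikely under Xcode's DeviceSupport, but needless. Replacing the `os.system` calls with `subprocess.check_call` on argument lists removes both problems; the rewritten loop below also builds the image path with `os.path.join` and uses `.strip()` instead of `string.replace` on the `xcode-select` output. A header comment should state that the produced binaries are ad-hoc signed (`-s -`) with task_for_pid/run-unsigned-code entitlements and are intended for jailbroken or development devices only.
```python
Path = subprocess.check_output(['xcode-select', '-p']).strip()
Path = Path + "/Platforms/iPhoneOS.platform/DeviceSupport"
print "Developer Images Located At:", Path
for Sub in os.listdir(Path):
    SubDire = os.path.join(Path, Sub)
    if not os.path.isdir(SubDire):
        continue
    print "Loading Developer Disk Image At:\n", SubDire
    # check_call raises on a non-zero exit, so a failed mount never reaches the copy/sign steps
    subprocess.check_call(["hdiutil", "mount", os.path.join(SubDire, "DeveloperDiskImage.dmg"),
                           "-mountpoint", "/Volumes/DeveloperDiskImage"])
    DebugSrvPath = os.path.join(SubDire, "debugserver")
    try:
        subprocess.check_call(["cp", "/Volumes/DeveloperDiskImage/usr/bin/debugserver", SubDire])
        subprocess.check_call(["codesign", "-s", "-", "--entitlements", "./debugsrvEntitle.xml", "-f", DebugSrvPath])
        Version = os.path.basename(os.path.normpath(SubDire))
        print "Version For Current DebugServer:\n" + Version
        subprocess.check_call(["cp", DebugSrvPath, "./DebugServer" + Version])
    finally:
        print "Unloading Developer Disk Image At:\n", SubDire
        subprocess.check_call(["hdiutil", "unmount", "/Volumes/DeveloperDiskImage"])
        if os.path.exists(DebugSrvPath):
            os.remove(DebugSrvPath)
```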


@ -0,0 +1,14 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/ PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.springboard.debugapplications</key>
<true/>
<key>run-unsigned-code</key>
<true/>
<key>get-task-allow</key>
<true/>
<key>task_for_pid-allow</key>
<true/>
</dict>
</plist>
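Review bot: The DOCTYPE system identifier reads `"http://www.apple.com/DTDs/ PropertyList-1.0.dtd"` with a space before `PropertyList`; if that is in the file rather than a rendering artifact it should be `"http://www.apple.com/DTDs/PropertyList-1.0.dtd"` — codesign ignores the DOCTYPE, but stricter plist tooling may reject the file. A comment above `<dict>` should also spell out the blast radius: as their names indicate, `get-task-allow`, `task_for_pid-allow` and `run-unsigned-code` are exactly the entitlements a debugger needs to attach to other processes and load unsigned code, so a debugserver signed with this file belongs only on jailbroken or development devices and must never be bundled into an app.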


@ -0,0 +1,51 @@
#!/bin/bash
#######################################################################
#
# Project......: build_xpwn.sh
# Creator......: matteyeux
# Description..: Script to install XPwn tools
#
######################################################################
# Language :
# bash
# Version : 0.3
if [[ "$(whoami)" != "root" ]]; then
echo "Please run this script as root"
exit 1
fi
if [[ $(uname) != 'Linux' ]]; then
echo "This script is only for Linux"
exit 1
fi
apt-get -y install binutils
apt-get -y install p7zip-full
apt-get -y install git
apt-get -y install build-essential
apt-get -y install make
apt-get -y install cmake
apt-get -y install openssl
apt-get -y install libcrypto++-dev:q
apt-get -y install bsdiff
apt-get -y install libbz2-dev
apt-get -y install libpng3
apt-get -y install libusb-1.0.0
apt-get -y install libusb-1.0.0-dev
apt-get -y install libssl-dev
apt-get -y install libcurl3
apt-get -y install python-pip
cd ~
git clone https://github.com/xerub/xpwn.git
mkdir ~/build
cd ~/build
cmake ~/xpwn
make
make package
tar xvjf XPwn-0.5.8-Linux.tar.bz2
cd XPwn-0.5.8-Linux
cp dmg hdutil hfsplus ipsw ticket xpwntool validate /usr/local/bin/
echo "XPwn binaries installed to /usr/local/bin/"
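Review bot: `apt-get -y install libcrypto++-dev:q` carries a stray `:q` (it looks like an editor escape), so apt reports an unknown package and, because the script never sets `-e`, the run continues without libcrypto++ and fails later inside `cmake`/`make` with a far less obvious error; it should be `apt-get -y install libcrypto++-dev`. The script then, as root, clones `https://github.com/xerub/xpwn.git` at whatever HEAD is today, builds it and copies the binaries into /usr/local/bin with no pinning or verification, so anyone who can push to that repository gets root on every machine this runs on; pin a reviewed commit (`git -C ~/xpwn checkout <commit>`) or at least clone, build and `make package` as an unprivileged user and only `cp` as root. Add `set -euo pipefail` after the shebang so a failed `apt-get`, `cmake` or `make` stops before the `cp ... /usr/local/bin/`. The `XPwn-0.5.8-Linux.tar.bz2` name is hard-coded and will silently break on the next upstream version bump; `tar xvjf XPwn-*-Linux.tar.bz2` would survive it.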


@ -0,0 +1,227 @@
#!/bin/bash
#######################################################################
#
# Project......: libinstaller.sh
# Creator......: matteyeux
# Description..: Script to install libimobiledevice on OS X & Debian Distros
# initials scripts: brew.sh & autobuild.sh by DarkMalloc
# Type.........: Public
#
######################################################################
# Language :
# bash
# Version : 0.2
#
# Change Log
# ==========
#
# ===============================================================
# Date | Who | What
# ---------------------------------------------------------------
# 27/12/15 | Mathieu Hautebas | Script creation
# ---------------------------------------------------------------
# 10/03/16 | HanSheng Zhang | Fix Stack overflow caused by naming issues
# ---------------------------------------------------------------
function apt-get(){
sudo apt-get install -y git
sudo apt-get install -y build-essential
sudo apt-get install -y make
sudo apt-get install -y autoconf
sudo apt-get install -y automake
sudo apt-get install -y libtool
sudo apt-get install -y openssl
sudo apt-get install -y tar
sudo apt-get install -y perl
sudo apt-get install -y binutils
sudo apt-get install -y gcc
sudo apt-get install -y libstdc++6-dev
sudo apt-get install -y libc6-dev
sudo apt-get install -y libssl-dev
sudo apt-get install -y libusb-1.0
sudo apt-get install -y gcc4.2
sudo apt-get install -y g++
sudo apt-get install -y libcurl4-gnutls-dev
sudo apt-get install -y fuse
sudo apt-get install -y libxml2-dev
sudo apt-get install -y libgfortran1
sudo apt-get install -y libgfortran2
sudo apt-get install -y libgfortran
sudo apt-get install -y libgcc1
sudo apt-get install -y libreadline-dev
sudo apt-get install -y libglib2.0-dev
sudo apt-get install -y libzip-dev
sudo apt-get install -y libclutter-1.0-dev
sudo apt-get install -y libgtk2.0-dev
sudo apt-get install -y libclutter-gtk-1.0-dev
sudo apt-get install -y lib32bz2-dev
sudo apt-get install -y libfuse-dev
sudo apt-get install -y subversion
sudo apt-get install -y cython
sudo apt-get install -y python-2.7
sudo apt-get install -y python2.7-numpy
sudo apt-get install -y libncurses4
sudo apt-get install -y libncurses5
sudo apt-get install -y ncurses-base
}
function brewfunc(){
# Install Hombrew.
if ! type "brew" > /dev/null; then
echo "brew Doesn't Exist.Installing"
ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
else
echo "Brew Exists. Using"
fi
# Install command-line tools using Homebrew.
# Ask for the administrator password upfront.
sudo -v
# Keep-alive: update existing `sudo` time stamp until the script has finished.
while true; do sudo -n true; sleep 60; kill -0 "$$" || exit; done 2>/dev/null &
echo "Make sure were using the latest Homebrew."
brew update
echo "Upgrade any already-installed formulae."
brew upgrade
echo "Install GNU core utilities (those that come with OS X are outdated)".
echo "Dont forget to add `$(brew --prefix coreutils)/libexec/gnubin` to `$PATH`".
brew install coreutils
sudo ln -s /usr/local/bin/gsha256sum /usr/local/bin/sha256sum
echo " Install some other useful utilities like `sponge`".
brew install moreutils
echo "Install GNU `find`, `locate`, `updatedb`, and `xargs`, `g`-prefixed".
brew install findutils
echo "Install GNU `sed`, overwriting the built-in `sed`".
brew install gnu-sed --with-default-names
echo "Install Development Packages";
brew install libxml2
brew install libzip
brew install libplist
brew install openssl
brew install clutter
brew install cogl
brew install usbmuxd
# Install Software;
brew install automake
brew install cmake
brew install colormake
brew install autoconf
brew install libtool
brew install pkg-config
brew install gcc
brew install libusb
brew install homebrew/fuse/ifuse
brew install glib
# Install Optional;
brew install screenfetch
brew install Caskroom/cask/osxfuse
# Install extras;
brew install bfg
brew install binutils
brew install binwalk
brew install cifer
brew install dex2jar
brew install dns2tcp
brew install fcrackzip
brew install foremost
brew install hashpump
brew install hydra
brew install john
brew install knock
brew install nmap
brew install pngcheck
brew install socat
brew install sqlmap
brew install tcpflow
brew install tcpreplay
brew install tcptrace
brew install ucspi-tcp # `tcpserver` etc.
brew install xz
# Install other useful binaries.
brew install ack
#brew install exiv2
brew install git
#brew install imagemagick --with-webp
brew install lua
brew install lynx
brew install p7zip
brew install pigz
# Install Node.js. Note: this installs `npm` too, using the recommended
# installation method.
brew install node
# Remove outdated versions from the cellar.
brew cleanup
}
function autobuild(){
successlibs=()
failedlibs=()
libs=( "libplist" "libusbmuxd" "libimobiledevice" "usbmuxd" "libirecovery" \
"ideviceinstaller" "libideviceactivation" "idevicerestore" "sbmanager" "ifuse" )
spinner() {
# What On Earth Is This?
local pid=$1
local delay=0.75
local spinstr='|/-\'
echo "$pid" > "/tmp/.spinner.pid"
while [ "$(ps a | awk '{print $1}' | grep $pid)" ]; do
local temp=${spinstr#?}
printf " [%c] " "$spinstr"
local spinstr=$temp${spinstr%"$temp"}
sleep $delay
printf "\b\b\b\b\b\b"
done
printf " \b\b\b\b"
}
buildlibs() {
for i in "${libs[@]}"
do
echo -e "\033[1;32mFetching $i..."
git clone https://github.com/libimobiledevice/${i}.git
cd $i
echo -e "\033[1;32mConfiguring $i..."
./autogen.sh
./configure
echo -e "\033[1;32mBuilding $i..."
make && sudo make install
echo -e "\033[1;32mInstalling $i..."
cd ..
done
echo -e "\033[0m"
}
function buildr {
buildlibs
}
echo -e "\033[1;37mLibimobiledevice library build script - Elrhk 2015"
buildr
}
if [[ $(uname) == 'Linux' ]]; then
apt-get
autobuild
exit 1
elif [[ $(uname) == 'Darwin' ]]; then
brewfunc
autobuild
fi
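Review bot: `buildlibs` clones ten repositories from GitHub at unpinned HEAD and runs `./autogen.sh`, `./configure`, `make && sudo make install` on each without checking any exit status: if a `git clone` or `cd $i` fails, `./autogen.sh` runs in the parent directory and the trailing `cd ..` walks one level above the working tree, so the remaining libraries are fetched and installed from the wrong place, still as root. The rewrite below aborts on the first failure and uses `pushd`/`popd` so the working directory is always restored; pinning each repository to a reviewed tag or commit is still needed before a `sudo make install` of its output is defensible. The Linux branch at the bottom ends with `exit 1` after a successful run, which reports failure to any caller — it should be `exit 0`. Naming the helper `apt-get` shadows the real command inside this script; the `sudo apt-get` calls resolve to the binary because sudo does not see shell functions, but any future unprivileged `apt-get` call in the file would recurse, so rename it `aptfunc` to match `brewfunc`. `spinner` is defined but never called.
```bash
buildlibs() {
    for i in "${libs[@]}"
    do
        echo -e "\033[1;32mFetching $i..."
        git clone "https://github.com/libimobiledevice/${i}.git" || { echo -e "\033[0mclone of $i failed"; return 1; }
        pushd "$i" >/dev/null || return 1
        echo -e "\033[1;32mConfiguring $i..."
        # stop on the first failing step instead of running make in a half-configured tree
        if ! ( ./autogen.sh && ./configure ); then
            echo -e "\033[0mconfigure of $i failed"; popd >/dev/null; return 1
        fi
        echo -e "\033[1;32mBuilding $i..."
        if ! ( make && sudo make install ); then
            echo -e "\033[0mbuild of $i failed"; popd >/dev/null; return 1
        fi
        popd >/dev/null
    done
    echo -e "\033[0m"
}
```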