pattern-f
@pattern_F_
Followers
15,172
Following
143
Media
29
Statuses
120
Explore trending content on Musk Viewer
#咲き誇るみこち
• 215197 Tweets
期日前投票
• 144477 Tweets
#WOWOWESTꓸやねん
• 120105 Tweets
日本シリーズ
• 85681 Tweets
YINWAR X DESTINY CLINIC
• 72546 Tweets
SB19 ANIMBERSARY CONCERT
• 68386 Tweets
マイク納め
• 66376 Tweets
FY RECAP BLANK SS2EP5
• 50747 Tweets
#祝NIKKE2周年生放送
• 44181 Tweets
#sbhawks
• 41046 Tweets
RAIN WILL REIGN
• 31853 Tweets
シンデレラ
• 29986 Tweets
ALEXA RAVISHING PBBHOST
• 28773 Tweets
最高のライブ
• 26255 Tweets
コンパス
• 22601 Tweets
Patrick🥄
• 21422 Tweets
Delicious Friend Patrick
• 20745 Tweets
ムビチケ
• 15730 Tweets
ジャクソン
• 13505 Tweets
メイドインアビス
• 12512 Tweets
ボンドルド
• 11995 Tweets
iOS 14.0 "remote jailbreak" demo.😎 (RCE + LPE exploit)
Don't stay on versions on or below iOS 14.3. If you click a malicious link, bad guys would steal everything on your iPhone.
66
955
3K
Stable kernel r/w technique for iOS 14. Useful to researchers.
134
317
2K
iOS 15.x demo. Run 3 cmds: ls, id, sw_vers.
There is a lot of trouble in ios15. Still a long way from a real jailbreak.
iPhone XS, iOS 15.0: using cve-2021-30883 (written months ago)
iPhone 13 Pro, iOS 15.1: using cve-2021-30955 (thanks
@realBrightiup
)
I don't promise anything
72
206
1K
Write a jailbreak demo for CVE-2021-30883 (fixed in iOS 15.0.2, by
@AmarSaar
) on an iPhone 11 iOS 14.0.
Why iOS 14.0? I just want to verify if the vulnerability is exploitable. The code is based on the old ipc_kmsg hack. The exploit has better speed than cicuta_virosa.
57
217
1K
Got 6 CVEs from Apple😁
CVE-2021-1867, CVE-2021-1877, CVE-2021-1852, CVE-2021-1874, CVE-2021-1828, CVE-2021-1840
53
54
671
MD5 (TQ-pre-jailbreak .zip) = 49161ccfc399f2036dda8d654bd808f5
I'm planning to release it in a few days.
117
70
560
iOS 14.1, iPhone 12 (A12+ device), LPE exploit demo. Not a real
#Jailbreak
About the video: I find an iPhone 12 stayed on iOS 14.1 from my co-worker. I borrowed it and made a demo for the newest iPhone.😆
(英语太难了)
71
105
552
Update: make the exploit faster (cicuta_virosa
@ModernPwner
). Reduce the pain of running the exploit. Useful for researchers.
iPhone 12: 65s -> 10s
iPhone 6s: 188s -> 68s
41
78
510
Here is the slides.
Everything has Changed in iOS 14, but Jailbreak is Eternal
27
95
353
Everything is OK. Now I'm waiting for "something special".🤪
It's time to go home.
(世事难料)
41
47
314
My talk was accepted by BlackHat USA 2021.
No new vulnerability. Just the story of my iOS Learning Journey.
11
25
303
Update: Eliminate hardcoded offsets. No need to care about the offset things. Theoretically, works on every iOS [14.0 ~ 14.3] device.
20
46
254
Reproduced
@CodeColorist
's RCE (CVE-2021-1748).
Never wrote userspace exploit before. I had to learn too many concepts about Objective-C and JavaScriptCore in these days. It's really a painful experience.
12
32
234
uid=0(root), see you again!
a LPE exploit demo runs on the latest macOS 11.3.1, with an Intel-based MacBook. Reported to Apple
#security
11
29
234
Return from New Year's holiday yestday. It's time to do something interesting.🤪
Thanks for
@ModernPwner
's exploitation technique. Source code comes latter. It looks ugly now, need some time to make it readable for human.
14
27
220
xattr-oob-swap, a macOS tfp0 bug found by me.
Release this for BlackHat. This is a very interesting vuln. In some sense, I convert a very limited bug to a perfect exploit.😆
Special thanks to
@_bazad
, I learn a lot from his blog.🙏
22
35
219
I'm sorry the slides is not shown in my session recording. I think the code is the better way to express my thought.
Update the amfid_bypass part. See the function "uPAC_bypass_strategy_3"
19
58
213
slides “Write a SEP app for iOS”
4
44
211
CVE-2021-30914
I used this one to complete my first iOS LPE exploit demo, on 2021-02-09, . Unfortunately, it is not easy to exploit it in iOS 14.2 and above.
10
25
148
Can't stand dyld_shared_cache anymore. I tried hard to fix it. Here is an example. Almost perfect but the merged OBJC_RO/RW sections.
15
18
114
breaking news: Anonymous opened a door to iOS 14.
Amazing!
(新年快乐)
cicuta_virosa - iOS 14.3 kernel LPE for ALL devices.
@FCE365
@RazMashat
@CStar_OW
please share it across jailbreak community.
We are Anonymous. We are Legion.
87
364
1K
15
7
104
An important thread. I recommend iOS hackers to read this.
iOS 15.2 fixed many bugs in IOMobileFrameBuffer (IOMBF), one of my favorite attack surfaces, and brought me a lot of good memories regarding IOMBF.
3
53
317
6
18
105
These are the last two. Have stopped doing iOS vulnerability hunt for several months. So, no CVEs next time.
7
0
76
I can't use this bundle id now. 😭 No idea what happened.
It seems that when the certificate expired, others could register the used bundle id.
5
2
65
Good job!
A better release will hopefully come later, but for those who are interested, this code should work.
Enjoy!
2 untether bugs are included, should support 9.x -> 14.x
(no full jailbreak released yet, no kernel exploits dropped, obviously)
goodnight
27
93
340
2
8
65
retwit this for myself
Again, English is hard for me.😂
In this Briefing,
@pattern_F_
will give an overview of the techniques behind Apple's filesystem implementation, then detail the vulnerabilities (CVE-2020-27904, CVE-2019-8852) they have found. Learn more here:
0
9
42
8
9
63
With
@chenliang0817
's paper "Exploiting IOSurface 0", I figured out how to achieve arbitrary read/write with a kalloc_large uaf.
Know nothing about PPL, trust cache, PAC, etc. I need to learn them all next week.
#iOS14
#jailbreak
2
11
59
I hate debugging kernel. The only useful information is register values left in panic log.
1
8
62
proc_entitlement_is_bool_true(".container-manager") is changed to AppleMobileFileIntegrity::AMFIEntitlementGetBool in iOS 16.4. So the hack adding entitlements to the backend OSDictionary of OSEntitlements is not working.
4
11
59
me too🤣
5
2
56
@foxfortmobile
@AmarSaar
The original poc will trigger a co-processor fault, other than an AP kernel panic on A14 and A15. I don't know if it will work on these devices. Need lots of reverse engineering to confirm it.
3
11
51
😂😂😂
If every person on Earth aimed a laser pointer at the Moon at the same time, would it change color?
—Peter Lipowicz
4
3
53
PS: sshd crashed on iPhone 12 pro (iOS 14.3), so I can not log in now.
3
2
43
I've been a little busy lately. Hope I could get back to the vulnhunt things soon.
2
0
40
@CodeColorist
@tihmstar
Exact answer from the author of RCE.
Or just block itms:// and itmss:// scheme in MobileStore.
3
4
36
@S0rryMybad
No, I use this app to show the system version and iPhone model, so I don't need to open settings to display these infos.
0
2
31
@LinusHenze
@opa334dev
Don't be discouraged. Everybody has his favorite programming language. 😂
1
1
10
0
0
10
Reported long long ago, and finally fixed.
CVE-2020-27904, a LPE bug on macOS
0
1
8
@littlelailo
I'm not ready. It's only a home-made tool with ugly code. Someone says there is a tool "arandomdev / DyldExtractor" on github.
5
1
8
Starting macOS security research on Dec 2019. My first vulnerability, mark it.
2
0
6
3
1
6
@shogunpwnd
@ModernPwner
I leave the corrupted heap here on purpose. iPhone reboots very quickly, so I think it has little impact.
About the iPhone 7, I'm sorry I can't be of more help.
1
0
3
@AyyItzRob123
@foxfortmobile
@CStar_OW
But he/she said "Only works on iOS 14.0 - 14.2 FYI for A12+". Do I misunderstand the message? I'm not sure.🤔
1
1
2
@sickcodes
Maybe, $1,500,000 is real.😆
----
Issues that are unknown to Apple and are unique to designated developer betas and public betas, including regressions, can result in a 50% bonus payment.
1
0
2
@joinedserver
@zhuowei
Sometimes, Apple writes wrong/confusing bug description. It is not CVE-2022-42861. I think I'm not able to find such good bug as "MacDirtyCow". (sad)
0
0
2
