@MrARM
Created December 22, 2017 16:14
Crash log for mterminal
#LOG 1
build_id: 15A372
sysname: Darwin
nodename: iPad-Air
release: 17.0.0
version: Darwin Kernel Version 17.0.0: Fri Sep 1 14:59:18 PDT 2017; root:xnu-4570.2.5~167/RELEASE_ARM64_S5L8960X
machine: iPad4,1
unknown kernel build. If this is iOS 11 it might still be able to get tfp0, trying anyway
message size for kalloc.4096: 2956
got user client: 0x6307
[+] prepared kqueue
task self: 0xfffffff003781a00
our task port is at 0xfffffff003781a00
found target port with suitable allocation page offset: 0xfffffff004f85a40
replacer_body_size: 0xb74
message_body_offset: 0x448
0
e00002c9
0
got replaced with replacer port 58
found kernel vm_map: 0xfffffff122d866e0
second time got replaced with replacer port 0
will try to read from second port (fake kernel)
kernel read via fake kernel task port worked?
0x0000000000420000
0x0000000000000000
0xfffffff122d906b0
0xfffffff122d90750
about to build safer tfp0
message buffer: fffffff002356000
fake_kernel_task_kaddr: fffffff002356000
read fake_task_refs: d00d
about to test new tfp0
kernel read via second tfp0 port worked?
0x0000000000420000
0x0000000000000000
0xfffffff122d906b0
0xfffffff122d90750
built safer tfp0
about to clear up
cleared up
tfp0: 188900b
slide: 0x000000001c000000
Created fake_vtable at fffffff00085d000
Copied some of the vtable over
Created fake_client at fffffff00085e000
Copied the user client over
Wrote the `add x0, x0, #0x40; ret;` gadget over getExternalTrapForIndex
found amfid - getting task
our proc is at 0xfffffff00141e860
kern proc is at 0xfffffff023609950
our uid is 0
wrote test file: 0x101201ed8
remounting: 0
File already exists!
Did we mount / as read+write? yes
Trusting '/bootstrap/tar'
spawn '/bootstrap/tar': pid=237
rv=0
empower
message buffer: fffffff002287000
kcall object allocated via early_kalloc at fffffff002287000
It freezes at that last line and I got a panic about a minute later.
#LOG 2
build_id: 15A372
sysname: Darwin
nodename: iPad-Air
release: 17.0.0
version: Darwin Kernel Version 17.0.0: Fri Sep 1 14:59:18 PDT 2017; root:xnu-4570.2.5~167/RELEASE_ARM64_S5L8960X
machine: iPad4,1
unknown kernel build. If this is iOS 11 it might still be able to get tfp0, trying anyway
message size for kalloc.4096: 2956
got user client: 0x6307
[+] prepared kqueue
task self: 0xfffffff003412848
our task port is at 0xfffffff003412848
found target port with suitable allocation page offset: 0xfffffff00507be70
replacer_body_size: 0xb74
message_body_offset: 0x448
0
e00002c9
0
got replaced with replacer port 57
found kernel vm_map: 0xfffffff124d86b60
second time got replaced with replacer port 0
will try to read from second port (fake kernel)
kernel read via fake kernel task port worked?
0x0000000000420000
0x0000000000000000
0xfffffff124d90610
0xfffffff124d90660
about to build safer tfp0
message buffer: fffffff001c9e000
fake_kernel_task_kaddr: fffffff001c9e000
read fake_task_refs: d00d
about to test new tfp0
kernel read via second tfp0 port worked?
0x0000000000420000
0x0000000000000000
0xfffffff124d90610
0xfffffff124d90660
built safer tfp0
about to clear up
cleared up
tfp0: 188960b
slide: 0x000000001e000000
Created fake_vtable at fffffff000807000
Copied some of the vtable over
Created fake_client at fffffff000808000
Copied the user client over
Wrote the `add x0, x0, #0x40; ret;` gadget over getExternalTrapForIndex
found amfid - getting task
our proc is at 0xfffffff001170180
kern proc is at 0xfffffff025609950
our uid is 0
wrote test file: 0x14de019a8
remounting: 0
File already exists!
Did we mount / as read+write? yes
Trusting '/bootstrap/tar'
spawn '/bootstrap/tar': pid=228
rv=0
empower
message buffer: fffffff002426000
kcall object allocated via early_kalloc at fffffff002426000