tin-z

Index

• #prepreqs

• #roadmap

  • #iot
  • #chrome-and-friends: Chrome, V8, Blink, Mojo, etc.
  • Linux kernel #todo
  • expdev #todo

• fuzzing #todo

theevilbit

#!/bin/zsh

echo "++ Stopping locationd"

sudo launchctl stop com.apple.locationd

echo "++ Dropping swiftliverpool"

echo z/rt/gcAAAEDAAAAAgAAAB4AAACwDQAAhQAgAAAAAAAZAAAASAAAAF9fUEFHRVpFUk8AAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAZAAAA+AQAAF9fVEVYVAAAAAAAAAAAAAAAAAAAAQAAAACAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAUAAAAFAAAADwAAAAAAAABfX3RleHQAAAAAAAAAAAAAX19URVhUAAAAAAAAAAAAALAtAAABAAAAa0AAAAAAAACwLQAABAAAAAAAAAAAAAAAAAQAgAAAAAAAAAAAAAAAAF9fc3R1YnMAAAAAAAAAAABfX1RFWFQAAAAAAAAAAAAAHG4AAAEAAACiAAAAAAAAABxuAAABAAAAAAAAAAAAAAAIBACAAAAAAAYAAAAAAAAAX19zdHViX2hlbHBlcgAAAF9fVEVYVAAAAAAAAAAAAADAbgAAAQAAAB4BAAAAAAAAwG4AAAIAAAAAAAAAAAAAAAAEAIAAAAAAAAAAAAAAAABfX2NvbnN0AAAAAAAAAAAAX19URVhUAAAAAAAAAAAAAOBvAAABAAAALgEAAAAAAADgbwAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAF9fc3dpZnQ1X3R5cGVyZWZfX1RFWFQAAAAAAAAAAAAADnEAAAEAAAAkAAAAAAAAAA5xAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAX19vYmpjX21ldGhuYW1lAF9fVEVYVAAAAAAAAAAAAAAycQAAAQAAACwBAAAAAAAAMnEAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAABfX2NzdHJpbmcAAAAAAAAAX19UR

pagabuc

# Written by pagabuc, run with the following:
# gdb --batch --nx -q -x extract_offsets.py ./vmlinux
# This script finds kernel objects that contain function pointers and with size between 1024 and 2048. 
# Nested structure types are traversed recursively. 

import gdb
import re

struct_regex = re.compile("(struct [a-zA-Z0-9_]*)")

jakeajames

#include <stdlib.h>
#include <stdio.h>
#include <pthread/pthread.h>
#include <mach/mach.h>

struct ool_msg  {
    mach_msg_header_t hdr;
    mach_msg_body_t body;
    mach_msg_ool_ports_descriptor_t ool_ports[];
};

PsychoTea

import idc

def define_func(addr, name):               
        idc.MakeCode(addr)
        idc.MakeFunction(addr)

        idc.MakeNameEx(addr, name, idc.SN_NOWARN)

        print("%s @ %s" % (name, hex(addr)))

d4em0n

#define _GNU_SOURCE
#include <err.h>
#include <stdint.h>
#include <linux/bpf.h>
#include <linux/filter.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <asm/unistd_64.h>
#include <sys/types.h>

0x36

#if 0
Reported : 19-Jan-2020
Fixed in iOS 13.4 with CVE-2020-9768
AppleJPEGDriverUserClient : mach port use-after-free/type-confusion via race condition 

AppleJPEGDriverUserClient external methods can be used synchronously or asynchronously, when used asynchronously, 
it brings the registered mach port (via registerNotificationPort()) and put it inside jpegRequest data structure,
and no reference count was taken for this operation. since registerNotificationPort() is not gated, it is 
possible to release the port (if the port got substituted)  during the processing of jpeg request and end up
with dangling pointer passed to _mach_msg_send_from_kernel_proper().

zcutlip

Importing Hand-Rolled C Header Files in LLDB

Scenario

• We're debugging a dylib, libhello.dylib
• The dylib is linked from hello
• The exported function is helloworld()
• We do not have source, but have reversed a struct from the library and created a hand-crafted header file

Header File

PsychoTea

import sys
import json
import re

kslide = 0x0

if len(sys.argv) < 2:
  print("Usage: PanicParser.py [file path]")
  exit()

jakeajames

addr_t Find_platform_profile() {
    uint64_t string = Find_strref("\"failed to initialize platform sandbox", 1, 0, false);
    if (!string) {
        string = Find_strref("\"failed to initialize platform sandbox", 1, 1, false);
        if (!string) {
            return 0;
        }
    }
    string -= KernDumpBase;