Skip to content

Instantly share code, notes, and snippets.

@uroboro

uroboro/offsets.c

Forked from anonymous/offsets.c
Last active December 19, 2016 02:05
Show Gist options
  • Save uroboro/8a23844e811c5a18bc4a83845d6062fb to your computer and use it in GitHub Desktop.
Save uroboro/8a23844e811c5a18bc4a83845d6062fb to your computer and use it in GitHub Desktop.
Download ZIP
Proper Indentation
Raw
offsets.c
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <sys/utsname.h>
//#include "offsets.h"
// offsets from the main kernel 0xfeedfacf
uint64_t allproc_offset;
uint64_t kernproc_offset;
// offsets in struct proc
uint64_t struct_proc_p_pid_offset;
uint64_t struct_proc_task_offset;
uint64_t struct_proc_p_uthlist_offset;
uint64_t struct_proc_p_ucred_offset;
uint64_t struct_proc_p_comm_offset;
// offsets in struct kauth_cred
uint64_t struct_kauth_cred_cr_ref_offset;
// offsets in struct uthread
uint64_t struct_uthread_uu_ucred_offset;
uint64_t struct_uthread_uu_list_offset;
// offsets in struct task
uint64_t struct_task_ref_count_offset;
uint64_t struct_task_itk_space_offset;
// offsets in struct ipc_space
uint64_t struct_ipc_space_is_table_offset;
// offsets in struct ipc_port
uint64_t struct_ipc_port_ip_kobject_offset;
#pragma mark - arm64
void init_arm64() {
struct_proc_p_pid_offset = 0x10;
struct_proc_task_offset = 0x18;
struct_proc_p_uthlist_offset = 0x98;
struct_proc_p_ucred_offset = 0x100;
struct_proc_p_comm_offset = 0x26c;
struct_kauth_cred_cr_ref_offset = 0x10;
struct_uthread_uu_ucred_offset = 0x168;
struct_uthread_uu_list_offset = 0x170;
struct_task_ref_count_offset = 0x10;
struct_task_itk_space_offset = 0x300;
struct_ipc_space_is_table_offset = 0x20;
struct_ipc_port_ip_kobject_offset = 0x68;
}
#pragma mark - iPhone
void init_iPhone6_1_S5L8960X() {
allproc_offset = 0x5a4128;
kernproc_offset = 0x5aa0e0;
}
void init_iPhone7_1_T7000() {
allproc_offset = 0x5b4168;
kernproc_offset = 0x5ba0e0;
}
void init_iPhone7_1_S8000() {
allproc_offset = 0x5a4148;
kernproc_offset = 0x5aa0e0;
}
void init_iPhone7_2_T7000() {
allproc_offset = 0x5b4168;
kernproc_offset = 0x5ba0e0;
}
void init_iPhone7_2_S8000() {
allproc_offset = 0x5a4148;
kernproc_offset = 0x5aa0e0;
}
void init_iPhone8_1_T7000() {
allproc_offset = 0x5b4168;
kernproc_offset = 0x5ba0e0;
}
void init_iPhone8_1_S8000() {
allproc_offset = 0x5a4148;
kernproc_offset = 0x5aa0e0;
}
void init_iPhone8_2_T7000() {
allproc_offset = 0x5b4168;
kernproc_offset = 0x5ba0e0;
}
void init_iPhone8_2_S8000() {
allproc_offset = 0x5a4148;
kernproc_offset = 0x5aa0e0;
}
void init_iPhone8_4_S8000() {
allproc_offset = 0x5a4148;
kernproc_offset = 0x5aa0e0;
}
void init_iPhone9_1_T8010() {
allproc_offset = 0x5ec178;
kernproc_offset = 0x5f20e0;
}
void init_iPhone9_3_T8010() {
allproc_offset = 0x5ec178;
kernproc_offset = 0x5f20e0;
}
void init_iPhone9_4_T8010() {
allproc_offset = 0x5ec178;
kernproc_offset = 0x5f20e0;
}
#pragma mark - iPod
void init_iPod7_1_T7000() {
allproc_offset = 0x5b4168;
kernproc_offset = 0x5ba0e0;
}
#pragma mark - iPad
void init_iPad4_3_S5L8960X() {
allproc_offset = 0x5a4128;
kernproc_offset = 0x5aa0e0;
}
void init_iPad4_4_S5L8960X() {
allproc_offset = 0x5a4128;
kernproc_offset = 0x5aa0e0;
}
void init_iPad5_1_T7000() {
allproc_offset = 0x5b4168;
kernproc_offset = 0x5ba0e0;
}
void init_iPad5_1_T7001() {
allproc_offset = 0x5b4228;
kernproc_offset = 0x5ba0e0;
}
void init_iPad5_1_S5L8960X() {
allproc_offset = 0x5a4128;
kernproc_offset = 0x5aa0e0;
}
void init_iPad5_4_S5L8960X() {
allproc_offset = 0x5a4128;
kernproc_offset = 0x5aa0e0;
}
void init_iPad5_4_T7000() {
allproc_offset = 0x5b4168;
kernproc_offset = 0x5ba0e0;
}
void init_iPad5_4_T7001() {
allproc_offset = 0x5b4228;
kernproc_offset = 0x5ba0e0;
}
void init_iPad6_3_S8000() {
allproc_offset = 0x5a4148;
kernproc_offset = 0x5aa0e0;
}
void init_iPad6_4_S8000() {
allproc_offset = 0x5a4148;
kernproc_offset = 0x5aa0e0;
}
void init_iPad6_8_S8000() {
allproc_offset = 0x5a4148;
kernproc_offset = 0x5aa0e0;
}
//here end
void unknown_build() {
printf("This is an unknown kernel build - the offsets are likely to be incorrect and it's very unlikely this exploit will work\n");
printf("You need to find these two kernel symbols:\n");
printf(" allproc\n");
printf(" kernproc\n\n");
printf("and update the code\n");
}
#pragma mark - init_offsets
void init_offsets() {
struct utsname u = { 0 };
int err = uname(&u);
if (err == -1) {
printf("uname failed - what platform is this?\n");
printf("there's no way this will work, but trying anyway!\n");
init_iPad4_3_S5L8960X();
return;
}
printf("sysname: %s\n", u.sysname);
printf("nodename: %s\n", u.nodename);
printf("release: %s\n", u.release);
printf("version: %s\n", u.version);
printf("machine: %s\n", u.machine);
init_arm64();
#pragma mark - iPhone
if (strstr(u.machine, "iPhone6,1")) {
if (strstr(u.version, "root:xnu-3789.22.3~1/RELEASE_ARM64_S5L8960X")) {
printf("device iPhone6,1 matched\n");
init_iPhone6_1_S5L8960X();
return;
}
}
if (strstr(u.machine, "iPhone7,1")) {
if (strstr(u.version, "root:xnu-3789.22.3~1/RELEASE_ARM64_T7000")) {
printf("device iPhone7,1 matched\n");
init_iPhone7_1_T7000();
return;
}
if (strstr(u.version, "root:xnu-3789.22.3~1/RELEASE_ARM64_S8000")) {
printf("device iPhone7,1 matched\n");
init_iPhone7_1_S8000();
return;
}
}
if (strstr(u.machine, "iPhone7,2")) {
if (strstr(u.version, "root:xnu-3789.22.3~1/RELEASE_ARM64_T7000")) {
printf("device iPhone7,2 matched\n");
init_iPhone7_2_T7000();
return;
}
if (strstr(u.version, "root:xnu-3789.22.3~1/RELEASE_ARM64_S8000")) {
printf("device iPhone7,2 matched\n");
init_iPhone7_2_S8000();
return;
}
}
if (strstr(u.machine, "iPhone8,1")) {
if (strstr(u.version, "root:xnu-3789.22.3~1/RELEASE_ARM64_T7000")) {
printf("device iPhone8,1 matched\n");
init_iPhone8_1_T7000();
return;
}
if (strstr(u.version, "root:xnu-3789.22.3~1/RELEASE_ARM64_S8000")) {
printf("device iPhone8,1 matched\n");
init_iPhone8_1_S8000();
return;
}
}
if (strstr(u.machine, "iPhone8,2")) {
if (strstr(u.version, "root:xnu-3789.22.3~1/RELEASE_ARM64_T7000")) {
printf("device iPhone8,2 matched\n");
init_iPhone8_2_T7000();
return;
}
if (strstr(u.version, "root:xnu-3789.22.3~1/RELEASE_ARM64_S8000")) {
printf("device iPhone8,2 matched\n");
init_iPhone8_2_S8000();
return;
}
}
if (strstr(u.machine, "iPhone8,4")) {
if (strstr(u.version, "root:xnu-3789.22.3~1/RELEASE_ARM64_S8000")) {
printf("device iPhone8,4 matched\n");
init_iPhone8_4_S8000();
return;
}
}
if (strstr(u.machine, "iPhone9,1")) {
if (strstr(u.version, "root:xnu-3789.22.3~1/RELEASE_ARM64_T8010")) {
printf("device iPhone9,1 matched\n");
init_iPhone9_1_T8010();
return;
}
}
if (strstr(u.machine, "iPhone9,3")) {
if (strstr(u.version, "root:xnu-3789.22.3~1/RELEASE_ARM64_T8010")) {
printf("device iPhone9,3 matched\n");
init_iPhone9_3_T8010();
return;
}
}
if (strstr(u.machine, "iPhone9,4")) {
if (strstr(u.version, "root:xnu-3789.22.3~1/RELEASE_ARM64_T8010")) {
printf("device iPhone9,4 matched\n");
init_iPhone9_4_T8010();
return;
}
}
#pragma mark - iPod
if (strstr(u.machine, "iPod7,1")) {
if (strstr(u.version, "root:xnu-3789.22.3~1/RELEASE_ARM64_T7000")) {
printf("device iPod7,1 matched\n");
init_iPod7_1_T7000();
return;
}
}
#pragma mark - iPad
if (strstr(u.machine, "iPad4,3")) {
if (strstr(u.version, "root:xnu-3789.22.3~1/RELEASE_ARM64_S5L8960X")) {
printf("device iPad4,3 matched\n");
init_iPad4_3_S5L8960X();
return;
}
}
if (strstr(u.machine, "iPad4,4")) {
if (strstr(u.version, "root:xnu-3789.22.3~1/RELEASE_ARM64_S5L8960X")) {
printf("device iPad4,4 matched\n");
init_iPad4_4_S5L8960X();
return;
}
}
if (strstr(u.machine, "iPad5,1")) {
if (strstr(u.version, "root:xnu-3789.22.3~1/RELEASE_ARM64_T7000")) {
printf("device iPad5,1 matched\n");
init_iPad5_1_T7000();
return;
}
if (strstr(u.version, "root:xnu-3789.22.3~1/RELEASE_ARM64_T7001")) {
printf("device iPad5,1 matched\n");
init_iPad5_1_T7001();
return;
}
if (strstr(u.version, "root:xnu-3789.22.3~1/RELEASE_ARM64_S5L8960X")) {
printf("device iPad5,1 matched\n");
init_iPad5_1_S5L8960X();
return;
}
}
if (strstr(u.machine, "iPad5,4")) {
if (strstr(u.version, "root:xnu-3789.22.3~1/RELEASE_ARM64_T7000")) {
printf("device iPad5,4 matched\n");
init_iPad5_4_T7000();
return;
}
if (strstr(u.version, "root:xnu-3789.22.3~1/RELEASE_ARM64_T7001")) {
printf("device iPad5,4 matched\n");
init_iPad5_4_T7001();
return;
}
if (strstr(u.version, "root:xnu-3789.22.3~1/RELEASE_ARM64_S5L8960X")) {
printf("device iPad5,4 matched\n");
init_iPad5_4_S5L8960X();
return;
}
}
if (strstr(u.machine, "iPad6,3")) {
if (strstr(u.version, "root:xnu-3789.22.3~1/RELEASE_ARM64_S8000")) {
printf("device iPad6,3 matched\n");
init_iPad6_3_S8000();
return;
}
}
if (strstr(u.machine, "iPad6,4")) {
if (strstr(u.version, "root:xnu-3789.22.3~1/RELEASE_ARM64_S8000")) {
printf("device iPad6,4 matched\n");
init_iPad6_4_S8000();
return;
}
}
if (strstr(u.machine, "iPad6,8")) {
if (strstr(u.version, "root:xnu-3789.22.3~1/RELEASE_ARM64_S8000")) {
printf("device iPad6,8 matched\n");
init_iPad6_8_S8000();
return;
}
}
printf("don't recognize this platform\n");
unknown_build();
init_iPad4_3_S5L8960X(); // this won't work!
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment