A kernel panic when I patch the AMFI MAC policy in 9.2.1


Postby SigNiver » Mon Sep 18, 2017 3:24 pm

I have an iPhone 6p with iOS 9.2.1. I used the Pegasus exploit to modify the net.inet.ip.dummynet.extract_heap sysctl handler and got kernel read/write successfully. The next step I want to do is to patch AMFI. I want to patch the AMFI policy ops.
Firstly I used joker to find the location of these policy ops:
Code:
...Getting value : 0xffffff800bf28e4b
   Policy name: AMFI
   Flags: 0
   Ops: ffffff800bf50be8
...Getting value : 0xffffff800bf50be8
      0xffffff800bf26948:mpo_cred_check_label_update_execve (6)
      0xffffff800bf26950:mpo_cred_label_associate (11)
      0xffffff800bf269b8:mpo_cred_label_destroy (13)
      0xffffff800bf26a70:mpo_cred_label_init (16)
      0xffffff800bf24fd0:mpo_cred_label_update_execve (18)
      0xffffff800bf24c54:mpo_file_check_mmap (36)
      0xffffff800bf27324:mpo_policy_initbsd (116)
      0xffffff800bf26aac:mpo_proc_check_inherit_ipc_ports (119)
      0xffffff800bf273ec:mpo_proc_check_debug (157)
      0xffffff800bf273ec:mpo_proc_check_get_task (160)
      0xffffff800bf27328:mpo_proc_check_mprotect (164)
      0xffffff800bf27388:mpo_vnode_check_exec (258)
      0xffffff800bf26ed8:mpo_vnode_check_signature (304)
      0xffffff800bf27488:mpo_proc_check_run_cs_invalid (307)
      0xffffff800bf27330:mpo_proc_check_map_anon (315)
      0xffffff800bf27538:mpo_vnode_notify_open (323)
Dumped 334 MAC Policy ops!

Then I used MachOView to look at these addresses. I find that the address of "mpo_cred_check_label_update_execve" is in the prelink_text segment.
However, when I write 0x00 to the address 0xffffff800bf26948 - 0x780000 (the slide of my dumped kernel) + slide (the current slide), the kernel panics immediately and the error in the panic log is a data abort. I'm sure it is not caused by KPP.
So are there any faults in my approach? And is there any other way to patch AMFI in iOS 9.2.1, such as PE_i_can_has_debugger?
SigNiver
 
Posts: 5
Joined: Sat Nov 19, 2016 1:19 pm
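A parser for the joker listing in the post above, added here as an example; it is not part of the original post or of joker itself. The sample text is constructed from the values the post shows, the 0x780000 passed to unslide is the dump slide the post mentions, and shared_handlers goes a step beyond the post by grouping every slot that points at the same function (the listing shows this for mpo_proc_check_debug and mpo_proc_check_get_task).

```python
import re
from collections import defaultdict

# Constructed sample in joker's listing format; values copied from the post above.
JOKER_DUMP = """\
...Getting value : 0xffffff800bf28e4b
   Policy name: AMFI
   Flags: 0
   Ops: ffffff800bf50be8
...Getting value : 0xffffff800bf50be8
      0xffffff800bf26948:mpo_cred_check_label_update_execve (6)
      0xffffff800bf273ec:mpo_proc_check_debug (157)
      0xffffff800bf273ec:mpo_proc_check_get_task (160)
      0xffffff800bf26ed8:mpo_vnode_check_signature (304)
Dumped 334 MAC Policy ops!
"""

POLICY_RE = re.compile(r"^\s*Policy name:\s*(\S+)")
OPS_RE = re.compile(r"^\s*Ops:\s*([0-9a-fA-F]+)")
ENTRY_RE = re.compile(r"^\s*0x([0-9a-fA-F]+):(\w+)\s+\((\d+)\)")


def parse_joker_dump(text):
    """Parse a joker MAC policy listing into (policy, ops_table, entries).

    entries is a list of (slot_index, op_name, handler_address)."""
    policy, ops_table, entries = None, None, []
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            policy = m.group(1)
            continue
        m = OPS_RE.match(line)
        if m:
            ops_table = int(m.group(1), 16)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(3)), m.group(2), int(m.group(1), 16)))
    return policy, ops_table, entries


def unslide(addr, dump_slide):
    """Remove the KASLR slide of the dumped kernel to get the unslid address."""
    return addr - dump_slide


def shared_handlers(entries):
    """Map handler address -> op names for hooks that share one function."""
    by_addr = defaultdict(list)
    for _slot, name, addr in entries:
        by_addr[addr].append(name)
    return {a: names for a, names in by_addr.items() if len(names) > 1}
```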

Re: A kernel panic when I patch the AMFI MAC policy in 9.2.

Postby Siguza » Mon Sep 18, 2017 8:51 pm

You'd have to patch the page tables to be able to write to __PRELINK_TEXT, but then doing that would trigger KPP unless you patched the kernel to bypass that first.
Instead, if I'm not mistaken, mac_policy_list should be in a non-KPP-checked area on 9.x... could also be another MACF structure though, I haven't personally checked.
Siguza
Unicorn
 
Posts: 159
Joined: Thu Jan 28, 2016 10:38 am

Re: A kernel panic when I patch the AMFI MAC policy in 9.2.

Postby SigNiver » Fri Sep 22, 2017 2:20 am

Yesterday I patched the page table and successfully wrote to the policy, but it triggered KPP... So I decided to add yalu 10.2's KPP bypass technique to it.
SigNiver
 
Posts: 5
Joined: Sat Nov 19, 2016 1:19 pm
