A kernel panic when I patch the AMFI MAC policy in 9.2.1

PostPosted: Mon Sep 18, 2017 3:24 pm
by SigNiver
I have an iPhone 6 Plus with iOS 9.2.1. I used the Pegasus exploit to modify the net.inet.ip.dummynet.extract_heap sysctl handler and got kernel read/write successfully. The next step I want to do is to patch AMFI; I want to patch the AMFI policy ops.
Firstly I used joker to find the location of these policy ops:
Code:
...Getting value : 0xffffff800bf28e4b
   Policy name: AMFI
   Flags: 0
   Ops: ffffff800bf50be8
...Getting value : 0xffffff800bf50be8
      0xffffff800bf26948:mpo_cred_check_label_update_execve (6)
      0xffffff800bf26950:mpo_cred_label_associate (11)
      0xffffff800bf269b8:mpo_cred_label_destroy (13)
      0xffffff800bf26a70:mpo_cred_label_init (16)
      0xffffff800bf24fd0:mpo_cred_label_update_execve (18)
      0xffffff800bf24c54:mpo_file_check_mmap (36)
      0xffffff800bf27324:mpo_policy_initbsd (116)
      0xffffff800bf26aac:mpo_proc_check_inherit_ipc_ports (119)
      0xffffff800bf273ec:mpo_proc_check_debug (157)
      0xffffff800bf273ec:mpo_proc_check_get_task (160)
      0xffffff800bf27328:mpo_proc_check_mprotect (164)
      0xffffff800bf27388:mpo_vnode_check_exec (258)
      0xffffff800bf26ed8:mpo_vnode_check_signature (304)
      0xffffff800bf27488:mpo_proc_check_run_cs_invalid (307)
      0xffffff800bf27330:mpo_proc_check_map_anon (315)
      0xffffff800bf27538:mpo_vnode_notify_open (323)
Dumped 334 MAC Policy ops!

Then I used MachOView to look at these addresses. I found that the address of "mpo_cred_check_label_update_execve" is in the __PRELINK_TEXT segment.
However, when I write 0x00 to the address 0xffffff800bf26948 - 0x780000 (the slide of my dumped kernel) + slide (the current slide), the kernel panics immediately, and the error in the panic log is a data abort. I'm sure it is not caused by KPP.
So are there any faults in my method? And is there any other way to patch AMFI in iOS 9.2.1, such as PE_I_can_has_debugger?

Re: A kernel panic when I patch the AMFI MAC policy in 9.2.

PostPosted: Mon Sep 18, 2017 8:51 pm
by Siguza
You'd have to patch the page tables to be able to write to __PRELINK_TEXT, but then doing that would trigger KPP unless you patched the kernel to bypass that first.
Instead, if I'm not mistaken, mac_policy_list should be in a non-KPP-checked area on 9.x... could also be another MACF structure though, I haven't personally checked.

Re: A kernel panic when I patch the AMFI MAC policy in 9.2.

PostPosted: Fri Sep 22, 2017 2:20 am
by SigNiver
Yesterday I patched the page table and successfully wrote to the policy, but it triggers KPP... So I decided to add yalu10.2's KPP bypass technique to it.