MOXiI 2 - State of the union - new

Re: MOXiI 2 - State of the union - new

Postby Siguza » Thu Feb 23, 2017 10:01 pm

So, finally found the time to read this. :)

J wrote:Did you understand it? from 0%-100%?

On a high/conceptual level, I think I understood pretty much all of it. On a lower/implementation level, I got everything except the parts that directly deal with mach ports/messages, as I've simply never touched these, except through wrappers (such as IOKit, which abstract the implementation details away from you). I'd say that makes about... 80%?
As someone who is (at least to some extent) "fluent in kernel inner workings", the parts dealing with XNU were quite understandable for me, but I found myself in complete lack of knowledge about KPP - I understand now how the bypass works (and I gotta say it's brilliant), but up until now I had no idea how or when KPP is even invoked, or how it technically could be entered at all. That will be covered in Vol. II though, I take it?

J wrote:How could I improve?

Apart from completing Volumes I and II, you mean? :P
Overall I find it very well written and densely packed with information, which I like.
The code listings were a little short on colours/highlighting for my taste (in particular: multi-line comments, keywords and types), but I was able to follow them anyway.
After the initial explanation of the KPP bypass, I assumed that topic was done, and I was left with a question that was only answered at the very end: How did Apple patch it? So yeah, they didn't. :P Which leaves me with a new question: How could they?
Other than that I have no questions which I think won't be answered by either Vol. I or II. :)

J wrote:Did you spot another potential design flaw in KPP? :-)

Haha, I wish. I'm still trying to work my way to EL1.
Got a sandbox escape though, which... is something, I guess. At least I can talk to IOHIDFamily. :D
Siguza
Unicorn
Posts: 159
Joined: Thu Jan 28, 2016 10:38 am

Re: MOXiI 2 - State of the union - new

Postby backendbilly » Fri Feb 24, 2017 4:23 am

Second round: 60%

Page 9 - spelling
This bug's very existence is simply ubelievable


Page 12 - spelling
(lest it crash the process)


Page 14 - repeat words
(the first bytes bytes of the overflow)


Page 17 - spelling
// Only need ports fro 300 to 379


Page 19 - Does this refer to getting kernel_task in chapter 21 or to another 9.x Pangu?
The coup de grace is in obtaining the kernel_task itself - which the exploit does in a
manner similar to the 9.x Pangu jailbreaks: Calling pid_for_task after setting the
bsdtask_info to kernproc (- 0x10) + 0x18 will retrieve the actual kernel_task
address.


Page 20 - Why doesn't Yalu 10.2 support iPhone 7 if the same technique should work on iPhone 7?
What's truly innovative is that it works roughly along the same lines in iPhone 7



Billy
backendbilly
Site Admin
Posts: 132
Joined: Fri May 29, 2015 5:58 pm

Re: MOXiI 2 - State of the union - new

Postby morpheus » Fri Feb 24, 2017 6:12 pm

So.. 'lest' is actually proper English. But, unbelievably, I had another typo with ubelievable. #$%#$%


Page 19 does refer to Pangu 9

And the reason things don't work on the 7 is that it's not KPP but AMCC (memory controller hardware) that guards the kernel.
morpheus
Site Admin
Posts: 532
Joined: Thu Apr 11, 2013 6:24 pm

Re: MOXiI 2 - State of the union - new

Postby nottab0t » Fri Feb 24, 2017 8:20 pm

I attached a pic of a couple things (some of which is already noted here).

Glad someone brought up qwerty's quote. haha. I also disagree with him.

I'm a surgeon, and someone once asked me how I reconcile programming and medicine. Specifically, programming (ESPECIALLY in the kernel) is such an exact process and medicine is often such an inexact process, one that is unpredictable, often intertwined with personalities, and varying from person to person.

I told them, that, to me: "Science is everything that we'll eventually be able to teach a computer, everything else is art. I appreciate medicine as both an art and a science. The day that a computer can mimic the humanistic relationship between a physician and a patient will be the day I leave it."

I think someday a computer will readily be able to scan for exploit chains in software that even humans aren't clever enough to find. To me, that makes exploit development the epitome of a science. That doesn't mean I can't appreciate the gracefulness, tact, and beauty of it. Good science is all of those things.
Attachment: Moxil-Errata.png
nottab0t
Posts: 9
Joined: Thu Dec 22, 2016 1:17 am

Re: MOXiI 2 - State of the union - new

Postby morpheus » Fri Feb 24, 2017 9:38 pm

Thanks for the list. Vae, vae, these damn typos. I should quit using vim past 1AM at night. Thankfully nobody has yet claimed the BTC reward for factual errors! :-) With BTC twice what it was when I started, I'm relieved (so far!)
morpheus
Site Admin
Posts: 532
Joined: Thu Apr 11, 2013 6:24 pm

Re: MOXiI 2 - State of the union - new

Postby backendbilly » Sat Feb 25, 2017 4:10 am

J, do we get coupons for the next purchase for reviewing your doc? :P Just kidding, my company buys the books.
backendbilly
Site Admin
Posts: 132
Joined: Fri May 29, 2015 5:58 pm

Re: MOXiI 2 - State of the union - new

Postby nottab0t » Sat Feb 25, 2017 8:34 am

backendbilly wrote:J, do we get coupons for the next purchase for reviewing your doc? :P Just kidding, my company buys the books.


^ Yeah J! Do We?!

Haha. I'm kidding. More than happy to support your work when it comes to such a niche hobby. I actually think I found a factual error.. I spent about an hour working out one of your listings without success. I even got to the point of busting out a hex calculator to make sure I was doing everything correctly and still couldn't get it to work. I'll have to play with it again before I bring it to your attention in case there is something glaringly obvious I'm doing wrong. Then again, this might not even count as a factual error. When you say "factual error" do you mean us catching you dropping a blatant lie? haha.
nottab0t
Posts: 9
Joined: Thu Dec 22, 2016 1:17 am

Re: MOXiI 2 - State of the union - new

Postby backendbilly » Sat Feb 25, 2017 8:46 am

Am I confused?

Attachment: 6.png
backendbilly
Site Admin
Posts: 132
Joined: Fri May 29, 2015 5:58 pm

Re: MOXiI 2 - State of the union - new

Postby morpheus » Sun Feb 26, 2017 2:38 am

A factual error is something I state as factual, but which ends up erroneous. Not a lie, nor an alternative fact - just an error made on my part for whatever reason, that is not a typo. Note, however, that the reward doesn't apply to behavior that gets modified in a certain version of MacOS (although I will certainly make note of any such version behavior differences if you tell me about them!). And Billy's note on 24-1 counts as a typo.. (blush)
morpheus
Site Admin
Posts: 532
Joined: Thu Apr 11, 2013 6:24 pm

Re: MOXiI 2 - State of the union - new

Postby miku2007 » Tue Feb 28, 2017 1:13 am

I have been lazy and generally unmotivated as of late, but the thought of getting a SPECIAL 1337 H4X0R COLOR EDITION!!! just makes my day that much brighter :D

Will be eagerly holding out for the '1337' edition. The additional cost should be okay...
miku2007
Posts: 4
Joined: Mon Dec 05, 2016 1:35 am