Categories: Kali Linux

Rootless Jailbreakd – Jailbreakd Offering Some More Functionality To The Jailbreak

Rootless Jailbreakd is A small jailbreakd offering some more functionality to the jailbreak. Uses CPDisctributedMessageCenter. To compile you need theos (why? cus why not? and I like theos. If you’re smart enough you can still compile it manually very easily so yeah)

Also Read whatweb – Tool to Discover Security Vulnerabilities With Your Web Application

Setup Rootless Jailbreakd

  • Grab AppSupport headers and add them into your include path (https://github.com/theos/headers/tree/05405174749d912f7726121fcb5f27de73af0f08/AppSupport)
  • Include “AppSupport/CPDistributedMessagingCenter.h” on your main.m file
  • Link with https://github.com/jakeajames/rootme-tutorial/blob/master/AppSupport.tbd
  • The general syntax follows as this: 
    CPDistributedMessagingCenter *messageCenter = [CPDistributedMessagingCenter centerNamed:@"com.jakeashacks.rootme"];
[messageCenter sendMessageAndReceiveReplyName:@"MESSAGE_NAME" userInfo:[NSDictionary dictionaryWithObject:[NSString stringWithFormat:@"%d", getpid()] forKey:@"pid"]];

    Compiling

    ./make.sh

    Commands

    At the moment these commands are available

    1. “rootme”: does setuid(0) and setgid(0) for you
    2. “unsandbox”: gets rid of most of the sandbox (This will not be any useful right now since to call jailbreakd you have to be unsandboxed already)
    3. “platformize”: marks your binary as platform by setting TF_PLATFORM and CS_PLATFORM_BINARY
    4. “setcsflags”: Sets some flags such as CS_PLATFORM_BINARY, CS_GET_TASK_ALLOW, CS_DEBUGGED etc
    5. “entitle”: Set entitlement to true or false. Example:
    CPDistributedMessagingCenter *messageCenter = [CPDistributedMessagingCenter centerNamed:@"com.jakeashacks.rootme"];
NSMutableDictionary *dict = [NSMutableDictionary dictionary];
[dict setValue:@"com.apple.private.skip-library.validation" forKey:@"ent"]; //entitlement name
[dict setValue:@"true" forKey:@"value"]; //true or false
[dict setValue:[NSString stringWithFormat:@"%d", getpid()] forKey:@"pid"];
[messageCenter sendMessageAndReceiveReplyName:@"entitle" userInfo:dict];

    Do binaries need suid permissions or root ownership?

    No. I didn’t bother with that because

  • There isn’t a package manager so all binaries are controlled by you,
  • there’s no root remount thus nothing can cause a big mess,
  • you need to be unsandboxed to make a call to jailbreakd (all binaries you run via SSH satisfy this requirement) and that’s enough for me. Is it coming? Probably yes

R K

Share
Published by
R K
Tags: JailbreakJailbreakdRootless
7 years ago

Recent Posts

How to Install Docker on Ubuntu (Step-by-Step Guide)

Docker is a powerful open-source containerization platform that allows developers to build, test, and deploy…

5 days ago

Uninstall Docker on Ubuntu

Docker is one of the most widely used containerization platforms. But there may come a…

5 days ago

Admin Panel Dorks : A Complete List of Google Dorks

Introduction Google Dorking is a technique where advanced search operators are used to uncover information…

6 days ago

Log Analysis Fundamentals

Introduction In cybersecurity and IT operations, logging fundamentals form the backbone of monitoring, forensics, and…

7 days ago

Networking Devices 101: Understanding Routers, Switches, Hubs, and More

What is Networking? Networking brings together devices like computers, servers, routers, and switches so they…

1 week ago

Sock Puppets in OSINT: How to Build and Use Research Accounts

Introduction In the world of Open Source Intelligence (OSINT), anonymity and operational security (OPSEC) are…

1 week ago