Categories: Kali Linux

Rootless Jailbreakd – Jailbreakd Offering Some More Functionality To The Jailbreak

Rootless Jailbreakd is A small jailbreakd offering some more functionality to the jailbreak. Uses CPDisctributedMessageCenter. To compile you need theos (why? cus why not? and I like theos. If you’re smart enough you can still compile it manually very easily so yeah)

Also Read whatweb – Tool to Discover Security Vulnerabilities With Your Web Application

Setup Rootless Jailbreakd

  • Grab AppSupport headers and add them into your include path (https://github.com/theos/headers/tree/05405174749d912f7726121fcb5f27de73af0f08/AppSupport)
  • Include “AppSupport/CPDistributedMessagingCenter.h” on your main.m file
  • Link with https://github.com/jakeajames/rootme-tutorial/blob/master/AppSupport.tbd
  • The general syntax follows as this: 
    CPDistributedMessagingCenter *messageCenter = [CPDistributedMessagingCenter centerNamed:@"com.jakeashacks.rootme"];
[messageCenter sendMessageAndReceiveReplyName:@"MESSAGE_NAME" userInfo:[NSDictionary dictionaryWithObject:[NSString stringWithFormat:@"%d", getpid()] forKey:@"pid"]];

    Compiling

    ./make.sh

    Commands

    At the moment these commands are available

    1. “rootme”: does setuid(0) and setgid(0) for you
    2. “unsandbox”: gets rid of most of the sandbox (This will not be any useful right now since to call jailbreakd you have to be unsandboxed already)
    3. “platformize”: marks your binary as platform by setting TF_PLATFORM and CS_PLATFORM_BINARY
    4. “setcsflags”: Sets some flags such as CS_PLATFORM_BINARY, CS_GET_TASK_ALLOW, CS_DEBUGGED etc
    5. “entitle”: Set entitlement to true or false. Example:
    CPDistributedMessagingCenter *messageCenter = [CPDistributedMessagingCenter centerNamed:@"com.jakeashacks.rootme"];
NSMutableDictionary *dict = [NSMutableDictionary dictionary];
[dict setValue:@"com.apple.private.skip-library.validation" forKey:@"ent"]; //entitlement name
[dict setValue:@"true" forKey:@"value"]; //true or false
[dict setValue:[NSString stringWithFormat:@"%d", getpid()] forKey:@"pid"];
[messageCenter sendMessageAndReceiveReplyName:@"entitle" userInfo:dict];

    Do binaries need suid permissions or root ownership?

    No. I didn’t bother with that because

  • There isn’t a package manager so all binaries are controlled by you,
  • there’s no root remount thus nothing can cause a big mess,
  • you need to be unsandboxed to make a call to jailbreakd (all binaries you run via SSH satisfy this requirement) and that’s enough for me. Is it coming? Probably yes

R K

Share
Published by
R K
Tags: JailbreakJailbreakdRootless
6 years ago

Recent Posts

Bomber : Navigating Security Vulnerabilities In SBOMs

bomber is an application that scans SBOMs for security vulnerabilities. So you've asked a vendor…

19 hours ago

EmbedPayloadInPng : A Guide To Embedding And Extracting Encrypted Payloads In PNG Files

Embed a payload within a PNG file by splitting the payload across multiple IDAT sections.…

20 hours ago

Exploit Street – Navigating The New Terrain Of Windows LPEs

Exploit-Street, where we dive into the ever-evolving world of cybersecurity with a focus on Local…

3 days ago

ShadowDumper – Advanced Techniques For LSASS Memory Extraction

Shadow Dumper is a powerful tool used to dump LSASS (Local Security Authority Subsystem Service)…

4 days ago

Shadow-rs : Harnessing Rust’s Power For Kernel-Level Security Research

shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…

2 weeks ago

ExecutePeFromPngViaLNK – Advanced Execution Of Embedded PE Files via PNG And LNK

Extract and execute a PE embedded within a PNG file using an LNK file. The…

3 weeks ago