Requirements:
Jailbroken iPhone with at least the following packages installed:
OpenSSH
Warm Up:
First, we need the syscall number of execve on the XNU platform; it is listed in the kernel's syscall table:
https://opensource.apple.com/source/xnu/xnu-7195.81.3/bsd/kern/syscalls.master.auto.html
As we can see, the syscall number for execve is 59.
Note: on Linux this number is 221, and reusing the Linux value is where it became a rabbit hole for me before I had a working script.
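As an added example (not code from the original post), here is a small Python helper that parses the syscalls.master layout linked above and cross-checks the immediate loaded into x16 against it, so a Linux number such as 221 is caught before the shellcode is ever built. The table excerpt is constructed to match the file's format; the function names are my own.

```python
import re

# Constructed excerpt laid out like XNU's bsd/kern/syscalls.master
# (number, audit event, platform mask, C prototype in braces). The real file
# has hundreds of entries; these few are enough to exercise the parser.
SYSCALLS_MASTER_EXCERPT = """\
; comment lines start with a semicolon, exactly as in the real file
0   AUE_NULL    ALL { int nosys(void); }   { indirect syscall }
1   AUE_EXIT    ALL { void exit(int rval) NO_SYSCALL_STUB; }
2   AUE_FORK    ALL { int fork(void) NO_SYSCALL_STUB; }
3   AUE_NULL    ALL { user_ssize_t read(int fd, user_addr_t cbuf, user_size_t nbyte); }
4   AUE_NULL    ALL { user_ssize_t write(int fd, user_addr_t cbuf, user_size_t nbyte); }
59  AUE_EXECVE  ALL { int execve(char *fname, char **argp, char **envp); }
"""

# One table entry: leading number, two whitespace-separated tokens, then the
# prototype inside the first pair of braces.
_ENTRY_RE = re.compile(r"^(\d+)\s+\S+\s+\S+\s+\{\s*(.*?)\s*\}")
# The function name is the identifier directly followed by "(" in the prototype.
_NAME_RE = re.compile(r"(\w+)\s*\(")


def parse_syscalls_master(text):
    """Return {syscall_name: number} for every numbered entry in the text."""
    table = {}
    for line in text.splitlines():
        m = _ENTRY_RE.match(line.strip())
        if not m:  # comments, #if blocks, blank lines
            continue
        number, prototype = int(m.group(1)), m.group(2)
        name = _NAME_RE.search(prototype)
        if name:
            table[name.group(1)] = number
    return table


def syscall_number(table, name):
    """Look up a syscall by name; fail loudly instead of guessing a number."""
    try:
        return table[name]
    except KeyError:
        raise KeyError(f"{name!r} is not in this syscalls.master table") from None


def syscalls_in_source(asm_text, table):
    """Resolve every `mov x16, <imm>` in arm64 assembly source against the table.

    Returns [(immediate, syscall_name_or_None), ...]; a None means the number
    loaded into x16 is not an XNU Unix syscall in this table, which is exactly
    the mistake of reusing a Linux number such as 221.
    """
    by_number = {num: name for name, num in table.items()}
    hits = []
    for m in re.finditer(r"\bmov\s+x16\s*,\s*#?(\d+)", asm_text):
        num = int(m.group(1))
        hits.append((num, by_number.get(num)))
    return hits


if __name__ == "__main__":
    xnu = parse_syscalls_master(SYSCALLS_MASTER_EXCERPT)
    print("execve on XNU =", syscall_number(xnu, "execve"))
    print(syscalls_in_source("mov x16, 59\nsvc 0\n", xnu))   # resolves to execve
    print(syscalls_in_source("mov x16, 221\nsvc 0\n", xnu))  # unknown on XNU
```

Point the parser at the full syscalls.master file from the link above and run `syscalls_in_source` over your `.s` file to confirm every x16 value resolves to the syscall you intended.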
Action:
Now we can move on to the shellcode itself:
.global _main
.align 2
.text
_main:
// execve("/bin/bash", NULL, NULL);
adr x0, sh       // x0 = pointer to the "/bin/bash" string below
eor x1, x1, x1   // x1 = NULL (argv)
eor x2, x2, x2   // x2 = NULL (envp)
mov x16, 59      // x16 = execve (XNU Unix syscall number from syscalls.master)
svc 0            // trap into the kernel
sh:
.ascii "/bin/bash\0"
Let’s compile it:
clang shell.s -o shell \
  -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS14.4.sdk \
  -arch arm64 -mios-version-min=9.0
Knock out:
After compilation, transfer the “shell” binary to the iOS device. Once connected to the phone via SSH, make it executable and sign it:
chmod +x shell
ldid -S shell
Now you can see the program in action:
References:
https://stackoverflow.com/questions/67256680/execve-assembly-shellcode-for-aarch64-ios-darwin