Gist by jipegit (da73d423c2c57c071cc1b9bd0b9f6fe7), last active May 10, 2024 14:33
# Quick and Dirty iOS Exploits/Implant IoC from Google Project Zero blog posts

**Date:** 2019-08-30

## References

- https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html
- https://googleprojectzero.blogspot.com/2019/08/in-wild-ios-exploit-chain-1.html
- https://googleprojectzero.blogspot.com/2019/08/in-wild-ios-exploit-chain-2.html
- https://googleprojectzero.blogspot.com/2019/08/in-wild-ios-exploit-chain-3.html
- https://googleprojectzero.blogspot.com/2019/08/in-wild-ios-exploit-chain-4.html
- https://googleprojectzero.blogspot.com/2019/08/in-wild-ios-exploit-chain-5.html
- https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html

## Artifacts

### System Live

| Artifact | Value |
| --- | --- |
| `kern.bootargs` | `iopl` |
| `kern.bootargs` | `iop114` |
| `kern.maxfilesperproc` | `0x27ff` |

- Diff the kernel CDHash trust cache

### Filesystem

- `/tmp/updateserver`
- `\/tmp\/[0-9A-F]{8}\-[0-9A-F]{4}\-[0-9A-F]{4}\-[0-9A-F]{4}\-[0-9A-F]{12}` (regex: UUID-named file under `/tmp`)

### Syslog

Note: `%@` == `.+` (match the placeholder as the regex `.+`).

Exploits:

- "to sleep ..."
- "Connections cannot be directly embedded in messages. You must create an endpoint from the connection."

Implant:

- "uploadDevice"
- "postFile %@ Error: "
- "postFile success "
- "timer trig"
- "cmds"
- "finally"
- "Json data "
- "data Result:"
- "cmds:"
- "s_url:"
- "cookies:"
- "requestSystemMail"
- "requestLocation"

### Network

HTTP:

| Method | URL | Note |
| --- | --- | --- |
| POST | `http://X.X.X.X:1234/upload/info` | `9ff7172192b7` in POST request (multipart boundary) |
| GET | `http://X.X.X.X:1234/list/` | |
| GET | `http://X.X.X.X:1234/list/suc?name=` | |
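The indicators above are easier to apply consistently from a script than by eye, especially the syslog strings, where the `%@` placeholder has to become the regex `.+` and short strings such as "cmds" or "finally" also match ordinary log traffic. The following Python is an added example, not part of the gist or of Project Zero's material: it compiles the gist's syslog strings, filesystem regex, sysctl values and HTTP markers into checks and runs them over a few constructed syslog lines, paths and sysctl values. It assumes sysctl values arrive as the strings `sysctl` prints, that the `iopl` and `iop114` entries are substrings to look for in `kern.bootargs`, and that the HTTP boundary is visible in a request's `Content-Type` header; the sample inputs are invented for illustration.

```python
"""Match host and log artifacts against the IoCs listed in the gist above.

Added example (not part of the gist). All sample syslog lines, paths, sysctl
values and HTTP requests below are constructed for illustration.
"""
import re

# Syslog strings from the gist. Per the gist's note ("%@ == .+"), each %@
# placeholder is matched as the regex ".+"; everything else is literal.
EXPLOIT_STRINGS = [
    "to sleep ...",
    "Connections cannot be directly embedded in messages. "
    "You must create an endpoint from the connection.",
]
IMPLANT_STRINGS = [
    "uploadDevice", "postFile %@ Error: ", "postFile success ", "timer trig",
    "cmds", "finally", "Json data ", "data Result:", "cmds:", "s_url:",
    "cookies:", "requestSystemMail", "requestLocation",
]
# Short or generic strings also appear in benign logs: report them as
# low-confidence so they corroborate stronger hits rather than page on their own.
LOW_CONFIDENCE = {"cmds", "cmds:", "finally", "timer trig", "cookies:"}

# Filesystem indicators: the fixed path and the UUID-named file regex.
TMP_PATHS = {"/tmp/updateserver"}
TMP_UUID_RE = re.compile(
    r"/tmp/[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}")

# Live-system and network values from the gist. Treating the bootargs entries
# as substrings of kern.bootargs is this example's assumption.
BOOTARGS_TOKENS = ("iopl", "iop114")
MAXFILESPERPROC = 0x27ff
HTTP_BOUNDARY = "9ff7172192b7"


def pattern_to_regex(s):
    """Escape a literal log string and replace every %@ with '.+'."""
    return re.compile(".+".join(re.escape(part) for part in s.split("%@")))


SYSLOG_RULES = ([("exploit", s, pattern_to_regex(s)) for s in EXPLOIT_STRINGS]
                + [("implant", s, pattern_to_regex(s)) for s in IMPLANT_STRINGS])


def scan_syslog(text):
    """Return (line_no, category, gist_string, confidence) for each matching line."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for category, literal, rx in SYSLOG_RULES:
            if rx.search(line):
                conf = "low" if literal in LOW_CONFIDENCE else "high"
                hits.append((n, category, literal, conf))
    return hits


def find_tmp_artifacts(paths):
    """Return the paths from a file listing that match the gist's filesystem IoCs."""
    return [p for p in paths if p in TMP_PATHS or TMP_UUID_RE.search(p)]


def check_sysctl(values):
    """values: mapping of sysctl name -> value string as printed by `sysctl`."""
    findings = []
    bootargs = values.get("kern.bootargs", "")
    for tok in BOOTARGS_TOKENS:
        if tok in bootargs:
            findings.append(f"kern.bootargs contains {tok!r}")
    raw = values.get("kern.maxfilesperproc")
    if raw is not None and int(raw, 0) == MAXFILESPERPROC:  # accepts "10239" or "0x27ff"
        findings.append(f"kern.maxfilesperproc == {MAXFILESPERPROC:#x}")
    return findings


def check_http(method, path, content_type=""):
    """Return reasons a request matches the implant's endpoints or boundary."""
    reasons = []
    if method == "POST" and path == "/upload/info":
        reasons.append("POST to /upload/info")
        if HTTP_BOUNDARY in content_type:
            reasons.append(f"multipart boundary {HTTP_BOUNDARY}")
    if method == "GET" and path.startswith("/list/"):
        reasons.append(f"GET {path}")
    return reasons


# Constructed sample syslog: lines 1-3 should fire high-confidence rules,
# line 4 only the low-confidence "finally", line 5 nothing.
SAMPLE_SYSLOG = """\
Jan 01 12:00:01 iPhone kernel[0]: to sleep ...
Jan 01 12:00:02 iPhone updateserver[512]: postFile /tmp/0123ABCD-1234-ABCD-1234-0123456789AB Error: timeout
Jan 01 12:00:03 iPhone updateserver[512]: requestLocation
Jan 01 12:00:04 iPhone SpringBoard[60]: finally got focus
Jan 01 12:00:05 iPhone locationd[70]: position update
"""

if __name__ == "__main__":
    for hit in scan_syslog(SAMPLE_SYSLOG):
        print("syslog", hit)
    print("fs", find_tmp_artifacts(["/tmp/updateserver", "/tmp/lock-abc"]))
    print("sysctl", check_sysctl({"kern.maxfilesperproc": "10239", "kern.bootargs": "iop114"}))
    print("http", check_http("POST", "/upload/info", "multipart/form-data; boundary=9ff7172192b7"))
```

On a real device you would feed `scan_syslog` a syslog export, `find_tmp_artifacts` a directory listing of `/tmp`, and `check_sysctl` the output of `sysctl kern.bootargs kern.maxfilesperproc`; the low/high confidence split keeps the generic strings from drowning the distinctive ones.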