From: Jay Freeman (saurik)
Date: Wed, 28 Oct 2015 13:48:34 +0000 (-0700)
Subject: Cobble injection into heavily sandboxed processes.
X-Git-Tag: v0.9.503^0
X-Git-Url: https://git.saurik.com/cycript.git/commitdiff_plain/f8d45a204f506bb2398a7c807b1bc1bd1e7cd3a9

Cobble injection into heavily sandboxed processes.
---
diff --git a/Console.cpp b/Console.cpp
index f963757..eeda0f9 100644
--- a/Console.cpp
+++ b/Console.cpp
@@ -608,7 +608,7 @@ static void Console(CYOptions &options) {
 } }
-void InjectLibrary(pid_t pid);
+void InjectLibrary(pid_t, int, const char *[]);
 int Main(int argc, char * const argv[], char const * const envp[]) {
 bool tty(isatty(STDIN_FILENO));
@@ -836,7 +836,14 @@ int Main(int argc, char * const argv[], char const * const envp[]) {
 memset(&address, 0, sizeof(address));
 address.sun_family = AF_UNIX;
-sprintf(address.sun_path, "/tmp/.s.cy.%u", getpid());
+const char *tmp;
+#if defined(__APPLE__) && (defined(__arm__) || defined(__arm64__))
+tmp = "/Library/Caches";
+#else
+tmp = "/tmp";
+#endif
+
+sprintf(address.sun_path, "%s/.s.cy.%u", tmp, getpid());
 unlink(address.sun_path);
 struct File {
@@ -856,7 +863,7 @@ int Main(int argc, char * const argv[], char const * const envp[]) {
 _syscall(chmod(address.sun_path, 0777));
 _syscall(listen(server, 1));
-InjectLibrary(pid);
+InjectLibrary(pid, 1, (const char *[]) {address.sun_path, NULL});
 client_ = _syscall(accept(server, NULL, NULL));
 }
 #else
diff --git a/Handler.mm b/Handler.mm
index ebd96b9..bbda7df 100644
--- a/Handler.mm
+++ b/Handler.mm
@@ -25,6 +25,7 @@ #include #include +#include #include #include #include
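Review bot: The new declaration `void InjectLibrary(pid_t, int, const char *[]);` does not match the definition added in Mach/Inject.cpp, which is `void InjectLibrary(int pid, int argc, const char *argv[])`. On Darwin pid_t is an int, so the mangled names coincide and this links, but the two signatures now drift independently and would fail to link on any target where pid_t is a different type; the same point applies to the Mach/Inject.cpp hunk that defines the function. Use `pid_t pid` in the definition as well, or move the declaration into a header included by both files so the compiler checks them against each other.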
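Review bot: `sprintf(address.sun_path, "%s/.s.cy.%u", tmp, getpid())` writes into `sun_path`, a fixed-size array inside `sockaddr_un`, with no bound; the two prefixes used here fit, but a longer prefix added later would overflow the struct silently. Replace it with `int n(snprintf(address.sun_path, sizeof(address.sun_path), "%s/.s.cy.%u", tmp, getpid())); _assert(n > 0 && size_t(n) < sizeof(address.sun_path));`. On Apple ARM targets the listening socket now lives in `/Library/Caches`, a directory shared by every process on the device, under a name that depends only on the pid, and the next hunk still makes it mode 0777, so any local process that can guess the pid can reach it; a short comment recording that this location was chosen because the sandboxed target cannot reach `/tmp`, and noting that exposure, would help later readers. The body of `Main` continues outside this hunk.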
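Review bot: `(const char *[]) {address.sun_path, NULL}` is a C99 compound literal, which C++ compilers accept only as an extension; a named local `const char *args[] = {address.sun_path, NULL};` followed by `InjectLibrary(pid, 1, args);` is portable and easier to inspect in a debugger. The trailing NULL is also redundant with the explicit `argc` of 1, so the declaration should document which convention callers must follow (counted arguments, NULL-terminated, or both) before a second caller picks one at random. `Main` continues outside this hunk.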
@@ -141,22 +142,24 @@ extern "C" void CYHandleClient(int socket) {
 _assert(pthread_create(&client->thread_, NULL, &OnClient, client) == 0);
 }
-static void CYHandleProcess(pid_t pid) {
- CYInitializeDynamic();
-
+static void CYHandleSocket(const char *path) {
 int socket(_syscall(::socket(PF_UNIX, SOCK_STREAM, 0)));
 struct sockaddr_un address;
 memset(&address, 0, sizeof(address));
 address.sun_family = AF_UNIX;
- sprintf(address.sun_path, "/tmp/.s.cy.%u", pid);
+ strcpy(address.sun_path, path);
 _syscall(connect(socket, reinterpret_cast(&address), SUN_LEN(&address)));
+
+ CYInitializeDynamic();
 CYHandleClient(socket);
 }
 extern "C" void CYHandleServer(pid_t pid) { try {
- CYHandleProcess(pid);
+ char path[1024];
+ sprintf(path, "/tmp/.s.cy.%u", pid);
+ CYHandleSocket(path);
 } catch (const CYException &error) {
 CYPool pool;
 fprintf(stderr, "%s\n", error.PoolCString(pool));
@@ -164,11 +167,7 @@ extern "C" void CYHandleServer(pid_t pid) { try {
 extern "C" char *MSmain0(int argc, char *argv[]) { try {
 _assert(argc == 2);
- auto arg(argv[1]);
-
- char *end;
- pid_t pid(strtoul(arg, &end, 10));
- _assert(end == arg + strlen(arg));
+ CYHandleSocket(argv[1]);
 static void *handle(NULL);
 if (handle == NULL) {
@@ -177,8 +176,6 @@ extern "C" char *MSmain0(int argc, char *argv[]) { try {
 handle = dlopen(info.dli_fname, RTLD_NOLOAD);
 }
- CYHandleProcess(pid);
-
 return NULL;
 } catch (const CYException &error) {
 CYPool pool;
diff --git a/Mach/Inject.cpp b/Mach/Inject.cpp
index 3e30ae5..ace75cd 100644
--- a/Mach/Inject.cpp
+++ b/Mach/Inject.cpp
@@ -19,6 +19,7 @@ **/ /* }}} */ +#include #include #include
@@ -52,7 +53,7 @@ Type_ *shift(Type_ *data, size_t size) {
 return reinterpret_cast(reinterpret_cast(data) + size);
 }
-void InjectLibrary(pid_t pid) {
+void InjectLibrary(int pid, int argc, const char *argv[]) {
 auto cynject(LibraryFor(reinterpret_cast(&main)));
 auto slash(cynject.rfind('/'));
 _assert(slash != std::string::npos);
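Review bot: `strcpy(address.sun_path, path)` copies an unbounded string into the fixed-size `sun_path` member of `sockaddr_un`, and in the following hunk `MSmain0` now passes `argv[1]` straight through to `CYHandleSocket`, so the socket path comes from the injected command line and no longer gets the validation the old pid parsing provided. Check the length before copying: `_assert(strlen(path) < sizeof(address.sun_path)); strcpy(address.sun_path, path);` (or use `strlcpy` and assert on its return value). Separately, `CYHandleServer` still formats `/tmp/.s.cy.%u` while Console.cpp now places the socket under `/Library/Caches` on Apple ARM builds, so if that entry point is still reached on such targets it connects to a path the console never creates; either share the path computation between the two files or add a comment stating that `CYHandleServer` is the legacy, non-sandboxed entry point.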
@@ -107,7 +108,10 @@ void InjectLibrary(pid_t pid) {
 library += ".dylib";
 #endif
- CYPool pool;
- int status(system(pool.sprintf(1024, "%s %u %s %u", cynject.c_str(), pid, library.c_str(), getpid())));
- _assert(status == 0);
+ std::ostringstream inject;
+ inject << cynject << " " << std::dec << pid << " " << library;
+ for (decltype(argc) i(0); i != argc; ++i)
+ inject << " " << argv[i];
+
+ _assert(system(inject.str().c_str()) == 0);
 }
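Review bot: `system(inject.str().c_str())` hands `/bin/sh` a command line built by joining `cynject`, `library` and the caller-supplied `argv` with spaces and no quoting, so any element containing a space or a shell metacharacter — `cynject` is derived from the running executable's location, and `argv` is now an arbitrary string array — is split or interpreted by the shell instead of reaching cynject intact. Spawning the helper directly with an argument vector removes the shell from the path and also reports the child's exit status precisely rather than through `system()`'s combined wait status; a sketch follows (it needs `<spawn.h>`, `<sys/wait.h>` and `<vector>`, plus a declaration of `environ`, and makes the `std::ostringstream`/`std::dec` lines unnecessary). If `system()` is kept for now, each argument should at least be wrapped in single quotes with embedded quotes escaped. The enclosing `InjectLibrary` starts outside this hunk.
```cpp
    // … unchanged: locate cynject and build the library path …
    std::string pidstr(std::to_string(pid));
    std::vector<const char *> args;
    args.push_back(cynject.c_str());
    args.push_back(pidstr.c_str());
    args.push_back(library.c_str());
    for (decltype(argc) i(0); i != argc; ++i)
        args.push_back(argv[i]);
    args.push_back(NULL);

    pid_t child;
    _assert(posix_spawn(&child, args[0], NULL, NULL, const_cast<char **>(args.data()), environ) == 0);
    int status;
    _assert(waitpid(child, &status, 0) == child);
    _assert(WIFEXITED(status) && WEXITSTATUS(status) == 0);
```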