iOS 11.1.2 Exploit async_wake | Lucideus Research
ASYNC_WAKE : async_wake is an adaptation of Abraham Masri’s “get uid: 0” project. async_wake can get you root and tfp0 on all 64-bit devices running 11.1.2. This is not a #jailbreak but it might help to create one.
This exploit chains the following CVEs to obtain root access:
- CVE-2017-13865
- CVE-2017-13861
- CVE-2016-7612
- CVE-2016-7633
Moreover, the exploit takes advantage of the IOSurface vulnerability released earlier. With this exploit you can modify /var without bypassing Kernel Patch Protection (KPP); modifying the root filesystem, on the other hand, requires a KPP bypass.
tfp0
In XNU, task_for_pid is a function that permits a (privileged) process to obtain the task port of another process on the same host, with the exception of the kernel task (process ID 0). A tfp0 patch (or task_for_pid(0) patch) removes this restriction, allowing any executable running as root to call task_for_pid for pid 0 (hence the name) and then use vm_read and vm_write to modify the kernel's VM region.
COMPATIBILITY
The exploit is compatible with all iPhone and iPod models with a 64-bit architecture, including the iPhone X, running iOS 11.1.2. Earlier, only a few devices were compatible because kernel offsets were missing for the rest; this was fixed by switching to an “offsetless” approach.
If you have saved your iOS 11.1.2 SHSH blobs, they will help you downgrade your iPhone in the future.
The supported devices are as follows:
IPHONE
iPhone 5s
iPhone 6/iPhone 6 plus
iPhone 6s/6s plus
iPhone SE
iPhone 7/7 plus
iPhone 8/8 plus
iPhone X
IPAD
iPad Air
iPad Air 2
iPad Pro
iPad mini 2
iPad mini 3
iPad mini 4
IPOD
iPod touch 6
FIRMWARE
Firmware support is for iOS 11.1.2 only. However, this doesn’t mean that iOS 11.1.1 and older iOS 11 versions are incompatible; the reason is simply that this PoC only contains exploits for iOS 11.1.2 right now.
DOWNLOAD ASYNC_WAKE IPA FILE
Click this link to download
Installing ASYNC_WAKE Using Cydia Impactor
We can sideload the IPA file with the standard process.
Step 1 Download the IPA file using this link IPA File.
Step 2 Install the IPA on the iPhone with Cydia Impactor using the standard sideload procedure. Open Cydia Impactor.
Step 3 Drag and drop the async.ipa file into the Cydia Impactor.
Step 4 Provide your valid Apple ID details as prompted by impactor.
It will take a few moments to sideload the application onto your iPhone.
Step 5 Once the installation process is complete, you should see the async_wake_ios exploit installed on your iPhone.
Step 6 Run the application from your home screen.
Step 7 Once you get a white screen as shown below, the exploit has completed successfully and obtained root access (tfp0 patch) on your device.
Installing ASYNC_WAKE Using XCODE PROJECT
Step 1 Download the project from this link: xcode project.
Step 2 Open the project in Xcode by clicking on the .xcodeproj file.
Step 3 Compile the project using the following steps:
- Call the get_root() method
- Store the uid (user ID)
- Call setuid(old_uid)
Step 4 Run the Xcode project to get root access.
HOW TO INSTALL ASYNC_WAKE WITH CYDIA ON IOS 11.1.2
Step 1 Download the FilzaJailed application IPA file using this link here.
Step 2 Install the FilzaJailed application by sideloading the IPA using Cydia Impactor.
Step 3 Once the installation process is finished, launch the application and navigate to the root (/).
Step 4 Create and save a text file and rename it to .cydia_no_stash.
Step 5 Download the IPA file using the following link.
Step 6 Drag and drop the async_wake_ios.ipa file in Cydia Impactor
Step 7 Provide your valid Apple ID details as prompted by impactor.
It will take a few moments to sideload the application onto your iPhone.
Step 8 Once the installation process is complete, you should see the async_wake_ios exploit installed on your iPhone.
Step 9 Run the async_wake_ios application on your device.
Step 10 Restart your device and run the async_wake_ios application again.
Step 11 On successful completion of the exploit you should see Cydia installed on your iPhone running iOS 11.1.2. However, it doesn’t yet allow you to add repositories or install Cydia packages, as it requires an update to run the Debian packages.
References
https://github.com/benjibobs/async_wake
https://siguza.github.io/v0rtex/