The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "User:Aker"
m (→Absinthe (5.0 iPhone 4S only / 5.0.1 iPad 2 and iPhone 4S)) |
(→Absinthe 2.0 (5.1.1): named exploits...) |
||
Line 17: | Line 17: | ||
* [[HFS Heap Overflow]] |
* [[HFS Heap Overflow]] |
||
− | === [[Absinthe|Absinthe 2.0]] (5.1.1) === |
+ | === [[Absinthe|Absinthe 2.0]] and [[Rocky Racoon|Rocky Racoon Untether]] (5.1.1) === |
{{Section Stub}} |
{{Section Stub}} |
||
+ | * a new Packet Filter Kernel Exploit (CVE-2012-3728) |
||
− | * [[Rocky Racoon]] |
||
+ | * Racoon DNS4 table buffer overflow (CVE-2012-3727) |
||
− | |||
== Exploits which are used in order to jailbreak 6.x == |
== Exploits which are used in order to jailbreak 6.x == |
Revision as of 19:13, 2 December 2014
Contents
- 1 Jailbreak Exploits
- 1.1 Missing
- 1.2 Exploits which are used in order to jailbreak different versions of iOS
- 1.3 Exploits which are used in order to jailbreak 5.x
- 1.4 Exploits which are used in order to jailbreak 6.x
- 1.5 Exploits which are used in order to jailbreak 7.x
- 1.6 Exploits which are used in order to jailbreak 8.x
Jailbreak Exploits
Missing
- UnthreadedJB
Exploits which are used in order to jailbreak different versions of iOS
- limera1n's bootrom exploit + 0x24000 Segment Overflow (together for untethered jailbreak on iPhone 3GS with old bootrom)
- limera1n's bootrom exploit (Tethered jailbreak) on iPhone 3GS with new bootrom, iPod touch 3G, iPad, iPhone 4, and iPod touch 4G)
Exploits which are used in order to jailbreak 5.x
Absinthe (5.0 on iPhone 4S only / 5.0.1 on iPad 2 and iPhone 4S)
- Racoon String Format Overflow Exploit (used both for payload injection and untether)
- HFS Heap Overflow
Corona Untether (5.0.1)
Absinthe 2.0 and Rocky Racoon Untether (5.1.1)
This section is a stub; it is incomplete. Please add more content to this section and remove this tag.
- a new Packet Filter Kernel Exploit (CVE-2012-3728)
- Racoon DNS4 table buffer overflow (CVE-2012-3727)
Exploits which are used in order to jailbreak 6.x
evasi0n (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2)
- limera1n's bootrom exploit (Tethered jailbreak) on iPhone 3GS with new bootrom, iPhone 4, and iPod touch 4G)
- limera1n's bootrom exploit + 0x24000 Segment Overflow (together for untethered jailbreak on iPhone 3GS with old bootrom)
- Symbolic Link Vulnerability
- Timezone Vulnerability
- Shebang Trick
- AMFID code signing evasion
- launchd.conf untether
- IOUSBDeviceFamily Vulnerability
- ARM Exception Vector Info Leak
- dynamic memmove() locating
- vm_map_copy_t corruption for arbitrary memory disclosure
- kernel memory write via ROP gadget
p0sixspwn (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6)
- posix_spawn kernel information leak (by i0n1c)
- posix_spawn kernel exploit (CVE-2013-3954) (by i0n1c)
- mach_msg_ool_descriptor_ts for heap shaping
- AMFID_code_signing_evasi0n7
- DeveloperDiskImage race condition (by comex)
- launchd.conf untether
Exploits which are used in order to jailbreak 7.x
This section is a stub; it is incomplete. Please add more content to this section and remove this tag.
evasi0n7 (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6)
Geeksn0w (7.1 / 7.1.1 / 7.1.2)
- limera1n's bootrom exploit (Tethered jailbreak) on iPhone 4
Pangu (7.1 / 7.1.1 / 7.1.2)
- i0n1c's Infoleak vulnerability (Pangu v1.0.0)
- break_early_random (by i0n1c and Tarjei Mandt of Azimuth) (Pangu v1.1.0)
- LightSensor / ProxALSSensor kernel exploit (Pangu 1.0.0)
- TempSensor kernel exploit (Pangu 1.1.0)
- "syslogd chown" vulnerability
- enterprise certificate (no real exploit, used for initial "unsigned" code execution)
- "foo_extracted" symlink vulnerability (used to write to /var)
- /tmp/bigfile (a big file for improvement of the reliability of a race condition)
- VoIP backgrounding trick (used to auto restart the app)
- hidden segment attack
Exploits which are used in order to jailbreak 8.x
This section is a stub; it is incomplete. Please add more content to this section and remove this tag.
Pangu8 (8.0 / 8.0.1 / 8.0.2 / 8.1)
- an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
- enterprise certificate (inside the IPA)
- a kind of dylib injection into a system process (see IPA)
- a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
- a sandboxing problem in debugserver (CVE-2014-4457)
- the same/a similar kernel exploit as used in Pangu (CVE-2014-4461) (source @iH8sn0w)
- enable-dylibs-to-override-cache
- CVE-2014-4455
TaiG (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1)
- LightSensor / ProxALSSensor kernel exploit (Also used in Pangu 1.0.0)
- DeveloperDiskImage race condition (by comex) (source: https://twitter.com/iH8sn0w/status/538602532088860672; also used in p0sixspwn)
- enable-dylibs-to-override-cache (Also used in Pangu8)
- a kind of dylib injection into a system process (see IPA) (Also used in Pangu8 but tweaked slightly)