Compiling the 3.0 star_ exploit – episode 2

Previous episode – episode 0

Previous episode – episode 1

We left off last time trying to run the final, ultimate command:

    ./ pdf

And it failed with BANGing errors. Well, it took me some time to realize what the main problem was: in Python you need to first declare global variables, and only then can you use them in ‘functions’ or whatever you call them in Python (yeah, my Python knowledge is, um, somewhat ‘limited’ to say the least :D).

So all I had to do was copy the declarations of each global variable from the ‘functions’ to the top of the file. After that it continued, only to hit me again, this time with a “No such file or directory” error.

Turns out that in the latest SDK gcc isn’t called gcc-4.2 anymore, but simply gcc. So I needed to change that, then change the path because it wasn’t right either, then correct everything inside the ‘functions’ too.

After that I needed to create a symbolic link named cur inside of config pointing to SOURCE/bs.

After that I needed to make some more changes, because the regexp used to construct the current target device and build number didn’t work, so I hardcoded my values (I know it is dirty, sorry…):

    #device, version, build_num = re.match('(i[A-Z][a-z]+[0-9],[0-9x])_([0-9\.]+)_([A-Z0-9]+)', firm$
    device = "iPod3,1"
    version = "4.3.3"

After all this, it seemed to be fine… but only for some seconds:

    ./ pdf

    Assertion failed: (things[i].r_length == 2), function relocate_area, file mach-o/link.c, line 30.
    fabricate: 'python' exited with status -6

I had a look at the file in question (SOURCE/data/mach-o/link.c). It is quite a simple file, but the function is quite complicated. As far as I know (right now) it gets (a) binary object(s) and some other parameters and does some work with these: first it creates an array of relocation_info structures from the parameters loaded in, then it goes through all the array items in a for-loop. The first step of the loop body is the assertion:

        assert(things[i].r_length == 2);

So the i-th item of the things array (which contains relocation_info structures) needs to have an r_length of 2, which according to the header file means “Long”. Well, for me it works fine for a while (I put some printfs in the file to see what is going on), but then it gets a 0 instead of 2. BANG, there is the error.
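To show what that assertion is actually checking, here is an added example (not code from the star_ source or from this post) that decodes relocation_info entries the way relocate_area sees them and reports the first one whose r_length is not 2; the bit positions follow the little-endian layout of the bitfields in <mach-o/reloc.h>, and the sample table is constructed.

```c
/* Decode Mach-O relocation_info entries (8 bytes each) and find the first one
 * that would trip assert(things[i].r_length == 2) in relocate_area.
 * Added example, not from the star_ source; the sample table is constructed. */
#include <stddef.h>
#include <stdint.h>

struct reloc {
    int32_t  r_address;   /* offset within the section being relocated */
    uint32_t r_symbolnum; /* symbol index (r_extern=1) or section ordinal */
    unsigned r_pcrel;     /* 1 bit: already relocated PC-relative */
    unsigned r_length;    /* 2 bits: 0=byte, 1=word, 2=long, 3=quad */
    unsigned r_extern;    /* 1 bit */
    unsigned r_type;      /* 4 bits, machine-specific */
};

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Unpack one entry: r_address is the first word, the packed fields the second
 * (r_symbolnum bits 0-23, r_pcrel 24, r_length 25-26, r_extern 27, r_type 28-31). */
struct reloc reloc_decode(const uint8_t *entry) {
    struct reloc r;
    uint32_t info = le32(entry + 4);
    r.r_address   = (int32_t)le32(entry);
    r.r_symbolnum = info & 0xffffffu;
    r.r_pcrel     = (info >> 24) & 1u;
    r.r_length    = (info >> 25) & 3u;
    r.r_extern    = (info >> 27) & 1u;
    r.r_type      = (info >> 28) & 0xfu;
    return r;
}

/* Index of the first entry whose r_length is not 2 ("long", a 4-byte fixup),
 * or -1 if every entry satisfies the condition relocate_area asserts. */
int first_non_long(const uint8_t *table, size_t nreloc) {
    for (size_t i = 0; i < nreloc; i++)
        if (reloc_decode(table + 8 * i).r_length != 2)
            return (int)i;
    return -1;
}

/* Constructed table: entry 0 is a long relocation of section 1 at offset 0x10;
 * entry 1 has r_length = 0 (byte), the value the author saw in the printfs. */
static const uint8_t sample_table[16] = {
    0x10,0x00,0x00,0x00,  0x01,0x00,0x00,0x04,
    0x20,0x00,0x00,0x00,  0x01,0x00,0x00,0x00,
};
```

Running first_non_long over a real table extracted from the kernel cache tells you which entry, not just that some entry, carries the unexpected width, which is the question the assertion alone leaves open.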

Sadly I don’t know yet how to continue; the error could be caused either by the input file (the kernel cache) or by the code itself. I am pretty sure it is the input file, but still not 100% sure, so I will keep digging.

See you in the next episode (I hope there will be a next one :)).