Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I used Fiddler to sniff traffic between iPad 2 and Jailbreakme during jailbreaking but I did not found where the PDF files are located. Could you help me find out where are PDFs that contains the exploits?


There is no PDF file, the pdf is a base64 encoded data-uri in the javascript, in the page itself, not even in a separate asset.

For those who fancy doing some analysis, here's the curl command with the required ipad UA string:

    curl -A "Mozilla/5.0 (iPad; U; CPU OS 4_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8F190 Safari/6533.18.5" http://www.jailbreakme.com
EDIT: here's the b64 pdf: http://pastebin.com/69tnPMdV

the PDF is very invalid, because it never needs to masquerade as a real document, it doesn't have to pretend to implement the PDF spec correctly. This makes it somewhat resistant to analysis, it doesn't even have the required '%%EOF' marker so many tools choke on it immediately.

EDIT: There's an unterminated stream object in there which doesn't have a type, and it also has a declared length of 61 bytes and an actual length of well over 400. I think we have a winner... Unfortunately iOS shellcode analysis is waaaay over my head so I'll have to do something useful instead.


I decoded base64 & got this: https://gist.github.com/1067129

bunch of random gibberish?


When decoding to ASCII instead of UTF-8 (like you've done) I got this. It makes a little bit more sense at least, but not much.

http://pastebin.com/YuPrMhiE


I guess the actual shell code starts from line 40 ">>stream..."

It must be using some other encoding, only if we knew which!


It's a PDF FlateDecode block, i.e. it's DEFLATEd. The actual payload within may be different, but this much has been used before.

http://digdog.tumblr.com/post/894317027/jailbreak-with-pdf-f...


It's presumably just a lump of binary ARM opcodes.


We need a debugger or a disassmbler like IDA Pro to make reverse engineering of that code


It's compressed with FlateDecode; if you decompress it you can see the embedded .pfb, which has the actual exploit.


thank you comex, I did not actually found how to decompress it, I keep trying with pdf-parser with no luck


I've succesfully extraced the font with pdf-parser with this command: "python pdf-parser.py --object 4 --filter --raw pdfexploit.pdf > font.pfb" everything is documented here http://www.bufferoverflow.it/2011/07/06/jailbreakme-ecco-com...


Is there a way to decompile the base64 code into the actual script? I'm guessing the shellcode is the bits after the AAAAAAA's?


http://pastebin.com/YuPrMhiE

It doesn't make that much more sense to me, but atleast you can see some commands.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: