Absinthe v2.0 Jailbreak Possible Payload

Great news came today for all iOS 5.1.1 users: the jailbreaking tool for this OS will be Absinthe v2.0. If you have used Absinthe before, you know the process is quick and easy, and this version is even easier than the previous one.

With Absinthe v2.0 you don’t need to enter DFU mode or mess with VPN settings. @xvolks, a friend of pod2g and a hacker himself, tweeted about this today; you can use this link for more information (including a video demonstration of Absinthe v2.0). Absinthe v2.0 also uses the same CLI cinject as the first Absinthe tool, together with the latest version of Redsn0w. As you can see, almost nothing has changed since the first release of the GreenPois0n tool.

The untethered jailbreak for iOS 5.1.1 was developed not only by pod2g (who did the main part of the work) but also by iPhone Dev Team members such as westbaer and planetbeing. It was tested with Absinthe on the iPhone 3GS and iPhone 4 by xvolks.

It will be possible to download Absinthe v2.0 from geo-location.site or from GreenPois0n’s official website in the near future, possibly at the HITB security conference.

Absinthe v2.0 exploit

Now let’s look into the previous exploit used in the Absinthe jailbreak. Here is a detailed explanation of the incomplete code-signing tricks:

It uses an exploit known as racoon.

racoon-exploit.conf layout:

sainfo address ::1 icmp6 address ::1 icmp6 {
my_identifier user_fqdn "%243u%619$hhn";
my_identifier user_fqdn "%11u%625$hhn";
my_identifier user_fqdn "%244u%619$hhn";
my_identifier user_fqdn "%217u%625$hhn";
my_identifier user_fqdn "%245u%619$hhn";
my_identifier user_fqdn "%186u%625$hhn";
my_identifier user_fqdn "%246u%619$hhn";
my_identifier user_fqdn "%10u%625$hhn";

Here is the comment by pod2g:

Using a fuzzer, I found after some hours of work that there’s a format string vulnerability in the racoon configuration parsing code! racoon is the IPsec IKE daemon (http://ipsec-tools.sourceforge.net/). It comes by default with iOS and is started when you set up an IPsec connection. Now you got it, Corona is an anagram of racoon 🙂 .

By the way, the exploitation of the format string vulnerability is different from what was done in 2001, check it out if you’re interested!

For the jailbreak to be applied at boot, racoon is started by a launchd plist file, executing the command: racoon -f racoon-exploit.conf. racoon-exploit.conf is a large configuration file exploiting the format string bug to get the unsigned code started.

The format string bug is utilized to copy the ROP bootstrap payload into memory and to execute it by overwriting a saved LR in the racoon stack with a stack pivot gadget. The ROP bootstrap payload copies the ROP exploit payload from the payload file which is distributed with Corona, then stack pivots to it. The idea is to escape from format strings as fast as possible, because they are CPU time consuming. The ROP exploit payload triggers the kernel exploit.
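As an added illustration (not code from the original post, from pod2g, or from racoon/ipsec-tools), the C below shows the bug class described above: a configuration value used directly as a printf-family format string, the hardened call that treats it as data, and a lint check that counts the %n-family write directives seen in the racoon-exploit.conf layout. The function names and sample identifiers are assumptions of this example.

```c
/* Added example, not from the original post or from racoon/ipsec-tools.
 * Illustrates the format-string bug class behind the Corona exploit and a
 * defensive check on configuration values. Function names are assumed. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Vulnerable pattern (shown for illustration only, not compiled here):
 *     void log_identifier_bad(const char *id) { printf(id); }
 * The identifier becomes the FORMAT string, so "%u" consumes stack words
 * and a "%N$hhn" directive writes one byte through a pointer argument. */

/* Hardened form: the untrusted value is an argument, never the format. */
void log_identifier_safe(FILE *out, const char *id)
{
    fprintf(out, "identifier: %s\n", id);
}

/* Count %n-family conversions (%n, %hn, %hhn, %ln, ...) in s, i.e. the
 * directives that write to memory. Handles positional forms like "%619$hhn"
 * and skips the literal "%%". Plain conversions such as %u are not counted. */
int count_n_writes(const char *s)
{
    int writes = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                   /* "%%" is a literal percent sign */
        /* skip flags, width, positional "$", precision and length modifiers */
        while (*p && (isdigit((unsigned char)*p) || strchr("$.-+ #'hlLqjzt", *p)))
            p++;
        if (*p == 'n')
            writes++;
        else if (*p == '\0')
            break;                      /* lone '%' at the end of the string */
    }
    return writes;
}

/* A user_fqdn identifier has no legitimate use for '%', so reject any value
 * containing one before it can reach a format-string sink. Returns 1 if safe. */
int identifier_is_safe(const char *id)
{
    return strchr(id, '%') == NULL;
}

int main(void)
{
    /* constructed sample values: one benign identifier, one from the layout above */
    const char *samples[] = { "user@example.com", "%243u%619$hhn" };
    for (size_t i = 0; i < 2; i++)
        printf("%-16s safe=%d n_writes=%d\n", samples[i],
               identifier_is_safe(samples[i]), count_n_writes(samples[i]));
    return 0;
}
```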

Download Corona Payload

To download the payload, use our GitHub source, forked from iOnic. Open a terminal and type:

git clone git://github.com/LetsUnlockiPhone/Corona-A5-Exploit-Absinthe-Jailbreak.git

Happy code engineering.