
Exploiting Userland Vulnerabilities to Get Rogue App Installed Remotely on iOS 11

Offered By: Recon Conference via YouTube


Course Description

Overview

Explore advanced iOS exploitation techniques in this 55-minute Recon Conference talk. Delve into the strategies used to remotely pwn iOS 11 systems, breaking Apple's sandbox and installing persistent rogue applications without kernel exploits. Learn about the double free vulnerability (CVE-2017-7162) in the IOKit framework, advanced exploit techniques for 100% reliable exploitation, and methods for bypassing code signing requirements. Gain insights into sandbox escape technology, browser exploitation, and the challenges of chaining vulnerabilities to defeat iOS defenses. Witness a live demonstration of these techniques and compare them to Android exploitation. Examine the Pegasus APT case study and discuss iOS 12 sandbox hardening measures.

Syllabus

Intro
Agenda
Typical exploit chain (Mobile Pwn2Own) 1/2
Why not a kernel bug to escape the sandbox?
iOS sandbox overview
Our strategy on sandbox bypass
General approach to exploit double free
Problem 1: fill in object B
Problem 2: stable race to fill
CF object fill into vm_allocate
The strategy doesn't work
Android Comparison
Pegasus APT
Initial Step: Setting up the required files
Final step, showing the app
Examining the roadblocks
iOS 12 sandbox hardening
Taught by

Recon Conference
