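def install_pangu(file_name="com.pangu.ipa1.ipa"):
    """Stage an IPA from ./payload on the device and ask installation_proxy to install it.

    The IPA is copied to the device's ``/PublicStaging`` directory over AFC,
    an ``Install`` command is sent to ``com.apple.mobile.installation_proxy``,
    and the progress plists are printed until the service reports
    ``Status == "Complete"`` or stops answering.

    Args:
        file_name: Name of the IPA under ``payload/``. Defaults to the name
            the original code hard-coded, so existing callers are unaffected.

    Raises:
        IOError/OSError: if ``payload/<file_name>`` cannot be opened.
        Anything the lockdown/AFC/installation_proxy clients raise is
        propagated after the sessions have been torn down.
    """
    lockdown = LockdownClient()
    afc = AFCClient(lockdown)
    mci = lockdown.startService("com.apple.mobile.installation_proxy")
    staged_path = "/PublicStaging/" + file_name
    try:
        # Read the IPA inside a context manager so the local file handle is
        # released even if the AFC upload fails (the original never closed it).
        with open("payload/" + file_name, "rb") as ipa:
            afc.set_file_contents(staged_path, ipa.read())
        mci.sendPlist({"Command": "Install", "PackagePath": staged_path})
        while True:
            status = mci.recvPlist()
            if not status:
                # None/empty plist: the service went away without a final status.
                break
            completion = status.get("PercentComplete")
            # Compare with None rather than truthiness so a 0% update is shown too.
            if completion is not None:
                # print(...) with a single argument behaves the same on Python 2 and 3.
                print("Installing, %s: %s %% Complete" % (file_name, completion))
            if status.get("Status") == "Complete":
                print("Installation %s\n" % status["Status"])
                break
    finally:
        # Close the service and both sessions even when the install loop raises.
        mci.close()
        afc.stop_session()
        lockdown.stop_session()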
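def download_caches(file_path="./payload/caches.gz", output_path="./payload/caches"):
    """Fetch the device's "Caches" file-relay source and unpack it locally.

    The file relay answers with a gzip-compressed cpio archive. The raw
    bytes are written to ``file_path`` and the archive entries are then
    extracted under ``output_path``.

    Args:
        file_path: Where the compressed archive is saved. Defaults to the
            path the original code hard-coded.
        output_path: Directory the cpio entries are extracted into.

    Raises:
        Exception: with the message "Fail to get caches" when the device
            returned no data (message kept for callers that match on it).
    """
    fc = FileRelayClient()
    try:
        data = fc.request_sources(["Caches"])
    finally:
        # Stop the relay session even if the request itself raised.
        fc.stop_session()
    if not data:
        print("Fail to get caches")
        raise Exception("Fail to get caches")
    with open(file_path, "wb") as out:
        out.write(data)
    print("Data saved to: %s " % file_path)
    # Re-open in binary mode: GzipFile needs bytes, and the original text-mode
    # "r" breaks on Python 3 (and on Windows under Python 2).
    with open(file_path, "rb") as f:
        with gzip.GzipFile(mode="rb", fileobj=f) as gz:
            archive_bytes = gz.read()
    cpio = CpioArchive(fileobj=BytesIO(archive_bytes))
    # NOTE(review): the archive content is produced by the device. Whether
    # CpioArchive.extract_files rejects entries that escape output_path
    # ("../" components or absolute names) is not visible here - confirm
    # before extracting into anything other than a scratch directory.
    cpio.extract_files(files=None, outpath=output_path)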
8.0/8.0.1/8.0.2/8.1 — Pangu8:
- an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
- enterprise certificate (inside the IPA)
- a kind of dylib injection into a system process (see IPA)
- a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
- a sandboxing problem in debugserver (CVE-2014-4457)
- the same/a similar kernel exploit as used in Pangu (CVE-2014-4461) (source @iH8sn0w)
- enable-dylibs-to-override-cache CVE-2014-4455