Initial commit

.idea/.gitignore

@@ -0,0 +1,6 @@
+# 默认忽略的文件
+/shelf/
+/workspace.xml
+# Datasource local storage ignored files
+/dataSources/
+/dataSources.local.xml

.idea/dataSources.xml

@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="DataSourceManagerImpl" format="xml" multifile-model="true">
+    <data-source source="LOCAL" name="BLDatabaseManager" uuid="ce2bbdd9-2f7e-4efe-bf5a-41d0172b403b">
+      <driver-ref>sqlite.xerial</driver-ref>
+      <synchronize>true</synchronize>
+      <jdbc-driver>org.sqlite.JDBC</jdbc-driver>
+      <jdbc-url>jdbc:sqlite:$PROJECT_DIR$/BLDatabaseManager.sqlite</jdbc-url>
+      <working-dir>$ProjectFileDir$</working-dir>
+    </data-source>
+    <data-source source="LOCAL" name="downloads.28" uuid="9f61f5e1-fbb5-4494-9977-4974f6a6ea8a">
+      <driver-ref>sqlite.xerial</driver-ref>
+      <synchronize>true</synchronize>
+      <jdbc-driver>org.sqlite.JDBC</jdbc-driver>
+      <jdbc-url>jdbc:sqlite:$PROJECT_DIR$/downloads.28.sqlitedb</jdbc-url>
+      <working-dir>$ProjectFileDir$</working-dir>
+      <libraries>
+        <library>
+          <url>file://$APPLICATION_CONFIG_DIR$/jdbc-drivers/Xerial SQLiteJDBC/3.45.1/org/xerial/sqlite-jdbc/3.45.1.0/sqlite-jdbc-3.45.1.0.jar</url>
+        </library>
+        <library>
+          <url>file://$APPLICATION_CONFIG_DIR$/jdbc-drivers/Xerial SQLiteJDBC/3.45.1/org/slf4j/slf4j-api/1.7.36/slf4j-api-1.7.36.jar</url>
+        </library>
+      </libraries>
+    </data-source>
+  </component>
+</project>

1.txt

@@ -0,0 +1 @@
+ACB0A0B8-C75D-445A-9B72-DF8605D649E5

README.md

@@ -0,0 +1,24 @@
+# bl_sbx
+## itunesstored & bookassetd Sandbox Escape
+
+This repository contains a proof-of-concept demonstrating how maliciously crafted `downloads.28.sqlitedb` and `BLDatabaseManager.sqlite` databases can escape the sandbox of **itunesstored** and **bookassetd** on iOS. By abusing their download mechanisms, the POC enables writing arbitrary `mobile`-owned files to restricted locations in `/private/var/`, including MobileGestalt cache files—allowing device modifications such as spoofing the device type.
+
+### Key Points
+- Compatible with iOS **26.2b1 and below** (tested on iPhone 12, iOS 26.0.1).
+- **Stage 1 (itunesstored):** Delivers a crafted `BLDatabaseManager.sqlite` to a writable container.
+- **Stage 2 (bookassetd):** Downloads attacker-controlled EPUB payloads to arbitrary file paths.
+- Writable paths include:
+  - `/private/var/containers/Shared/SystemGroup/.../Library/Caches/`
+  - `/private/var/mobile/Library/FairPlay/`
+  - `/private/var/mobile/Media/`
+- Demonstrates modifying `com.apple.MobileGestalt.plist` to validate successful exploitation.
+
+### Outcome
+iOS fails to block crafted download tasks, allowing unauthorized file writes unless the target path requires `root` ownership (or the fileowner is not `mobile`).
+
+**Check the blogpost for more information**
+
+### Disclaimer
+This project is for **educational purposes only**.  
+Do **not** use it for illegal activities.  
+Apple may patch this behavior at any time.