# bl_sbx
## itunesstored & bookassetd Sandbox Escape

This repository contains a proof-of-concept demonstrating how maliciously crafted `downloads.28.sqlitedb` and `BLDatabaseManager.sqlite` databases can escape the sandbox of **itunesstored** and **bookassetd** on iOS. By abusing their download mechanisms, the POC enables writing arbitrary `mobile`-owned files to restricted locations in `/private/var/`, including MobileGestalt cache files—allowing device modifications such as spoofing the device type.

### Key Points
- Compatible with iOS **26.2b1 and below** (tested on iPhone 12, iOS 26.0.1).
- **Stage 1 (itunesstored):** Delivers a crafted `BLDatabaseManager.sqlite` to a writable container.
- **Stage 2 (bookassetd):** Downloads attacker-controlled EPUB payloads to arbitrary file paths.
- Writable paths include:
  - `/private/var/containers/Shared/SystemGroup/.../Library/Caches/`
  - `/private/var/mobile/Library/FairPlay/`
  - `/private/var/mobile/Media/`
- Demonstrates modifying `com.apple.MobileGestalt.plist` to validate successful exploitation.

### Outcome
iOS fails to block crafted download tasks, allowing unauthorized file writes unless the target path requires `root` ownership (or the fileowner is not `mobile`).

**Check the blogpost for more information**

### Disclaimer
This project is for **educational purposes only**.  
Do **not** use it for illegal activities.  
Apple may patch this behavior at any time.