  • Stars: 443
  • Rank: 94,992 (Top 2 %)
  • Language: C
  • Created over 6 years ago
  • Updated over 1 year ago


Repository Details

IOHIDFamily 0day

IOHIDeous

A macOS kernel exploit based on an IOHIDFamily 0day.

Write-up here.

Notice

The prefetch timing attack I'm using for hid for some reason doesn't work on High Sierra 10.13.2 anymore, and I don't feel like investigating that. Maybe patched, maybe just the consequence of a random change, I neither know nor care. The vuln is still there and my code does both info leak and kernel r/w, just not in the same binary - reason is explained in the write-up. If you want that feature, consider it an exercise for the reader.

Usage

The exploit consists of three parts:

  • poc panics the kernel to demonstrate the presence of a memory corruption, should work on all macOS versions.
  • leak leaks the kernel slide, could be adapted to other versions but as-is works only on High Sierra.
  • hid achieves full kernel r/w, tested only on Sierra and High Sierra (up to & including 10.13.1), might work on earlier versions too.

poc and leak need to be run as the user that is currently logged in via the GUI, and they log you out in order to perform the exploit. hid, on the other hand, gives you four options for its first argument:

  • steal requires being run as root with SIP disabled, but leaves you logged in the entire time.
  • kill requires root and forces a dirty logout by killing WindowServer.
  • logout, if executed as root or as the currently logged-in user, logs you out via launchctl; otherwise it tries to log you out via AppleScript and then falls back to wait.
  • wait simply waits for a logout, shutdown or reboot to occur.

Additionally, you can specify persist as a second argument. If given, hid will permanently disable SIP and AMFI and install a root shell in /System/pwned.

leak and hid should be run either via SSH or from a screen session if you wish to observe their output.

Building

Should all be self-explanatory:

make all
make poc
make leak
make hid
make clean
