Simone Ferrini sferrini
@steven-michaud
steven-michaud / ThirdPartyKexts.md
Last active November 16, 2024 17:49
Running Third Party Kernel Extensions on Virtualization Framework macOS Guest VMs

As of macOS 12 (Monterey), Apple's Virtualization framework has nice support for macOS guest virtual machines, but with severe limitations: For example you can't install a macOS guest on Intel Macs, install guests with newer versions of macOS than the host, copy and paste between the host and the guest, or install third party kernel extensions in the guest. As usual for Apple, the functionality they do support is nicely implemented, but they've left out so much that the result is only marginally useful -- at least compared to

@LinusHenze
LinusHenze / iOS_16_Launch_Constraints.txt
Created June 15, 2022 16:30
Description of the Launch Constraints introduced in iOS 16
iOS 16 introduced launch constraints, which can be used to constrain the launch of an application.
There are three types of constraints:
Self Constraints, which the launched application itself must meet
Parent Constraints, which the parent process must meet
Responsible Constraints, which the "responsible process" must meet (I assume that the responsible process is the process that asked launchd to launch a service)
Additionally, the TrustCache format was updated (see below) to support assigning each binary a "Constraint Category", which forces Self and Parent Constraints.
Note that Self, Parent and Responsible Constraints can also be set by the process performing the launch and they can be included in the code signature, in the new blob type 0xFADE8181. In both cases, the constraints are DER encoded (just like the DER entitlements).
Constraint Categories (from TrustCache, new in version 2):
@jakeajames
jakeajames / poc.c
Last active May 1, 2023 19:58
CVE-2021-30955 PoC
#include <stdlib.h>
#include <stdio.h>
#include <pthread/pthread.h>
#include <mach/mach.h>
struct ool_msg {
mach_msg_header_t hdr;
mach_msg_body_t body;
mach_msg_ool_ports_descriptor_t ool_ports[];
};
@saagarjha
saagarjha / library_injector.cpp
Last active October 2, 2024 11:26
Load a library into newly spawned processes (using DYLD_INSERT_LIBRARIES and EndpointSecurity)
// To compile: clang++ -arch x86_64 -arch arm64 -std=c++20 library_injector.cpp -lbsm -lEndpointSecurity -o library_injector,
// then codesign with com.apple.developer.endpoint-security.client and run the
// program as root.
#include <EndpointSecurity/EndpointSecurity.h>
#include <algorithm>
#include <array>
#include <bsm/libbsm.h>
#include <cstddef>
#include <cstdint>
@pwn0rz
pwn0rz / fairplay_iokit_uc_run_versioned.c
Created February 2, 2021 05:59
CVE-2021-1791 Fairplay OOB Read POC
#include <IOKit/IOKitLib.h>
#include <mach/mach.h>
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <ctype.h>
void hexdump(void *ptr, int buflen) {
unsigned char *buf = (unsigned char*)ptr;
int i, j;
#!/usr/bin/python
import sys
from construct import *
LoadCmdType = "LoadCmdType" / Enum(Int32ul,
UNIXTHREAD = 0x05,
SEGMENT_64 = 0x19,
UUID = 0x1b,
BUILD_VERSION = 0x32,
DYLD_CHAINED_FIXUPS = 0x80000034,
@b1n4r1b01
b1n4r1b01 / AppleH10CamInUserClient.md
Last active May 27, 2024 06:40
Some dumb bugs in AppleH10CamInUserClient

NULL Deref

AppleH10CamIn::ISP_RegisterFirmwareWorkProcessor_gated(AppleH10CamIn *this, uint64_t *inStr, io_user_reference_t *asyncRef, uint64_t this2){
	...
		if ( some_os_array->getCount() ){
			while ( true ){
				unk_object = *(uint64_t*)(some_os_array->getObject());
				idk = unk_object->unk_0xD8();
@nikias
nikias / limd-build-macos.sh
Last active November 8, 2024 13:42
Build libimobiledevice stack for macOS with ease
#!/bin/bash
# If you like this script and my work on libimobiledevice, please
# consider becoming a patron at https://patreon.com/nikias - Thanks <3
REV=1.0.19
if test "`echo -e Test`" != "Test" 2>&1; then
echo Please run this with zsh or bash.
exit 1
#if 0
Reported : 19-Jan-2020
Fixed in iOS 13.4 with CVE-2020-9768
AppleJPEGDriverUserClient : mach port use-after-free/type-confusion via race condition
AppleJPEGDriverUserClient external methods can be used synchronously or asynchronously. When used asynchronously,
it takes the registered mach port (via registerNotificationPort()) and puts it inside the jpegRequest data structure,
and no reference count was taken for this operation. Since registerNotificationPort() is not gated, it is
possible to release the port (if the port got substituted) during the processing of the jpeg request and end up
with a dangling pointer passed to _mach_msg_send_from_kernel_proper().