simo Profile
simo

@_simo36

Followers
7,247
Following
108
Media
6
Statuses
37
@_simo36
simo
4 months
I audited the Android kernel in late 2023 and reported 10+ kernel bugs to Google, along with 2 exploits. Today, I'm releasing the first exploit, targeting the Mali GPU on Pixel devices, accessible from an untrusted_app context.
23
269
1K
@_simo36
simo
2 years
+16 kernel bugs I reported to Apple have been fixed in iOS 16/16.1. I'll give a talk on how I chained some bugs to achieve kernel r/w at #POC2022 next month, and the kernel exploit for iOS 15 will be released along with some other high-impact vulns after the conference.
32
152
797
@_simo36
simo
2 years
37
88
602
@_simo36
simo
4 years
Here is a PoC kernel exploit; it demonstrates how to get the kernel task port on iOS 13.7. I will update the PoC with a writeup later.
27
124
478
@_simo36
simo
2 years
I'm sharing two other iOS kernel vulnerabilities reachable from the default app sandbox that don’t require you to open a UserClient:
16
123
477
@_simo36
simo
2 years
36
39
379
@_simo36
simo
4 years
25
62
352
@_simo36
simo
6 years
A PoC of an iOS kernel UAF I found last year, CVE-2018-4420, fixed in 12.1; this requires the host_priv port to be triggered. More bugs soon.
6
128
337
@_simo36
simo
2 years
In iOS 15.5 beta 3, Apple removed IOMallocAligned(KHEAP_DEFAULT,...) from IOSharedDataQueue/IODataQueue::initWithCapacity() (now uses kernel_memory_allocate() with the KMA_DATA flag). It was an elegant technique to groom the kernel default heap with user-controlled data. RIP
8
38
287
@_simo36
simo
2 years
CVE-2022-32932 is another vulnerability I discovered in the ANE kernel interface; this is a double fetch issue that resulted in an interesting OOB write.
9
71
277
@_simo36
simo
4 years
A PoC trigger for my CVE-2020-9768; Apple's description is not accurate, this is a kernel bug in AppleJPEGDriverUserClient.
6
69
260
@_simo36
simo
5 years
Apple fixed two nasty sandbox escape bugs I reported in iOS, CVE-2019-8549 & CVE-2019-8552; a full exploit of CVE-2019-8549 will be released soon in coordination with @SecuriTeam_SSD
6
29
241
@_simo36
simo
4 years
I've updated the oob_events exploit and it should work fine on A12+ devices (with a 60% success rate) and ~95% on devices with a lower RAM size, i.e. A10. Tested on iPhone 11 and iPhone 7.
19
19
154
@_simo36
simo
2 years
I’ve updated ghidra_kernelcache! Now it’s compatible with Ghidra 10.1+, with macOS KEXT/Kernelcache support, PAC Xrefs, better class definition with a custom class construction feature, dwarf4 and more ... check it out.
2
26
132
@_simo36
simo
4 years
iOS 13.6 forced me to rewrite the exploit from scratch
9
9
101
@_simo36
simo
2 years
🇲🇦
5
5
60
@_simo36
simo
4 years
I don't recommend using it on your personal device or using it for a jailbreak. It may leave your device in an unstable state. You’ve been warned.
3
4
57
@_simo36
simo
4 years
The exploit on arm64e is not quite reliable, unlike iPhone 9,3 (which works 9/10 times); expect a lot of kernel panics. It needs some work, and it’s hard to make such an exploit generic and working across all devices.
3
10
51
@_simo36
simo
5 years
The exploit demonstrates how to get powerd's task port by bootstrapping a fake service and communicating with it via ROP/JOP
1
6
43
@_simo36
simo
5 years
If you want to debug the exploit, just uncomment MEMDBG/MEMDUMP; if you want to debug the ROP chains, enable LOCAL_EXP; and if someone wants to port it to another device or wants to chain it with a kernel bug to have a tfp0, I'll be glad to help
4
6
42
@_simo36
simo
4 years
I've checked iOS 14.1, which shipped with IOGPU Family (the successor of IOAcceleratorFamily), and didn't find a matching pattern to trigger the bug, so it works only on iOS 13.x and all devices using IOAcceleratorFamily, i.e. macOS.
5
8
36
@_simo36
simo
2 years
My favorite IDA 8.0 feature so far: artificial Obj-C method imports
4
3
31
@_simo36
simo
5 years
And of course the exploit can work on all iDevices, including iOS 10.x/11.x, with some slight modifications.
2
0
27
@_simo36
simo
3 years
Looks like Ghidra does not support LC_DYLD_CHAINED_FIXUPS for macOS M1 KEXTs; here is a dirty script to fix it.
1
4
25
@_simo36
simo
5 years
The is updated here with more ROP/JOP gadgets, showing how we can interact with the target process to leak Mach ports
0
1
21
@_simo36
simo
4 years
2
2
15
@_simo36
simo
2 years
And if you lean more toward IDA, you can also import the C header from Ghidra and parse it there :-)
0
1
16
@_simo36
simo
4 months
@vtky_ Nothing special about my approach; I don't fuzz, all my findings come from manual source code/binary review with the help of a tracing framework for fast code evaluation.
1
1
15
@_simo36
simo
4 years
@0x6d696368 @ArrrCaptain You have to work with pcode; this script might help: . See the fix_metacast() function. Note that you need to compile GHIDRA 9.2_dev to use it
0
0
9
@_simo36
simo
4 years
@ahsucnneh @Externalist I use emacs + helm + gtags for coding and quick browsing, and @scitools for auditing.
1
0
3
@_simo36
simo
4 years
@iBSparkes They are reviewing applications afaik; I believe concerned people got an e-mail already
0
0
3