Halo-Michael

const struct dynamic_info kern_versions[] = {
    {
        .kern_version = "Darwin Kernel Version 22.1.0: Thu Oct  6 19:32:38 PDT 2022; root:xnu-8792.42.7~1/RELEASE_ARM64_T8030",
        .fileglob__fg_ops = 0x0028,
        .fileglob__fg_data = 0x0038,
        .fileops__fo_kqfilter = 0x0030,
        // .fileproc__fp_iocount = 0x0000,
        // .fileproc__fp_vflags = 0x0004,
        // .fileproc__fp_flags = 0x0008,
        // .fileproc__fp_guard_attrs = 0x000a,

Halo-Michael

/*
Written By Pan ZhenPeng(@peterpan980927) of Alibaba Security Pandora Lab
use it on macOS: cc poc.c -o poc while True; do ./poc ; done
*/

#include <errno.h>
#include <signal.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>

Halo-Michael

/*
 Bug demo of Taurine
 CFPreferences family functions will always handles preferences files from euid user container instead of specified user container.
 This demo will generate demo.bundleid.plist file in root container (/var/root/Library/Preferences/demo.bundleid.plist) instead of mobile container (/var/mobile/Library/Preferences/demo.bundleid.plist).
 To run this demo correctly, you should follow these steps:
 1. Build and codesign
    xcrun -sdk iphoneos clang -arch arm64 demo.c -framework CoreFoundation -o demo
    ldid -S demo
 2. Put the demo file into /usr/bin
 3. Set owner as root, group as wheel, permission as 6755

Halo-Michael

//A7~A9, use SHA1 algorithm to generate apnonce.
unsigned long buf = 0x1111111111111111;
unsigned char result[CC_SHA1_DIGEST_LENGTH];
CC_SHA1(&buf, sizeof(buf), result);
for (int i = 0; i < CC_SHA1_DIGEST_LENGTH; i++)
  printf("%02" PRIx32, result[i]);
putchar('\n');

//A10~A11, use SHA384 algorithm, but only take the first 32 bits to generate apnonce.
unsigned long buf = 0x1111111111111111;

Halo-Michael

#import <Foundation/Foundation.h>
#import <Foundation/NSTask.h>

int main(){
    for (NSString *file in [[NSFileManager defaultManager] subpathsAtPath:@"/etc/rc.d"]) {
        NSString *path = [@"/etc/rc.d/" stringByAppendingString:file];
        if ([[NSFileManager defaultManager] isExecutableFileAtPath:path]) {
            [[NSTask launchedTaskWithLaunchPath:path arguments:@[]] waitUntilExit];
        }
    }

Halo-Michael

#!/usr/bin/env python3
import struct
import os,sys

extfun=lambda x: x

def read_file_hex(file_path):
    file_object = open(file_path,'rb')
    file_object.seek(0,0)
    hex_str =''

Halo-Michael

#if 0
IOAccelContext2::finish_fence_event() race condition OOB read/write

This is a method exposed to user space, it takes a kernel read-only shared memory
(type 2 via clientMemoryForType())  address and treats it as an IOAccelEvents Array.

The user supplied index is checked against the IOAccelEvents array bounds,since there are no
locks held in this method,it is possible to change the array bounds by calling
IOAccelContext2::clientMemoryForType() again in a separate thread, this will expand the size by
multiplying the older size by 2, but we still have a reference to the old shared memory address

Halo-Michael

#import <Foundation/Foundation.h>
__asm__("\
        _paciza:\n \
            paciza x0\n \
            ret\n \
        _autiza:\n \
            autiza x0\n \
            ret\n \
        ");
uint64_t paciza(uint64_t);

Halo-Michael

#include <CoreFoundation/CoreFoundation.h>
#include <mach/mach.h>
#include <IOKit/IOKitLib.h>

#if 0
AppleM2ScalerCSCDriver Infoleak:

IOSurfaceAcceleratorClient::user_get_histogram takes a userspace pointer and writes histogram data back to that address.
IOSurfaceAcceleratorClient::initClient allocates this histogram buffer, but does not zero the memory.
When the external method IOSurfaceAcceleratorClient::user_get_histogram is called, this uninitialised memory is then sent back to userspace.

Halo-Michael

#include <CoreFoundation/CoreFoundation.h>
#include <pthread.h>

void* foo(void *foo) {
    return NULL;
}

int main(int argc, char **argv) {
    pthread_t thread;
    pthread_create(&thread, NULL, &foo, NULL);