Halo Michael Halo-Michael
Halo-Michael
/ 96ae6d6806e974199b1d44ffffca5331.c
Created
September 16, 2021 06:07
— forked from networkextension/96ae6d6806e974199b1d44ffffca5331.c
96ae6d6806e974199b1d44ffffca5331.c
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Written By Pan ZhenPeng(@peterpan980927) of Alibaba Security Pandora Lab | |
| use it on macOS: cc poc.c -o poc while True; do ./poc ; done | |
| */ | |
| #include <errno.h> | |
| #include <signal.h> | |
| #include <fcntl.h> | |
| #include <stdio.h> | |
| #include <stdlib.h> |
Halo-Michael
/ oob_events.c
Created
November 6, 2020 07:00
— forked from 0x36/oob_events.c
IOAccelContext2::finish_fence_event() race condition OOB read/write
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #if 0 | |
| IOAccelContext2::finish_fence_event() race condition OOB read/write | |
| This is a method exposed to user space, it takes a kernel read-only shared memory | |
| (type 2 via clientMemoryForType()) address and treats it as an IOAccelEvents Array. | |
| The user supplied index is checked against the IOAccelEvents array bounds,since there are no | |
| locks held in this method,it is possible to change the array bounds by calling | |
| IOAccelContext2::clientMemoryForType() again in a separate thread, this will expand the size by | |
| multiplying the older size by 2, but we still have a reference to the old shared memory address |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| * Copyright 2017 Adam H. Leventhal. All Rights Reserved. | |
| */ | |
| #include <unistd.h> | |
| #include <fcntl.h> | |
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <strings.h> |
Halo-Michael
/ loader.c
Created
June 27, 2019 17:05
— forked from pwn20wndstuff/loader.c
Full AMFI/CoreTrust bypass for iOS 11.0-12.1.2 by @Jakeashacks with implementation by @Pwn20wnd
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // | |
| // loader.c | |
| // Undecimus | |
| // | |
| // Created by Pwn20wnd on 3/16/19. | |
| // Copyright © 2019 Pwn20wnd. All rights reserved. | |
| // Copyright © 2019 Jakeashacks. All rights reserved. | |
| // | |
| #include <common.h> |