A WIP "Vulnerable by Design" kext for iOS/macOS to play & learn *OS kernel exploitation

Overview

Vulnerable Kext


A WIP (work-in-progress) "Vulnerable by Design" kext for iOS/macOS to play with and learn *OS kernel exploitation.

Usage

  • Documentation can be found at https://fuzzing.science/vulnerable-kext

  • Basic setup requirements

    • An iOS device that can be jailbroken with checkra1n
    • Currently the makefiles are written to be used on a Mac, so a macOS device or a macOS VM is needed.

  • Running the following command causes checkra1n to listen for attached iOS devices in DFU mode and boot pongoOS:

    /Applications/checkra1n.app/Contents/MacOS/checkra1n -c -p

  • Run run.sh to build kext_loader, pongo_module, and the vulnerable kext, and to start kext_loader. kext_loader waits for a device that has booted into the pongoOS shell:

    ./run.sh

For more details about ktrw, check ktrw

Disclaimer

Vulnerable-Kext is an intentionally vulnerable kext for iOS/macOS, meant for educational purposes only.

TODO

  • Add IOKit stuff
  • Add vulnerabilities from reported XNU/IOKit bugs? 🤔
  • Maybe improve stability of loading kexts
  • Fix the bugs in the vulnerabilities I implemented 🧐
  • Add writeups for exploitation

Credits

  • @_bazad for the super awesome ktrw
  • checkra1n team for the jailbreak
  • Used the kext template from twic
Issues

  • Kext doesn't appear to be loaded.

    Hi, I followed the link and the blog you posted on getting set up with the Kext.

    From Here

    The device appears to be successful with checkra1n and

    make[1]: vulnerable_kext.ikext' is up to date. [f03] Found pongoOS device [f03] Loading pongoOS kextload module [f03] Loading kernel symbols [f03] Loading kernel extensions [f03] Closing pongoOS device

    However, if I run ./kextstat on the iDevice it appears no new kernel extension is installed.

    opened by R3zk0n
Owner: Chaithu (Independent Security Researcher)