diff --git a/LICENSE b/LICENSE deleted file mode 100644 index 0e259d4..0000000 --- a/LICENSE +++ /dev/null @@ -1,121 +0,0 @@ -Creative Commons Legal Code - -CC0 1.0 Universal - - CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE - LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN - ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS - INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES - REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS - PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM - THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED - HEREUNDER. - -Statement of Purpose - -The laws of most jurisdictions throughout the world automatically confer -exclusive Copyright and Related Rights (defined below) upon the creator -and subsequent owner(s) (each and all, an "owner") of an original work of -authorship and/or a database (each, a "Work"). - -Certain owners wish to permanently relinquish those rights to a Work for -the purpose of contributing to a commons of creative, cultural and -scientific works ("Commons") that the public can reliably and without fear -of later claims of infringement build upon, modify, incorporate in other -works, reuse and redistribute as freely as possible in any form whatsoever -and for any purposes, including without limitation commercial purposes. -These owners may contribute to the Commons to promote the ideal of a free -culture and the further production of creative, cultural and scientific -works, or to gain reputation or greater distribution for their Work in -part through the use and efforts of others. - -For these and/or other purposes and motivations, and without any -expectation of additional consideration or compensation, the person -associating CC0 with a Work (the "Affirmer"), to the extent that he or she -is an owner of Copyright and Related Rights in the Work, voluntarily -elects to apply CC0 to the Work and publicly distribute the Work under its -terms, with knowledge of his or her Copyright and Related Rights in the -Work and the meaning and intended legal effect of CC0 on those rights. - -1. Copyright and Related Rights. A Work made available under CC0 may be -protected by copyright and related or neighboring rights ("Copyright and -Related Rights"). Copyright and Related Rights include, but are not -limited to, the following: - - i. the right to reproduce, adapt, distribute, perform, display, - communicate, and translate a Work; - ii. moral rights retained by the original author(s) and/or performer(s); -iii. publicity and privacy rights pertaining to a person's image or - likeness depicted in a Work; - iv. rights protecting against unfair competition in regards to a Work, - subject to the limitations in paragraph 4(a), below; - v. rights protecting the extraction, dissemination, use and reuse of data - in a Work; - vi. database rights (such as those arising under Directive 96/9/EC of the - European Parliament and of the Council of 11 March 1996 on the legal - protection of databases, and under any national implementation - thereof, including any amended or successor version of such - directive); and -vii. other similar, equivalent or corresponding rights throughout the - world based on applicable law or treaty, and any national - implementations thereof. - -2. Waiver. To the greatest extent permitted by, but not in contravention -of, applicable law, Affirmer hereby overtly, fully, permanently, -irrevocably and unconditionally waives, abandons, and surrenders all of -Affirmer's Copyright and Related Rights and associated claims and causes -of action, whether now known or unknown (including existing as well as -future claims and causes of action), in the Work (i) in all territories -worldwide, (ii) for the maximum duration provided by applicable law or -treaty (including future time extensions), (iii) in any current or future -medium and for any number of copies, and (iv) for any purpose whatsoever, -including without limitation commercial, advertising or promotional -purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each -member of the public at large and to the detriment of Affirmer's heirs and -successors, fully intending that such Waiver shall not be subject to -revocation, rescission, cancellation, termination, or any other legal or -equitable action to disrupt the quiet enjoyment of the Work by the public -as contemplated by Affirmer's express Statement of Purpose. - -3. Public License Fallback. Should any part of the Waiver for any reason -be judged legally invalid or ineffective under applicable law, then the -Waiver shall be preserved to the maximum extent permitted taking into -account Affirmer's express Statement of Purpose. In addition, to the -extent the Waiver is so judged Affirmer hereby grants to each affected -person a royalty-free, non transferable, non sublicensable, non exclusive, -irrevocable and unconditional license to exercise Affirmer's Copyright and -Related Rights in the Work (i) in all territories worldwide, (ii) for the -maximum duration provided by applicable law or treaty (including future -time extensions), (iii) in any current or future medium and for any number -of copies, and (iv) for any purpose whatsoever, including without -limitation commercial, advertising or promotional purposes (the -"License"). The License shall be deemed effective as of the date CC0 was -applied by Affirmer to the Work. Should any part of the License for any -reason be judged legally invalid or ineffective under applicable law, such -partial invalidity or ineffectiveness shall not invalidate the remainder -of the License, and in such case Affirmer hereby affirms that he or she -will not (i) exercise any of his or her remaining Copyright and Related -Rights in the Work or (ii) assert any associated claims and causes of -action with respect to the Work, in either case contrary to Affirmer's -express Statement of Purpose. - -4. Limitations and Disclaimers. - - a. No trademark or patent rights held by Affirmer are waived, abandoned, - surrendered, licensed or otherwise affected by this document. - b. Affirmer offers the Work as-is and makes no representations or - warranties of any kind concerning the Work, express, implied, - statutory or otherwise, including without limitation warranties of - title, merchantability, fitness for a particular purpose, non - infringement, or the absence of latent or other defects, accuracy, or - the present or absence of errors, whether or not discoverable, all to - the greatest extent permissible under applicable law. - c. Affirmer disclaims responsibility for clearing rights of other persons - that may apply to the Work or any use thereof, including without - limitation any person's Copyright and Related Rights in the Work. - Further, Affirmer disclaims responsibility for obtaining any necessary - consents, permissions or other rights required for any use of the - Work. - d. Affirmer understands and acknowledges that Creative Commons is not a - party to this document and has no duty or obligation with respect to - this CC0 or use of the Work. diff --git a/README.md b/README.md deleted file mode 100644 index 6a774ad..0000000 --- a/README.md +++ /dev/null @@ -1,88 +0,0 @@ -# iOS Kernel UAF - -This repository documents **methods** for analyzing memory corruption primitives within the XNU kernel on iOS. - -**⚠️ No executable exploit code is provided in this repo.** This is a research framework for defensive security analysis and vulnerability research training. - ---- -![](poc.png) -## Research Scope - -The content here focuses on: - -- Identifying use-after-free (UAF) conditions in Mach messaging -- Memory allocator behavior analysis (kalloc, zalloc) -- Race conditions between userland and kernel threads -- Post-free reuse pattern detection - -Nothing in this repository is intended for active exploitation. All methods are presented for **educational defense research** and **patch verification**. - ---- - -## Why This Matters - -Most public research focuses on *results* (working exploits). This repository focuses on *process* — the thought patterns, edge case hunting, and allocator behavior mapping that leads to discovery. - -Understanding ***how*** an attacker thinks is more valuable for defenders than a pre-written exploit. - ---- - -## Core Research Areas - -### 1. Mach Port Lifecycle Analysis - -Method: Identify ports manipulated from userland while the kernel maintains a stale reference. The gap between `mach_port_destroy()` and kernel cleanup routines is wider than documented. - -### 2. Memory Allocator Entropy Reduction - -Method: Heap spraying to make freed memory regions predictable. The XNU zone allocator has deterministic behavior under specific allocation/deallocation patterns. - -### 3. Race Window Enlargement - -Method: Thread manipulation to increase the window between free and reuse. Scheduler control via priority inversion and CPU core pinning. - -### 4. Pointer Validation Bypass - -Method: PAC (Pointer Authentication) operates on specific signing schemas. Blind signing with predictable context values remains viable. - ---- - -## Methodologies - -| Technique | Difficulty | Description | -|-----------|------------|-------------| -| Cross-zone reuse | Extreme | Forcing allocation from a different zone into freed memory from another zone | -| Entropy exhaustion | High | Repeated allocations to collapse KASLR randomness | -| Scheduler poisoning | Medium | Manipulating runqueues to control which thread reuses freed memory | -| Double-free interleaving | Extreme | Two independent frees of the same memory with controlled operations between | - ---- - -## Affected Versions - -Based on public bug reports and diff analysis: - -| iOS Version | Status | -|-------------|--------| -| 16.x - 17.4.1 | UAF candidates present | -| 26.4+ | UAF candidates present | - ---- - -## Repository Structure -├── methods/ # Research notes -├── allocator/ # Zone allocator behavior -├── poc/ # PoC structure -└── offsets/ # Version offsets - - - ---- - -## Community - -Join our security research group: [t.me/iospentest](https://t.me/iospentest) - ---- - -*Research archive.* diff --git a/c.c b/c.c deleted file mode 100644 index c350fd0..0000000 --- a/c.c +++ /dev/null @@ -1 +0,0 @@ -// commented out diff --git a/c.swift b/c.swift deleted file mode 100644 index c350fd0..0000000 --- a/c.swift +++ /dev/null @@ -1 +0,0 @@ -// commented out diff --git a/poc.png b/poc.png deleted file mode 100644 index fe3b0cd..0000000 Binary files a/poc.png and /dev/null differ