271 matches found

0day.today
added 2020/08/15 12:0 a.m., 291 views

Safari Webkit For iOS 7.1.2 JIT Optimization Bug Exploit

This Metasploit module exploits a JIT optimization bug in Safari Webkit. This allows us to write shellcode to an RWX memory section in JavaScriptCore and execute it. The shellcode contains a kernel exploit CVE-2016-4669 that obtains kernel rw, obtains root and disables code signing. Finally we...

CVSS 8.8, AI score 0.1, EPSS 0.38907
Exploits: 5

Packet Storm
added 2020/07/07 12:0 a.m., 189 views

Sony PS4 / FreeBSD ip6_setpktopt Local Privilege Escalation

/ FreeBSD 12.0-RELEASE x64 Kernel Exploit Usage: $ clang -o exploit exploit.c -lpthread $ ./exploit / include include include include include include include include define KERNEL include undef KERNEL define WANTFILE include include include include include define WANTSOCKET include include define...

AI score 0.4
Exploits: 0

0daydb
added 2020/06/27 1:10 a.m., 527 views

ASUS Aura Sync 1.07.71 CVE-2019-17603 - Privilege Escalation

ASUS Aura Sync version 1.07.71 ene.sys privilege escalation kernel exploit. // CVE-2019-17603: ASUS Aura Sync 1.07.71 'ene.sys' EoP Kernel Exploit // Discovered by @dhn // Author of PoC: Connor McGarr @33y0re - https://connormcgarr.github.io // Windows 10 RS1 Version 10.0.14393 Build 14393 //...

CVSS 7.2, AI score 1.1, EPSS 0.25087
Exploits: 18

GithubExploit
added 2020/03/11 8:30 a.m., 5 views

Exploit for CVE-2019-1458

CVE-2019-1458 Windows LPE Exploit Caution YOU ONLY HA...

CVSS 7.8, AI score 7.3, EPSS 0.92042
Exploits: 10

GithubExploit
added 2020/01/20 12:33 a.m., 3 views

Exploit for Type Confusion in Apple Iphone_Os

usedsock Kernel exploit for iO...

CVSS 9.3, AI score 5.5, EPSS 0.1376
Exploits: 7

Metasploit
added 2020/01/18 8:34 a.m., 225 views

Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation

This module attempts to gain root privileges on Linux systems by abusing a NULL pointer dereference in the rds_atomic_free_op function in the Reliable Datagram Sockets (RDS) kernel module (rds.ko). Successful exploitation requires the RDS kernel module to be loaded. If the RDS module is not blacklisted...

CVSS 5.5, AI score 7.2, EPSS 0.06933
Exploits: 7

GoogleProjectZero
added 2020/01/09 12:0 a.m., 218 views

Remote iPhone Exploitation Part 3: From Memory Corruption to JavaScript and Back -- Gaining Code Execution

Posted by Samuel Groß, Project Zero This is the third and last post in a series about a remote, interactionless iPhone exploit over iMessage. The first blog post introduced the exploited vulnerability, and the second blog post described a way to perform a heapspray, leaking the shared cache base...

CVSS 9.8, AI score 8.9, EPSS 0.21227
Exploits: 9

Exploit DB
added 2020/01/07 12:0 a.m., 102 views

Microsoft Windows 10 (19H1 1901 x64) - 'ws2ifsl.sys' Use After Free Local Privilege Escalation (kASLR kCFG SMEP)

/ The exploit works on 19H1. It was tested with ntoskrnl version 10.0.18362.295 EDB Note: Download https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47935.zip / include include include include include include include pragma commentlib, "ntdll.lib" // run cmd.exe...

AI score 7.4
Exploits: 0

GoogleProjectZero
added 2019/12/10 12:0 a.m., 80 views

SockPuppet: A Walkthrough of a Kernel Exploit for iOS 12.4

Posted by Ned Williamson, 20% on Project Zero Introduction I have a somewhat unique opportunity in this writeup to highlight my experience as an iOS research newcomer. Many high quality iOS kernel exploitation writeups have been published, but those often feature weaker initial primitives combine...

CVSS 9.3, AI score 8.2, EPSS 0.90832
Exploits: 17

GithubExploit
added 2019/10/10 7:23 p.m., 5 views

Exploit for Use After Free in Google Android

qu1ckr00t A PoC application demonstrating the power of an Andr...

CVSS 7.8, AI score 7.3, EPSS 0.51467
Exploits: 26

exploitpack
added 2019/09/19 12:0 a.m., 22 views

macOS 18.7.0 Kernel - Local Privilege Escalation

macOS 18.7.0 Kernel - Local Privilege Escalation macOS-Kernel-Exploit DISCLAIMER You need to know the KASLR slide to use the exploit. Also SMAP needs to be disabled which means that it's not exploitable on Macs after 2015. These limitations make the exploit pretty much unusable for in-the-wild...

AI score 0.6
Exploits: 0

Exploit DB
added 2019/09/19 12:0 a.m., 261 views

macOS 18.7.0 Kernel - Local Privilege Escalation

macOS-Kernel-Exploit DISCLAIMER You need to know the KASLR slide to use the exploit. Also SMAP needs to be disabled which means that it's not exploitable on Macs after 2015. These limitations make the exploit pretty much unusable for in-the-wild exploitation but still helpful for security...

AI score 7.4
Exploits: 0

GithubExploit
added 2019/09/17 5:59 p.m., 118 views

Exploit for Out-of-bounds Write in Apple Mac_Os_X

macOS-Kernel-Exploit DISCLAIMER You need to know the KASLR...

CVSS 9.3, AI score 6.3, EPSS 0.15354
Exploits: 1

The Hacker News
added 2019/08/09 7:45 a.m., 2 views

Apple will now pay hackers up to $1 million for reporting vulnerabilities

Apple has just updated the rules of its bug bounty program by announcing a few major changes during a briefing at the annual Black Hat security conference yesterday. One of the most attractive updates is… Apple has enormously increased the maximum reward for its bug bounty program from $200,000 t...

AI score 7.3
Exploits: 0

Packet Storm
added 2019/06/21 12:0 a.m., 123 views

Sony PlayStation Vita (PS Vita) - Trinity: PSP Emulator Escape

Trinity is a fully chained exploit for the PS Vita™ consisting of six unique vulnerabilities. It is based on a decade of knowledge and research. The source code of Trinity can be found here. Table of Contents - Table of Contents - Introduction - MIPS Kernel Exploit Type Confusion Double-fetch Rac...

Exploits: 0

Packet Storm
added 2019/06/02 12:0 a.m., 541 views

Safari Webkit Proxy Object Type Confusion

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Safari Webkit Proxy Object Type Confusion', 'Description' = %q This module exploits a type confusion bug in the Javascript Proxy object in WebKit...

CVSS 9.3, AI score 0.2, EPSS 0.89897
Exploits: 16

Exploit DB
added 2018/09/11 12:0 a.m., 117 views

Android - 'zygote->init;' Chain from USB Privilege Escalation

After reporting https://bugs.chromium.org/p/project-zero/issues/detail?id=1583 Android ID 80436257, CVE-2018-9445, I discovered that this issue could also be used to inject code into the context of the zygote. Additionally, I discovered a privilege escalation path from zygote to init; that...

CVSS 7.2, AI score 6.8, EPSS 0.00379
Exploits: 5

0day.today
added 2018/06/01 12:0 a.m., 45 views

SonyPlaystation 4 ( #PS4 ) 5.1 - #Kernel Exploit

Exploit for hardware platform in category local exploits log"--- trying kernel exploit --"; function mallocsz var backing = new Uint8Array0x10000+sz; window.nogc.pushbacking; var ptr = p.read8p.leakvalbacking.add320x10; ptr.backing = backing; return ptr; function malloc32sz var backing = new...

AI score 0.1
Exploits: 0

0day.today
added 2018/06/01 12:0 a.m., 72 views

SonyPlaystation 4 ( #PS4 ) 5.07 - #Jailbreak #WebKit / bpf v2 Kernel Loader Exploit

Exploit for hardware platform in category local exploits PS4 5.05 Kernel Exploit --- Summary In this project you will find a full implementation of the second "bpf" kernel exploit for the PlayStation 4 on 5.05. It will allow you to run arbitrary code as kernel, to allow jailbreaking and...

AI score 7.2
Exploits: 0

exploitpack
added 2018/05/28 12:0 a.m., 29 views

Sony Playstation 4 (PS4) 5.07 - Jailbreak WebKit bpf v2 Kernel Loader

Sony Playstation 4 PS4 5.07 - Jailbreak WebKit bpf v2 Kernel Loader PS4 5.05 Kernel Exploit --- Summary In this project you will find a full implementation of the second "bpf" kernel exploit for the PlayStation 4 on 5.05. It will allow you to run arbitrary code as kernel, to allow jailbreaking an...

AI score 7.4
Exploits: 0