15 matches found

Packet Storm
added 2025/12/24 12:00 a.m., 240 views

macOS 10.12.2 XNU Kernel Privilege Escalation

This proof of concept targets a race‑condition vulnerability in the XNU kernel affecting macOS/iOS. By forcing a use‑after‑free condition on kernel ports, the exploit manipulates freed memory through a controlled spray, allowing a user‑controlled replacement object. Successful exploitation yields...

9.3 CVSS, 8.5 AI score, 0.0359 EPSS
Exploits: 5
EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2007-0729

Malware in sbrugna...

7.2 CVSS, 6.4 AI score, 0.00056 EPSS
Exploits: 0, References: 9
CNNVD
added 2021/11/07 12:00 a.m., 1 view

GNU Hurd Race Condition Vulnerability

GNU Hurd is a GNU project replacement for the Unix kernel. It is used to implement file systems, network protocols, file access control, and other features implemented by the Unix kernel or similar kernels such as Linux. A security vulnerability exists in GNU Hurd, which originated in GNU Hurd...

8.5 CVSS, 5.8 AI score, 0.00454 EPSS
Exploits: 1, References: 4
0day.today
added 2019/06/03 12:00 a.m., 1369 views

Safari Webkit Proxy Object Type Confusion Exploit

This Metasploit module exploits a type confusion bug in the JavaScript Proxy object in WebKit. The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation. This makes it possible to change the...

9.3 CVSS, 0.5 AI score, 0.89897 EPSS
Exploits: 16
0day.today
added 2016/11/01 12:00 a.m., 60 views

Apple OS X Kernel - IOBluetoothFamily.kext Use-After-Free Exploit

Exploit for macOS platform in category dos / poc / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=830 When you create a new IOKit user client from userspace you call: kern_return_t IOServiceOpen(io_service_t service, task_port_t owningTask, uint32_t type, io_connect_t *connect); The...

7.2 CVSS, 8.7 AI score, 0.00241 EPSS
Exploits: 2
0day.today
added 2016/11/01 12:00 a.m., 61 views

MacOS 10.12 - 'task_t' Privilege Escalation Exploit

Exploit for macOS platform in category local exploits Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=837 TL;DR you cannot hold or use a task struct pointer and expect the euid of that task to stay the same. Many many places in the kernel do this and there are a great many very...

7.2 CVSS, 8.5 AI score, 0.50335 EPSS
Exploits: 10
Exploit DB
added 2016/10/31 12:00 a.m., 79 views

Apple OS X/iOS - 'mach_ports_register' Multiple Memory Safety s

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=882 mach_ports_register is a kernel task port MIG method. It's defined in MIG like this: routine mach_ports_register(target_task : task_t; init_port_set : mach_port_array_t = ^array[] of mach_port_t); Looking at the generated code for this we noti...

7 AI score
Exploits: 0
exploitpack
added 2016/10/31 12:00 a.m., 26 views

Apple OS XiOS - mach_ports_register Multiple Memory Safety s

Apple OS XiOS - mach_ports_register Multiple Memory Safety s Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=882 mach_ports_register is a kernel task port MIG method. It's defined in MIG like this: routine mach_ports_register(target_task : task_t; init_port_set : mach_port_array_t = ^array o...

Exploits: 0
OSV
added 2016/09/25 10:59 a.m., 0 views

CVE-2016-4698

AppleMobileFileIntegrity in Apple iOS before 10 and OS X before 10.12 mishandles process entitlement and Team ID values in the task port inheritance policy, which allows attackers to execute arbitrary code in a privileged context via a crafted app...

7.8 CVSS, 7.6 AI score, 0.00265 EPSS
Exploits: 0, References: 6
Cvelist
added 2016/09/25 10:00 a.m., 14 views

CVE-2016-4698

AppleMobileFileIntegrity in Apple iOS before 10 and OS X before 10.12 mishandles process entitlement and Team ID values in the task port inheritance policy, which allows attackers to execute arbitrary code in a privileged context via a crafted app...

7.4 AI score, 0.00265 EPSS
Exploits: 0, References: 6
exploitpack
added 2016/03/23 12:00 a.m., 23 views

Apple Mac OSX iOS - SUID Binary Logic Error Kernel Code Execution

Apple Mac OSX iOS - SUID Binary Logic Error Kernel Code Execution Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=676 tl;dr The code responsible for loading a suid-binary following a call to the execve syscall invalidates the task port after first swapping the new vm_map into the...

7.5 AI score
Exploits: 0
NVD
added 2007/04/24 4:19 p.m., 12 views

CVE-2007-0732

Unspecified vulnerability in the CoreServices daemon in CarbonCore in Apple Mac OS X 10.4 through 10.4.9 allows local users to gain privileges via unspecified vectors involving "obtaining a send right to the Mach task port."...

7.2 CVSS, 6 AI score, 0.00056 EPSS
Exploits: 0, References: 8
CVE
added 2007/04/24 4:00 p.m., 52 views

CVE-2007-0732

CVE-2007-0732 affects Apple Mac OS X 10.4–10.4.9, via the CoreServices/CarbonCore subsystem. The vulnerability is a local privilege escalation caused by an unspecified flaw that allows a local user to obtain a send right to the Mach task port, enabling elevation of privileges. Affected component...

7.2 CVSS, 6 AI score, 0.00056 EPSS
Exploits: 0, References: 8, Affected Software: 2
Exploit DB
added 2006/09/30 12:00 a.m., 43 views

Apple Mac OSX 10.4.7 - Mach Exception Handling Privilege Escalation

/ excploit.c - 28 Nov 2005 - [email protected] Exploitable Mach Exception Handling Affected: Mac OS X 10.4.6 darwin 8.6.0 and older When a process executes a setuid executable, all existing rights to the task port are invalidated, to make sure unauthorized processes do not retain control o...

7 AI score
Exploits: 0
0day.today
added 2006/09/30 12:00 a.m., 20 views

Mac OS X <= 10.4.7 Mach Exception Handling Local Root Exploit

Exploit for macOS platform in category local exploits ============================================================= Mac OS X include include include extern booleant excservermachmsgheadert , machmsgheade...

6.8 AI score
Exploits: 0