# Fixing LC_DYLD_CHAINED_FIXUPS for macOS M1 kext drivers
# -*- coding: utf-8 -*-
#@category macOS.kext
from generic.continues import RethrowContinuesFactory
from ghidra.app.script import GhidraScript
from ghidra.app.util.bin import ByteProvider, RandomAccessByteProvider, BinaryReader
from ghidra.app.util.bin.format.macho import MachHeader, Section, commands
from ghidra.program.model.address import Address
from java.io import File
@0x36
0x36 / oob_events.c
Created November 5, 2020 23:16
IOAccelContext2::finish_fence_event() race condition OOB read/write
#if 0
IOAccelContext2::finish_fence_event() race condition OOB read/write
This is a method exposed to user space. It takes a kernel read-only shared memory
(type 2 via clientMemoryForType()) address and treats it as an IOAccelEvents array.
The user-supplied index is checked against the IOAccelEvents array bounds; since there are no
locks held in this method, it is possible to change the array bounds by calling
IOAccelContext2::clientMemoryForType() again in a separate thread. This will expand the size by
multiplying the older size by 2, but we still have a reference to the old shared memory address
# Fix a metacast output in iOS kernelcache
#@author simo
#@category iOS.kernel
#@keybinding Meta Shift M
#@toolbar logos/m.png
# -*- coding: utf-8 -*-
# This script can be only used in GHIDRA 9.2, so grab the source code and compile it yourself
#if 0
Reported : 19-Jan-2020
Fixed in iOS 13.4 with CVE-2020-9768
AppleJPEGDriverUserClient : mach port use-after-free/type-confusion via race condition
AppleJPEGDriverUserClient external methods can be used synchronously or asynchronously. When used asynchronously,
it takes the registered mach port (via registerNotificationPort()) and puts it inside the jpegRequest data structure,
and no reference count was taken for this operation. Since registerNotificationPort() is not gated, it is
possible to release the port (if the port gets substituted) during the processing of the jpeg request and end up
with a dangling pointer passed to _mach_msg_send_from_kernel_proper().
@0x36
0x36 / afuu.c
Created November 22, 2019 11:02
AppleFirmwareUpdateKext::loadFirmware() : Missing lock leads to double object release
#if 0
// Fixed in iOS 13.1 with CVE-2019-8747
__thiscall
AppleFirmwareUpdateKext::loadFirmware
(AppleFirmwareUpdateKext *this,IOMemoryDescriptor *Memory,void *off_0x10,uint off_0x18)
{
uint uVar1;
byte addr;
byte len;
@0x36
0x36 / ApplePPM_oobw.c
Created November 22, 2019 10:59
ApplePPM::setProperties() OOB writes
#if 0
Fixed in iOS 13.0 with CVE-2019-8712.
ApplePPM::setProperties() : OSArray::initWithArray called without locks leads to OOB Writes
__thiscall ApplePPM::setProperties(ApplePPM *this,OSDictionary *param_1)
{
...
...
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <linux/types.h>
#include <arpa/inet.h>
#include <linux/in.h>
#include <linux/in6.h>
#include <linux/if.h>
@0x36
0x36 / xfrm.c
Created November 28, 2017 17:35
CVE-2017-16939
#define _GNU_SOURCE
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <asm/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <linux/netlink.h>
#include <linux/xfrm.h>