This repository has been archived by the owner on Sep 28, 2022. It is now read-only.
ant4g0nist/Vulnerable-Kext


Vulnerable Kext

License: MIT

A WIP (work-in-progress) "Vulnerable by Design" kext for iOS/macOS, built to play with and learn *OS kernel exploitation

Usage

  • Documentation can be found at https://fuzzing.science/vulnerable-kext

  • Basic setup requirements

    • An iOS device that can be jailbroken with checkra1n
    • The makefiles currently assume they are run on a Mac, so a macOS machine or a macOS VM

  • Running the following command makes checkra1n listen for an attached iOS device in DFU mode and boot pongoOS on it:

    /Applications/checkra1n.app/Contents/MacOS/checkra1n -c -p

  • Run run.sh to build kext_loader, pongo_module and the vulnerable kext, and then to start kext_loader. kext_loader waits for a device that has booted into the pongo shell:

    ./run.sh

For more details about ktrw, which the kext loading relies on, see the ktrw repository.
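The two steps above assume a DFU-mode device is already attached and that checkra1n and run.sh are where the README expects them; if either is missing, checkra1n simply sits waiting and run.sh fails part-way through a build. The following pre-flight wrapper is an added example, not part of Vulnerable-Kext or checkra1n: it checks both preconditions, then runs the two commands in the order the README gives. The default checkra1n path is the one from the README, the DFU check assumes that `system_profiler SPUSBDataType` lists a DFU-mode device with the string "DFU Mode" (an assumption about macOS output, not something the page states), and the `run` argument guard is there only so the functions can be sourced and tested without launching anything.

```shell
#!/bin/sh
# Added pre-flight wrapper for the Vulnerable-Kext README steps.
# Not part of the project; paths and the DFU-mode string are assumptions.
CHECKRA1N="${CHECKRA1N:-/Applications/checkra1n.app/Contents/MacOS/checkra1n}"
RUN_SH="${RUN_SH:-./run.sh}"

# Return 0 when the given `system_profiler SPUSBDataType` text (passed as $1
# so the check can be exercised offline) lists a device in DFU mode.
# Assumption: macOS reports such a device as "Apple Mobile Device (DFU Mode)".
dfu_device_listed() {
    printf '%s\n' "$1" | grep -q 'DFU Mode'
}

# Return 0 when both the checkra1n binary ($1) and run.sh ($2) exist and are
# executable; anything else means the README steps cannot complete.
prereqs_ok() {
    [ -x "$1" ] && [ -x "$2" ]
}

# Step 1: start checkra1n in CLI mode (-c) so it boots pongoOS (-p) on the
# DFU device, in the background.  Step 2: run run.sh, which builds
# kext_loader, pongo_module and the vulnerable kext and starts kext_loader.
# checkra1n is killed when run.sh returns or the script is interrupted.
boot_and_load() {
    "$CHECKRA1N" -c -p &
    cr_pid=$!
    trap 'kill "$cr_pid" 2>/dev/null' EXIT INT TERM
    "$RUN_SH"
}

main() {
    if ! prereqs_ok "$CHECKRA1N" "$RUN_SH"; then
        echo "missing or non-executable: $CHECKRA1N or $RUN_SH" >&2
        return 1
    fi
    usb="$(system_profiler SPUSBDataType 2>/dev/null)"
    if ! dfu_device_listed "$usb"; then
        echo "no device in DFU mode attached; put the device in DFU and retry" >&2
        return 1
    fi
    boot_and_load
}

# Only launch when invoked as `sh preflight.sh run`, so the functions above
# can be sourced or tested without touching a device.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Invoke it as `sh preflight.sh run` from the repository root (override `CHECKRA1N` or `RUN_SH` in the environment if your paths differ); it exits non-zero with a message instead of leaving checkra1n waiting indefinitely when no DFU device is present.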

Disclaimer

Vulnerable-Kext is an intentionally vulnerable kext for iOS/macOS, meant for educational purposes only.

TODO

  • Add IOKit support
  • Add vulnerabilities modelled on reported XNU/IOKit bugs? 🤔
  • Maybe improve the stability of kext loading
  • Fix the bugs in the vulnerabilities I implemented 🧐
  • Add write-ups for exploitation

Credits

  • @_bazad for the super awesome ktrw
  • The checkra1n team for the jailbreak
  • The kext template is taken from twic