WebKit Type Confusion Remote Code Execution
CVE-2024-23222 is a type confusion vulnerability in Apple WebKit; multiple tracked sources place the bug in the WebKit/JavaScriptCore JIT path. Apple states the issue was addressed with improved checks. Processing maliciously crafted web content can trigger the flaw and lead to arbitrary code execution. Tracked sources further associate this vulnerability with the Coruna exploit kit’s "cassowary" WebContent R/W stage and note that it was used for initial browser renderer/WebContent code execution on affected iOS versions prior to the fix. Apple fixed the issue in Safari 17.3, iOS 17.3, iPadOS 17.3, iOS 16.7.5, iPadOS 16.7.5, iOS 15.8.7, iPadOS 15.8.7, macOS Monterey 12.7.3, macOS Ventura 13.6.4, macOS Sonoma 14.3, tvOS 17.3, and visionOS 1.0.2.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
4 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.
This repository is a multi-file Apple WebKit/JSC exploit research collection centered on CVE-2024-23222, with numerous auxiliary HTML PoCs for other Safari/WebKit vulnerabilities. It is not a framework module; it is a standalone research repo containing browser-delivered exploit pages, a local Python HTTP collector, and one native C helper.

Structure:
- README.md documents the intended full exploit chain: a malicious HTML page triggers CVE-2024-23222 in JavaScriptCore, obtains addrof/read64/write64 primitives, then uses a crafted WebAssembly indirect-call trampoline to invoke native libc functions on an A11 iPhone X running iOS 16.4.1. The documented post-exploitation action is opening and writing /tmp/pwned_cve_2024_23222, presented as proof of sandbox escape.
- poc/server.py is the operator-side infrastructure. It serves HTML files over HTTP on port 8765, exposes GET/POST /results for telemetry collection, and GET/POST /signal for auxiliary signaling.
- find_gigacage.c is a native Mach-based memory scanner that uses task_for_pid, vm_region_recurse_64, and vm_read to locate JSC/Gigacage-related regions and sentinels in another process. This supports exploit development and address discovery rather than remote exploitation.
- poc/exploit_23222.html is an earlier standalone Stage 1 exploit for CVE-2024-23222. It contains the core exploitation logic: WebAssembly modules, type confusion setup, arbitrary read/write primitives, addrof, and JIT/JSC structure offset handling. It posts progress markers and results back to /results.
- poc/ironloader_diag.html is a diagnostic page for CVE-2023-32409 (“IronLoader”), reusing similar Stage 1 primitives and adding logic to inspect IPC/GPU-related structures.
- The remaining poc/cve-*.html files are mostly self-contained browser PoCs or vulnerability checkers for specific CVEs. They generally trigger a suspicious code path, observe crashes/misbehavior, and POST a verdict plus logs to /results. Several are more detection-oriented than weaponized.

Main exploit capabilities:
- Browser-based initial access via a malicious HTML page.
- JSC/WebAssembly memory corruption leading to arbitrary address disclosure and 64-bit read/write in the renderer.
- Arbitrary native function invocation by overwriting a WASM indirect-call target slot.
- Demonstrated sandbox escape behavior by calling _open/_write on /tmp/pwned_cve_2024_23222.
- Extensive telemetry/logging back to a local HTTP server.

Notable targeting details:
- Primary target is Apple iPhone X (A11, no PAC), iOS 16.4.1, Safari 16.4.1.
- The exploit assumes device/version-specific offsets and an ASLR slide known in advance/offline.
- README explicitly notes limitations such as inability to directly read the dyld cache from JS and failure of mmap(PROT_EXEC), indicating this is a real exploit-development repo rather than a simple detector.

Assessment:
- The repository contains genuine exploit code and PoCs. The main CVE-2024-23222 chain is operational but environment-specific, with a basic hardcoded payload (proof-file creation) rather than a flexible post-exploitation framework. Auxiliary files broaden the repo into a WebKit vulnerability lab with multiple browser-based tests and diagnostics.
This repository is a deobfuscated, split-out browser exploit kit for Apple iOS targeting CVE-2024-23222 in WebKit/JavaScriptCore, not a benign analysis tool despite the misleading README. The structure is centered around group_loader.html, which acts as the main entry point and loads the core modules: utility_module.js, platform_module.js, sha256.js, module_loader.js, exploit_trigger.js, and fingerprint.js. The code is clearly organized as a staged exploit chain.

Core purpose and flow: fingerprint.js first performs victim profiling by checking the user agent, limiting execution to iOS 13-17, discovering the public IP via icanhazip/ipify, and POSTing telemetry including a campaign code to https://8df7.cc/api/ip-sync/sync. group_loader.html also embeds Google Analytics tracking (G-LKHD0572ES), suggesting campaign measurement.

exploit_trigger.js then orchestrates the actual exploitation: it detects platform/version, checks for Lockdown Mode and simulator conditions, loads version-specific stage modules, executes a WebAssembly/JSC memory corruption primitive, detects runtime type, conditionally loads a PAC bypass for ARM64e/PAC-enabled devices, and finally loads one of two sandbox-escape stage3 variants. It reports result codes through a telemetry helper, though the visible path is blank in the provided deobfuscation.

module_loader.js implements a custom module system (obChTK) using SHA1-like module IDs and remote loading. It derives remote filenames as SHA256(salt + moduleId).substring(0,40)+'.js', using salt cecd08aa6ff548c2 and a base URL derived from ./7a7d99099b035b2c6512b6ebeeea6df1ede70fbb.min.js. This means additional exploit stages are intended to be fetched dynamically from the same hosting path. The loader executes fetched code with new Function(), caches modules, and supports base64-encoded module registration.

The exploitation internals are substantial. utility_module.js provides low-level integer, pointer, typed-array, and conversion helpers needed for memory corruption. platform_module.js performs iOS version parsing, runtime selection, Lockdown Mode and simulator checks, PAC state handling, and Mach-O image parsing support. stage1_wasm_primitives.js contains the main browser exploit primitive: a WebAssembly-based JavaScriptCore type-confusion chain that yields addrof/fakeobj and arbitrary read/write, then scans memory backward from JIT code to locate a Mach-O header. stage2_pac_bypass.js implements a PAC bypass using Intl.Segmenter iterator/vtable corruption and Mach-O/gadget discovery, enabling execution on PAC-protected ARM64e devices.

Post-exploitation delivery is represented by stage4_payload_stub.js, stage5_main_payload.js, and stage6_README.md. Stage 4 and Stage 5 both invoke window["qbrdr"] with encrypted base64 payloads; qbrdr is described as a decryption/execution handler registered by earlier stages. Stage 5 is documented as a PLASMAGRID stager/implant loader with persistence, exfiltration, remote access, and C2 behavior. Stage 6 is described as a non-JavaScript encrypted/binary blob loaded later in the chain.

Overall, this is a real, multi-stage, operational exploit kit with telemetry, dynamic module retrieval, exploit staging, and encrypted payload delivery.
The repository contains two related but distinct JavaScriptCore/WebKit exploit artifacts plus a helper deobfuscator. The top-level README is a detailed technical write-up of CVE-2024-23222, describing a TOCTOU race in JavaScriptCore DFG constant folding (Graph::tryGetConstantProperty) and how stale JSValue cell pointers can later crash in freeze() or GC marking.

The practical Linux PoC is toctou_clean_asan_v2.js, a parameterized jsc-shell harness that warms a property-read probe for DFG compilation, waits for an instrumented race window, then drops references and forces GC to trigger an ASan-visible stale-cell crash. It supports multiple GC modes, pressure strategies, release timing controls, and optional synchronization through the file /tmp/jsc_toctou_signal. This is a real exploit PoC, not just detection, but it is research-oriented and depends on a specially instrumented vulnerable engine.

The cassowary-CVE-2024-23222/ directory contains an obfuscated iOS WebKit exploit module and analysis tooling. deobfuscate.js is a Node.js utility that decodes XOR-obfuscated strings/constants, cleans minified literals, renames APIs, and writes a deobfuscated copy. yAerzw_d6cb72f5.js is the original obfuscated exploit. yAerzw_d6cb72f5_deobfuscated.js and yAerzw_d6cb72f5_analytic_rewrite.js show the exploit’s structure clearly: it targets iOS 16.6–17.2.1, uses JIT type confusion plus WebAssembly instances to build an arbitrary read/write primitive in WebContent, warms JIT-compiled functions, triggers confusion via crafted argument/accessor behavior, resolves internal addresses, initializes a Wasm-backed memory primitive, then scans memory from a WebAssembly.Table executable pointer backward by 0x1000 pages until the Mach-O magic 0xfeedfacf is found. No external network C2 or remote URLs are present; the notable observables are local file paths and in-memory target artifacts.

Overall, the repository’s purpose is exploit research and analysis for CVE-2024-23222, including both a Linux crash reproducer and a deobfuscated in-the-wild-style iOS exploitation component.
The repository appears to be a partial, deobfuscation-oriented research snapshot of an iOS WebKit/JSC exploit kit chain for CVE-2024-23222.

Structure and purpose:
- group_loader.html: Browser entry-point HTML that disables caching and loads multiple JavaScript modules (utility/platform/sha256/module loader/exploit trigger/fingerprint). It also embeds Google Analytics and comments describing the original (larger) inline ‘group.html’ and its module IDs.
- utility_module.js: Substantial low-level helper library implementing typed-array reinterpret casts, Int64/BigInt conversions, pointer-tag stripping for JSC tagged pointers, encoding/decoding helpers (base64/LZW/LEB128 mentioned), and general primitives typically required to build addrof/fakeobj and pointer arithmetic in JSC exploits.
- ConceptualJavaScript.js: High-level, mostly stubbed pseudocode outlining a 3-stage chain: (1) WASM-based memory primitives via type confusion, (2) PAC bypass via Intl.Segmenter iterator vtable corruption, (3) sandbox escape via Mach-O parsing/symbol resolution and payload execution, followed by deliverPayload().
- README.md: Claims iOS 13.0–17.x targeting WebKit/JSC; describes stages 1–6 including payload delivery of an encrypted blob and a “PLASMAGRID” stager; references additional modules (exploit_trigger.js, stage1/2/3 files, fingerprint.js) that are not present in the provided file list.

Exploit capabilities (as represented in this snapshot):
- Browser-based exploitation path (malicious HTML/JS) intended to trigger a JSC type confusion (CVE-2024-23222) to obtain memory read/write primitives (via WASM), then bypass ARM64e PAC, then escape the WebKit sandbox.
- Telemetry/fingerprinting is indicated by comments: an IP fingerprinting IIFE sending telemetry to the domain 8df7.cc (the implementation file fingerprint.js is referenced but missing here).
- Analytics tracking via Google Tag Manager (gtag) is explicitly included.

Limitations of the snapshot:
- Several key modules referenced by the loader and README (platform_module.js, sha256.js, module_loader.js, exploit_trigger.js, fingerprint.js) are not included in the provided repository contents, and ConceptualJavaScript.js contains placeholders (corruptIterator, parseWebKitMacho, resolveSymbols, buildPayload, executePayload, deliverPayload). As-is, this looks closer to a research/deobfuscation artifact and utility library than a fully runnable exploit kit.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
34 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A WebKit type confusion vulnerability used by Coruna's cassowary chain, targeting iOS 16.6–17.2 with a hard cutoff at iOS 17.3 where it was patched.
A WebKit JIT type confusion vulnerability used in Coruna Stage 1 to achieve initial code execution in the browser renderer on iOS 16.6–17.2.1.
A WebContent read/write vulnerability used in Coruna exploit chains against iPhones; specifically noted as later patched in iOS 17.3.
A security flaw for which Apple expanded patches; the flaw was weaponized as part of the Coruna exploit kit.