Use-after-free in Apple JavaScriptCore/WebKit leading to arbitrary code execution

This repository is a standalone iOS/macOS research PoC for a dyld chained-fixup/page-in-linking attack surface associated with CVE-2026-20700, not a framework module. Its purpose is to demonstrate that dyld can be coerced into producing PAC-valid function pointers and writing them into attacker-chosen slots inside a crafted Mach-O dylib, then show those pointers being executed through normal control flow. Structure: the Makefile orchestrates the full pipeline; src/launcher.c is the main iOS launcher; generators/gen_exports.py creates exports.c with ~N dummy exported symbols; generators/gen_client.py creates client.c with ~N imports and also emits a simple generated launcher variant used to stress dyld with a small-stack dlopen path; generators/gen_malformed_dylib.py is the core exploit generator that builds libmalformed.dylib byte-by-byte with custom LC_DYLD_CHAINED_FIXUPS metadata and malformed/controlled chain data; tools/inspect_fixups.py parses LC_DYLD_CHAINED_FIXUPS for sanity checking; tools/scan_pointers.py inspects Mach-O pointer sections; blog/ contains detailed English and Italian write-ups. Main exploit capabilities: (1) generate a malformed Mach-O dylib whose chained fixups cause dyld to resolve imported symbols and write PAC-valid pointers into selected __DATA offsets such as +0x10 and optionally +0x20; (2) validate the primitive using canaries in the malformed dylib's __DATA; (3) directly call the dyld-written function pointer or, in chain_close mode, register the second written pointer as a dispatch_source_t timer callback so the event loop invokes attacker_hook naturally; (4) stress dyld page-in linking using a second dylib with ~99k imports and a small-stack worker thread; and (5) trigger deterministic crash/reachability behavior in malformed page-in processing for research. The launcher coordinates two threads: Thread A loads libexports.dylib, resolves write_target_value, loads Frameworks/libmalformed.dylib, locates its __DATA via dyld image APIs, and checks whether dyld wrote the expected PAC-valid pointer into the target slot. In chain_close mode it also uses the second slot as a dispatch callback target. Thread B uses a constrained stack and deep recursion before dlopen("@executable_path/libclient.dylib") to exercise the dyld gate/path under stress. The Makefile presets (stress, exploit, chain_close) switch between crash proof, stable intra-image write primitive, and dispatch-based execution demo. No network C2 or remote endpointing is present. The observable endpoints are local Mach-O paths, bundle/package artifacts, and signing/provisioning files. The repository is a real exploit/research PoC rather than a detector: it builds runnable binaries and a crafted dylib to demonstrate a local code-execution-enabling primitive on iOS/arm64e systems.

This repository is a multi-file Apple WebKit/JSC exploit research collection centered on CVE-2024-23222, with numerous auxiliary HTML PoCs for other Safari/WebKit vulnerabilities. It is not a framework module; it is a standalone research repo containing browser-delivered exploit pages, a local Python HTTP collector, and one native C helper. Structure: - README.md documents the intended full exploit chain: a malicious HTML page triggers CVE-2024-23222 in JavaScriptCore, obtains addrof/read64/write64 primitives, then uses a crafted WebAssembly indirect-call trampoline to invoke native libc functions on an A11 iPhone X running iOS 16.4.1. The documented post-exploitation action is opening and writing /tmp/pwned_cve_2024_23222, presented as proof of sandbox escape. - poc/server.py is the operator-side infrastructure. It serves HTML files over HTTP on port 8765, exposes GET/POST /results for telemetry collection, and GET/POST /signal for auxiliary signaling. - find_gigacage.c is a native Mach-based memory scanner that uses task_for_pid, vm_region_recurse_64, and vm_read to locate JSC/Gigacage-related regions and sentinels in another process. This supports exploit development and address discovery rather than remote exploitation. - poc/exploit_23222.html is an earlier standalone Stage 1 exploit for CVE-2024-23222. It contains the core exploitation logic: WebAssembly modules, type confusion setup, arbitrary read/write primitives, addrof, and JIT/JSC structure offset handling. It posts progress markers and results back to /results. - poc/ironloader_diag.html is a diagnostic page for CVE-2023-32409 (“IronLoader”), reusing similar Stage 1 primitives and adding logic to inspect IPC/GPU-related structures. - The remaining poc/cve-*.html files are mostly self-contained browser PoCs or vulnerability checkers for specific CVEs. They generally trigger a suspicious code path, observe crashes/misbehavior, and POST a verdict plus logs to /results. Several are more detection-oriented than weaponized. Main exploit capabilities: - Browser-based initial access via a malicious HTML page. - JSC/WebAssembly memory corruption leading to arbitrary address disclosure and 64-bit read/write in the renderer. - Arbitrary native function invocation by overwriting a WASM indirect-call target slot. - Demonstrated sandbox escape behavior by calling _open/_write on /tmp/pwned_cve_2024_23222. - Extensive telemetry/logging back to a local HTTP server. Notable targeting details: - Primary target is Apple iPhone X (A11, no PAC), iOS 16.4.1, Safari 16.4.1. - The exploit assumes device/version-specific offsets and an ASLR slide known in advance/offline. - README explicitly notes limitations such as inability to directly read dyld cache from JS and failure of mmap(PROT_EXEC), indicating this is a real exploit-development repo rather than a simple detector. Assessment: - The repository contains genuine exploit code and PoCs. The main CVE-2024-23222 chain is operational but environment-specific, with a basic hardcoded payload (proof-file creation) rather than a flexible post-exploitation framework. Auxiliary files broaden the repo into a WebKit vulnerability lab with multiple browser-based tests and diagnostics.

Repository contains a minimal browser/JS-engine exploit proof-of-concept labeled "CVE-2025-43529 Test". Structure is extremely small: LICENSE (GPLv3), a short README.md naming the CVE, and a single index.html containing all exploit logic. index.html implements heap grooming and GC pressure using large arrays and repeated ArrayBuffer allocations (e.g., 0x80_0000) to influence allocation patterns. The function foo(flag, k, allocCount) manipulates object fields with type instability (switching between object and double when flag is true) and performs heavy loops likely intended to trigger JIT compilation/optimization. The main() routine repeatedly calls foo() and a deep recursive() function to stress the engine/stack and encourage deterministic GC/optimization behavior. The exploit then attempts a use-after-free/type-confusion style reclaim: it reads a nested property (freed = arr[arr_index].p1.p1) and tries to detect successful memory reuse by allocating small JS arrays containing a sentinel value (13.37) and checking freed[0]. On success, it constructs classic exploitation primitives using a boxed/unboxed array pair and typed arrays for bit-casting (BigUint64Array/Float64Array): itof(), ftoi(), addrof(obj) (leaks an address), and fakeobj(addr) (creates a fake JS object reference). The PoC ends by alerting a leaked address (0x...) and does not proceed to arbitrary read/write or code execution. No network I/O, external URLs, domains, IPs, registry keys, or command execution are present; the only observable interaction is via alert() dialogs and local in-browser memory manipulation.

Repository is a work-in-progress exploit-chain analysis and PoC for two iOS WebKit-related vulnerabilities used together in-the-wild: CVE-2025-43529 (JavaScriptCore DFG store-barrier insertion UAF) and CVE-2025-14174 (ANGLE Metal backend out-of-bounds write reachable via WebGL2). Structure: - README.md: High-level writeup of both CVEs, intended chain (renderer RCE -> GPU process corruption/sandbox escape), and current status. Notes that addrof/fakeobj primitives are achieved but arbitrary read/write is blocked by arm64e Pointer Authentication (PAC). - poc/uaf_trigger.js: Implements the UAF trigger. It constructs a Phi node scenario in JSC DFG where a Phi escapes but Upsilon inputs are not marked escaped, leading to missing write barriers. A Date object with an indexed property is used to create a butterfly; GC pressure is induced via large ArrayBuffer allocations; then a long loop provides a GC window. The result is a freed Date whose butterfly can be reclaimed by sprayed arrays. The main() function repeatedly triggers and sprays until it detects successful reclamation (freed[0] == 13.37), returning two views of the same butterfly (freed Date view and spray Array view) enabling type confusion. - poc/primitives.js: Given the boxed/unboxed views of the same butterfly, provides itof/ftoi conversions and implements addrof(obj) (leak object address by storing into boxed array and reading raw bits via unboxed array) and fakeobj(addr) (write address bits via unboxed array and read back as object via boxed array). This is a classic JSC boxed/unboxed confusion primitive. - poc/angle_oob.js: WebGL2 trigger for ANGLE Metal backend OOB write. It creates a texture and a pixel unpack buffer (PBO) containing full-size data for a 256x256 float texture, then sets UNPACK_IMAGE_HEIGHT to 16 so ANGLE allocates a staging buffer sized for 256x16 but performs a write for 256x256, producing a large OOB write in the GPU process. No controlled corruption strategy or sandbox escape payload is implemented—this is a trigger PoC. - analysis/pac_analysis.md: Detailed notes on arm64e PAC mitigations in JSC, focusing on PAC-protected fields like JSArray m_butterfly and TypedArray m_vector. Explains why naive fake TypedArray/JSArray techniques crash (autda/auth failure) and why the butterfly-reuse confusion works (pointers remain legitimately signed). Lists potential PAC bypass research directions. - analysis/crash_logs/*.ips: Example iOS crash report showing EXC_BAD_ACCESS with a PAC-failure-like address pattern (0x0001fffffffffffc) in JavaScriptCore LLInt get_by_val path. Capabilities and limitations: - Achieved: renderer-side addrof/fakeobj and repeated address leaks via UAF-driven butterfly reclamation/type confusion. - Not achieved: arbitrary read/write and code execution primitives due to PAC on arm64e; ANGLE OOB is confirmed as a trigger but not yet chained into a full exploit.

This repository contains a proof-of-concept (PoC) exploit for CVE-2025-43529, a use-after-free vulnerability in the DFG JIT compiler of WebKit's JavaScriptCore (JSC) engine. The exploit targets Apple devices running iOS 26.1, iPadOS 26.1, and macOS Tahoe 26.0.1. The vulnerability arises from a missing StoreBarrier in the DFG JIT, which can lead to memory corruption when the garbage collector misses objects that should be scanned. The repository consists of two files: - README.md: A detailed technical write-up explaining the vulnerability, the underlying JSC garbage collection and JIT internals, and the exploit development process. It also describes the primitives achieved (addrof/fakeobj) and the steps required to build further exploitation (such as arbitrary read/write and code execution). - exp.html: The main exploit file, containing JavaScript code that triggers the vulnerability. The code manipulates arrays and objects to create a use-after-free condition, then constructs addrof/fakeobj primitives, which are essential for further exploitation. The exploit demonstrates successful primitive creation by alerting the address of a JavaScript object. No hardcoded network endpoints, IP addresses, or external URLs are present in the exploit code. The attack vector is browser-based, requiring the victim to visit a malicious web page containing the exploit. The exploit is a functional PoC, providing memory manipulation primitives but leaving full code execution (such as bypassing pointer authentication) as an exercise for the reader.

This repository contains a comprehensive proof-of-concept (PoC) and test harnesses for CVE-2025-43529, a critical use-after-free vulnerability in JavaScriptCore's DFG/FTL JIT (WebKit) affecting macOS 26.1 and iOS 26.1. The exploit leverages a missing escape check in the ObjectAllocationSinkingPhase, allowing the JIT to use stale heap hints after a Phi merge and OSR exit, resulting in memory corruption. The repository includes: - Multiple HTML/JavaScript test harnesses for both iOS (Safari) and macOS (JSC CLI), targeting strict-mode and non-strict argument patterns, Phi merges, promoted stores, and OSR exits. - Scripts and instructions for running the PoC on real devices (notably iPhone 11 Pro Max) and on macOS with the JSC binary. - The PoC demonstrates the vulnerability by producing observable mismatches or corrupted values in JavaScript, confirming the presence of the bug. While the code does not provide a direct RCE payload, it establishes a reliable memory corruption primitive that could be weaponized. - The repository is well-structured, with clear separation between device-specific probes, core JavaScript test cases, and supporting scripts. The README provides detailed technical analysis, root cause, binary diffing, and exploitation implications. No hardcoded IPs or external network endpoints are present, but the exploit is designed to be delivered via a local HTTP server to a browser on a vulnerable device. The attack vector is browser-based, requiring the victim to visit a malicious or attacker-controlled web page.