WebKit arbitrary code execution in Apple Safari and Apple platforms
CVE-2023-41993 is a WebKit vulnerability affecting Apple products including iOS, iPadOS, Safari, watchOS, and macOS. Processing malicious web content may lead to arbitrary code execution. Apple states the issue was addressed with improved checks and that fixes were released in iOS 16.7 / 17.0.1, iPadOS 16.7 / 17.0.1, macOS 12.7 / 13.6 / Sonoma 14, and watchOS 9.6.3 / 10.0.1, depending on platform. Apple also notes it was aware of reports that the flaw may have been actively exploited against versions of iOS prior to 16.7. No vulnerable function or root-cause detail beyond 'improved checks' is provided here.
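As an added example (not code from this page or from any of the repositories listed below), a small Python triage helper that applies the fixed versions listed above to an inventory of device versions; the inventory records are constructed, and the macOS "Sonoma 14" entry is treated as 14.0.

```python
from typing import Optional

# Fixed versions per platform, as listed in the advisory summary above.
# Each entry is one release branch, identified by its major version.
FIXED_VERSIONS = {
    "ios":     ["16.7", "17.0.1"],
    "ipados":  ["16.7", "17.0.1"],
    "macos":   ["12.7", "13.6", "14"],   # "Sonoma 14" read as 14.0 (assumption)
    "watchos": ["9.6.3", "10.0.1"],
}

def parse_version(text: str) -> tuple:
    """Dotted version -> comparable tuple, padded so "16.7" == "16.7.0"."""
    parts = [int(p) for p in text.strip().split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts)

def is_patched(platform: str, version: str) -> Optional[bool]:
    """True if the version is at or past the fix for its own branch,
    False if it sits on a fixed branch but below the fix, and
    None if no fix is listed for that branch (e.g. iOS 15.x)."""
    key = platform.lower().replace(" ", "")
    if key not in FIXED_VERSIONS:
        raise ValueError(f"unknown platform: {platform}")
    v = parse_version(version)
    for fixed in FIXED_VERSIONS[key]:
        f = parse_version(fixed)
        if f[0] == v[0]:          # same release branch as the fix
            return v >= f
    return None

def triage(inventory):
    """Bucket (host, platform, version) records by patch state."""
    out = {"patched": [], "vulnerable": [], "unknown": []}
    for host, platform, version in inventory:
        state = is_patched(platform, version)
        bucket = "unknown" if state is None else ("patched" if state else "vulnerable")
        out[bucket].append(host)
    return out

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("phone-01", "iOS", "16.6.1"),      # below 16.7 -> vulnerable
    ("phone-02", "iOS", "17.0.1"),      # at the fix -> patched
    ("phone-03", "iOS", "15.7.9"),      # no 15.x fix listed -> unknown
    ("tablet-01", "iPadOS", "17.0"),    # 17.0 < 17.0.1 -> vulnerable
    ("mac-01", "macOS", "13.5.2"),      # 13.5.2 < 13.6 -> vulnerable
    ("mac-02", "macOS", "14.0"),        # Sonoma 14 -> patched
    ("watch-01", "watchOS", "9.6.2"),   # 9.6.2 < 9.6.3 -> vulnerable
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(bucket, hosts)
```

Devices that land in the "unknown" bucket are on a branch with no listed fix and should be treated as needing an upgrade to a fixed branch rather than as safe.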
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
4 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.
This repository is a multi-file Apple WebKit/JSC exploit research collection centered on CVE-2024-23222, with numerous auxiliary HTML PoCs for other Safari/WebKit vulnerabilities. It is not a framework module; it is a standalone research repo containing browser-delivered exploit pages, a local Python HTTP collector, and one native C helper.

Structure:
- README.md documents the intended full exploit chain: a malicious HTML page triggers CVE-2024-23222 in JavaScriptCore, obtains addrof/read64/write64 primitives, then uses a crafted WebAssembly indirect-call trampoline to invoke native libc functions on an A11 iPhone X running iOS 16.4.1. The documented post-exploitation action is opening and writing /tmp/pwned_cve_2024_23222, presented as proof of sandbox escape.
- poc/server.py is the operator-side infrastructure. It serves HTML files over HTTP on port 8765, exposes GET/POST /results for telemetry collection, and GET/POST /signal for auxiliary signaling.
- find_gigacage.c is a native Mach-based memory scanner that uses task_for_pid, vm_region_recurse_64, and vm_read to locate JSC/Gigacage-related regions and sentinels in another process. This supports exploit development and address discovery rather than remote exploitation.
- poc/exploit_23222.html is an earlier standalone Stage 1 exploit for CVE-2024-23222. It contains the core exploitation logic: WebAssembly modules, type confusion setup, arbitrary read/write primitives, addrof, and JIT/JSC structure offset handling. It posts progress markers and results back to /results.
- poc/ironloader_diag.html is a diagnostic page for CVE-2023-32409 ("IronLoader"), reusing similar Stage 1 primitives and adding logic to inspect IPC/GPU-related structures.
- The remaining poc/cve-*.html files are mostly self-contained browser PoCs or vulnerability checkers for specific CVEs. They generally trigger a suspicious code path, observe crashes/misbehavior, and POST a verdict plus logs to /results. Several are more detection-oriented than weaponized.

Main exploit capabilities:
- Browser-based initial access via a malicious HTML page.
- JSC/WebAssembly memory corruption leading to arbitrary address disclosure and 64-bit read/write in the renderer.
- Arbitrary native function invocation by overwriting a WASM indirect-call target slot.
- Demonstrated sandbox escape behavior by calling _open/_write on /tmp/pwned_cve_2024_23222.
- Extensive telemetry/logging back to a local HTTP server.

Notable targeting details:
- Primary target is Apple iPhone X (A11, no PAC), iOS 16.4.1, Safari 16.4.1.
- The exploit assumes device/version-specific offsets and an ASLR slide known in advance/offline.
- README explicitly notes limitations such as inability to directly read dyld cache from JS and failure of mmap(PROT_EXEC), indicating this is a real exploit-development repo rather than a simple detector.

Assessment:
- The repository contains genuine exploit code and PoCs. The main CVE-2024-23222 chain is operational but environment-specific, with a basic hardcoded payload (proof-file creation) rather than a flexible post-exploitation framework. Auxiliary files broaden the repo into a WebKit vulnerability lab with multiple browser-based tests and diagnostics.
This repository is a Proof-of-Concept (PoC) exploit for CVE-2023-41993, a critical vulnerability in Apple's WebKit browser engine. The exploit targets Safari on iOS (specifically tested on iOS 17.0 Beta 2, iPhone 14 Pro Max) and demonstrates limited arbitrary read/write primitives in the JavaScriptCore engine. The main exploit is implemented in 'pwn.html', which loads several helper JavaScript files ('helper.js', 'int64.js', 'util.js') to perform low-level memory manipulation. The exploit is triggered by visiting the attacker's server (running 'server.py') from Safari on a vulnerable device. The server serves the exploit page and related scripts, and also handles WebSocket connections for logging exploit progress and results. The exploit does not provide a full sandbox escape or remote code execution, but establishes a strong primitive for further exploitation. The repository is structured with clear separation between exploit logic (JavaScript), server logic (Python), and documentation (README.md). No hardcoded IPs or domains are present, but the exploit is designed to be hosted on an attacker-controlled server accessible to the target device.
This repository is a proof-of-concept (POC) exploit for CVE-2023-41993, a vulnerability in Apple WebKit (Safari). The main exploit logic is implemented in the 'pwn.html' file, which loads supporting JavaScript files 'util.js' and 'int64.js' for utility and 64-bit integer operations. The exploit targets the JavaScript engine in WebKit, leveraging object property manipulation and type confusion to achieve arbitrary memory read/write primitives. The exploit demonstrates the ability to create fake objects and obtain their addresses, which are essential steps for browser exploitation. The code references a secondary payload ('stage2_macOS.bin'), which is fetched and intended to be executed in memory, indicating the exploit's capability to escalate from JavaScript to native code execution. The repository structure is typical for a browser exploit POC, with supporting scripts and a main HTML file to be served to a vulnerable browser. No hardcoded network endpoints are present, but the exploit expects to fetch a local binary file for the second stage. The exploit is not weaponized but provides a solid foundation for further development or adaptation for real-world attacks.
This repository is a proof-of-concept (PoC) exploit for CVE-2023-41993, a type confusion vulnerability in WebKit (Safari's JavaScript engine) affecting macOS 14.0, iOS 17.0, and iPadOS 17.0. The repository contains four files: a detailed README.md explaining the vulnerability and exploitation approach, pwn.html (the main exploit file), and two JavaScript helper modules (int64.js for 64-bit integer manipulation and util.js for utility functions). The exploit is designed to be run in a browser on a vulnerable device. It leverages JavaScript engine internals to achieve addrof/fakeobj primitives, which provide arbitrary read/write access within the Safari WebContent process. The exploit is not fully weaponized; it only demonstrates the initial memory corruption primitive and does not provide a full sandbox escape or remote code execution. The README provides affected and unaffected version information, as well as references to the upstream commit and Apple advisory. The main entry point is pwn.html, which orchestrates the exploit logic. The repository also references a hosted version of the PoC at https://po6ix.github.io/POC-for-CVE-2023-41993/pwn.html.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An Apple WebKit vulnerability where processing web content may lead to arbitrary code execution; Apple reports it may have been actively exploited against iOS versions prior to iOS 16.7.
A remote code execution vulnerability in WebKit JIT for Apple Safari, used as part of a zero-day exploit chain by Predator spyware to gain code execution on iOS devices.
A vulnerability in iOS WebKit (CVE-2023-41993) exploited via watering hole attacks to deliver a cookie stealer payload, targeting session cookies from major web services.
One of multiple vulnerabilities in Apple products that can be chained to allow an attacker to take control of a device.