Apple WebContent Sandbox Escape
CVE-2023-32409 is an Apple vulnerability affecting Web Content processing that could allow a remote attacker to break out of the Web Content sandbox. Apple states the issue was addressed with improved bounds checks, indicating a memory-safety flaw consistent with an out-of-bounds memory handling weakness in the affected component. The vulnerability was fixed in watchOS 9.5, tvOS 16.5, macOS Ventura 13.4, Safari 16.5, iOS 16.5 and iPadOS 16.5, and backported to iOS 15.7.8 and iPadOS 15.7.8. Public reporting also associates the flaw with the Coruna exploit kit under the exploit name "IronLoader," where it is used as a WebContent sandbox escape stage following browser/WebKit compromise.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
This repository is a multi-file Apple WebKit/JSC exploit research collection centered on CVE-2024-23222, with numerous auxiliary HTML PoCs for other Safari/WebKit vulnerabilities. It is not a framework module; it is a standalone research repo containing browser-delivered exploit pages, a local Python HTTP collector, and one native C helper.

Structure:
- README.md documents the intended full exploit chain: a malicious HTML page triggers CVE-2024-23222 in JavaScriptCore, obtains addrof/read64/write64 primitives, then uses a crafted WebAssembly indirect-call trampoline to invoke native libc functions on an A11 iPhone X running iOS 16.4.1. The documented post-exploitation action is opening and writing /tmp/pwned_cve_2024_23222, presented as proof of sandbox escape.
- poc/server.py is the operator-side infrastructure. It serves HTML files over HTTP on port 8765, exposes GET/POST /results for telemetry collection, and GET/POST /signal for auxiliary signaling.
- find_gigacage.c is a native Mach-based memory scanner that uses task_for_pid, vm_region_recurse_64, and vm_read to locate JSC/Gigacage-related regions and sentinels in another process. This supports exploit development and address discovery rather than remote exploitation.
- poc/exploit_23222.html is an earlier standalone Stage 1 exploit for CVE-2024-23222. It contains the core exploitation logic: WebAssembly modules, type confusion setup, arbitrary read/write primitives, addrof, and JIT/JSC structure offset handling. It posts progress markers and results back to /results.
- poc/ironloader_diag.html is a diagnostic page for CVE-2023-32409 ("IronLoader"), reusing similar Stage 1 primitives and adding logic to inspect IPC/GPU-related structures.
- The remaining poc/cve-*.html files are mostly self-contained browser PoCs or vulnerability checkers for specific CVEs. They generally trigger a suspicious code path, observe crashes/misbehavior, and POST a verdict plus logs to /results. Several are more detection-oriented than weaponized.

Main exploit capabilities:
- Browser-based initial access via a malicious HTML page.
- JSC/WebAssembly memory corruption leading to arbitrary address disclosure and 64-bit read/write in the renderer.
- Arbitrary native function invocation by overwriting a WASM indirect-call target slot.
- Demonstrated sandbox escape behavior by calling _open/_write on /tmp/pwned_cve_2024_23222.
- Extensive telemetry/logging back to a local HTTP server.

Notable targeting details:
- Primary target is Apple iPhone X (A11, no PAC), iOS 16.4.1, Safari 16.4.1.
- The exploit assumes device/version-specific offsets and an ASLR slide known in advance/offline.
- README explicitly notes limitations such as inability to directly read dyld cache from JS and failure of mmap(PROT_EXEC), indicating this is a real exploit-development repo rather than a simple detector.

Assessment:
- The repository contains genuine exploit code and PoCs. The main CVE-2024-23222 chain is operational but environment-specific, with a basic hardcoded payload (proof-file creation) rather than a flexible post-exploitation framework. Auxiliary files broaden the repo into a WebKit vulnerability lab with multiple browser-based tests and diagnostics.
Recent activity
14 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An iOS vulnerability listed as exploited by the Coruna exploit kit.
A WebContent sandbox escape vulnerability used by the Coruna exploit kit in iOS exploitation chains.
A WebKit sandbox escape vulnerability used in the Coruna exploit chain to break out of the browser sandbox.
A WebContent sandbox escape vulnerability used by Coruna to break out of the browser sandbox as part of an exploit chain.