XPC service vulnerabilities are a convenient way to elevate privileges and/or evade the sandbox. This post will look at a race condition in GSSCred on macOS ...| bazad.github.io
Apple introduced a mitigation against the use of task ports in exploits. In this post we examine the mitigation, find a loophole, and develop a new code inje...
Blanket is an exploit for CVE-2018-4280, a Mach port replacement vulnerability in launchd, that can be used to take control of every process on an iOS device...
The discovery and analysis of CVE-2018-4248, a vulnerability in Apple's libxpc library that could be used to read out-of-bounds heap data from certain XPC se...
Apple introduced a new kernelcache format for iOS 12 that includes what appear to be tagged kernel pointers. In this post I examine changes in the kernelcach...
When developing exploits or working on jailbroken devices, it's often useful to build command-line tools for iOS. While the Xcode UI does not support this, I...
An explanation of the design process of the jump-oriented programs used by libmemctl to call kernel functions on iOS 11.1.2.
In February 2018 I noticed that kernel pointers were showing up in register x18 of iOS crash logs. Figuring out why took me all the way back to the Meltdown ...
The ida_kernelcache IDA Pro toolkit now supports autogenerating class structs based on memory access patterns.
A live kernel memory inspection tool to aid in analyzing vulnerabilities and modifying the kernel.
Exploiting a logic bug in IOKit to directly access physical memory from user space.
Exploiting a use-after-free vulnerability in the OS X kernel to elevate privileges on Yosemite.