Pinned Repositories
blanket
CVE-2018-4280: Mach port replacement vulnerability in launchd on iOS 11.2.6 leading to sandbox escape, privilege escalation, and codesigning bypass.
ida_kernelcache
An IDA Toolkit for analyzing iOS kernelcaches.
ios-command-line-tool
Example showing how to build a standalone iOS executable using Xcode.
memctl
An iOS kernel introspection tool.
physmem
Local privilege escalation on macOS up to and including 10.12.1 via CVE-2016-1825 or CVE-2016-7617.
presentations
Slides from my conference presentations.
rootsh
Local privilege escalation for OS X 10.10.5 via CVE-2016-1828.
threadexec
A library to execute code in the context of other processes on iOS 11.
x18-leak
CVE-2018-4185: iOS 11.2-11.2.6 kernel pointer disclosure introduced by Apple's Meltdown mitigation.
ktrw
An iOS kernel debugger based on a KTRR bypass for A11 iPhones; works with LLDB and IDA Pro.
bazad's Repositories
bazad/ida_kernelcache
An IDA Toolkit for analyzing iOS kernelcaches.
bazad/blanket
CVE-2018-4280: Mach port replacement vulnerability in launchd on iOS 11.2.6 leading to sandbox escape, privilege escalation, and codesigning bypass.
bazad/memctl
An iOS kernel introspection tool.
bazad/x18-leak
CVE-2018-4185: iOS 11.2-11.2.6 kernel pointer disclosure introduced by Apple's Meltdown mitigation.
bazad/threadexec
A library to execute code in the context of other processes on iOS 11.
bazad/presentations
Slides from my conference presentations.
bazad/ios-command-line-tool
Example showing how to build a standalone iOS executable using Xcode.
bazad/launchd-portrep
CVE-2018-4280: Mach port replacement vulnerability in launchd on macOS 10.13.5 leading to local privilege escalation and SIP bypass.
bazad/devicetree-parse
A tool to parse Apple's binary device tree format.
bazad/xpc-string-leak
CVE-2018-4248: Out-of-bounds read in libxpc during string serialization.
bazad/macho_gadgets
A tool to find gadgets in the iOS kernelcache.
bazad/AppleJPEGDriver-memleak
Kernel memory leak/local DoS on iOS 11.
bazad/ctl_ctloutput-leak
CVE-2017-13868: Information leak of uninitialized kernel heap data in XNU.
bazad/gsscred-race
CVE-2018-4331: Exploit for a race condition in the GSSCred system service on iOS 11.2.
bazad/memctl-kext-core
A memctl core for macOS that uses a kernel extension.
bazad/IOAccelerator-leak
Kernel heap pointer disclosure in IOGraphicsFamily.
bazad/memctl-tfp0-core
A memctl core for jailbroken iOS devices.
bazad/bazad.github.io
My security blog.
bazad/flow_divert-leak
Kernel heap out-of-bounds read on macOS/iOS; requires root.
bazad/xpc-crash
An out-of-bounds read in libxpc that can be used to crash XPC services.
bazad/mincore-dos
Local denial of service exploit for iOS 11/macOS 10.13.
bazad/kldstat-stack-disclosure
A kernel stack disclosure in FreeBSD.
bazad/memctl-physmem-core
A memctl core that uses the physmem exploit.
bazad/gsscred-move-uaf
CVE-2018-4343: Proof-of-concept for a use-after-free in the GSSCred daemon on macOS and iOS.
bazad/flow_divert-memleak
Memory leak in XNU requiring root privileges.
bazad/IOMFB-DOS-1
Local denial of service on iOS 11.2.
bazad/IOFireWireFamily-null-deref
CVE-2017-2388: Null-pointer dereference in IOFireWireFamily.
bazad/mach_portal_memctl
An example of how to use libmemctl with mach_portal.
bazad/sysctl_coalition_get_pid_list-dos
CVE-2017-7173: Local denial of service on iOS; requires root privileges.
bazad/IOFireWireFamily-overflow
CVE-2016-7608: Buffer overflow in IOFireWireFamily.