argp
@_argp
Followers
18,861
Following
140
Media
615
Statuses
15,321
Hacker. Ascetic. Phrack author. The most technical boy in town.
0x29A
Joined January 2010
Don't wanna be here?
Send us removal request.
Explore trending content on Musk Viewer
Happy Pride Month
• 211918 Tweets
サイン色紙
• 113166 Tweets
キャンペーン開催中
• 82048 Tweets
Itália
• 65511 Tweets
LINGORM OTW EP2
• 62749 Tweets
鳴尾記念
• 39164 Tweets
Happy New Month
• 30802 Tweets
#VoleiNoSporTV
• 29091 Tweets
#cgUT_東京昼
• 23259 Tweets
新シーズン
• 20463 Tweets
Pancasila
• 15717 Tweets
#楽天スーパーSALEで買うべきもの
• 13985 Tweets
テイフェス
• 13255 Tweets
Aaron Judge
• 13170 Tweets
フルイド
• 10662 Tweets
パイモン
• 10505 Tweets
Pinned Tweet
Slide deck (PDF) from my
#CanSecWest2019
talk "Vs .sandbox" on reverse engineering the Apple iOS sandbox kernel extension:
18
113
263
Remote exploitation of a man-in-the-disk vulnerability in WhatsApp (CVE-2021-24027); epic logical exploitation writeup by huku:
4
273
621
Undecimus by
@Pwn20wnd
is totally research friendly; just tried it on a 12.4 XR and happy to see so many things exported for exploring and playing around, who needs Apple's "research" devices anyway.
19
38
447
There you go:
iBoot.d421.RELEASE.im4p, iPhone 11 Pro, 13.4 17E255
d15a611e6792e13f68fd340df5e27558b589eb9332452086ec40b5a54cd5353a4ffc8425860beba3f380e884c1a2b683
19
76
443
'The bug was "fixed" by Apple in 2012 as CVE-2012-3727 but fixed the bug in the wrong function (dns4 one) so this is still an 0day at the moment.'
;)
2
71
235
There are 220 sandbox profiles in iOS 13.3.1; there were 193 in iOS 12.4. Here's the diff (all dumped/decompiled with my sandboxhelper IDA Python tool):
2
49
197
"Smashing the stack for fun and profit" anniversary -- 8 Nov 1996!
jmp offset-to-call
pop ...
call offset-to-pop
"/bin/sh"
2
54
186
Nice paper on causing bit flips in Firefox arrays on Android
by abusing WebGL shader textures:
The authors use & reference my previously published in Phrack exploitation primitives for leveraging the bit flips to ASLR leak & RCE:
1
78
178
"Smashing the stack for fun and profit" anniversary -- 8 Nov 1996!
jmp offset-to-call
pop ...
call offset-to-pop
"/bin/sh"
1
34
154
Happy birthday to Phrack!
"This issue is Volume One, Issue One, released on November 17, 1985."
2
55
147
Just pushed to github a major update of my iBoot64helper tool for IDA; use it to help you in reversing AArch64 iBoot, iBEC, and SecureROM. You can use it both as a loader and as an ordinary script.
2
47
124
Here's an IDA script I wrote to help with iBoot64 RE; it goes well with
@xerub
's img4 & the i5s keys he released ;)
1
60
122
Smashing the stack for fun and profit anniversary (8 Nov 1996)!
jmp offset-to-call; pop ...; call offset-to-pop; "/bin/sh"
1
72
128
While reversing the recent iOS 16.0 beta 2 build 20A5303i sandbox kext, I found a new set of profiles seemingly named “protobox” for various services and daemons all being “allow default”; here’s an excerpt from one picked randomly ;)
4
15
126
"Smashing the stack for fun and profit" anniversary -- 8 Nov 1996!
jmp offset-to-call; pop ...; call offset-to-pop; "/bin/sh"
1
31
122
The public release of our shadow v2 jemalloc exploitation tool with support for Android (both ARM32 and ARM64):
7
107
122
XNU kernel 4570.1.46 sources (macOS High Sierra 10.13) are now available:
3
70
119
From an iOS 13.3 sandbox profile I just decompiled:
${ENTITLEMENT:.ts.nano-preference.read-write}
;) cc:
@qwertyoruiopz
5
7
112
Apple had accidentally (again ;) left in code related to a new A12/A13 kernel integrity implementation called CTRR (KERNEL_INTEGRITY_CTRR). But there are also more interesting things in the diff.
If you diff the XNU 6153.41.3 sources that were taken down (tar.gz md5: 374aedd280f4ba812ec3796445a3d8b8) vs the ones available now (tar.gz md5: 6e111e534c5a80b6edd737d9c4c880eb ), you will understand the reason they were quickly deleted ;)
6
11
87
4
28
112
iOS 13.4.5 beta 1 (17F5034c) has introduced a new sandbox operation: fs-snapshot-mount
2
21
112
My IDAPython sandbox profiles dumper / decompiler against the sandbox kext from iOS 13.1.3; I have implemented handling for all operations and filters.
The plan is to use it for something cool in
@checkra1n
; stay tuned!
1
19
113
"Smashing the stack for fun and profit" by
@aleph_one
anniversary -- 8 Nov 1996!
jmp offset-to-call
pop ...
call offset-to-pop
"/bin/sh"
1
32
103
Ghidra decompiler view -> right click on a (possible) ptr to a struct -> "Auto Create Structure": base struct and fields created from its uses.
Then viewable under Data Type Manager -> auto_structs. Right click it there to get "Find Uses of" and "Find Uses of Field".
Handy!
1
20
106
XNU kernel 8792.41.9 sources (macOS 13.0) are now available:
1
20
103
Look for __ARM_KERNEL_PROTECT__ in XNU kernel's code to see Apple's changes to protect against microarchitectural attacks on ARM64; basically kernel mappings are removed when switching to userland (EL0) from kernel (EL1):
2
37
99
Don't forget to support Binary Ninja, Hopper, Relyze, Radare, and any other RE tool that slips my mind right now. Alternatives are awesome!
4
15
99
iOS 12.0 beta2 sandbox kext profiles finally dumped; my IDAPython script takes ~20 minutes to unpack and dump them all (190 in iOS 12b2).
"darwin-notification-post" is one of the new operations added in iOS 12.0b; here's the operations' diff with 11.4:
2
26
97
If you diff the XNU 6153.41.3 sources that were taken down (tar.gz md5: 374aedd280f4ba812ec3796445a3d8b8) vs the ones available now (tar.gz md5: 6e111e534c5a80b6edd737d9c4c880eb ), you will understand the reason they were quickly deleted ;)
6
11
87
All source tarballs for macOS 10.13.6, 10.13.5, and 10.13.4 are now available:
10.13.6:
10.13.5:
10.13.4:
0
34
87
I just released "shadow", a Firefox/jemalloc heap exploitation swiss army knife:
1
78
87
Congrats to my co-researcher
@census_labs
Chariton Karamitas (huku) for his academic publication on binary diffing:
1
25
80
You can find how to exploit jemalloc double frees in mine and
@yung_vats
' Infiltrate talk from last year. Although our work was Android-specific, the methodology applies to all targets that use jemalloc:
0
38
79
Remember, remember the 22nd of November
4
41
80
"The university of Minnesota has been banned from making any commits to the Linux kernel after it was found out they'd been submitting bogus patches to the LKML to knowingly introduce security issues:"
7
32
78
Slide deck from my
@InfiltrateCon
2015 talk "OR’LYEH? The Shadow over Firefox":
http://t.co/nfCqC8xrRE
3
71
77
Pangu's notes on the iOS Pegasus kernel bugs and persistence method; orig: and translation:
0
55
67
Added some SecureROM specific stuff to my iBoot64helper, more soon:
1
15
66
Public sample of CVE-2015-4495 (via
@0x0000EBFE
) -
http://t.co/BSIo0qcTLk;
looks like the real malicious sample from the in-the-wild attack.
1
71
66
My iOS sandbox kext IDAPython dumper / profile decompiler against version 12.1 b2 (16B5068i); I have implemented full support for all operations and filters.
2
17
66
iOS 14.5 beta 4 (18E5178a) adds these new sandbox operations:
3
16
67
Porting my iBoot64helper to Ghidra, stay tuned
4
10
63
Pangu's writeup on CVE-2016-4655, an XNU stack infoleak in OSUnserializeBinary; orig: ; eng:
0
48
65
In contrast to almost all process-specific sandbox profiles, the iOS platform profile (which serves as the default policy for all processes) is "allow default"; it enumerates the baseline of what processes are not allowed to do, here's an excerpt from it:
1
10
64
Happy Malloc Maleficarum anniversary! I’ll celebrate by completing a somewhat old Firefox/jemalloc exploit I left unfinished because the underlying UAF bug was fixed in a release.
1
18
61
If you're trying to compile XNU 4570.41.2 (macOS 10.13.3), these two repositories may help you: &&
1
16
62
Choronzon, our (CENSUS) evolutionary knowledge-based fuzzer, has just been released as open source software:
2
65
60
Good to see
@LambdaConcept
using my iBoot64helper for loading SecureROM to IDA and attaching to a
#checkm8
demoted device:
I plan to push more commits to it today:
0
18
59
I'm on the PC of the Reversing & Offensive-oriented Trends Symposium (ROOTS), and the CFP is now open (deadline Aug. 20)!
Contrary to academic CON practice, lodgings and travel expenses are covered for accepted authors.
Submit your offensive work now!
0
33
61
This VUzzer paper takes many ideas from our Choronzon fuzzer we have developed and open sourced half a year ago:
4
31
60
Don’t use unofficial and/or re-packed versions of checkra1n! It’s not that hard for someone to include malicious functionality!
Always get your checkra1n from:
5
11
56
After some small changes, my IDAPython IOKit vtable reconstructor works again on iOS 12.0 beta1 kexts.
1
8
60
Phrack anniversary
"This issue is Volume One, Issue One, released on November 17, 1985."
0
20
59
I shouldn't need to say this, but don't jailbreak your primary device; just your testing/research devices.
12
7
58
What is happening? Is this bizarro world?
2
16
58
v67 of
@tihmstar
's prometheus downgrade nonce-matching-apticket method is working for me now:
4
17
49
I am looking forward to Apple's portless iPhone and all the new code in iBoot this will bring along.
3
0
54
OS X + iOS IOKit IOSurfaceRoot (available from sandbox) kernel code execution bug (and PoC code) from
#ProjectZero
:
2
48
54
I wanted mail with encrypted metadata, but instead we now have spam with UTF8 emojis in the subject. The future sucks.
0
69
48