Vulnerable Kext

A WIP (work-in progress) "Vulnerable by Design" kext for iOS/macOS to play/learn with *OS kernel exploitation

Usage

• Documentation can be found at https://fuzzing.science/vulnerable-kext

• Basic setup requirements

  • iOS device that can be jailbroken with checkra1n
  • Currently the make files are made to be used on a Mac. So, a macOS device or a VM.

• Running the following command causes checkra1n to listen for attached iOS devices in DFU mode and boot pongoOS:

/Applications/checkra1n.app/Contents/MacOS/checkra1n -c -p

• Run run.sh to build kext_loader, pongo_module, and the vulnerable kext and to start kext_loader kext_loader waits for a device that's booted pongo shell!

./run.sh

For more details about ktrw, check ktrw

Disclaimer

Vulnerable-Kext is an intentionally vulnerable kext for iOS/macOS, meant for educational purpose only.

TODO

• Add IOKit stuff
• Add vulnerabilities from reported XNU/IOKit bugs? 🤔
• Maybe improve stability of loading kexts
• Fix the bugs in the vulnerabilities I implemented 🧐
• Add Writeups for exploitation

credits

• @_bazad for the super awesome ktrw
• checkra1n team for the jailbreak
• Used the kext template from twic