POC details: 65c2d538bcb19bb2692fa4eb461070f566cb0046

Source
Related vulnerability
Title: Apple macOS Big Sur input validation error vulnerability (CVE-2023-32434)
Description: Apple macOS Big Sur is the 17th major version of macOS, the Mac operating system from Apple Inc. (USA). Apple macOS Big Sur contains an input validation error vulnerability caused by an integer overflow; an application may be able to execute arbitrary code with kernel privileges.
Description
Deterministic kernel exploit based on CVE-2023-32434.
Introduction
# Trigon

Trigon is a deterministic kernel exploit based on CVE-2023-32434. It currently supports A10(X) devices running iOS 13 - 15.7.6. Being deterministic means that this exploit will never panic during or after exploitation and is completely reliable.

In the future, I would like to add support for iOS 16.0 - 16.5, as well as expand the range of supported chipsets. However, as the writeup explains, this is not always feasible.

Trigon exploits the same CVE as the one used in kfd's Smith exploit, except not as a physical use-after-free. Instead, it takes a different code path in the kernel and uses the vulnerability to create an arbitrary physical address mapping primitive. This gives us read/write primitives to any physical address **unless it's a page table**. Not being able to read page tables made exploitation more difficult, but in the end we found a nice trick to determine whether or not a page holds a page table before reading it and were able to build full virtual read/write primitives.

The full writeup can be found [here](https://alfiecg.uk/2025/03/01/Trigon.html). If you're into technical iOS-related writeups, I would recommend you take a read! I have tried to make it as understandable as possible so that those who are not iOS researchers can follow it too.
File snapshot

```text
[4.0K] /data/pocs/65c2d538bcb19bb2692fa4eb461070f566cb0046
├── [1.3K] README.md
├── [4.0K] Trigon
│   ├── [ 175] AppDelegate.h
│   ├── [ 507] AppDelegate.m
│   ├── [4.0K] Assets.xcassets
│   │   ├── [4.0K] AccentColor.colorset
│   │   │   └── [ 123] Contents.json
│   │   ├── [4.0K] AppIcon.appiconset
│   │   │   └── [ 607] Contents.json
│   │   └── [  63] Contents.json
│   ├── [4.0K] Base.lproj
│   │   ├── [1.6K] LaunchScreen.storyboard
│   │   └── [1.6K] Main.storyboard
│   ├── [4.0K] Exploit
│   │   ├── [5.7K] exploit.c
│   │   ├── [ 132] exploit.h
│   │   ├── [2.2K] iboot-handoff.c
│   │   ├── [ 280] iboot-handoff.h
│   │   ├── [2.4K] info.c
│   │   ├── [ 619] info.h
│   │   ├── [ 797] mach_vm.h
│   │   ├── [2.0K] memory.c
│   │   ├── [ 693] memory.h
│   │   ├── [ 15K] patchfinder.c
│   │   ├── [ 155] patchfinder.h
│   │   ├── [ 305] pv.c
│   │   ├── [1.5K] pv.h
│   │   ├── [7.8K] surface.c
│   │   ├── [ 583] surface.h
│   │   ├── [1.1K] translation.c
│   │   └── [ 157] translation.h
│   ├── [ 304] Info.plist
│   ├── [ 392] main.m
│   ├── [ 112] ViewController.h
│   └── [ 822] ViewController.m
└── [4.0K] Trigon.xcodeproj
    ├── [ 12K] project.pbxproj
    └── [4.0K] project.xcworkspace
        └── [ 135] contents.xcworkspacedata

8 directories, 31 files
```