
https://github.com/wh1te4ever/WebKit-Bug-256172

Safari 1day RCE Exploit


README

# WebKit-Bug-256172
Safari 1-day RCE exploit; might be patched in iOS 16.5.1/macOS 13.4.1.
Confirmed to work on macOS 13.3.1 and iOS 15.8.2.

## Description
Currently only works on macOS 13.0.1 (x86_64) due to hardcoded offsets.
- Implemented addrof/fakeobj, r/w primitive
- Patch SecurityOrigin->m_universalAccess to 1
- Load stage1.bin via JIT execution

## Credit
- [ENKI WhiteHat](https://medium.com/@enki-techblog/ios-16-5-1-safari-rce-analysis-cve-2023-37450-89bb8583bebc) for original PoC with detail writeup
- [saelo](https://github.com/saelo/jscpwn)'s jscpwn module
- [ret2](https://github.com/ret2/Pwn2Own-2021-Safari/tree/main/eop) for building stage1.bin shellcode

## Demo
- https://www.youtube.com/watch?v=s9toRRQoWf4

## Disclaimer
This repository is intended solely for educational purposes and should not be used for any malicious activities.
I am in no way responsible for any misuse of this PoC.