
CVE-2023-32434 PoC — Apple macOS Big Sur Input Validation Error Vulnerability

Source
Associated Vulnerability
Title: Apple macOS Big Sur Input Validation Error Vulnerability (CVE-2023-32434)
Description: Apple macOS Big Sur is the 17th major release of macOS, the Mac operating system from Apple Inc. (US). Apple macOS Big Sur contains an input validation error vulnerability caused by an integer overflow; an application may be able to execute arbitrary code with kernel privileges.
Description
Deterministic kernel exploit based on CVE-2023-32434.
Readme
# Trigon

Trigon is a deterministic kernel exploit based on CVE-2023-32434. It currently supports A10(X) devices running iOS 13 - 15.7.6. Being deterministic means that this exploit will never panic during or after exploitation and is completely reliable.

In the future, I would like to add support for iOS 16.0 - 16.5, as well as expand the range of supported chipsets. However, as the writeup explains, this is not always feasible.

Trigon exploits the same CVE as the one used in kfd's Smith exploit, except not as a physical use-after-free. Instead, it takes a different code path in the kernel and uses the vulnerability to create an arbitrary physical address mapping primitive. This gives us read/write primitives to any physical address **unless it's a page table**. Not being able to read page tables made exploitation more difficult, but in the end we found a nice trick to determine whether or not a page holds a page table before reading it and were able to build full virtual read/write primitives.

The full writeup can be found [here](https://alfiecg.uk/2025/03/01/Trigon.html). If you're into technical iOS-related writeups, I would recommend you take a read! I have tried to make it as understandable as possible so that those who are not iOS researchers can follow it too.
File Snapshot

[4.0K] /data/pocs/65c2d538bcb19bb2692fa4eb461070f566cb0046
├── [1.3K] README.md
├── [4.0K] Trigon
│   ├── [ 175] AppDelegate.h
│   ├── [ 507] AppDelegate.m
│   ├── [4.0K] Assets.xcassets
│   │   ├── [4.0K] AccentColor.colorset
│   │   │   └── [ 123] Contents.json
│   │   ├── [4.0K] AppIcon.appiconset
│   │   │   └── [ 607] Contents.json
│   │   └── [  63] Contents.json
│   ├── [4.0K] Base.lproj
│   │   ├── [1.6K] LaunchScreen.storyboard
│   │   └── [1.6K] Main.storyboard
│   ├── [4.0K] Exploit
│   │   ├── [5.7K] exploit.c
│   │   ├── [ 132] exploit.h
│   │   ├── [2.2K] iboot-handoff.c
│   │   ├── [ 280] iboot-handoff.h
│   │   ├── [2.4K] info.c
│   │   ├── [ 619] info.h
│   │   ├── [ 797] mach_vm.h
│   │   ├── [2.0K] memory.c
│   │   ├── [ 693] memory.h
│   │   ├── [ 15K] patchfinder.c
│   │   ├── [ 155] patchfinder.h
│   │   ├── [ 305] pv.c
│   │   ├── [1.5K] pv.h
│   │   ├── [7.8K] surface.c
│   │   ├── [ 583] surface.h
│   │   ├── [1.1K] translation.c
│   │   └── [ 157] translation.h
│   ├── [ 304] Info.plist
│   ├── [ 392] main.m
│   ├── [ 112] ViewController.h
│   └── [ 822] ViewController.m
└── [4.0K] Trigon.xcodeproj
    ├── [ 12K] project.pbxproj
    └── [4.0K] project.xcworkspace
        └── [ 135] contents.xcworkspacedata

8 directories, 31 files