13 Mar 2024
I audited the Android kernel in late 2023 and reported 10 kernel bugs to Google, along with 2 exploits. Today I'm releasing the first exploit, targeting the Mali GPU on Pixel devices, accessible from an untrusted_app context. github.com/0x36/Pixel_GPU_Ex…
24 Nov 2022
I'm sharing two other iOS kernel vulnerabilities reachable from the default app sandbox that don’t require you to open a UserClient: 0x36.github.io/CVE-2022-3289…
16 Nov 2022
CVE-2022-32932 is another vulnerability I discovered in the ANE kernel interface; this is a double fetch issue that resulted in an interesting OOB write. 0x36.github.io/CVE-2022-3293…
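The double-fetch pattern behind a bug like the one mentioned above, as an added illustration that is not part of the original post and not the ANE or CVE-2022-32932 code: a simulated kernel handler reads a length field from user memory to bounds-check it, then reads the same field again when doing the copy. A racing user thread that rewrites the field between the two reads turns a passing check into an out-of-bounds write. The structures, the `copyin()` stand-in and the `race_flip_len()` hook that models the racing thread are all constructed for this example; the fixed handler next to it fetches once and uses only the local copy.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define KBUF_SIZE 16u

/* Request layout a user process hands to the simulated kernel.
 * Constructed for this example; not a real driver interface. */
struct req {
    uint32_t len;        /* number of data bytes the caller wants copied */
    uint8_t  data[64];
};

/* Shared "user memory": a racing user thread may rewrite it at any time. */
static struct req user_req;

/* Stand-in for copyin(): the kernel reads user memory field by field. */
static void copyin(void *dst, const void *src, size_t n)
{
    memcpy(dst, src, n);
}

/* Models the racing thread: runs in the window between check and use. */
static void race_flip_len(void)
{
    user_req.len = KBUF_SIZE + 4;   /* larger than the check allowed */
}

/* Vulnerable handler: validates user_req.len, then re-reads it for the copy. */
static int handle_double_fetch(uint8_t *kbuf)
{
    uint32_t len;
    copyin(&len, &user_req.len, sizeof len);
    if (len > KBUF_SIZE)
        return -1;                                  /* check */
    race_flip_len();                                /* race window */
    copyin(kbuf, user_req.data, user_req.len);      /* use: second, unchecked fetch */
    return 0;
}

/* Fixed handler: fetch once, validate the snapshot, copy with the snapshot. */
static int handle_single_fetch(uint8_t *kbuf)
{
    uint32_t len;
    copyin(&len, &user_req.len, sizeof len);
    if (len > KBUF_SIZE)
        return -1;
    race_flip_len();                                /* same window, now harmless */
    copyin(kbuf, user_req.data, len);               /* bound comes from the snapshot */
    return 0;
}

/* Runs a handler against a 16-byte kernel buffer followed by a canary.
 * Returns -1 if the request was rejected, 0 if the canary survived,
 * 1 if the copy ran past the buffer and clobbered the canary. */
static int run_handler(int (*handler)(uint8_t *))
{
    uint8_t kbuf[KBUF_SIZE + sizeof(uint32_t)];
    const uint32_t canary = 0xdeadbeefu;

    memset(kbuf, 0, sizeof kbuf);
    memcpy(kbuf + KBUF_SIZE, &canary, sizeof canary);

    user_req.len = 8;                               /* passes the bounds check */
    memset(user_req.data, 0x41, sizeof user_req.data);

    if (handler(kbuf) != 0)
        return -1;
    return memcmp(kbuf + KBUF_SIZE, &canary, sizeof canary) == 0 ? 0 : 1;
}

int main(void)
{
    printf("double fetch: canary %s\n",
           run_handler(handle_double_fetch) == 1 ? "smashed" : "intact");
    printf("single fetch: canary %s\n",
           run_handler(handle_single_fetch) == 0 ? "intact" : "smashed or rejected");
    return 0;
}
```

The race is modelled by a direct call rather than a real thread so the outcome is deterministic; on real hardware the same window is hit by spinning a second thread that toggles the field, and the reliability depends on how wide the window between the two copies is.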
26 Oct 2022
16 kernel bugs I reported to Apple have been fixed in iOS 16/16.1. I'll give a talk on how I chained some bugs to achieve kernel r/w at #POC2022 next month, and the kernel exploit for iOS 15 will be released along with some other high-impact vulns after the conference.
31 Jul 2022
My favorite IDA 8.0 feature so far: artificial Obj-C method imports
1 May 2022
In iOS 15.5 beta 3, Apple removed IOMallocAligned(KHEAP_DEFAULT,...) from IOSharedDataQueue/IODataQueue::initWithCapacity() (it now uses kernel_memory_allocate() with the KMA_DATA flag). It was an elegant technique to groom the kernel default heap with user-controlled data. RIP
19 Jan 2022
I’ve updated ghidra_kernelcache! Now it’s compatible with Ghidra 10.1, with macOS KEXT/Kernelcache support, PAC Xrefs, better class definition with a custom class construction feature, DWARF4 and more ... check it out. github.com/0x36/ghidra_kerne…
19 Jan 2022
And if you lean more toward IDA, you can also import the C header from Ghidra and parse it there :-)
7 May 2021
Looks like Ghidra does not support LC_DYLD_CHAINED_FIXUPS for macOS M1 KEXTs; here is a dirty script to fix it. gist.github.com/0x36/5ea657f…
25 Nov 2020
I've updated the oob_events exploit and it should work fine on A12 devices (with a 60% success rate) and ~95% on devices with less RAM, i.e. A10. Tested on iPhone 11 and iPhone 7.
11 Nov 2020
Here is a PoC kernel exploit; it demonstrates how to get the kernel task port on iOS 13.7. I will update the PoC with a writeup later. github.com/0x36/oob_events
11 Nov 2020
The exploit on arm64e is not quite reliable, unlike iPhone9,3 (which works 9/10 times); expect a lot of kernel panics. It needs some work, and it’s hard to make such an exploit generic and working across all devices.
11 Nov 2020
I don't recommend using it on your personal device or using it for a jailbreak. It may leave your device in an unstable state. You’ve been warned.
8 Nov 2020
I've checked iOS 14.1, which ships with IOGPUFamily (the successor of IOAcceleratorFamily), and didn't find a matching pattern to trigger the bug, so it works only on iOS 13.x and on all devices using IOAcceleratorFamily, i.e. macOS.
16 Jul 2020
iOS 13.6 forced me to rewrite the exploit from scratch.