exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 25 of 132 RSS Feed

Files from Ian Beer

Email addressianbeer at google.com
First Active2014-12-02
Last Active2023-02-03
macOS Dirty Cow Arbitrary File Write Local Privilege Escalation
Posted Feb 3, 2023
Authored by timwr, Ian Beer, Zhuowei Zhang | Site metasploit.com

Dirty Cow arbitrary file write local privilege escalation exploit for macOS.

tags | exploit, arbitrary, local
advisories | CVE-2022-46689
SHA-256 | 2c735a5dbdfd48004da2df38d8a8eed0528ab5199ff9cd6dbf70e890c7786c0c
XNU vm_map_copy_overwrite_unaligned Race Condition
Posted Jan 17, 2023
Authored by Google Security Research, Ian Beer

A XNU race condition in vm_map_copy_overwrite_unaligned allows writing to read-only mappings.

tags | exploit
advisories | CVE-2022-46689
SHA-256 | d28599b3adaf36ddb22cc63b493aedbe6d4bd9c80ab19441c0799cf163fd9d83
XNU VM Copy-On-Write Bypass
Posted Jan 17, 2023
Authored by Google Security Research, Ian Beer

XNU VM suffers from a copy-on-write bypass vulnerability due to incorrect shadow creation logic used during unaligned vm_map_copy operations.

tags | exploit, bypass
advisories | CVE-2022-46689
SHA-256 | 5a1b882267ecf571c7ea7314e620f51e45be202a17fa7c8a02fcea5a7a5b3641
XNU vm_object Use-After-Free
Posted Nov 25, 2022
Authored by Google Security Research, Ian Beer

XNU suffers from a vm_object use-after-free vulnerability due to invalid error handling in vm_map_enter.

tags | exploit
advisories | CVE-2022-42801
SHA-256 | 5ef6c77b173e377d874346d025662d6a74af50dd2789a4af20f0430f362f87df
XNU Dangling PTE Entry
Posted Nov 25, 2022
Authored by Google Security Research, Ian Beer

XNU suffers from a dangling PTE entry due to integer truncation when collapsing vm_object shadow chains.

tags | exploit
advisories | CVE-2022-32924
SHA-256 | 29e4042cd9a0b7666d0b7fda5c45703a1a078adf7f5202670b30f28e36559698
launchd Heap Corruption
Posted Jun 30, 2022
Authored by Google Security Research, Ian Beer

launchd suffers from a heap corruption vulnerability due to incorrect rounding in launch_data_unpack.

tags | advisory
advisories | CVE-2014-1359
SHA-256 | 5728e5ebf948c4d9fcd1bcdca177b71ce40167df17cbb2d5d1900427d642880f
XNU Kernel mach_msg Use-After-Free
Posted Jan 24, 2022
Authored by Google Security Research, Ian Beer

The XNU kernel suffers from a use-after-free vulnerability in mach_msg.

tags | exploit, kernel
advisories | CVE-2021-30949
SHA-256 | 2f6301f083bee339053850c19d2a821eb5bf15e94079651382aba5531646e6f1
XNU Network Stack Kernel Heap Overflow
Posted Jul 14, 2021
Authored by Google Security Research, Ian Beer

XNU suffers from a network stack kernel heap overflow due to an out-of-bounds memmove in 6lowpan. Proof of concept code included.

tags | exploit, overflow, kernel, proof of concept
advisories | CVE-2020-9967, CVE-2021-30736
SHA-256 | a1d06d7c40ef5cee75dbfed56b2263d072ffb407a0a5a9ac79847d59421ad896
iOS / macOS Radio Proximity Kernel Memory Corruption
Posted Apr 7, 2021
Authored by Google Security Research, Ian Beer

A radio proximity kernel memory corruption vulnerability exists in iOS and macOS due to bad state machine in BSS steering.

tags | exploit, kernel
systems | ios
advisories | CVE-2020-3843, CVE-2020-9906
SHA-256 | 9e6c28acc2dc2cdb2acc5704dda5595cbbba3c80139500e4fad8a275eaa86716
XNU Kernel Mach Message Trailers Memory Disclosure
Posted Feb 5, 2021
Authored by Google Security Research, Ian Beer

The XNU kernel suffers from a memory disclosure vulnerability in mach message trailers.

tags | exploit, kernel
advisories | CVE-2020-27950
SHA-256 | 642f39fd92a5ac4ffb770427ffb354a2a9fadfb25d5b0622ea37837653fb0f84
XNU Kernel Turnstiles Type Confusion
Posted Feb 5, 2021
Authored by Google Security Research, Ian Beer

The XNU kernel suffers from a type confusion vulnerability in turnstiles.

tags | exploit, kernel
advisories | CVE-2020-27932
SHA-256 | d3d2bb641fe186858d248f07b853338f4be5d90e81441c7f7abebd7540ae579c
Safari Webkit For iOS 7.1.2 JIT Optimization Bug
Posted Aug 14, 2020
Authored by timwr, Ian Beer, kudima, WanderingGlitch | Site metasploit.com

This Metasploit module exploits a JIT optimization bug in Safari Webkit. This allows us to write shellcode to an RWX memory section in JavaScriptCore and execute it. The shellcode contains a kernel exploit (CVE-2016-4669) that obtains kernel rw, obtains root and disables code signing. Finally we download and execute the meterpreter payload. This module has been tested against iOS 7.1.2 on an iPhone 4.

tags | exploit, kernel, root, shellcode
systems | apple, iphone, ios
advisories | CVE-2016-4669, CVE-2018-4162
SHA-256 | 8ca4b125e9aba514f4d2bd3c12b5189f4dceafcaab577262cc602a11c87480fb
iOS / macOS Wifi Proximity Kernel Double-Free
Posted Jun 25, 2020
Authored by Google Security Research, Ian Beer

iOS and macOS suffered from a wifi proximity kernel double-free vulnerability in AWDL BSS Steering.

tags | exploit, kernel
systems | ios
advisories | CVE-2020-3843, CVE-2020-9844
SHA-256 | 185ed329e279974bff794995bb28d911a3d0487fe537cf5e9f91c71beea77fb6
iOS / macOS AWDL Heap Corruption / Bounds Checking
Posted Mar 9, 2020
Authored by Google Security Research, Ian Beer

A remote iOS / macOS heap corruption issue exists due to insufficient bounds checking in AWDL.

tags | exploit, remote
systems | ios
advisories | CVE-2020-3843
SHA-256 | 1e68cf9915d34a1e26c5b0144404e1b0fe8b04f018d7bdc8675b27fbd497f2c1
Samsung /dev/tsmux Heap Out-Of-Bounds Write
Posted Feb 13, 2020
Authored by Google Security Research, Ian Beer

The Samsung kernel suffers from a heap out-of-bounds write in /dev/tsmux.

tags | exploit, kernel
SHA-256 | cfdc74006e656bf14b792a3ef9b9b45e5579d2eed455326e014482691d8ebf38
XPC Memory Disclosure / Corruption
Posted Feb 13, 2020
Authored by Google Security Research, Ian Beer

XPC fast path fails to ensure NULL termination of XPC strings, leading to memory disclosure and corruption vulnerabilities in XPC services.

tags | exploit, vulnerability
advisories | CVE-2020-3856
SHA-256 | 177cb639e6a25a5904e8f4f9ae68c987f945f93207a3d09333a7ea42bc47e766
macOS / iOS launchd XPC Message Parsing Memory Corruption
Posted Feb 13, 2020
Authored by Google Security Research, Ian Beer

launchd on macOS and iOS suffer from a memory corruption issue due to a lack of bounds checking when parsing XPC messages.

tags | exploit
systems | ios
advisories | CVE-2020-3829
SHA-256 | 13c83122693a08ee0f24211a2e669324b5b58b62191c82afb69d83c51fdecf4a
XNU vm_map_copy Insufficient Fix
Posted Jan 22, 2020
Authored by Google Security Research, Ian Beer

An insufficient fix for CVE-2019-6205 means XNU vm_map_copy optimization which requires atomicity still is not atomic.

tags | exploit
advisories | CVE-2019-6205, CVE-2019-8833
SHA-256 | 64852008642517c7a6286853a18dc6ef2a98bff2e171d9812bbe7c77a11b7b7d
iOS mediaserverd Integer Overflow Sandbox Escape
Posted Nov 15, 2019
Authored by Google Security Research, Ian Beer

iOS suffers from a sandbox escape vulnerability due to an integer overflow in mediaserverd.

tags | exploit, overflow
systems | ios
SHA-256 | 2b4a9f24dc9fb9fa02db02c8a4e93a710241e3d12f49d9ae097344a6df912908
Safari Webkit Proxy Object Type Confusion
Posted Jun 2, 2019
Authored by saelo, Ian Beer, Siguza, niklasb | Site metasploit.com

This Metasploit module exploits a type confusion bug in the Javascript Proxy object in WebKit. The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation. This makes it possible to change the structure of e.g. an argument without causing a bailout, leading to a type confusion (CVE-2018-4233). The type confusion leads to the ability to allocate fake Javascript objects, as well as the ability to find the address in memory of a Javascript object. This allows us to construct a fake JSCell object that can be used to read and write arbitrary memory from Javascript. The module then uses a ROP chain to write the first stage shellcode into executable memory within the Safari process and kick off its execution. The first stage maps the second stage macho (containing CVE-2017-13861) into executable memory, and jumps to its entrypoint. The CVE-2017-13861 async_wake exploit leads to a kernel task port (TFP0) that can read and write arbitrary kernel memory. The processes credential and sandbox structure in the kernel is overwritten and the meterpreter payloads code signature hash is added to the kernels trust cache, allowing Safari to load and execute the (self-signed) meterpreter payload.

tags | exploit, arbitrary, kernel, javascript, shellcode
advisories | CVE-2017-13861, CVE-2018-4233
SHA-256 | ac8550e0b0dd814a249c313353fcb65341e18bb2e59885151b0cffac8172e060
iOS / MacOS PF_KEY Kernel Heap Overflow
Posted Jan 31, 2019
Authored by Google Security Research, Ian Beer

iOS and MacOS suffer from a kernel heap overflow in PF_KEY due to lack of bounds checking when retrieving statistics.

tags | exploit, overflow, kernel
systems | ios
advisories | CVE-2019-6213
SHA-256 | bdaf091fad9a237fd95f4fa168b1b385cfb161f48fc179a6801b4e62a8099278
XNU vm_map_copy Optimization Issue
Posted Jan 31, 2019
Authored by Google Security Research, Ian Beer

XNU vm_map_copy optimization which requires atomicity is not atomic. This violates the semantics of mach message OOL memory, and leads to TOCTOU issues which can lead to memory corruption.

tags | exploit
advisories | CVE-2019-6205
SHA-256 | b373ad17106c25ccfb2435934691e9a515824d6d61c83d2a4930737e86b27e33
iOS / MacOS iohideventsystem Sandbox Escape
Posted Jan 31, 2019
Authored by Google Security Research, Ian Beer

iOS and MacOS suffers from sandbox escape vulnerabilities due to type confusions and memory safety issues in iohideventsystem.

tags | exploit, vulnerability
systems | ios
advisories | CVE-2019-6214
SHA-256 | b146623feeb4a1369ee8ad78d27a529480b21c17737e192ad3c2686b0448d8cb
MacOS 10.14.1 libxpc Deallocation
Posted Jan 31, 2019
Authored by Google Security Research, Ian Beer

libxpc on MacOS version 10.14.1 suffers from an arbitrary mach port name deallocation in XPC services due to invalid mach message parsing in _xpc_serializer_unpack.

tags | exploit, arbitrary
advisories | CVE-2019-6218
SHA-256 | 861787c4c8e28e6258f60f01561930d07585075db06c25a1f80b7aadb5eeb770
Apple Intel GPU Driver Use-After-Free / Double-Delete
Posted Oct 19, 2018
Authored by Google Security Research, Ian Beer

The Apple Intel GPU driver suffers from use-after-free and double-delete issues due to bad locking.

tags | advisory
systems | apple
advisories | CVE-2018-4334
SHA-256 | 4d6791432618061cb975059371e237f9a46d82d2bec01d12172ccd55d321b85d
Page 1 of 6
Back12345Next

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close