Switch branches/tags
Nothing to show
Find file History
Latest commit f503007 Jul 7, 2017


Exploit using following bugs to escape Safari sandbox:

  • CVE-2017-2533: TOCTOU in diskarbitrationd
  • CVE-2017-2535: PID reuse logic bug in authd
  • CVE-2017-2534: Arbitrary dylib loading in speechsynthesisd
  • CVE-2017-6977: NULL ptr dereference in nsurlstoraged

by phoenhex team (niklasb & saelo)

How to use

  1. Get a vulnerable macOS 10.12.4 system with a FAT32 partition called /dev/disk0s1
  2. Back up the contents of /dev/disk0s1
  3. Start Safari
  4. make reset
  5. make inject