Skip to content
Branch: master
Find file History
Latest commit eea4e31 Dec 30, 2018

Exploit using following bugs to escape Safari sandbox:

  • CVE-2017-2533: TOCTOU in diskarbitrationd
  • CVE-2017-2535: PID reuse logic bug in authd
  • CVE-2017-2534: Arbitrary dylib loading in speechsynthesisd
  • CVE-2017-6977: NULL ptr dereference in nsurlstoraged

by phoenhex team (niklasb & saelo)

How to use

  1. Get a vulnerable macOS 10.12.4 system with a FAT32 partition called /dev/disk0s1
  2. Back up the contents of /dev/disk0s1
  3. Start Safari
  4. make reset
  5. make inject
You can’t perform that action at this time.