├── .gitignore ├── LICENSE ├── Makefile ├── README.md ├── kfd.xcodeproj ├── project.pbxproj └── project.xcworkspace │ ├── contents.xcworkspacedata │ └── xcshareddata │ └── IDEWorkspaceChecks.plist ├── kfd ├── Assets.xcassets │ ├── AccentColor.colorset │ │ └── Contents.json │ ├── AppIcon.appiconset │ │ └── Contents.json │ └── Contents.json ├── ContentView.swift ├── Preview Content │ └── Preview Assets.xcassets │ │ └── Contents.json ├── kfd-Bridging-Header.h ├── kfd.entitlements ├── kfdApp.swift ├── libkfd.h └── libkfd │ ├── common.h │ ├── info.h │ ├── info │ ├── dynamic_types │ │ ├── kqworkloop.h │ │ ├── proc.h │ │ ├── task.h │ │ ├── thread.h │ │ ├── uthread.h │ │ └── vm_map.h │ └── static_types │ │ ├── fileglob.h │ │ ├── fileops.h │ │ ├── fileproc.h │ │ ├── fileproc_guard.h │ │ ├── ipc_entry.h │ │ ├── ipc_port.h │ │ ├── ipc_space.h │ │ ├── miscellaneous_types.h │ │ ├── pmap.h │ │ ├── pseminfo.h │ │ ├── psemnode.h │ │ ├── semaphore.h │ │ ├── vm_map_copy.h │ │ ├── vm_map_entry.h │ │ ├── vm_named_entry.h │ │ ├── vm_object.h │ │ └── vm_page.h │ ├── krkw.h │ ├── krkw │ ├── kread │ │ ├── kread_kqueue_workloop_ctl.h │ │ └── kread_sem_open.h │ └── kwrite │ │ ├── kwrite_dup.h │ │ └── kwrite_sem_open.h │ ├── perf.h │ ├── puaf.h │ └── puaf │ ├── physpuppet.h │ └── smith.h ├── macos_kfd.c └── writeups ├── exploiting-puafs.md ├── figures ├── exploiting-puafs-figure1.png ├── exploiting-puafs-figure2.png ├── physpuppet-figure1.png ├── physpuppet-figure2.png ├── physpuppet-figure3.png ├── physpuppet-figure4.png ├── physpuppet-figure5.png ├── physpuppet-figure6.png ├── smith-figure1.png ├── smith-figure2.png ├── smith-figure3.png └── smith-figure4.png ├── physpuppet.md └── smith.md /.gitignore: -------------------------------------------------------------------------------- 1 | macos_kfd 2 | xcuserdata 3 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/LICENSE -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/Makefile -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/README.md -------------------------------------------------------------------------------- /kfd.xcodeproj/project.pbxproj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/kfd.xcodeproj/project.pbxproj -------------------------------------------------------------------------------- /kfd.xcodeproj/project.xcworkspace/contents.xcworkspacedata: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/kfd.xcodeproj/project.xcworkspace/contents.xcworkspacedata -------------------------------------------------------------------------------- /kfd.xcodeproj/project.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/kfd.xcodeproj/project.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist -------------------------------------------------------------------------------- /kfd/Assets.xcassets/AccentColor.colorset/Contents.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/kfd/Assets.xcassets/AccentColor.colorset/Contents.json -------------------------------------------------------------------------------- /kfd/Assets.xcassets/AppIcon.appiconset/Contents.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/kfd/Assets.xcassets/AppIcon.appiconset/Contents.json -------------------------------------------------------------------------------- /kfd/Assets.xcassets/Contents.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/kfd/Assets.xcassets/Contents.json -------------------------------------------------------------------------------- /kfd/ContentView.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/kfd/ContentView.swift -------------------------------------------------------------------------------- /kfd/Preview Content/Preview Assets.xcassets/Contents.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/kfd/Preview Content/Preview Assets.xcassets/Contents.json -------------------------------------------------------------------------------- /kfd/kfd-Bridging-Header.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/kfd/kfd-Bridging-Header.h -------------------------------------------------------------------------------- /kfd/kfd.entitlements: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/kfd/kfd.entitlements -------------------------------------------------------------------------------- /kfd/kfdApp.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/kfd/kfdApp.swift -------------------------------------------------------------------------------- /kfd/libkfd.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/kfd/libkfd.h -------------------------------------------------------------------------------- /kfd/libkfd/common.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/kfd/libkfd/common.h -------------------------------------------------------------------------------- /kfd/libkfd/info.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/kfd/libkfd/info.h -------------------------------------------------------------------------------- /kfd/libkfd/info/dynamic_types/kqworkloop.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/kfd/libkfd/info/dynamic_types/kqworkloop.h -------------------------------------------------------------------------------- /kfd/libkfd/info/dynamic_types/proc.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/kfd/libkfd/info/dynamic_types/proc.h -------------------------------------------------------------------------------- /kfd/libkfd/info/dynamic_types/task.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/kfd/libkfd/info/dynamic_types/task.h -------------------------------------------------------------------------------- /kfd/libkfd/info/dynamic_types/thread.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/kfd/libkfd/info/dynamic_types/thread.h -------------------------------------------------------------------------------- /kfd/libkfd/info/dynamic_types/uthread.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/kfd/libkfd/info/dynamic_types/uthread.h -------------------------------------------------------------------------------- /kfd/libkfd/info/dynamic_types/vm_map.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/kfd/libkfd/info/dynamic_types/vm_map.h -------------------------------------------------------------------------------- /kfd/libkfd/info/static_types/fileglob.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/kfd/libkfd/info/static_types/fileglob.h -------------------------------------------------------------------------------- /kfd/libkfd/info/static_types/fileops.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/kfd/libkfd/info/static_types/fileops.h -------------------------------------------------------------------------------- /kfd/libkfd/info/static_types/fileproc.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/kfd/libkfd/info/static_types/fileproc.h -------------------------------------------------------------------------------- /kfd/libkfd/info/static_types/fileproc_guard.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/kfd/libkfd/info/static_types/fileproc_guard.h -------------------------------------------------------------------------------- /kfd/libkfd/info/static_types/ipc_entry.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/kfd/libkfd/info/static_types/ipc_entry.h -------------------------------------------------------------------------------- /kfd/libkfd/info/static_types/ipc_port.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/kfd/libkfd/info/static_types/ipc_port.h -------------------------------------------------------------------------------- /kfd/libkfd/info/static_types/ipc_space.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/kfd/libkfd/info/static_types/ipc_space.h -------------------------------------------------------------------------------- /kfd/libkfd/info/static_types/miscellaneous_types.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/kfd/libkfd/info/static_types/miscellaneous_types.h -------------------------------------------------------------------------------- /kfd/libkfd/info/static_types/pmap.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/kfd/libkfd/info/static_types/pmap.h -------------------------------------------------------------------------------- /kfd/libkfd/info/static_types/pseminfo.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/kfd/libkfd/info/static_types/pseminfo.h -------------------------------------------------------------------------------- /kfd/libkfd/info/static_types/psemnode.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/kfd/libkfd/info/static_types/psemnode.h -------------------------------------------------------------------------------- /kfd/libkfd/info/static_types/semaphore.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/kfd/libkfd/info/static_types/semaphore.h -------------------------------------------------------------------------------- /kfd/libkfd/info/static_types/vm_map_copy.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/kfd/libkfd/info/static_types/vm_map_copy.h -------------------------------------------------------------------------------- /kfd/libkfd/info/static_types/vm_map_entry.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/kfd/libkfd/info/static_types/vm_map_entry.h -------------------------------------------------------------------------------- /kfd/libkfd/info/static_types/vm_named_entry.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/kfd/libkfd/info/static_types/vm_named_entry.h -------------------------------------------------------------------------------- /kfd/libkfd/info/static_types/vm_object.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/kfd/libkfd/info/static_types/vm_object.h -------------------------------------------------------------------------------- /kfd/libkfd/info/static_types/vm_page.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/kfd/libkfd/info/static_types/vm_page.h -------------------------------------------------------------------------------- /kfd/libkfd/krkw.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/kfd/libkfd/krkw.h -------------------------------------------------------------------------------- /kfd/libkfd/krkw/kread/kread_kqueue_workloop_ctl.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/kfd/libkfd/krkw/kread/kread_kqueue_workloop_ctl.h -------------------------------------------------------------------------------- /kfd/libkfd/krkw/kread/kread_sem_open.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/kfd/libkfd/krkw/kread/kread_sem_open.h -------------------------------------------------------------------------------- /kfd/libkfd/krkw/kwrite/kwrite_dup.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/kfd/libkfd/krkw/kwrite/kwrite_dup.h -------------------------------------------------------------------------------- /kfd/libkfd/krkw/kwrite/kwrite_sem_open.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/kfd/libkfd/krkw/kwrite/kwrite_sem_open.h -------------------------------------------------------------------------------- /kfd/libkfd/perf.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/kfd/libkfd/perf.h -------------------------------------------------------------------------------- /kfd/libkfd/puaf.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/kfd/libkfd/puaf.h -------------------------------------------------------------------------------- /kfd/libkfd/puaf/physpuppet.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/kfd/libkfd/puaf/physpuppet.h -------------------------------------------------------------------------------- /kfd/libkfd/puaf/smith.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/kfd/libkfd/puaf/smith.h -------------------------------------------------------------------------------- /macos_kfd.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/macos_kfd.c -------------------------------------------------------------------------------- /writeups/exploiting-puafs.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/writeups/exploiting-puafs.md -------------------------------------------------------------------------------- /writeups/figures/exploiting-puafs-figure1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/writeups/figures/exploiting-puafs-figure1.png -------------------------------------------------------------------------------- /writeups/figures/exploiting-puafs-figure2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/writeups/figures/exploiting-puafs-figure2.png -------------------------------------------------------------------------------- /writeups/figures/physpuppet-figure1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/writeups/figures/physpuppet-figure1.png -------------------------------------------------------------------------------- /writeups/figures/physpuppet-figure2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/writeups/figures/physpuppet-figure2.png -------------------------------------------------------------------------------- /writeups/figures/physpuppet-figure3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/writeups/figures/physpuppet-figure3.png -------------------------------------------------------------------------------- /writeups/figures/physpuppet-figure4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/writeups/figures/physpuppet-figure4.png -------------------------------------------------------------------------------- /writeups/figures/physpuppet-figure5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/writeups/figures/physpuppet-figure5.png -------------------------------------------------------------------------------- /writeups/figures/physpuppet-figure6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/writeups/figures/physpuppet-figure6.png -------------------------------------------------------------------------------- /writeups/figures/smith-figure1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/writeups/figures/smith-figure1.png -------------------------------------------------------------------------------- /writeups/figures/smith-figure2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/writeups/figures/smith-figure2.png -------------------------------------------------------------------------------- /writeups/figures/smith-figure3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/writeups/figures/smith-figure3.png -------------------------------------------------------------------------------- /writeups/figures/smith-figure4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/writeups/figures/smith-figure4.png -------------------------------------------------------------------------------- /writeups/physpuppet.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/writeups/physpuppet.md -------------------------------------------------------------------------------- /writeups/smith.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GeoSn0w/kfd-exploit/HEAD/writeups/smith.md --------------------------------------------------------------------------------