├── .DS_Store ├── .gitignore ├── LICENSE ├── Makefile ├── README.md ├── fun.m ├── kfd.xcodeproj ├── project.pbxproj └── project.xcworkspace │ ├── contents.xcworkspacedata │ └── xcshareddata │ ├── IDEWorkspaceChecks.plist │ └── swiftpm │ └── Package.resolved ├── kfd ├── .DS_Store ├── Assets.xcassets │ ├── AccentColor.colorset │ │ └── Contents.json │ ├── AppIcon.appiconset │ │ └── Contents.json │ └── Contents.json ├── CBindings │ ├── CBindings.h │ ├── posix_spawn.h │ └── th_state.h ├── ContentView.swift ├── Preview Content │ └── Preview Assets.xcassets │ │ └── Contents.json ├── fun │ ├── fun.h │ ├── fun.m │ ├── grant_full_disk_access.h │ ├── grant_full_disk_access.m │ ├── helpers.h │ ├── helpers.m │ ├── krw.c │ ├── krw.h │ ├── offsets.h │ ├── offsets.m │ ├── proc.c │ ├── proc.h │ ├── thanks_opa334dev_htrowii.h │ ├── thanks_opa334dev_htrowii.m │ ├── vnode.c │ └── vnode.h ├── kfd-Bridging-Header.h ├── kfd.entitlements ├── kfdApp.swift ├── libkfd.h ├── libkfd │ ├── .DS_Store │ ├── AAAA.bin │ ├── com.apple.MobileGestalt.plist │ ├── common.h │ ├── info.h │ ├── info │ │ ├── dynamic_info.h │ │ └── static_info.h │ ├── krkw.h │ ├── krkw │ │ ├── kread │ │ │ ├── kread_kqueue_workloop_ctl.h │ │ │ └── kread_sem_open.h │ │ └── kwrite │ │ │ ├── kwrite_dup.h │ │ │ └── kwrite_sem_open.h │ ├── perf.h │ ├── puaf.h │ └── puaf │ │ ├── physpuppet.h │ │ └── smith.h └── test.swift ├── macos_kfd.c └── writeups ├── exploiting-puafs.md ├── figures ├── exploiting-puafs-figure1.png ├── exploiting-puafs-figure2.png ├── physpuppet-figure1.png ├── physpuppet-figure2.png ├── physpuppet-figure3.png ├── physpuppet-figure4.png ├── physpuppet-figure5.png ├── physpuppet-figure6.png ├── smith-figure1.png ├── smith-figure2.png ├── smith-figure3.png └── smith-figure4.png ├── physpuppet.md └── smith.md /.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/.DS_Store -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | macos_kfd 2 | xcuserdata 3 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/LICENSE -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/Makefile -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/README.md -------------------------------------------------------------------------------- /fun.m: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/fun.m -------------------------------------------------------------------------------- /kfd.xcodeproj/project.pbxproj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd.xcodeproj/project.pbxproj -------------------------------------------------------------------------------- /kfd.xcodeproj/project.xcworkspace/contents.xcworkspacedata: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd.xcodeproj/project.xcworkspace/contents.xcworkspacedata -------------------------------------------------------------------------------- /kfd.xcodeproj/project.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd.xcodeproj/project.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist -------------------------------------------------------------------------------- /kfd.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved -------------------------------------------------------------------------------- /kfd/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd/.DS_Store -------------------------------------------------------------------------------- /kfd/Assets.xcassets/AccentColor.colorset/Contents.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd/Assets.xcassets/AccentColor.colorset/Contents.json -------------------------------------------------------------------------------- /kfd/Assets.xcassets/AppIcon.appiconset/Contents.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd/Assets.xcassets/AppIcon.appiconset/Contents.json -------------------------------------------------------------------------------- /kfd/Assets.xcassets/Contents.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd/Assets.xcassets/Contents.json -------------------------------------------------------------------------------- /kfd/CBindings/CBindings.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd/CBindings/CBindings.h -------------------------------------------------------------------------------- /kfd/CBindings/posix_spawn.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd/CBindings/posix_spawn.h -------------------------------------------------------------------------------- /kfd/CBindings/th_state.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd/CBindings/th_state.h -------------------------------------------------------------------------------- /kfd/ContentView.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd/ContentView.swift -------------------------------------------------------------------------------- /kfd/Preview Content/Preview Assets.xcassets/Contents.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd/Preview Content/Preview Assets.xcassets/Contents.json -------------------------------------------------------------------------------- /kfd/fun/fun.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd/fun/fun.h -------------------------------------------------------------------------------- /kfd/fun/fun.m: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd/fun/fun.m -------------------------------------------------------------------------------- /kfd/fun/grant_full_disk_access.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd/fun/grant_full_disk_access.h -------------------------------------------------------------------------------- /kfd/fun/grant_full_disk_access.m: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd/fun/grant_full_disk_access.m -------------------------------------------------------------------------------- /kfd/fun/helpers.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd/fun/helpers.h -------------------------------------------------------------------------------- /kfd/fun/helpers.m: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd/fun/helpers.m -------------------------------------------------------------------------------- /kfd/fun/krw.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd/fun/krw.c -------------------------------------------------------------------------------- /kfd/fun/krw.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd/fun/krw.h -------------------------------------------------------------------------------- /kfd/fun/offsets.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd/fun/offsets.h -------------------------------------------------------------------------------- /kfd/fun/offsets.m: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd/fun/offsets.m -------------------------------------------------------------------------------- /kfd/fun/proc.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd/fun/proc.c -------------------------------------------------------------------------------- /kfd/fun/proc.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd/fun/proc.h -------------------------------------------------------------------------------- /kfd/fun/thanks_opa334dev_htrowii.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd/fun/thanks_opa334dev_htrowii.h -------------------------------------------------------------------------------- /kfd/fun/thanks_opa334dev_htrowii.m: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd/fun/thanks_opa334dev_htrowii.m -------------------------------------------------------------------------------- /kfd/fun/vnode.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd/fun/vnode.c -------------------------------------------------------------------------------- /kfd/fun/vnode.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd/fun/vnode.h -------------------------------------------------------------------------------- /kfd/kfd-Bridging-Header.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd/kfd-Bridging-Header.h -------------------------------------------------------------------------------- /kfd/kfd.entitlements: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd/kfd.entitlements -------------------------------------------------------------------------------- /kfd/kfdApp.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd/kfdApp.swift -------------------------------------------------------------------------------- /kfd/libkfd.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd/libkfd.h -------------------------------------------------------------------------------- /kfd/libkfd/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd/libkfd/.DS_Store -------------------------------------------------------------------------------- /kfd/libkfd/AAAA.bin: -------------------------------------------------------------------------------- 1 | stD -------------------------------------------------------------------------------- /kfd/libkfd/com.apple.MobileGestalt.plist: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd/libkfd/com.apple.MobileGestalt.plist -------------------------------------------------------------------------------- /kfd/libkfd/common.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd/libkfd/common.h -------------------------------------------------------------------------------- /kfd/libkfd/info.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd/libkfd/info.h -------------------------------------------------------------------------------- /kfd/libkfd/info/dynamic_info.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd/libkfd/info/dynamic_info.h -------------------------------------------------------------------------------- /kfd/libkfd/info/static_info.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd/libkfd/info/static_info.h -------------------------------------------------------------------------------- /kfd/libkfd/krkw.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd/libkfd/krkw.h -------------------------------------------------------------------------------- /kfd/libkfd/krkw/kread/kread_kqueue_workloop_ctl.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd/libkfd/krkw/kread/kread_kqueue_workloop_ctl.h -------------------------------------------------------------------------------- /kfd/libkfd/krkw/kread/kread_sem_open.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd/libkfd/krkw/kread/kread_sem_open.h -------------------------------------------------------------------------------- /kfd/libkfd/krkw/kwrite/kwrite_dup.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd/libkfd/krkw/kwrite/kwrite_dup.h -------------------------------------------------------------------------------- /kfd/libkfd/krkw/kwrite/kwrite_sem_open.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd/libkfd/krkw/kwrite/kwrite_sem_open.h -------------------------------------------------------------------------------- /kfd/libkfd/perf.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd/libkfd/perf.h -------------------------------------------------------------------------------- /kfd/libkfd/puaf.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd/libkfd/puaf.h -------------------------------------------------------------------------------- /kfd/libkfd/puaf/physpuppet.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd/libkfd/puaf/physpuppet.h -------------------------------------------------------------------------------- /kfd/libkfd/puaf/smith.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd/libkfd/puaf/smith.h -------------------------------------------------------------------------------- /kfd/test.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/kfd/test.swift -------------------------------------------------------------------------------- /macos_kfd.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/macos_kfd.c -------------------------------------------------------------------------------- /writeups/exploiting-puafs.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/writeups/exploiting-puafs.md -------------------------------------------------------------------------------- /writeups/figures/exploiting-puafs-figure1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/writeups/figures/exploiting-puafs-figure1.png -------------------------------------------------------------------------------- /writeups/figures/exploiting-puafs-figure2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/writeups/figures/exploiting-puafs-figure2.png -------------------------------------------------------------------------------- /writeups/figures/physpuppet-figure1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/writeups/figures/physpuppet-figure1.png -------------------------------------------------------------------------------- /writeups/figures/physpuppet-figure2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/writeups/figures/physpuppet-figure2.png -------------------------------------------------------------------------------- /writeups/figures/physpuppet-figure3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/writeups/figures/physpuppet-figure3.png -------------------------------------------------------------------------------- /writeups/figures/physpuppet-figure4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/writeups/figures/physpuppet-figure4.png -------------------------------------------------------------------------------- /writeups/figures/physpuppet-figure5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/writeups/figures/physpuppet-figure5.png -------------------------------------------------------------------------------- /writeups/figures/physpuppet-figure6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/writeups/figures/physpuppet-figure6.png -------------------------------------------------------------------------------- /writeups/figures/smith-figure1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/writeups/figures/smith-figure1.png -------------------------------------------------------------------------------- /writeups/figures/smith-figure2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/writeups/figures/smith-figure2.png -------------------------------------------------------------------------------- /writeups/figures/smith-figure3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/writeups/figures/smith-figure3.png -------------------------------------------------------------------------------- /writeups/figures/smith-figure4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/writeups/figures/smith-figure4.png -------------------------------------------------------------------------------- /writeups/physpuppet.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/writeups/physpuppet.md -------------------------------------------------------------------------------- /writeups/smith.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lrdsnow/kfd/HEAD/writeups/smith.md --------------------------------------------------------------------------------