├── .gitignore ├── LICENSE ├── Makefile ├── README.md ├── kfd.xcodeproj ├── project.pbxproj └── project.xcworkspace │ ├── contents.xcworkspacedata │ └── xcshareddata │ └── IDEWorkspaceChecks.plist ├── kfd ├── Assets.xcassets │ ├── AccentColor.colorset │ │ └── Contents.json │ ├── AppIcon.appiconset │ │ └── Contents.json │ └── Contents.json ├── ContentView.swift ├── Info.plist ├── Preview Content │ └── Preview Assets.xcassets │ │ └── Contents.json ├── fun │ ├── cs_blobs.h │ ├── cs_blobs.m │ ├── fun.h │ ├── fun.m │ ├── kpf │ │ ├── libdimentio.h │ │ ├── libdimentio.m │ │ ├── patchfinder.h │ │ └── patchfinder.m │ ├── krw.h │ ├── krw.m │ ├── mdc │ │ ├── grant_full_disk_access.h │ │ ├── grant_full_disk_access.m │ │ ├── helpers.h │ │ ├── helpers.m │ │ ├── vm_unaligned_copy_switch_race.c │ │ └── vm_unaligned_copy_switch_race.h │ ├── offsets.h │ ├── offsets.m │ ├── ppl │ │ ├── GPU_CoreSight.h │ │ ├── GPU_CoreSight.m │ │ ├── pplrw.h │ │ └── pplrw.m │ ├── proc.c │ ├── proc.h │ ├── thanks_opa334dev_htrowii.h │ ├── thanks_opa334dev_htrowii.m │ ├── utils.h │ ├── utils.m │ ├── vnode.h │ └── vnode.m ├── kfd-Bridging-Header.h ├── kfd.entitlements ├── kfdApp.swift ├── libkfd.h └── libkfd │ ├── common.h │ ├── info.h │ ├── info │ ├── dynamic_info.h │ └── static_info.h │ ├── krkw.h │ ├── krkw │ ├── kread │ │ ├── kread_kqueue_workloop_ctl.h │ │ └── kread_sem_open.h │ └── kwrite │ │ ├── kwrite_dup.h │ │ └── kwrite_sem_open.h │ ├── perf.h │ ├── puaf.h │ └── puaf │ ├── landa.h │ ├── physpuppet.h │ └── smith.h ├── macos_kfd.c └── writeups ├── exploiting-puafs.md ├── figures ├── exploiting-puafs-figure1.png ├── exploiting-puafs-figure2.png ├── physpuppet-figure1.png ├── physpuppet-figure2.png ├── physpuppet-figure3.png ├── physpuppet-figure4.png ├── physpuppet-figure5.png ├── physpuppet-figure6.png ├── smith-figure1.png ├── smith-figure2.png ├── smith-figure3.png └── smith-figure4.png ├── physpuppet.md └── smith.md /.gitignore: -------------------------------------------------------------------------------- 1 | macos_kfd 2 | xcuserdata 3 | .DS_Store 4 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/LICENSE -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/Makefile -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/README.md -------------------------------------------------------------------------------- /kfd.xcodeproj/project.pbxproj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd.xcodeproj/project.pbxproj -------------------------------------------------------------------------------- /kfd.xcodeproj/project.xcworkspace/contents.xcworkspacedata: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd.xcodeproj/project.xcworkspace/contents.xcworkspacedata -------------------------------------------------------------------------------- /kfd.xcodeproj/project.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd.xcodeproj/project.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist -------------------------------------------------------------------------------- /kfd/Assets.xcassets/AccentColor.colorset/Contents.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/Assets.xcassets/AccentColor.colorset/Contents.json -------------------------------------------------------------------------------- /kfd/Assets.xcassets/AppIcon.appiconset/Contents.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/Assets.xcassets/AppIcon.appiconset/Contents.json -------------------------------------------------------------------------------- /kfd/Assets.xcassets/Contents.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/Assets.xcassets/Contents.json -------------------------------------------------------------------------------- /kfd/ContentView.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/ContentView.swift -------------------------------------------------------------------------------- /kfd/Info.plist: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/Info.plist -------------------------------------------------------------------------------- /kfd/Preview Content/Preview Assets.xcassets/Contents.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/Preview Content/Preview Assets.xcassets/Contents.json -------------------------------------------------------------------------------- /kfd/fun/cs_blobs.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/fun/cs_blobs.h -------------------------------------------------------------------------------- /kfd/fun/cs_blobs.m: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/fun/cs_blobs.m -------------------------------------------------------------------------------- /kfd/fun/fun.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/fun/fun.h -------------------------------------------------------------------------------- /kfd/fun/fun.m: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/fun/fun.m -------------------------------------------------------------------------------- /kfd/fun/kpf/libdimentio.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/fun/kpf/libdimentio.h -------------------------------------------------------------------------------- /kfd/fun/kpf/libdimentio.m: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/fun/kpf/libdimentio.m -------------------------------------------------------------------------------- /kfd/fun/kpf/patchfinder.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/fun/kpf/patchfinder.h -------------------------------------------------------------------------------- /kfd/fun/kpf/patchfinder.m: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/fun/kpf/patchfinder.m -------------------------------------------------------------------------------- /kfd/fun/krw.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/fun/krw.h -------------------------------------------------------------------------------- /kfd/fun/krw.m: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/fun/krw.m -------------------------------------------------------------------------------- /kfd/fun/mdc/grant_full_disk_access.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/fun/mdc/grant_full_disk_access.h -------------------------------------------------------------------------------- /kfd/fun/mdc/grant_full_disk_access.m: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/fun/mdc/grant_full_disk_access.m -------------------------------------------------------------------------------- /kfd/fun/mdc/helpers.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/fun/mdc/helpers.h -------------------------------------------------------------------------------- /kfd/fun/mdc/helpers.m: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/fun/mdc/helpers.m -------------------------------------------------------------------------------- /kfd/fun/mdc/vm_unaligned_copy_switch_race.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/fun/mdc/vm_unaligned_copy_switch_race.c -------------------------------------------------------------------------------- /kfd/fun/mdc/vm_unaligned_copy_switch_race.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/fun/mdc/vm_unaligned_copy_switch_race.h -------------------------------------------------------------------------------- /kfd/fun/offsets.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/fun/offsets.h -------------------------------------------------------------------------------- /kfd/fun/offsets.m: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/fun/offsets.m -------------------------------------------------------------------------------- /kfd/fun/ppl/GPU_CoreSight.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/fun/ppl/GPU_CoreSight.h -------------------------------------------------------------------------------- /kfd/fun/ppl/GPU_CoreSight.m: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/fun/ppl/GPU_CoreSight.m -------------------------------------------------------------------------------- /kfd/fun/ppl/pplrw.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/fun/ppl/pplrw.h -------------------------------------------------------------------------------- /kfd/fun/ppl/pplrw.m: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/fun/ppl/pplrw.m -------------------------------------------------------------------------------- /kfd/fun/proc.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/fun/proc.c -------------------------------------------------------------------------------- /kfd/fun/proc.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/fun/proc.h -------------------------------------------------------------------------------- /kfd/fun/thanks_opa334dev_htrowii.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/fun/thanks_opa334dev_htrowii.h -------------------------------------------------------------------------------- /kfd/fun/thanks_opa334dev_htrowii.m: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/fun/thanks_opa334dev_htrowii.m -------------------------------------------------------------------------------- /kfd/fun/utils.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/fun/utils.h -------------------------------------------------------------------------------- /kfd/fun/utils.m: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/fun/utils.m -------------------------------------------------------------------------------- /kfd/fun/vnode.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/fun/vnode.h -------------------------------------------------------------------------------- /kfd/fun/vnode.m: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/fun/vnode.m -------------------------------------------------------------------------------- /kfd/kfd-Bridging-Header.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/kfd-Bridging-Header.h -------------------------------------------------------------------------------- /kfd/kfd.entitlements: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/kfd.entitlements -------------------------------------------------------------------------------- /kfd/kfdApp.swift: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/kfdApp.swift -------------------------------------------------------------------------------- /kfd/libkfd.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/libkfd.h -------------------------------------------------------------------------------- /kfd/libkfd/common.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/libkfd/common.h -------------------------------------------------------------------------------- /kfd/libkfd/info.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/libkfd/info.h -------------------------------------------------------------------------------- /kfd/libkfd/info/dynamic_info.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/libkfd/info/dynamic_info.h -------------------------------------------------------------------------------- /kfd/libkfd/info/static_info.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/libkfd/info/static_info.h -------------------------------------------------------------------------------- /kfd/libkfd/krkw.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/libkfd/krkw.h -------------------------------------------------------------------------------- /kfd/libkfd/krkw/kread/kread_kqueue_workloop_ctl.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/libkfd/krkw/kread/kread_kqueue_workloop_ctl.h -------------------------------------------------------------------------------- /kfd/libkfd/krkw/kread/kread_sem_open.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/libkfd/krkw/kread/kread_sem_open.h -------------------------------------------------------------------------------- /kfd/libkfd/krkw/kwrite/kwrite_dup.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/libkfd/krkw/kwrite/kwrite_dup.h -------------------------------------------------------------------------------- /kfd/libkfd/krkw/kwrite/kwrite_sem_open.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/libkfd/krkw/kwrite/kwrite_sem_open.h -------------------------------------------------------------------------------- /kfd/libkfd/perf.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/libkfd/perf.h -------------------------------------------------------------------------------- /kfd/libkfd/puaf.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/libkfd/puaf.h -------------------------------------------------------------------------------- /kfd/libkfd/puaf/landa.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/libkfd/puaf/landa.h -------------------------------------------------------------------------------- /kfd/libkfd/puaf/physpuppet.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/libkfd/puaf/physpuppet.h -------------------------------------------------------------------------------- /kfd/libkfd/puaf/smith.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/kfd/libkfd/puaf/smith.h -------------------------------------------------------------------------------- /macos_kfd.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/macos_kfd.c -------------------------------------------------------------------------------- /writeups/exploiting-puafs.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/writeups/exploiting-puafs.md -------------------------------------------------------------------------------- /writeups/figures/exploiting-puafs-figure1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/writeups/figures/exploiting-puafs-figure1.png -------------------------------------------------------------------------------- /writeups/figures/exploiting-puafs-figure2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/writeups/figures/exploiting-puafs-figure2.png -------------------------------------------------------------------------------- /writeups/figures/physpuppet-figure1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/writeups/figures/physpuppet-figure1.png -------------------------------------------------------------------------------- /writeups/figures/physpuppet-figure2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/writeups/figures/physpuppet-figure2.png -------------------------------------------------------------------------------- /writeups/figures/physpuppet-figure3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/writeups/figures/physpuppet-figure3.png -------------------------------------------------------------------------------- /writeups/figures/physpuppet-figure4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/writeups/figures/physpuppet-figure4.png -------------------------------------------------------------------------------- /writeups/figures/physpuppet-figure5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/writeups/figures/physpuppet-figure5.png -------------------------------------------------------------------------------- /writeups/figures/physpuppet-figure6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/writeups/figures/physpuppet-figure6.png -------------------------------------------------------------------------------- /writeups/figures/smith-figure1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/writeups/figures/smith-figure1.png -------------------------------------------------------------------------------- /writeups/figures/smith-figure2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/writeups/figures/smith-figure2.png -------------------------------------------------------------------------------- /writeups/figures/smith-figure3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/writeups/figures/smith-figure3.png -------------------------------------------------------------------------------- /writeups/figures/smith-figure4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/writeups/figures/smith-figure4.png -------------------------------------------------------------------------------- /writeups/physpuppet.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/writeups/physpuppet.md -------------------------------------------------------------------------------- /writeups/smith.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wh1te4ever/kfund/HEAD/writeups/smith.md --------------------------------------------------------------------------------