Skip to content
/ treadm1ll Public

You don't need to be as fast as lightspeed, but a run on a treadm1ll surely doesn't hurt.

51 stars 12 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

tihmstar/treadm1ll

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
IOKit.framework
IOKit.framework
 
 
treadm1ll.xcodeproj
treadm1ll.xcodeproj
 
 
treadm1ll
treadm1ll
 
 
README.md
README.md
 
 

Repository files navigation

treadm1ll

You don't need to be as fast as lightspeed, but a run on a treadm1ll surely doesn't hurt.

Since i'm now busy with other stuff and likely not gonna come back to this here is my unfinished exploit:

  • works up to 11.4.1
  • gets you tfp0
  • incomplete/missing cleanup, will probably panic on exit

Offsets hardcoded for: Darwin Kernel Version 17.4.0: Fri Dec 8 19:35:52 PST 2017; root:xnu-4570.40.9~1/RELEASE_ARM64_S5L8960X
Get your own if you wanna run it on something else ;)

PS: exploit uses userland derefs, so it won't work with PAN
only for phones with headphone jack

A great writeup by Luca Moro (johncool) on the bug can be found here:
https://www.synacktiv.com/posts/exploit/lightspeed-a-race-for-an-iosmacos-sandbox-escape.html

About

You don't need to be as fast as lightspeed, but a run on a treadm1ll surely doesn't hurt.

Resources

Readme
Activity

Stars

51 stars

Watchers

9 watching

Forks

12 forks
Report repository

Releases

No releases published

Packages

 
 
 

Languages