whw

@cutesmilee__ I don’t have a computer with IDA by hand now. But this part in GTIG’s blog is basically right. You can check the RWTransfer::Get and RWTransfer::Give.

@WHW_0x455 are you sure about that? I looked a bit at it and to me it looks like it builds krw, it was messing with fds and thread states in order to get respectively aaw and aar

These ITW chains remind me the 2023 Predator. THE ipc_right_destroy bug is like a nightmare to me. The mach ipc really changed a lot after that. But I guess I just can’t forget such a special bug, especially after investing time and didn’t figure that out.

@cutesmilee__ The sample gets krw from another process. Maybe Webcontent or something else. Like the watcher passes krw to the helper in the sample.

@WHW_0x455 have you looked at the intellexa sample to see how they managed to get krw with that?

@khanhduytran0 Always update your daily device. I do know someone who got attack in December 2025.

New ITW kernel exploits for more recent iOS versions. RIP I already updated to 26.1 for obviously stupid reason :/

@khanhduytran0 @devtosbaha I will try ! For unknown reason, I can’t set x0 when -[AMFIPathValidator_macos validateWithError:] returns in LLDB. I hope this will work

@WHW_0x455 @devtosbaha You can also put a breakpoint at `-[AMFIPathValidator_macos validateUsingMacOSProvisioningProfileWithRestrictedEntitlements:andSoftRestrictedEntitlements:andApplicationIdentifier:]` and return 0

@khanhduytran0 🥳🥳🥳

All 3 have been pwned via Safari 15.4.1 arm64 16.5 arm64e 17.0 arm64e

@devtosbaha I'm trying amfidont. Looks like lldb cannot get codePath from amfid

@WHW_0x455 Use amfidont which is listed as option 2 in the repo.

@matteyeux iOS version ?

Infecting myself with the Coruna exploit chain right now. You can see the chain being triggered and the C2 communication

@cutesmilee__ Thank you !

@WHW_0x455 github.com/matteyeux/coru…

All right…. Being busy these days and missing a lot of things. Any sample for Coruna ? Public or private share will be appreciated !

What mathematicians call "literature review" should be familiar to you as "vulnerability research". Or, put another way: erdosproblems.com is currently the best benchmark for LLM capabilities in finding 0days.

Bypass PAC in JIT - CVE-2024-27834 And I'm ready for my Spring Festival holiday 🥳 gist.github.com/WHW0x455/3c219…

Some notes about the 2023 predator sample. gist.github.com/WHW0x455/2b720…

The collection is complete! 🎬 We just uploaded @radian's keynote to our YouTube channel youtube.com/watch?v=Du8BbJ…

A full iOS zero-day exploit chain used in the wild against targets in Egypt. #Intellexa #Predator Stage 1: Initial RCE via JSKit Framework (Safari WebKit Exploitation)Entry Point: The chain starts with a zero-day RCE vulnerability in Safari's WebKit rendering engine, patched by Apple as CVE-2023-41993 (a memory corruption issue in the JIT compiler). Stage 2: Sandbox Escape and Kernel Privilege EscalationVulnerabilities Exploited: CVE-2023-41992: Kernel IPC use-after-free (sandbox escape + local privilege escalation, LPE). CVE-2023-41991: Code-signing bypass (LPE). Stage 3: Persistence and Surveillance Setup (PREYHUNTER Modules)Components: Divided into two modules—"watcher" and "helper"—deployed via the escalated privileges from Stage 2. cloud.google.com/blog/topics/th… github.com/blackorbird/AP…

@matteyeux @radian 😢

Except the one by @radian

Hexacon videos are up youtube.com/playlist?list=…

@wwwGUIA 可以检查一下 vmware nat的dhcp，我最常遇到的就是 nat 的 dhcp不工作了。所以我习惯关闭 nat 的 dhcp，自己手动指定ip和网关。

求救！VMware 其中一個虛擬機不聯網。

Again...Bluetooth (CVE-2025-48593)[374746961][Bluetooth]RCE related to HF client discovery database(bta_hf_client_cb_init, 0-click RCE???) android.googlesource.com/platform/packa…

SCOOP: A man who worked on developing hacking tools for defense contractor L3Harris Trenchant was notified by Apple that his iPhone was targeted with spyware. It's unclear who targeted him, but he believes he was the scapegoat of a leak investigation. techcrunch.com/2025/10/21/app…

🤔 seclists.org/fulldisclosure…