Merged
25 changes: 25 additions & 0 deletions src/binary-exploitation/ios-exploiting/README.md
Expand Up @@ -1190,10 +1190,35 @@ If you want to check for vulnerabilities in a specific version of iOS, you can c
For example, the versions `15.1 RC`, `15.1` and `15.1.1` use the version `Darwin Kernel Version 21.1.0: Wed Oct 13 19:14:48 PDT 2021; root:xnu-8019.43.1~1/RELEASE_ARM64_T8006`.


## JSKit-Based Safari Chains and PREYHUNTER Stagers

### Renderer RCE abstraction with JSKit
- **Reusable entry**: Recent in-the-wild chains abused a WebKit JIT bug (patched as CVE-2023-41993) purely to gain JavaScript-level arbitrary read/write. The exploit immediately pivots into a purchased framework called **JSKit**, so any future Safari bug only needs to deliver the same primitive.
- **Version abstraction & PAC bypasses**: JSKit bundles support for a wide range of iOS releases together with multiple, selectable Pointer Authentication Code bypass modules. The framework fingerprints the target build, selects the appropriate PAC bypass logic, and verifies every step (primitive validation, shellcode launch) before progressing.
- **Manual Mach-O mapping**: JSKit parses Mach-O headers directly from memory, resolves the symbols it needs inside dyld-cached images, and can manually map additional Mach-O payloads without writing them to disk. This keeps the renderer process in-memory only and evades code-signature checks tied to filesystem artifacts.
- **Portfolio model**: Debug strings such as *"exploit number 7"* show that the suppliers maintain multiple interchangeable WebKit exploits. Once the JS primitive matches JSKit’s interface, the rest of the chain is unchanged across campaigns.

### Kernel bridge: IPC UAF -> code-sign bypass pattern
- **Kernel IPC UAF (CVE-2023-41992)**: The second stage, still running inside the Safari context, triggers a kernel use-after-free in IPC code, re-allocates the freed object from userland, and abuses the dangling pointers to pivot into arbitrary kernel read/write. The stage also reuses PAC bypass material previously computed by JSKit instead of re-deriving it.
- **Code-signing bypass (CVE-2023-41991)**: With kernel R/W available, the exploit patches the trust cache / code-signing structures so unsigned payloads execute as `system`. The stage then exposes a lightweight kernel R/W service to later payloads.
- **Composed pattern**: This chain demonstrates a reusable recipe that defenders should expect going forward:

```
WebKit renderer RCE -> kernel IPC UAF -> kernel arbitrary R/W -> code-sign bypass -> unsigned system stager
```

### PREYHUNTER helper & watcher modules
- **Watcher anti-analysis**: A dedicated watcher binary continuously profiles the device and aborts the kill-chain when a research environment is detected. It inspects `security.mac.amfi.developer_mode_status`, the presence of a `diagnosticd` console, locales `US` or `IL`, jailbreak traces such as **Cydia**, processes like `bash`, `tcpdump`, `frida`, `sshd`, or `checkrain`, mobile AV apps (McAfee, AvastMobileSecurity, NortonMobileSecurity), custom HTTP proxy settings, and custom root CAs. Failing any check blocks further payload delivery.
- **Helper surveillance hooks**: The helper component speaks to other stages through `/tmp/helper.sock`, then loads hook sets named **DMHooker** and **UMHooker**. These hooks tap VOIP audio paths (recordings land under `/private/var/tmp/l/voip_%lu_%u_PART.m4a`), implement a system-wide keylogger, capture photos with no UI, and hook SpringBoard to suppress notifications that those actions would normally raise. The helper therefore acts as a stealthy validation + light-surveillance layer before heavier implants such as Predator are dropped.

### iMessage/Media Parser Zero-Click Chains

{{#ref}}
imessage-media-parser-zero-click-coreaudio-pac-bypass.md
{{#endref}}

## References

- [Google Threat Intelligence – Intellexa zero-day exploits continue](https://cloud.google.com/blog/topics/threat-intelligence/intellexa-zero-day-exploits-continue)

{{#include ../../banners/hacktricks-training.md}}
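Review bot: the "Code-signing bypass (CVE-2023-41991)" bullet says the patched trust cache lets unsigned payloads "execute as `system`", but iOS has no `system` account and the text does not say whether this means root, the `mobile` user, or simply a system-level (non-sandboxed) context; state the resulting privilege level explicitly or drop the qualifier, since a reader cannot otherwise tell what the stage actually gains beyond kernel R/W. Two structural points in the same hunk: the `### iMessage/Media Parser Zero-Click Chains` heading is nested under `## JSKit-Based Safari Chains and PREYHUNTER Stagers` although it introduces an unrelated chain and only holds a `{{#ref}}` include, so it should be a `##` at the same level as the JSKit section; and the bare ``` fence around the `WebKit renderer RCE -> kernel IPC UAF -> ...` pipeline carries no language tag, so consider tagging it (e.g. `text`) so it renders consistently with other fenced blocks. Finally, the watcher/helper details (the `security.mac.amfi.developer_mode_status` sysctl, the process and mobile-AV lists, `/tmp/helper.sock`, the DMHooker/UMHooker names and the `voip_%lu_%u_PART.m4a` path) are backed by a single entry in References; if they all come from the Google Threat Intelligence post, say so inline at the start of the PREYHUNTER subsection, and if any other source was used, add it to the References list.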