
CVE-2023-32434 PoC — Apple macOS Big Sur Input Validation Error Vulnerability

Associated Vulnerability
Title: Apple macOS Big Sur Input Validation Error Vulnerability (CVE-2023-32434)
Description: An integer overflow was addressed with improved input validation. This issue is fixed in watchOS 9.5.2, macOS Big Sur 11.7.8, iOS 15.7.7 and iPadOS 15.7.7, macOS Monterey 12.6.7, watchOS 8.8.1, iOS 16.5.1 and iPadOS 16.5.1, macOS Ventura 13.4.1. An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.
Description
Deterministic kernel exploit based on CVE-2023-32434.
Readme
# Trigon

Trigon is a deterministic kernel exploit based on CVE-2023-32434. It currently supports A10(X) devices running iOS 13 - 15.7.6. Being deterministic means that this exploit will never panic during or after exploitation and is completely reliable.

In the future, I would like to add support for iOS 16.0 - 16.5, as well as expand the range of supported chipsets. However, as the writeup explains, this is not always feasible.

Trigon exploits the same CVE as the one used in kfd's Smith exploit, except not as a physical use-after-free. Instead, it takes a different code path in the kernel and uses the vulnerability to create an arbitrary physical address mapping primitive. This gives us read/write primitives to any physical address **unless it's a page table**. Not being able to read page tables made exploitation more difficult, but in the end we found a nice trick to determine whether or not a page holds a page table before reading it and were able to build full virtual read/write primitives.

The full writeup can be found [here](https://alfiecg.uk/2025/03/01/Trigon.html). If you're into technical iOS-related writeups, I would recommend you take a read! I have tried to make it as understandable as possible so that those who are not iOS researchers can follow it too.
File Snapshot

[4.0K] /data/pocs/65c2d538bcb19bb2692fa4eb461070f566cb0046
├── [1.3K] README.md
├── [4.0K] Trigon
│   ├── [ 175] AppDelegate.h
│   ├── [ 507] AppDelegate.m
│   ├── [4.0K] Assets.xcassets
│   │   ├── [4.0K] AccentColor.colorset
│   │   │   └── [ 123] Contents.json
│   │   ├── [4.0K] AppIcon.appiconset
│   │   │   └── [ 607] Contents.json
│   │   └── [  63] Contents.json
│   ├── [4.0K] Base.lproj
│   │   ├── [1.6K] LaunchScreen.storyboard
│   │   └── [1.6K] Main.storyboard
│   ├── [4.0K] Exploit
│   │   ├── [5.7K] exploit.c
│   │   ├── [ 132] exploit.h
│   │   ├── [2.2K] iboot-handoff.c
│   │   ├── [ 280] iboot-handoff.h
│   │   ├── [2.4K] info.c
│   │   ├── [ 619] info.h
│   │   ├── [ 797] mach_vm.h
│   │   ├── [2.0K] memory.c
│   │   ├── [ 693] memory.h
│   │   ├── [ 15K] patchfinder.c
│   │   ├── [ 155] patchfinder.h
│   │   ├── [ 305] pv.c
│   │   ├── [1.5K] pv.h
│   │   ├── [7.8K] surface.c
│   │   ├── [ 583] surface.h
│   │   ├── [1.1K] translation.c
│   │   └── [ 157] translation.h
│   ├── [ 304] Info.plist
│   ├── [ 392] main.m
│   ├── [ 112] ViewController.h
│   └── [ 822] ViewController.m
└── [4.0K] Trigon.xcodeproj
    ├── [ 12K] project.pbxproj
    └── [4.0K] project.xcworkspace
        └── [ 135] contents.xcworkspacedata

8 directories, 31 files