I was trying to create a pure-Swift version of the libkfd "PhysPuppet" [1] vulnerability that could run inside a Swift Playground (the iPad app).

However, I keep getting error 4 (invalid args) for step 2, a vm_map.

Anyone have any ideas? Testing on an iPad on 16.2, so it should be vulnerable.
EDIT: Here's my failed attempt: https://gist.github.com/JJTech0130/846b92cb0d9bb195f090bfacefd6d8b4
[1] https://github.com/felix-pb/kfd/blob/main/kfd/libkfd/puaf/physpuppet.h


Well, turns out this is definitely possible. Using the Landa exploit instead of PhysPuppet, it all worked great in Swift Playgrounds.

Now to port the rest of libkfd to get something useful out of it...

Almost there!
@jjtech Any plans to upload this onto GitHub? I’m very curious to see how far Swift Playgrounds can be pushed