Share
## https://sploitus.com/exploit?id=83983F41-D75C-5426-975D-1255F8FDEE98
# ๐ดโโ ๏ธ Coruna iOS Exploit Kit: CVE-2024-23222 Research




## ๐ Overview
This repository contains a comprehensive technical analysis and deobfuscation research of the **Coruna iOS Exploit Kit**. The research focuses on documenting how the exploit chain targets **CVE-2024-23222** โ a high-severity type confusion vulnerability in WebKit's JavaScriptCore (JSC) engine to achieve Remote Code Execution (RCE).
---
## ๐๏ธ Exploit Chain Architecture
The execution flow is divided into several sophisticated stages:
* **Platform Detection**: Identifying iOS versions, checking lockdown mode, and simulator status via `platform_module.js`.
* **Stage 1: WASM Memory Primitives**: Utilizing WASM-based memory corruption to build `addrof` and `fakeobj` primitives.
* **Stage 2: PAC Bypass**: Corrupting `Intl.Segmenter` iterator vtables to redirect virtual method calls through ARM64 gadgets for PAC signing.
* **Stage 3: Sandbox Escape**: Orchestrating Mach-O parsing and symbol resolution to escape the WebKit sandbox.
* **Stages 4-6: Payload Delivery**: Final delivery of the encrypted binary blob and the **PLASMAGRID** stager.
---
## ๐ Repository Structure
| File | Description |
| :--- | :--- |
| `exploit_trigger.js` | Main entry point for orchestrating the exploit chain. |
| `utility_module.js` | Core framework for low-level type conversions and Int64 arithmetic. |
| `stage1_wasm_primitives.js` | Implementation of WASM-based memory read/write primitives. |
| `stage2_pac_bypass.js` | Logic for Pointer Authentication Code (PAC) bypass logic. |
| `stage3_sandbox_escape.js` | Mach-O payload builder and sandbox escape orchestration. |
| `fingerprint.js` | Telemetry and IP detection module. |
---
## ๐ MITRE ATT&CKยฎ Mapping
* **Initial Access**: T1190 - Exploit Public-Facing Application
* **Execution**: T1059 - Command and Scripting Interpreter (JavaScript)
* **Privilege Escalation**: T1068 - Exploitation for Privilege Escalation
* **Defense Evasion**: T1574.001 - Hijack Execution Flow: Code Cache Poisoning
---
## ๐งช Deobfuscation Methodology
The analysis involved reversing several layers of obfuscation applied to the original source:
* **XOR-Encoded Strings**: Mapping character codes to bypass static analysis.
* **SHA1-Keyed Module System**: Identifying asynchronous modules via SHA256 filename hashing.
* **XOR-Masked Constants**: Decoding numeric values hidden via bitwise XOR operations.
---
## โ ๏ธ Disclaimer
This research is for **educational and defensive security purposes only**. Unauthorized testing on third-party devices is strictly prohibited and may be illegal.
---
**Lead Researcher**: [Rohitberiwala (Vikings)](https://github.com/Rohitberiwala)