Share
## https://sploitus.com/exploit?id=83983F41-D75C-5426-975D-1255F8FDEE98
# ๐Ÿดโ€โ˜ ๏ธ Coruna iOS Exploit Kit: CVE-2024-23222 Research

![CVE](https://img.shields.io/badge/CVE-2024--23222-red)
![CVSS](https://img.shields.io/badge/CVSS-8.8-orange)
![Platform](https://img.shields.io/badge/Platform-iOS%2013.0--17.x-blue)
![Target](https://img.shields.io/badge/Target-WebKit--JSC-green)

## ๐Ÿ“Œ Overview
This repository contains a comprehensive technical analysis and deobfuscation research of the **Coruna iOS Exploit Kit**. The research focuses on documenting how the exploit chain targets **CVE-2024-23222** โ€” a high-severity type confusion vulnerability in WebKit's JavaScriptCore (JSC) engine to achieve Remote Code Execution (RCE).

---

## ๐Ÿ—๏ธ Exploit Chain Architecture
The execution flow is divided into several sophisticated stages:

* **Platform Detection**: Identifying iOS versions, checking lockdown mode, and simulator status via `platform_module.js`.
* **Stage 1: WASM Memory Primitives**: Utilizing WASM-based memory corruption to build `addrof` and `fakeobj` primitives.
* **Stage 2: PAC Bypass**: Corrupting `Intl.Segmenter` iterator vtables to redirect virtual method calls through ARM64 gadgets for PAC signing.
* **Stage 3: Sandbox Escape**: Orchestrating Mach-O parsing and symbol resolution to escape the WebKit sandbox.
* **Stages 4-6: Payload Delivery**: Final delivery of the encrypted binary blob and the **PLASMAGRID** stager.

---

## ๐Ÿ“‚ Repository Structure
| File | Description |
| :--- | :--- |
| `exploit_trigger.js` | Main entry point for orchestrating the exploit chain. |
| `utility_module.js` | Core framework for low-level type conversions and Int64 arithmetic. |
| `stage1_wasm_primitives.js` | Implementation of WASM-based memory read/write primitives. |
| `stage2_pac_bypass.js` | Logic for Pointer Authentication Code (PAC) bypass logic. |
| `stage3_sandbox_escape.js` | Mach-O payload builder and sandbox escape orchestration. |
| `fingerprint.js` | Telemetry and IP detection module. |

---

## ๐Ÿ“Š MITRE ATT&CKยฎ Mapping
* **Initial Access**: T1190 - Exploit Public-Facing Application
* **Execution**: T1059 - Command and Scripting Interpreter (JavaScript)
* **Privilege Escalation**: T1068 - Exploitation for Privilege Escalation
* **Defense Evasion**: T1574.001 - Hijack Execution Flow: Code Cache Poisoning

---

## ๐Ÿงช Deobfuscation Methodology
The analysis involved reversing several layers of obfuscation applied to the original source:
* **XOR-Encoded Strings**: Mapping character codes to bypass static analysis.
* **SHA1-Keyed Module System**: Identifying asynchronous modules via SHA256 filename hashing.
* **XOR-Masked Constants**: Decoding numeric values hidden via bitwise XOR operations.

---

## โš ๏ธ Disclaimer
This research is for **educational and defensive security purposes only**. Unauthorized testing on third-party devices is strictly prohibited and may be illegal.

---
**Lead Researcher**: [Rohitberiwala (Vikings)](https://github.com/Rohitberiwala)