Skip to content

KONDORDEVSECURITYCORP/DarkSword-RCE

Repository files navigation


Research Platform Language Type CVE


🚨 EXPLOIT SAMPLE β€” FOR SECURITY RESEARCH, VULNERABILITY ANALYSIS AND DEFENSIVE PURPOSES ONLY

🚨 MUESTRA DE EXPLOIT β€” SOLO PARA INVESTIGACIΓ“N DE SEGURIDAD, ANÁLISIS DE VULNERABILIDADES Y FINES DEFENSIVOS

This repository contains a real iOS RCE exploit kit preserved for analysis. Do not use against real devices. / Este repositorio contiene un kit de exploits iOS real preservado para anΓ‘lisis. No usar contra dispositivos reales.


🌐 Idiomas / Languages


πŸ‡ͺπŸ‡Έ DocumentaciΓ³n en EspaΓ±ol

ΒΏQuΓ© es DarkSword-RCE?

DarkSword-RCE es un kit de exploits de EjecuciΓ³n Remota de CΓ³digo (RCE) dirigido a Safari/WebKit en iOS 18.4 – 18.6. Logra ejecuciΓ³n de cΓ³digo arbitrario en iPhones a travΓ©s de una cadena de explotaciΓ³n multi-etapa que atraviesa mΓΊltiples capas de seguridad: JavaScriptCore β†’ sandbox WebKit β†’ proceso GPU β†’ nivel de sistema.

El exploit estΓ‘ escrito Γ­ntegramente en JavaScript y se distribuye como una pΓ‘gina web que el usuario visita sin saberlo (drive-by exploit).


πŸ“± Versiones Afectadas

iOS Estado Notas
18.4 βœ… Explotable MΓ³dulos completos (rce_module.js, rce_worker.js, sbx0_main_18.4.js)
18.6 βœ… Explotable MΓ³dulo extendido (rce_worker_18.6.js β€” 514 KB, mΓ‘s complejo)
18.6.1 βœ… Explotable Mismo mΓ³dulo que 18.6
18.6.2 βœ… Explotable Mismo mΓ³dulo que 18.6

Dispositivos objetivo: iPhone11 series, iPhone12 series (con tablas de offsets especΓ­ficos por modelo)


πŸ—οΈ Estructura del Exploit

DarkSword-RCE/
β”œβ”€β”€ index.html              (689 B)   β€” Punto de entrada (iframe oculto)
β”œβ”€β”€ frame.html              (252 B)   β€” Cargador del exploit desde CDN
β”œβ”€β”€ rce_loader.js           (7.1 KB)  β€” Orquestador principal
β”œβ”€β”€ rce_module.js           (170 KB)  β€” Primitivas de memoria (iOS 18.4)
β”œβ”€β”€ rce_module_18.6.js      (85 B)    β€” Stub para iOS 18.6
β”œβ”€β”€ rce_worker.js           (43 KB)   β€” Worker de explotaciΓ³n (iOS 18.4)
β”œβ”€β”€ rce_worker_18.6.js      (514 KB)  β€” Worker de explotaciΓ³n (iOS 18.6)
β”œβ”€β”€ sbx0_main_18.4.js       (415 KB)  β€” Escape de sandbox vΓ­a GPU (Etapa 0)
β”œβ”€β”€ sbx1_main.js            (311 KB)  β€” Escape de sandbox (Etapa 1)
└── pe_main.js              (761 KB)  β€” Escalada de privilegios

Total: ~2.2 MB | 38,652 lΓ­neas

πŸ”¬ AnΓ‘lisis TΓ©cnico de la Cadena de ExplotaciΓ³n

Flujo de Ataque

[VΓ­ctima visita URL maliciosa]
         β”‚
         β–Ό
index.html β†’ iframe oculto β†’ frame.html
         β”‚
         β–Ό (carga desde CDN atacante)
rce_loader.js
    β”œβ”€ Detecta versiΓ³n iOS (18.4 / 18.6 / 18.6.1 / 18.6.2)
    β”œβ”€ Detecta modelo de iPhone y offsets especΓ­ficos
    └─ Crea Web Worker con mΓ³dulo correcto
         β”‚
         β–Ό
[ETAPA 1] rce_module.js β€” Primitivas de Memoria
    β”œβ”€ Explota internals de JavaScriptCore
    β”œβ”€ Crea funciones read64() y write64() via TypedArray tricks
    └─ Localiza estructuras VM en el heap
         β”‚
         β–Ό
[ETAPA 2] rce_worker.js β€” Bypass JIT y Framework
    β”œβ”€ Deshabilita JIT allow-list via escrituras en offsets
    β”œβ”€ Manipula estructuras AVFAudio/TextToSpeech
    └─ Ejecuta mΓ©todos Obj-C via objc_msgSend
         β”‚
         β–Ό
[ETAPA 3] sbx0_main_18.4.js β€” Escape Sandbox GPU (Etapa 0)
    β”œβ”€ Rompe el sandbox WebKit usando el proceso GPU
    β”œβ”€ Explota la infraestructura de renderizado grΓ‘fico
    └─ Establece primitivas en contexto del proceso GPU
         β”‚
         β–Ό
[ETAPA 4] sbx1_main.js β€” Escape Sandbox GPU (Etapa 1)
    β”œβ”€ Calcula ASLR slide del shared cache
    β”œβ”€ Configura cadenas de gadgets ROP/JOP
    └─ Bypass de PAC (Pointer Authentication Codes)
         β”‚
         β–Ό
[ETAPA 5] pe_main.js β€” Escalada de Privilegios
    β”œβ”€ Establece capacidad de llamada a funciones arbitrarias (fcall)
    β”œβ”€ Invoca APIs del kernel Mach (mach_port_allocate, mach_vm_allocate)
    β”œβ”€ Manipula el runtime Objective-C
    └─ Logra ejecuciΓ³n de cΓ³digo sin restricciones en el dispositivo

MΓ³dulos Detallados

rce_loader.js β€” Orquestador

  • DetecciΓ³n de versiΓ³n iOS vΓ­a User-Agent
  • Lookup de offsets especΓ­ficos por modelo de dispositivo
  • GestiΓ³n de Web Workers y paso de mensajes
  • Redirige a 404.html en caso de error (para evitar detecciΓ³n)
  • Logging/telemetrΓ­a hacia servidor del atacante

rce_module.js β€” Primitivas de Memoria (170 KB)

  • Conversiones de tipo BigInt para aritmΓ©tica de punteros de 64 bits
  • Primitivas de memoria: read64(), write64(), write8(), read32()
  • Clase Encoder para serializaciΓ³n de mensajes IPC
  • Bypass de JIT allow-list mediante escrituras de offset
  • ManipulaciΓ³n del heap para control de layout
  • ExplotaciΓ³n de ArrayBuffer/TypedArray

rce_worker.js β€” Worker iOS 18.4 (43 KB)

  • InicializaciΓ³n de primitivas de memoria
  • Workers especializados para carga dinΓ‘mica de librerΓ­as (dlopen)
  • ExplotaciΓ³n del framework TextToSpeech
  • ResoluciΓ³n dinΓ‘mica de sΓ­mbolos y funciones

rce_worker_18.6.js β€” Worker iOS 18.6 (514 KB)

  • Cadena de explotaciΓ³n mΓ‘s compleja que la versiΓ³n 18.4
  • Workers con IDs mΓ‘gicos: 0xfffe000011111111, 0xfffe000022222222
  • ExplotaciΓ³n del contexto grΓ‘fico
  • ManipulaciΓ³n de NSBundle/frameworks
  • Parcheo del mutex atexit

sbx0_main_18.4.js β€” GPU Sandbox Escape Etapa 0 (415 KB)

Contiene tablas masivas de offsets para mΓΊltiples iPhones:

  • iPhone11,2 / iPhone11,8 / iPhone12,1 / iPhone12,3/5 / iPhone12,8
  • Cada uno con 100+ offsets de memoria para:
    • Clases y funciones del framework AVFAudio
    • Offsets del contexto grΓ‘fico WebCore
    • Estructuras de conexiΓ³n del proceso GPU

sbx1_main.js β€” GPU Sandbox Escape Etapa 1 (311 KB)

  • CΓ‘lculo del slide del shared cache
  • Primitivas de lectura/escritura vΓ­a GPU (gpuRead64, gpuWrite64)
  • Gadgets PAC (PACIA, PACIB, XPac)
  • Gadgets tcall (tail call con carga de registros)
  • Tablas de offsets especΓ­ficas por modelo de dispositivo

pe_main.js β€” Escalada de Privilegios (761 KB)

  • Wrappers de funciones C: calloc, malloc, free, memcpy, syscall
  • APIs Mach: mach_port_allocate, mach_vm_allocate
  • Runtime Objective-C: objc_msgSend, sel_registerName
  • CoreFoundation: operaciones con CFDictionary, CFString, CFNumber
  • ConstrucciΓ³n de cadenas JOP para llamadas a funciones arbitrarias
  • InvocaciΓ³n de mΓ©todos via NSInvocation
  • CreaciΓ³n de threads NSThread con cΓ³digo arbitrario

πŸ”΄ Indicadores de Compromiso (IOCs)

Infraestructura de Red

Tipo Valor PropΓ³sito
CDN atacante static.cdncounter.net DistribuciΓ³n del exploit
URL loader https://static.cdncounter.net/assets/rce_loader.js MΓ³dulo orquestador
URL 404 falsa https://static.cdncounter.net/404.html RedirecciΓ³n en caso de error

LibrerΓ­as del Sistema Cargadas DinΓ‘micamente

/usr/lib/system/libsystem_kernel.dylib
/usr/lib/system/libsystem_platform.dylib
/usr/lib/system/libsystem_pthread.dylib

πŸ›‘οΈ DetecciΓ³n y Defensa

Regla YARA

rule DarkSword_iOS_RCE_Exploit {
    meta:
        description = "Detects DarkSword iOS RCE exploit kit"
        author      = "KONDORDEVSECURITYCORP"
        date        = "2026-03"
        severity    = "critical"
        target      = "iOS 18.4-18.6 Safari/WebKit"

    strings:
        $cdn       = "static.cdncounter.net"
        $magic1    = "0xfffe000011111111"
        $magic2    = "0xfffe000022222222"
        $func1     = "gpuRead64"
        $func2     = "gpuWrite64"
        $func3     = "rce_loader"
        $pac       = "noPAC"
        $sbx       = "sbx0_main"

    condition:
        2 of them
}

Reglas de Red

alert dns  $HOME_NET any -> any 53    (msg:"DarkSword CDN DNS Lookup"; dns.query; content:"cdncounter.net"; sid:9000010;)
alert http $HOME_NET any -> any 443   (msg:"DarkSword Exploit Load"; http.host; content:"static.cdncounter.net"; sid:9000011;)

Medidas de MitigaciΓ³n

  1. Actualizar iOS a la versiΓ³n mΓ‘s reciente (las versiones 18.4-18.6 son vulnerables)
  2. Bloquear dominio cdncounter.net en DNS/firewall corporativo
  3. Activar Modo Lockdown (Lockdown Mode) en iOS para objetivos de alto riesgo
  4. Revisar logs de Safari/WebKit para accesos a dominios sospechosos
  5. No visitar URLs desconocidas β€” el exploit es drive-by (no requiere interacciΓ³n adicional)

πŸ‡¬πŸ‡§ English Documentation

What is DarkSword-RCE?

DarkSword-RCE is a Remote Code Execution (RCE) exploit kit targeting Safari/WebKit on iOS 18.4 – 18.6. It achieves arbitrary code execution on iPhones through a multi-stage exploitation chain that crosses multiple security boundaries: JavaScriptCore β†’ WebKit sandbox β†’ GPU process β†’ system level.

The exploit is written entirely in JavaScript and delivered as a web page visited by the victim without their knowledge (drive-by exploit).


πŸ“± Affected Versions

iOS Status Notes
18.4 βœ… Exploitable Complete modules (rce_module.js, rce_worker.js, sbx0_main_18.4.js)
18.6 βœ… Exploitable Extended module (rce_worker_18.6.js β€” 514 KB, more complex)
18.6.1 βœ… Exploitable Same module as 18.6
18.6.2 βœ… Exploitable Same module as 18.6

Target devices: iPhone11 series, iPhone12 series (with per-model hardcoded offsets)


πŸ—οΈ Exploit Structure

DarkSword-RCE/
β”œβ”€β”€ index.html              (689 B)   β€” Entry point (hidden iframe)
β”œβ”€β”€ frame.html              (252 B)   β€” Exploit loader from CDN
β”œβ”€β”€ rce_loader.js           (7.1 KB)  β€” Main orchestrator
β”œβ”€β”€ rce_module.js           (170 KB)  β€” Memory primitives (iOS 18.4)
β”œβ”€β”€ rce_module_18.6.js      (85 B)    β€” Stub for iOS 18.6
β”œβ”€β”€ rce_worker.js           (43 KB)   β€” Exploitation worker (iOS 18.4)
β”œβ”€β”€ rce_worker_18.6.js      (514 KB)  β€” Exploitation worker (iOS 18.6)
β”œβ”€β”€ sbx0_main_18.4.js       (415 KB)  β€” GPU sandbox escape (Stage 0)
β”œβ”€β”€ sbx1_main.js            (311 KB)  β€” Sandbox escape (Stage 1)
└── pe_main.js              (761 KB)  β€” Privilege escalation

Total: ~2.2 MB | 38,652 lines

πŸ”¬ Technical Exploit Chain Analysis

Attack Flow

[Victim visits malicious URL]
         β”‚
         β–Ό
index.html β†’ hidden iframe β†’ frame.html
         β”‚
         β–Ό (loads from attacker CDN)
rce_loader.js
    β”œβ”€ Detects iOS version (18.4 / 18.6 / 18.6.1 / 18.6.2)
    β”œβ”€ Detects iPhone model and specific offsets
    └─ Creates Web Worker with correct module
         β”‚
         β–Ό
[STAGE 1] rce_module.js β€” Memory Primitives
    β”œβ”€ Exploits JavaScriptCore internals
    β”œβ”€ Creates read64() and write64() via TypedArray tricks
    └─ Locates VM structures in heap
         β”‚
         β–Ό
[STAGE 2] rce_worker.js β€” JIT Bypass and Framework
    β”œβ”€ Disables JIT allow-list via offset writes
    β”œβ”€ Manipulates AVFAudio/TextToSpeech structures
    └─ Executes Obj-C methods via objc_msgSend
         β”‚
         β–Ό
[STAGE 3] sbx0_main_18.4.js β€” GPU Sandbox Escape (Stage 0)
    β”œβ”€ Breaks out of WebKit sandbox via GPU process
    β”œβ”€ Exploits graphics rendering infrastructure
    └─ Establishes primitives in GPU process context
         β”‚
         β–Ό
[STAGE 4] sbx1_main.js β€” GPU Sandbox Escape (Stage 1)
    β”œβ”€ Calculates shared cache ASLR slide
    β”œβ”€ Sets up ROP/JOP gadget chains
    └─ Bypasses PAC (Pointer Authentication Codes)
         β”‚
         β–Ό
[STAGE 5] pe_main.js β€” Privilege Escalation
    β”œβ”€ Establishes arbitrary function calling (fcall)
    β”œβ”€ Invokes Mach kernel APIs (mach_port_allocate, mach_vm_allocate)
    β”œβ”€ Manipulates Objective-C runtime
    └─ Achieves unrestricted code execution on device

Key Technical Techniques

Technique Description
Memory corruption Exploits JS engine internals for arbitrary memory read/write
PAC bypass Strips Pointer Authentication Codes to forge pointers
JIT bypass Disables JIT allow-list to enable arbitrary JIT code execution
ROP/JOP chains Uses Return/Jump-Oriented Programming gadgets from system libraries
GPU process abuse Exploits GPU rendering context for cross-process primitives
Obj-C runtime Invokes arbitrary Objective-C methods via forged selectors
Mach IPC Direct kernel API calls via Mach ports
Dynamic loading Fetches additional payload modules from CDN at runtime

πŸ”΄ Indicators of Compromise (IOCs)

Network Infrastructure

Type Value Purpose
Attacker CDN static.cdncounter.net Exploit distribution
Loader URL https://static.cdncounter.net/assets/rce_loader.js Main orchestrator module
Fake 404 https://static.cdncounter.net/404.html Error-case redirect

Magic Worker IDs

0xfffe000011111111  β€” Worker 1 identifier
0xfffe000022222222  β€” Worker 2 identifier

πŸ›‘οΈ Detection and Defense

YARA Rule

rule DarkSword_iOS_RCE_Exploit {
    meta:
        description = "Detects DarkSword iOS RCE exploit kit"
        author      = "KONDORDEVSECURITYCORP"
        date        = "2026-03"
        severity    = "critical"
        target      = "iOS 18.4-18.6 Safari/WebKit"

    strings:
        $cdn    = "static.cdncounter.net"
        $magic1 = "0xfffe000011111111"
        $magic2 = "0xfffe000022222222"
        $func1  = "gpuRead64"
        $func2  = "gpuWrite64"
        $func3  = "rce_loader"
        $pac    = "noPAC"

    condition:
        2 of them
}

Network Detection Rules

alert dns  $HOME_NET any -> any 53  (msg:"DarkSword CDN DNS"; dns.query; content:"cdncounter.net"; sid:9000010;)
alert http $HOME_NET any -> any 443 (msg:"DarkSword Exploit"; http.host; content:"static.cdncounter.net"; sid:9000011;)

Mitigation Measures

  1. Update iOS to the latest version (18.4-18.6 are vulnerable)
  2. Block domain cdncounter.net at corporate DNS/firewall
  3. Enable Lockdown Mode in iOS for high-risk targets
  4. Review Safari/WebKit logs for suspicious domain access
  5. Do not visit unknown URLs β€” exploit is drive-by (requires no additional interaction)

⚠️ Legal Notice / Aviso Legal

EN: This exploit sample is published for security research, vulnerability analysis, threat intelligence, and defensive purposes ONLY. Using this code against real devices is illegal and unethical. Authors assume no liability for misuse.

ES: Esta muestra de exploit se publica ΓΊnicamente para investigaciΓ³n de seguridad, anΓ‘lisis de vulnerabilidades, inteligencia de amenazas y fines defensivos. Usar este cΓ³digo contra dispositivos reales es ilegal y antiΓ©tico. Los autores no asumen responsabilidad por el uso indebido.


GitHub Telegram

About

iOS 18.4-18.6 Safari WebKit RCE exploit kit for security research

Resources

Stars

1 star

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors