π¨ EXPLOIT SAMPLE β FOR SECURITY RESEARCH, VULNERABILITY ANALYSIS AND DEFENSIVE PURPOSES ONLY
π¨ MUESTRA DE EXPLOIT β SOLO PARA INVESTIGACIΓN DE SEGURIDAD, ANΓLISIS DE VULNERABILIDADES Y FINES DEFENSIVOS
This repository contains a real iOS RCE exploit kit preserved for analysis. Do not use against real devices. / Este repositorio contiene un kit de exploits iOS real preservado para anΓ‘lisis. No usar contra dispositivos reales.
DarkSword-RCE es un kit de exploits de EjecuciΓ³n Remota de CΓ³digo (RCE) dirigido a Safari/WebKit en iOS 18.4 β 18.6. Logra ejecuciΓ³n de cΓ³digo arbitrario en iPhones a travΓ©s de una cadena de explotaciΓ³n multi-etapa que atraviesa mΓΊltiples capas de seguridad: JavaScriptCore β sandbox WebKit β proceso GPU β nivel de sistema.
El exploit estΓ‘ escrito Γntegramente en JavaScript y se distribuye como una pΓ‘gina web que el usuario visita sin saberlo (drive-by exploit).
| iOS | Estado | Notas |
|---|---|---|
| 18.4 | β Explotable | MΓ³dulos completos (rce_module.js, rce_worker.js, sbx0_main_18.4.js) |
| 18.6 | β Explotable | MΓ³dulo extendido (rce_worker_18.6.js β 514 KB, mΓ‘s complejo) |
| 18.6.1 | β Explotable | Mismo mΓ³dulo que 18.6 |
| 18.6.2 | β Explotable | Mismo mΓ³dulo que 18.6 |
Dispositivos objetivo: iPhone11 series, iPhone12 series (con tablas de offsets especΓficos por modelo)
DarkSword-RCE/
βββ index.html (689 B) β Punto de entrada (iframe oculto)
βββ frame.html (252 B) β Cargador del exploit desde CDN
βββ rce_loader.js (7.1 KB) β Orquestador principal
βββ rce_module.js (170 KB) β Primitivas de memoria (iOS 18.4)
βββ rce_module_18.6.js (85 B) β Stub para iOS 18.6
βββ rce_worker.js (43 KB) β Worker de explotaciΓ³n (iOS 18.4)
βββ rce_worker_18.6.js (514 KB) β Worker de explotaciΓ³n (iOS 18.6)
βββ sbx0_main_18.4.js (415 KB) β Escape de sandbox vΓa GPU (Etapa 0)
βββ sbx1_main.js (311 KB) β Escape de sandbox (Etapa 1)
βββ pe_main.js (761 KB) β Escalada de privilegios
Total: ~2.2 MB | 38,652 lΓneas
[VΓctima visita URL maliciosa]
β
βΌ
index.html β iframe oculto β frame.html
β
βΌ (carga desde CDN atacante)
rce_loader.js
ββ Detecta versiΓ³n iOS (18.4 / 18.6 / 18.6.1 / 18.6.2)
ββ Detecta modelo de iPhone y offsets especΓficos
ββ Crea Web Worker con mΓ³dulo correcto
β
βΌ
[ETAPA 1] rce_module.js β Primitivas de Memoria
ββ Explota internals de JavaScriptCore
ββ Crea funciones read64() y write64() via TypedArray tricks
ββ Localiza estructuras VM en el heap
β
βΌ
[ETAPA 2] rce_worker.js β Bypass JIT y Framework
ββ Deshabilita JIT allow-list via escrituras en offsets
ββ Manipula estructuras AVFAudio/TextToSpeech
ββ Ejecuta mΓ©todos Obj-C via objc_msgSend
β
βΌ
[ETAPA 3] sbx0_main_18.4.js β Escape Sandbox GPU (Etapa 0)
ββ Rompe el sandbox WebKit usando el proceso GPU
ββ Explota la infraestructura de renderizado grΓ‘fico
ββ Establece primitivas en contexto del proceso GPU
β
βΌ
[ETAPA 4] sbx1_main.js β Escape Sandbox GPU (Etapa 1)
ββ Calcula ASLR slide del shared cache
ββ Configura cadenas de gadgets ROP/JOP
ββ Bypass de PAC (Pointer Authentication Codes)
β
βΌ
[ETAPA 5] pe_main.js β Escalada de Privilegios
ββ Establece capacidad de llamada a funciones arbitrarias (fcall)
ββ Invoca APIs del kernel Mach (mach_port_allocate, mach_vm_allocate)
ββ Manipula el runtime Objective-C
ββ Logra ejecuciΓ³n de cΓ³digo sin restricciones en el dispositivo
- DetecciΓ³n de versiΓ³n iOS vΓa User-Agent
- Lookup de offsets especΓficos por modelo de dispositivo
- GestiΓ³n de Web Workers y paso de mensajes
- Redirige a
404.htmlen caso de error (para evitar detecciΓ³n) - Logging/telemetrΓa hacia servidor del atacante
- Conversiones de tipo BigInt para aritmΓ©tica de punteros de 64 bits
- Primitivas de memoria:
read64(),write64(),write8(),read32() - Clase
Encoderpara serializaciΓ³n de mensajes IPC - Bypass de JIT allow-list mediante escrituras de offset
- ManipulaciΓ³n del heap para control de layout
- ExplotaciΓ³n de ArrayBuffer/TypedArray
- InicializaciΓ³n de primitivas de memoria
- Workers especializados para carga dinΓ‘mica de librerΓas (dlopen)
- ExplotaciΓ³n del framework TextToSpeech
- ResoluciΓ³n dinΓ‘mica de sΓmbolos y funciones
- Cadena de explotaciΓ³n mΓ‘s compleja que la versiΓ³n 18.4
- Workers con IDs mΓ‘gicos:
0xfffe000011111111,0xfffe000022222222 - ExplotaciΓ³n del contexto grΓ‘fico
- ManipulaciΓ³n de NSBundle/frameworks
- Parcheo del mutex atexit
Contiene tablas masivas de offsets para mΓΊltiples iPhones:
- iPhone11,2 / iPhone11,8 / iPhone12,1 / iPhone12,3/5 / iPhone12,8
- Cada uno con 100+ offsets de memoria para:
- Clases y funciones del framework AVFAudio
- Offsets del contexto grΓ‘fico WebCore
- Estructuras de conexiΓ³n del proceso GPU
- CΓ‘lculo del slide del shared cache
- Primitivas de lectura/escritura vΓa GPU (
gpuRead64,gpuWrite64) - Gadgets PAC (PACIA, PACIB, XPac)
- Gadgets
tcall(tail call con carga de registros) - Tablas de offsets especΓficas por modelo de dispositivo
- Wrappers de funciones C:
calloc,malloc,free,memcpy,syscall - APIs Mach:
mach_port_allocate,mach_vm_allocate - Runtime Objective-C:
objc_msgSend,sel_registerName - CoreFoundation: operaciones con CFDictionary, CFString, CFNumber
- ConstrucciΓ³n de cadenas JOP para llamadas a funciones arbitrarias
- InvocaciΓ³n de mΓ©todos via NSInvocation
- CreaciΓ³n de threads NSThread con cΓ³digo arbitrario
| Tipo | Valor | PropΓ³sito |
|---|---|---|
| CDN atacante | static.cdncounter.net |
DistribuciΓ³n del exploit |
| URL loader | https://static.cdncounter.net/assets/rce_loader.js |
MΓ³dulo orquestador |
| URL 404 falsa | https://static.cdncounter.net/404.html |
RedirecciΓ³n en caso de error |
/usr/lib/system/libsystem_kernel.dylib
/usr/lib/system/libsystem_platform.dylib
/usr/lib/system/libsystem_pthread.dylib
rule DarkSword_iOS_RCE_Exploit {
meta:
description = "Detects DarkSword iOS RCE exploit kit"
author = "KONDORDEVSECURITYCORP"
date = "2026-03"
severity = "critical"
target = "iOS 18.4-18.6 Safari/WebKit"
strings:
$cdn = "static.cdncounter.net"
$magic1 = "0xfffe000011111111"
$magic2 = "0xfffe000022222222"
$func1 = "gpuRead64"
$func2 = "gpuWrite64"
$func3 = "rce_loader"
$pac = "noPAC"
$sbx = "sbx0_main"
condition:
2 of them
}alert dns $HOME_NET any -> any 53 (msg:"DarkSword CDN DNS Lookup"; dns.query; content:"cdncounter.net"; sid:9000010;)
alert http $HOME_NET any -> any 443 (msg:"DarkSword Exploit Load"; http.host; content:"static.cdncounter.net"; sid:9000011;)
- Actualizar iOS a la versiΓ³n mΓ‘s reciente (las versiones 18.4-18.6 son vulnerables)
- Bloquear dominio
cdncounter.neten DNS/firewall corporativo - Activar Modo Lockdown (Lockdown Mode) en iOS para objetivos de alto riesgo
- Revisar logs de Safari/WebKit para accesos a dominios sospechosos
- No visitar URLs desconocidas β el exploit es drive-by (no requiere interacciΓ³n adicional)
DarkSword-RCE is a Remote Code Execution (RCE) exploit kit targeting Safari/WebKit on iOS 18.4 β 18.6. It achieves arbitrary code execution on iPhones through a multi-stage exploitation chain that crosses multiple security boundaries: JavaScriptCore β WebKit sandbox β GPU process β system level.
The exploit is written entirely in JavaScript and delivered as a web page visited by the victim without their knowledge (drive-by exploit).
| iOS | Status | Notes |
|---|---|---|
| 18.4 | β Exploitable | Complete modules (rce_module.js, rce_worker.js, sbx0_main_18.4.js) |
| 18.6 | β Exploitable | Extended module (rce_worker_18.6.js β 514 KB, more complex) |
| 18.6.1 | β Exploitable | Same module as 18.6 |
| 18.6.2 | β Exploitable | Same module as 18.6 |
Target devices: iPhone11 series, iPhone12 series (with per-model hardcoded offsets)
DarkSword-RCE/
βββ index.html (689 B) β Entry point (hidden iframe)
βββ frame.html (252 B) β Exploit loader from CDN
βββ rce_loader.js (7.1 KB) β Main orchestrator
βββ rce_module.js (170 KB) β Memory primitives (iOS 18.4)
βββ rce_module_18.6.js (85 B) β Stub for iOS 18.6
βββ rce_worker.js (43 KB) β Exploitation worker (iOS 18.4)
βββ rce_worker_18.6.js (514 KB) β Exploitation worker (iOS 18.6)
βββ sbx0_main_18.4.js (415 KB) β GPU sandbox escape (Stage 0)
βββ sbx1_main.js (311 KB) β Sandbox escape (Stage 1)
βββ pe_main.js (761 KB) β Privilege escalation
Total: ~2.2 MB | 38,652 lines
[Victim visits malicious URL]
β
βΌ
index.html β hidden iframe β frame.html
β
βΌ (loads from attacker CDN)
rce_loader.js
ββ Detects iOS version (18.4 / 18.6 / 18.6.1 / 18.6.2)
ββ Detects iPhone model and specific offsets
ββ Creates Web Worker with correct module
β
βΌ
[STAGE 1] rce_module.js β Memory Primitives
ββ Exploits JavaScriptCore internals
ββ Creates read64() and write64() via TypedArray tricks
ββ Locates VM structures in heap
β
βΌ
[STAGE 2] rce_worker.js β JIT Bypass and Framework
ββ Disables JIT allow-list via offset writes
ββ Manipulates AVFAudio/TextToSpeech structures
ββ Executes Obj-C methods via objc_msgSend
β
βΌ
[STAGE 3] sbx0_main_18.4.js β GPU Sandbox Escape (Stage 0)
ββ Breaks out of WebKit sandbox via GPU process
ββ Exploits graphics rendering infrastructure
ββ Establishes primitives in GPU process context
β
βΌ
[STAGE 4] sbx1_main.js β GPU Sandbox Escape (Stage 1)
ββ Calculates shared cache ASLR slide
ββ Sets up ROP/JOP gadget chains
ββ Bypasses PAC (Pointer Authentication Codes)
β
βΌ
[STAGE 5] pe_main.js β Privilege Escalation
ββ Establishes arbitrary function calling (fcall)
ββ Invokes Mach kernel APIs (mach_port_allocate, mach_vm_allocate)
ββ Manipulates Objective-C runtime
ββ Achieves unrestricted code execution on device
| Technique | Description |
|---|---|
| Memory corruption | Exploits JS engine internals for arbitrary memory read/write |
| PAC bypass | Strips Pointer Authentication Codes to forge pointers |
| JIT bypass | Disables JIT allow-list to enable arbitrary JIT code execution |
| ROP/JOP chains | Uses Return/Jump-Oriented Programming gadgets from system libraries |
| GPU process abuse | Exploits GPU rendering context for cross-process primitives |
| Obj-C runtime | Invokes arbitrary Objective-C methods via forged selectors |
| Mach IPC | Direct kernel API calls via Mach ports |
| Dynamic loading | Fetches additional payload modules from CDN at runtime |
| Type | Value | Purpose |
|---|---|---|
| Attacker CDN | static.cdncounter.net |
Exploit distribution |
| Loader URL | https://static.cdncounter.net/assets/rce_loader.js |
Main orchestrator module |
| Fake 404 | https://static.cdncounter.net/404.html |
Error-case redirect |
0xfffe000011111111 β Worker 1 identifier
0xfffe000022222222 β Worker 2 identifier
rule DarkSword_iOS_RCE_Exploit {
meta:
description = "Detects DarkSword iOS RCE exploit kit"
author = "KONDORDEVSECURITYCORP"
date = "2026-03"
severity = "critical"
target = "iOS 18.4-18.6 Safari/WebKit"
strings:
$cdn = "static.cdncounter.net"
$magic1 = "0xfffe000011111111"
$magic2 = "0xfffe000022222222"
$func1 = "gpuRead64"
$func2 = "gpuWrite64"
$func3 = "rce_loader"
$pac = "noPAC"
condition:
2 of them
}alert dns $HOME_NET any -> any 53 (msg:"DarkSword CDN DNS"; dns.query; content:"cdncounter.net"; sid:9000010;)
alert http $HOME_NET any -> any 443 (msg:"DarkSword Exploit"; http.host; content:"static.cdncounter.net"; sid:9000011;)
- Update iOS to the latest version (18.4-18.6 are vulnerable)
- Block domain
cdncounter.netat corporate DNS/firewall - Enable Lockdown Mode in iOS for high-risk targets
- Review Safari/WebKit logs for suspicious domain access
- Do not visit unknown URLs β exploit is drive-by (requires no additional interaction)
EN: This exploit sample is published for security research, vulnerability analysis, threat intelligence, and defensive purposes ONLY. Using this code against real devices is illegal and unethical. Authors assume no liability for misuse.
ES: Esta muestra de exploit se publica ΓΊnicamente para investigaciΓ³n de seguridad, anΓ‘lisis de vulnerabilidades, inteligencia de amenazas y fines defensivos. Usar este cΓ³digo contra dispositivos reales es ilegal y antiΓ©tico. Los autores no asumen responsabilidad por el uso indebido.