Are you a security researcher or reverse engineer?

For 50% off IDA Products use promo code BILLY50, https://hex-rays.com/pricing *
For 30% off IDA Training use promo code BILLY30, https://hex-rays.com/training **

*License discounts are only valid for individuals, not corporations. Cannot be combined with any other promo code or discount.
** Cannot be combined with any other promo code or discount.

/////////////////////////////////////

Hey guys, today we're going in deeper with our analysis of the 'Coruna' iOS spyware that was recently exploited in the wild. Follow along as we de-obfuscate the stage-1 JavaScript exploit known as 'buffout', identify the core vulnerability trigger, and understand the exploitation strategy. 

In this video we look at how the exploit achieves the 'addrof' primitive. This is a popular exploitation primitive used in WebKit exploits that allows the attacker to leak the actual memory address of arbitrary JavaScript objects.

My work-in-progress implementation of the exploit can be found here - https://github.com/Billy-Ellis/coruna-buffout/

~ bellis1000

References:
https://cloud.google.com/blog/topics/threat-intelligence/coruna-powerful-ios-exploit-kit
https://projectzero.google/2020/09/jitsploitation-one.html

YouTube

A deep technical walkthrough of the Karuna iOS spyware's stage-one JavaScript exploit targeting Safari on iOS 14–15.2. The analysis covers deobfuscation techniques (XOR integer hiding, encoded string arrays, base64 functions), identification of CVE-2021-30952 as the core JIT compiler bug, and the heap-shaping strategy used to achieve an out-of-bounds array read. The exploit trains the JIT compiler with 1 million iterations using INT32_MIN and near-INT32_MAX indices to trigger a flawed compiled version of the trigger function, then leverages the resulting out-of-bounds primitive to leak a JavaScript object's memory address — the classic 'addrof' primitive used as a foundation for full memory read/write and eventual code execution.

How does this JavaScript hack your iPhone?