- JavaScript 98.5%
- HTML 1.4%
f3093b7364iOS 15.0-16.2 userspace PAC bypass (breezy15) and iOS 15.6-16.1.2 WebContent r/w (bluebird) made functional |
||
|---|---|---|
| downloaded | ||
| extracted | ||
| other | ||
| payloads | ||
| SpringBoardTweak | ||
| .gitignore | ||
| ANALYSIS.md | ||
| group.html | ||
| platform_module.js | ||
| README.md | ||
| Stage1_15.2_15.5_jacurutu.js | ||
| Stage1_15.6_16.1.2_bluebird.js | ||
| Stage1_16.2_16.5.1_terrorbird.js | ||
| Stage1_16.6_17.2.1_cassowary.js | ||
| Stage2_15.0_16.2_breezy15.js | ||
| Stage2_16.3_16.5.1_seedbell.js | ||
| Stage2_16.6_16.7.12_seedbell.js | ||
| Stage2_16.6_17.2.1_seedbell_pre.js | ||
| Stage2_17.0_17.2.1_seedbell.js | ||
| Stage3_VariantB.js | ||
| utility_module.js | ||
Coruna
Caution
This repository hosts captured malicious payloads and is intended for educational and research purposes only. While all C2 URLs have been shut down, the payloads may still contain potentially harmful code.
The leaked exploit toolkit for various iOS versions. Extracted from https://sadjd.mijieqi[.]cn/group.html
Partially deobfuscated, symbolicated, and modified to load decrypted payloads by Claude (thanks @34306 for sponsor) and by hand.
These scripts are modified in a way that allows you to host them locally. Note that this only includes exploit chains for tested devices.
Analysis
There are so many analysis by other people right now so I'm not doing it again, however I have a generated ANALYSIS.md specifically talking about decryption process and iOS payloads version table.
Tested on
| Device | Version | WebKit exploit chain |
|---|---|---|
| iPhone 6s+ | 15.4.1 | jacurutu -> VariantB? |
| iPhone Xs Max | 16.5 | terrorbird -> seedbell -> VariantB |
| iPhone 15 Pro Max | 17.0 | cassowary -> seedbell_pre -> seedbell_17 -> VariantB |