Physical Use-After-Free in the iOS Kernel (PhysPuppet) YT
Description
https://zygosec.com
Happy 2025,
Today we're looking at PhysPuppet, the first in a series of PUAF (Physical Use-After-Free) exploits for the iOS kernel. We look at how the XNU kernel manages virtual memory mappings per process, and how PhysPuppet manipulates this to obtain a dangling PTE, which it then uses to build powerful kernel read/write primitives.
Original writeup by felix-pb - https://github.com/felix-pb/kfd/blob/main/writeups/physpuppet.md
Exploit writeup using IOSurface spray by alfiecg - https://alfiecg.uk/2024/09/24/Kernel-exploit.html
Thanks for watching