abelrguezr/ios-corellium-connect
skills/binary-exploitation/ios-exploiting/ios-corellium/SKILL.md
How to connect to Corellium iOS VMs for exploitation and testing. Use this skill whenever the user mentions Corellium, iOS virtual machines, connecting to iOS devices, uploading binaries to iOS, installing .ipa files, SSH to iOS VMs, or any iOS exploitation/testing workflow involving Corellium. This includes Quick Connect, VPN setup, file transfers, app installation, port forwarding, and remote debugging.
$ install --global
skillsauthnpx skillsauth add abelrguezr/hacktricks-skills ios-corellium-connectInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 2:10 AM17.3s3 files scanned
SKILL.md
- name:
- ios-corellium-connect
- description:
- How to connect to Corellium iOS VMs for exploitation and testing. Use this skill whenever the user mentions Corellium, iOS virtual machines, connecting to iOS devices, uploading binaries to iOS, installing .ipa files, SSH to iOS VMs, or any iOS exploitation/testing workflow involving Corellium. This includes Quick Connect, VPN setup, file transfers, app installation, port forwarding, and remote debugging.
iOS Corellium Connection Guide
This skill helps you connect to and interact with Corellium iOS virtual machines for security testing, exploitation, and development.
Quick Start
Method 1: Quick Connect (Recommended for most cases)
- Add your SSH key to Corellium at
/admin/projects(recommended for passwordless login) - Open the device page and click Connect
- Copy the Quick Connect SSH command displayed by Corellium
- Paste in your terminal and execute
# Example Quick Connect command (format varies)
ssh -J <domain> root@<quick-connect-host>
Method 2: VPN Connection (Use when you need local network access)
- Add your SSH key to Corellium at
/admin/projects - Navigate to device page → CONNECT → VPN
- Download the
.ovpnfile and connect with any TAP-mode VPN client - SSH to the VM's internal IP:
ssh [email protected]
When to use VPN: Choose VPN when you need the device on your local network for tools like proxies, network analyzers, or when Quick Connect doesn't work.
File Transfer Operations
Upload a Native Binary
With Quick Connect (jump host):
scp -J <domain> ./mytool [email protected]:/var/root/mytool
With VPN (direct IP):
scp ./mytool [email protected]:/var/root/mytool
Upload and Install an iOS App (.ipa)
Option A: Web UI (Fastest)
- Device page → Apps tab → Install App
- Select your
.ipafile - Use the same tab to launch, kill, or uninstall
Option B: Scripted via Corellium Agent
Use the Corellium API Agent for automated workflows:
// Node.js example using Corellium Agent
await agent.upload("./app.ipa", "/var/tmp/app.ipa");
await agent.install("/var/tmp/app.ipa", (progress, status) => {
console.log(`Progress: ${progress}, Status: ${status}`);
});
Option C: Non-Jailbroken Devices (Requires Signing)
- Use Sideloadly to re-sign with your Apple ID
- Or sign in Xcode with a valid provisioning profile
- Unsigned IPAs will not launch on non-jailbroken devices
Advanced Operations
Port Forwarding
Make the VM accessible locally for other tools:
# Forward local port 2222 to device port 22
ssh -N -L 2222:127.0.0.1:22 [email protected]
# Now use the forwarded port
scp -P 2222 file root@localhost:/var/root/
Remote Debugging with LLDB
- Navigate to device page → CONNECT → LLDB
- Copy the LLDB/GDB stub address shown at the bottom
- Connect from your local LLDB:
lldb
(lldb) platform select remote-ios
(lldb) process connect connect://<stub-address>
USBFlux (macOS/Linux)
Present the VM to Xcode or Sideloadly as if it were physically connected:
# Install USBFlux
brew install usbfluxd
# Run to expose the device
usbfluxd
Now Xcode and Sideloadly will detect the Corellium VM as a connected device.
Quick Reference
| Task | Command/Method |
|------|----------------|
| Quick SSH | Copy command from device page |
| VPN SSH | ssh [email protected] |
| Upload binary | scp -J <domain> ./file [email protected]:/path/ |
| Install .ipa | Web UI Apps tab or Agent API |
| Port forward | ssh -N -L 2222:127.0.0.1:22 [email protected] |
| View logs | Device Console in UI |
Common Pitfalls
- Signing required: Non-jailbroken devices need properly signed IPAs. Unsigned apps won't launch.
- Quick Connect vs VPN: Quick Connect is simpler; use VPN for local network tools.
- No App Store: Corellium devices don't have App Store access. Bring your own signed IPAs.
- SSH keys: Add keys to
/admin/projectsto avoid password prompts. - Path differences: Quick Connect uses jump host (
-J), VPN uses direct IP.
Troubleshooting
Can't connect via Quick Connect?
- Try VPN method instead
- Verify SSH key is added to project
- Check Corellium status page for outages
VPN won't connect?
- Ensure VPN client supports TAP mode
- Check Corellium VPN docs
- Try different VPN client (OpenVPN Connect, Tunnelblick, etc.)
App won't launch?
- On non-jailbroken: re-sign with Sideloadly or Xcode
- Check provisioning profile validity
- Verify app architecture matches device (arm64)
SCP fails?
- Quick Connect: include
-J <domain>flag - VPN: use direct IP without jump host
- Verify SSH key authentication is working
Related Skills
abelrguezr/house-of-lore-exploit
testing
VerifiedTrustedCommunity
How to perform a House of Lore (small bin attack) heap exploitation. Use this skill whenever the user mentions heap exploitation, small bin attacks, fake chunks, glibc heap vulnerabilities, or needs to insert fake chunks into small bins for arbitrary read/write. Trigger for CTF challenges involving heap corruption, glibc 2.31+ exploitation, or when the user needs to bypass malloc sanity checks using fake chunk linking.
5SKILL.mdUpdated Apr 16, 2026
abelrguezr/house-of-force-exploit
testing
VerifiedTrustedCommunity
How to perform House of Force heap exploitation attacks. Use this skill whenever the user mentions heap exploitation, House of Force, top chunk manipulation, arbitrary memory allocation, malloc manipulation, or wants to allocate chunks at specific addresses. Also trigger for CTF challenges involving heap overflows, top chunk size overwrites, or when the user needs to calculate evil_size for heap attacks. Make sure to use this skill for any binary exploitation task involving glibc heap manipulation, even if they don't explicitly say "House of Force".
5SKILL.mdUpdated Apr 16, 2026
abelrguezr/house-of-einherjar
tools
VerifiedTrustedCommunity
How to perform House of Einherjar heap exploitation to allocate memory at arbitrary addresses. Use this skill whenever the user mentions heap exploitation, glibc heap attacks, arbitrary memory allocation, off-by-one overflow exploitation, tcache poisoning, fast bin attacks, or any CTF challenge involving heap manipulation. This is essential for binary exploitation tasks where you need to control malloc() return addresses.
5SKILL.mdUpdated Apr 16, 2026
abelrguezr/heap-overflow-exploitation
testing
VerifiedTrustedCommunity
How to identify, analyze, and exploit heap overflow vulnerabilities in binary exploitation challenges and real-world scenarios. Use this skill whenever the user mentions heap overflows, memory corruption, heap grooming, tcache poisoning, fast-bin attacks, or any heap-related vulnerability in CTF challenges, binary analysis, or security research. This skill covers heap overflow fundamentals, exploitation techniques, heap grooming strategies, and real-world CVE analysis.
5SKILL.mdUpdated Apr 16, 2026