
CVE-2018-4087

Published: 03/04/2018 Updated: 27/04/2018
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
VMScore: 937
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

An issue was discovered in certain Apple products. iOS before 11.2.5 is affected. tvOS before 11.2.5 is affected. watchOS before 4.2.2 is affected. The issue involves the "Core Bluetooth" component (the bluetoothd daemon). It allows an attacker to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. Note that the CVSS v2 vector above scores the bug as network-reachable (AV:N), while the description and the CVSS v3 exploitability score (1.8, i.e. local attack vector with low privileges) reflect what the issue actually is: a sandboxed app already running on the device talking to bluetoothd over Mach IPC.

Vulnerable Products

apple iphone os

apple apple tv

apple watchos

Exploits

//
//  main.m
//  bluetoothdPoC
//
//  Created by Rani Idan.
//  Copyright © 2018 zLabs. All rights reserved.
//

#import "AppDelegate.h"
#include <mach/mach.h>

extern kern_return_t bootstrap_look_up(mach_port_t bs, const char *service_name, mach_port_t *service);

/* When hijacking session between bluetoothd and client, add callback to t ...

Github Repositories

A sandbox escape based on the proof-of-concept (CVE-2018-4087) by Rani Idan (Zimperium)

UnjailMe: A sandbox escape based on: the proof-of-concept (CVE-2018-4087) by Rani Idan (Zimperium); @cheesecakeufo's securityd overflow proof-of-concept (zero-day, no CVE known, thank you Abraham!). About the ZIMPERIUM PoC: Rani used sbtool from Jonathan Levin to find out what services were accessible for communication from within the sandbox. He then found under more blueto...
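The reachability check described above (which Mach services a sandboxed process can look up, and therefore which daemons are attack surface for it) is the first step of both the PoC snippet under Exploits and the UnjailMe notes. The following is an added example, written for this page; it is not code from the bluetoothdPoC or UnjailMe repositories. It takes the service names to test on the command line rather than assuming any particular bluetoothd service name, and it only reports whether bootstrap_look_up() grants a send right, releasing the port immediately.

```objective-c
//
//  machprobe.m  (added example; not part of any repository listed on this page)
//
//  Probe which Mach bootstrap services the calling process can reach.
//  From inside an app sandbox, bootstrap_look_up() on a service name either
//  returns a send right (that daemon is reachable, so its MIG/XPC handlers are
//  attack surface for the app) or is refused by the sandbox / launchd.
//
//  Build on macOS:  clang -framework Foundation -o machprobe machprobe.m
//  Run:             ./machprobe <mach-service-name> [...]
//  Service names are supplied by the user; none are assumed here.
//
#import <Foundation/Foundation.h>
#include <mach/mach.h>
#include <servers/bootstrap.h>

typedef struct {
    const char   *name;      // service name that was probed
    kern_return_t kr;        // raw bootstrap_look_up() result
    BOOL          reachable; // YES if a valid send right came back
} probe_result;

// Look up one service and drop the send right straight away: the point is
// only to learn whether the lookup is permitted, not to talk to the daemon.
static probe_result probe_service(const char *name) {
    probe_result r = { name, KERN_FAILURE, NO };
    mach_port_t port = MACH_PORT_NULL;

    r.kr = bootstrap_look_up(bootstrap_port, name, &port);
    if (r.kr == BOOTSTRAP_SUCCESS && MACH_PORT_VALID(port)) {
        r.reachable = YES;
        mach_port_deallocate(mach_task_self(), port);
    }
    return r;
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        if (argc < 2) {
            fprintf(stderr, "usage: %s <mach-service-name> [...]\n", argv[0]);
            return 2;
        }

        int reachable = 0;
        for (int i = 1; i < argc; i++) {
            probe_result r = probe_service(argv[i]);
            // bootstrap_strerror() turns e.g. BOOTSTRAP_UNKNOWN_SERVICE or
            // BOOTSTRAP_NOT_PRIVILEGED into a readable string.
            printf("%-60s %s (%s)\n", r.name,
                   r.reachable ? "REACHABLE" : "denied",
                   bootstrap_strerror(r.kr));
            reachable += r.reachable ? 1 : 0;
        }
        printf("%d of %d services reachable from this process\n",
               reachable, argc - 1);
    }
    return 0;
}
```

To reproduce the kind of survey the notes describe, run the binary once unsandboxed and once from inside an App Sandbox (or an iOS app target) with the same list of names and diff the two outputs: every name that is reachable in the sandboxed run is a daemon whose IPC interface is exposed to third-party apps and deserves the same fuzzing and review that bluetoothd got here.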

POC for CVE-2018-4327

brokentooth: POC for CVE-2018-4327 (at least I think so, since CVE-2018-4327 and CVE-2018-4330 were both discussed by @SparkZheng but it's not clear from him which one relates to which bug; since he described this one first I'm taking a guess). Tested on iPhone 6S 11.3.1. Should work until 11.4. Lets you set the PC (ARM's version of the IP register) to a value...

CVE-2018-4330 POC for iOS

toothfairy: Related to brokentooth (linked below). Unlike brokentooth, toothfairy does not require pressing buttons in the Bluetooth menu. Both CVEs were revealed by @SparkZheng but with no POC, so I decided to make a POC for the learning experience. The code is not perfect but it does the job. Tested on iPhone 6S 11.3.1. Should work until 11.4. Lets you set the PC (ARM...

CVE-2018-4087 PoC

@RaniXCH bluetoothdPoC: CVE-2018-4087 PoC. ETA son? (Is it a jailbreak?) Depends, got any kernel vulnerability? You're welcome to chain them together. This one allows you to have a huge attack surface from within the sandbox. www.weibo.com/ttarticle/p/show?id=2309404271293301154324 - @SparkZheng - iOS jailbreak internals (2): Escaping sandbox using callbacks. References: ht...

Exploit iOS 11.2.x by ZIMPERIUM and semi-completed by me. Sandbox escapes on CVE-2018-4087.

Exploit112: Exploit iOS 11.2.x by ZIMPERIUM and semi-completed by me. Sandbox escapes on CVE-2018-4087. This also checks for root access (incomplete). You can create an app to run the exploit on your device (if you are a developer) and turn on root access. Thanks to: • RaniXCH, Adam Donenfeld, Abraham Masri and the ZIMPERIUM TEAM • th0ex & x0x8_os for collaboratin...

Recent Articles

It's 2018 and your Macs, iPhones can be pwned by playing evil music
The Register • Shaun Nichols in San Francisco • 24 Jan 2018

Meanwhile, HomePod inches closer to actually shipping, allegedly

Apple has released security patches for iOS and macOS that include, among other things, Meltdown and Spectre fixes. The new versions should be installed as soon as possible. On macOS, the update will be delivered as High Sierra 10.13.3 or Security Update 2018-001 for Sierra and El Capitan machines. Headlining the security update is a patch for CVE-2017-5754, better known as Meltdown. The Intel processor bug allows malicious code to potentially read sensitive data and personal information, such a...