My purpose was not to target JavaScriptCore directly, as many fuzzers do, but to repeatedly open the Safari browser itself against fuzzed files. I know it is painfully slow, but it still looked like fun to explore.
Requirements:
Jailbroken iPhone with at least the following packages installed:
OpenSSH
Nano
Cr4shed
Warm Up:
First, I had to find a way to open a URL from the iOS command line. After some research I finally found the command:
uiopen http://bilishim.com
That let me write a simple bash script that periodically opens the target website:
#!/bin/bash
# try.sh (iOS side): open the page, give Safari a few seconds to render it,
# then kill it so the next iteration starts from a fresh MobileSafari process.
while true; do
    uiopen http://bilishim.com/test.html
    sleep 5
    killall -9 MobileSafari 2>/dev/null
done
Action:
At this step I had to prepare some input files. I used the kirlangic font fuzzer by SignalSEC (https://github.com/SignalSEC/kirlangic-ttf-fuzzer) for this purpose. This fuzzer applies byte flipping to a sample TTF font file and then recalculates the checksums the font format requires, so the mutated files are still structurally valid.
So far so good, but there was an issue. As part of the fuzzing I planned to request URLs with sequential numbers such as sample1.pdf, sample2.pdf and so on. However, the iPhone opens every new URL as a new tab and keeps it cached, which means the cache memory would quickly overflow.
So I decided to write another bash script on the web server side that copies each sampleN.pdf in turn to a fixed name, sample.pdf, so the device always requests the same URL.
#!/bin/bash
# loop.sh (web server side): every 5 seconds make the next fuzzed file the
# current sample.pdf and record its name and the time in log.txt, so a crash
# time can later be matched to the file that was being served.
for i in {1..2267}
do
    echo "sample$i.pdf"
    echo "sample$i.pdf + $(date +"%H:%M:%S")" >> log.txt
    cp "sample$i.pdf" "sample.pdf"
    sleep 5
done
Knock out:
Now all I had to do was run both try.sh (on the iOS side) and loop.sh (on the web server side) at the same time.
After many runs, it is fun to check Cr4shed for a possible crash and match its timestamp against log.txt to see which sample was being served.
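As an added example (not the author's script), here is a variant of the server-side loop that logs an epoch timestamp next to each sample name, plus a small lookup that maps a crash time, such as one read from a Cr4shed report, back to the sample that was live at that moment. The directory and file names, and the `run` argument, are assumptions made for this example.

```bash
#!/bin/bash
# Added example: server-side sample rotation with a machine-readable log and a
# crash-time lookup. Assumed layout: samples are $SAMPLE_DIR/sample<N>.pdf and
# the file Safari fetches is $LIVE_FILE (both names are constructed here).
SAMPLE_DIR="${SAMPLE_DIR:-./samples}"
LIVE_FILE="${LIVE_FILE:-./sample.pdf}"
LOG_FILE="${LOG_FILE:-./log.txt}"

# Copy sample number $1 into place and append "<epoch> <name>" to the log.
# Returns 1 (and logs nothing) if that sample does not exist.
serve_sample() {
    local idx="$1"
    local src="$SAMPLE_DIR/sample$idx.pdf"
    [ -f "$src" ] || return 1
    cp "$src" "$LIVE_FILE"
    printf '%s %s\n' "$(date +%s)" "sample$idx.pdf" >> "$LOG_FILE"
}

# Serve samples $1..$2 in order, waiting $3 seconds (default 5) between them.
rotate_samples() {
    local first="$1" last="$2" delay="${3:-5}" i
    for i in $(seq "$first" "$last"); do
        serve_sample "$i" || continue
        sleep "$delay"
    done
}

# Print the name of the sample that was live at epoch time $1: the last log
# entry whose timestamp is not later than that time (prints nothing if none).
sample_at() {
    local when="$1"
    awk -v t="$when" '$1 <= t { last = $2 } END { if (last != "") print last }' "$LOG_FILE"
}

# Usage: ./rotate.sh run <first> <last> [delay]   (e.g. run 1 2267 5)
if [ "${1:-}" = "run" ] && [ "$#" -ge 3 ]; then
    rotate_samples "$2" "$3" "${4:-5}"
fi
```

Pair it with the device-side try.sh loop from above; when Cr4shed records a crash, convert its time to an epoch value and pass it to sample_at to recover the offending file.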