How to jailbreak iOS 9.3.2

This document describes a theoretical chain of vulnerabilities which could theoretically be exploited by an experienced security researcher in order to theoretically perform a tethered jailbreak of iOS 9.3.2, install Cydia, and obtain root access. After a reboot, any device on which this method is applied will need to be restored in order to regain functionality, which updates the device to the latest version of iOS. For this reason, it is strongly recommended that this guide not be followed by anyone who does not wish to bear the consequences of such a device restore.

Prerequisites

In order to perform this jailbreak, it is necessary to exploit a bug in WebCore, which requires an Apache (or similar) web server. It is also necessary to have a method of sending raw TCP and UDP packets over a network to the device, an SSH client, and software such as telnet, netcat, or similar.

Setting up WebCore

Next, test your exploitation environment by setting up a basic implementation of the WebCore bug. The code for this vulnerability can be found on GitHub, but a sample is provided below for convenience. Create a file at the index of the web server, index.html:

<html>
<script>
document.write('<iframe src="1.html"></iframe>');
</script>
</html>

Another file named 1.html should then be created, with the following contents:

<html>
<iframe src='2.html'></iframe>
<iframe src='3.html'></iframe>
</html>

2.html will contain the following code:

<html>
<script>
parent.stop();
</script>
</html>

Finally, 3.html should contain:

<html>
</html>

This vulnerability will trigger an OutOfMemoryException which, unless other action (detailed below) is taken, will cause the WebCore process to stop.

Memory manipulation in preparation for arbitrary code execution

The next step is to manipulate the contents of the memory associated with the WebCore process. This is achieved by loading arbitrary and seemingly random web page content into memory. When the OutOfMemoryException occurs, the process would normally be killed, unless it continues to respond to prompts from the kernel. First, a small binary should be compiled that will be downloaded into memory so that the process continues to appear responsive even after the original process has crashed. This procedure is known as process hijacking: the arbitrary replacement of one process by another. The binary should be downloaded to the device from the web server before the WebCore crash is triggered, so that the process appears to keep responding as normal. This arbitrary process zombie should then contact the web server, request a larger payload containing further vulnerabilities (detailed below), and execute that payload.

Further exploitation

At this point, a payload containing the GasGauge (or similar) vulnerability can be executed with the permissions of the mobile user. In effect, this serves as the sandbox escape that this vulnerability requires. The memory maps obtained from this vulnerability can then be used to exploit the kernel.

Kernel access

The kernel vulnerability used to complete this jailbreak is CVE-2016-1863. The memory maps obtained through GasGauge can be used to locate a memory position where this vulnerability can be applied, allowing code to be executed with kernel privileges. At this point, further binaries can be downloaded from the web server, verified with AMFID, and executed under AMFI (vulnerable due to a recent change). The Cydia binary could then be downloaded and installed onto the system, allowing packages and tweaks to be installed.