iOS 9.3.2 web-based jailbreak

How to jailbreak iOS 9.3.2

This document describes a theoretical chain of vulnerabilities
which could theoretically be exploited by an experienced security
researcher in order to theoretically preform a tethered jailbreak
of iOS 9.3.2, install Cydia, obtain root access. After a reboot,
any devices on which this method are applied will need to be
subject to a restore in order to restore functionality, thus
updating said devices to the latest version of iOS. For this
reason, it is highly not recommended that this guide be followed
by anyone who does not wish to bare the consequences of such a
device restore.

Prerequisits

In order to preform this jailbreak, it is necisary that we exploit
a bug in the WebCore which requires an Apache (or simular) web
server. It is also necisary that you have a method of sending
raw TCP and UDP packets over a network to the device, an SSH
client, and software such as telnet, netcat, or simular software.

Setting up WebCore

It is next required to test your exploitation environment. Set up
a basic implementation of the WebCore bug. The code for this
vulnerability can be found on GitHub, but a sample is available
below for convenience. A file should be created at the index of
the web server: index.html

<html>
<script>
document.write('<iframe src="1.html"</iframe>');
</script>
</html>

another file with the name 1.html should then be created, with
the following contents:

<html>
<iframe src='2.html'></iframe>
<iframe src='3.html'></iframe>
</html>

2.html will contain the following code:

<html>
<script>
parent.stop();
</script>
</html>

finally, 3.html should contain

<html>
</html>

This vulnerability will create an OutOfMemoryException, which,
unless other action (detailed below) is taken, will cause the
WebCore process to stop.

Memory manipulation in preparation for arbitrary code execution

It is the next required step to manipulate the contents of the
memory assiciated with the WebCore process. This can be achieved
by the utilization of arbitrary and seemingly random webpage
content being loaded into the memory. Upon the occurance fo the
OutOfMemoryException, the process would usually be killed, unless
it continues to respond to prompts from the kernel. First, a small
binary should be compiled that will be downloaded into the memory
in order to cause the process to continue to seem to respond, even
after the original process has crashed. This procedure is known
as process hijacking, or the arbitrary replacement of a process
by another process. A binary file should be downloaded to the
device from the web server before the execution of the WebCore
crash. This will cause the process to seem to continue to respond
as normal. This arbitrary process zombie should then contact the
web server, requrest a larger payload containing further
vulnerabilities (detailed below) and execute said payload.

Further exploitation

At this point, a payload containing the GasGague (or simular)
vulnerability can be executed, with the permissions of the
mobile user. In effect, this serves as the sandbox
escape that this vulnerability requires. The memory maps obtained
from this vulnerability can then be used to exploit the kernel.

Kernel access

The kernel vulnerability that is utilized for the completion of
this jailbreak is CVE-2016-1863. The memory maps obtained by
GasGague can be used to locate a memory position where this
vulnerability can then be implemented. This will allow for the
execution of code with kernel priveleges. At this point, more
binaries can be downloaded from the web server, verified with
AMFID, and executed with AMFI (vuln due to a recent change).
The cydia binary could then be downloaded and installed onto
the system, allowing for the installation of pachages and tweaks.

Now if only I could compile English into Objective-C :/