On the TianfuCup PWN Contest held in November last year, I demonstrated the remote jailbreak of the latest iOS system on iPhoneX. This article is about the Stage 2 of this exploit chain. Here I used a kernel vulnerability that can be directly reached in the sandbox. (I named it Chaos), so after realizing the RCE of Safari, we can trigger this vulnerability directly from the Safari sandbox, thus achieving the remote jailbreak.

http://blogs.360.cn/post/IPC%20Voucher%20UaF%20Remote%20Jailbreak%20Stage%202%20(EN).html