I used Fiddler to sniff traffic between iPad 2 and Jailbreakme during jailbreaking but I did not found where the PDF files are located. Could you help me find out where are PDFs that contains the exploits?
There is no PDF file, the pdf is a base64 encoded data-uri in the javascript, in the page itself, not even in a separate asset.
For those who fancy doing some analysis, here's the curl command with the required ipad UA string:
curl -A "Mozilla/5.0 (iPad; U; CPU OS 4_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8F190 Safari/6533.18.5" http://www.jailbreakme.com
the PDF is very invalid, because it never needs to masquerade as a real document, it doesn't have to pretend to implement the PDF spec correctly. This makes it somewhat resistant to analysis, it doesn't even have the required '%%EOF' marker so many tools choke on it immediately.
EDIT: There's an unterminated stream object in there which doesn't have a type, and it also has a declared length of 61 bytes and an actual length of well over 400. I think we have a winner... Unfortunately iOS shellcode analysis is waaaay over my head so I'll have to do something useful instead.