From b040db45dfc9ef9a902e48bc2718a94cd099f505 Mon Sep 17 00:00:00 2001
From: spv420
Date: Tue, 31 May 2022 19:51:14 -0400
Subject: I live in a constant state of fear and misery Do you miss me anymore? And I don't even notice When it hurts anymore Anymore Anymore Anymore
---
tools/-h | 0
tools/935csbypass.c | 14 ++++++++++++++
tools/build_native.sh | 10 +++++++++-
tools/defines | Bin 0 -> 13216 bytes
tools/defines.c | 28 ++++++++++++++++++++++++++++
tools/ent.xml | 2 ++
tools/jit_all_the_things.c | 32 +++++++++++++++++++++++++++++++-
tools/payload.s | 3 +++
tools/shc/shellcode.c | 22 ++++++++++++++++++----
9 files changed, 105 insertions(+), 6 deletions(-)
create mode 100644 tools/-h
create mode 100644 tools/935csbypass.c
create mode 100755 tools/defines
create mode 100644 tools/defines.c
create mode 100644 tools/payload.s
(limited to 'tools')
diff --git a/tools/-h b/tools/-h
new file mode 100644
index 0000000..e69de29
diff --git a/tools/935csbypass.c b/tools/935csbypass.c
new file mode 100644
index 0000000..c2685f5
--- /dev/null
+++ b/tools/935csbypass.c
@@ -0,0 +1,14 @@
+#include
+#include
+
+uint8_t payload[] = {
+    0x42, 0x01, 0x04, 0xE3,
+    0x44, 0x03, 0x44, 0xE3,
+    0x1E, 0xFF, 0x2F, 0xE1,
+};
+
+int main(int argc, char* argv[]) {
+    uint32_t (*lol)() = (uint32_t (*)())&payload;
+    printf("Hello, world! %x\n", lol());
+    return 0;
+}
\ No newline at end of file
diff --git a/tools/build_native.sh b/tools/build_native.sh
index 90ecb60..6dce749 100755
--- a/tools/build_native.sh
+++ b/tools/build_native.sh
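Review bot: The only observable result of 935csbypass.c is the value `lol()` prints, and nothing in the file records what that value should be; decoding the little-endian words of `payload[]` (E3040142 = movw r0,#0x4142; E3440344 = movt r0,#0x4344; E12FFF1E = bx lr) the expected output is `Hello, world! 43444142`, and payload.s in this same commit is presumably its source. I would put that above the array: `/* ARM-mode stub (see payload.s): movw r0,#0x4142; movt r0,#0x4344; bx lr -> returns 0x43444142. Lives in .data, so on a device that enforces code signing / W^X this is expected to crash rather than print. */`. The empty-parens declarator `uint32_t (*lol)()` should be `uint32_t (*lol)(void)` so the call is type-checked; the cast of `&payload` keeps an even address, which `blx` takes as ARM state, matching the `-marm` build. `argc`/`argv` are unused, so `int main(void)` is enough.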
@@ -11,8 +11,16 @@ rm bin/935csbypass
gcc 935csbypass.c -o bin/935csbypass --std=c99 -marm
ldid -S bin/935csbypass
+rm bin/defines
+gcc defines.c -o bin/defines --std=c99 -marm
+ldid -S bin/defines
+
rm shc/bin/shellcode
gcc shc/shellcode.c -o shc/bin/shellcode --std=c99 -marm -ffreestanding -c -fPIC
#ldid -S shc/bin/shellcode
-otool -t shc/bin/shellcode -X | cut -d " " -f 2- | tr -d "\n" | xxd -r -ps > shc/bin/shellcode.bin
\ No newline at end of file
+otool -t shc/bin/shellcode -X | cut -d " " -f 2- | tr -d "\n" | xxd -r -ps > shc/bin/shellcode.bin
+
+rm bin/jit_all_the_things
+gcc jit_all_the_things.c -o bin/jit_all_the_things --std=c99 -marm -fPIC
+ldid -Sent.xml bin/jit_all_the_things
\ No newline at end of file
diff --git a/tools/defines b/tools/defines
new file mode 100755
index 0000000..d96c3cd
Binary files /dev/null and b/tools/defines differ
diff --git a/tools/defines.c b/tools/defines.c
new file mode 100644
index 0000000..4c499b3
--- /dev/null
+++ b/tools/defines.c
@@ -0,0 +1,28 @@
+#include
+#include
+#include
+//#include
+
+uintptr_t get_dyld_shc_slide(void) {
+ return _dyld_get_image_vmaddr_slide(1);
+}
+
+uint32_t dlsym_cf(char* s) {
+ return dlsym(dlopen("/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation", RTLD_NOW), s) - get_dyld_shc_slide();
+}
+
+void fuck(char* s) {
+ printf("var %s_addr = 0x%08x;\n", s, dlsym_cf(s));
+}
+
+int main(int argc, char* argv[]) {
+ printf("#define PRINTF_ADDR 0x%x\n", dlsym(RTLD_DEFAULT, "printf"));
+// printf("%x %x %x %x %x %x %x %x\n", RTLD_NOW, dlsym_cf("kCFTypeDictionaryKeyCallBacks"), 0x41414141);//, &kCFTypeDictionaryValueCallBacks, kCFNumberSInt32Type);
+ fuck("CFDictionaryCreateMutable");
+ fuck("kCFTypeDictionaryKeyCallBacks");
+ fuck("kCFTypeDictionaryValueCallBacks");
+// fuck("kCFNumberSInt32Type");
+ fuck("CFDictionarySetValue");
+ fuck("CFNumberCreate");
+ return 0;
+}
diff --git a/tools/ent.xml b/tools/ent.xml
index 2973d1d..6de10e3 100755
--- a/tools/ent.xml
+++ b/tools/ent.xml
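Review bot: `rm bin/defines` and `rm bin/jit_all_the_things` have no `-f`, so on a fresh checkout or after a failed build each one prints an error before the compile runs; `rm -f bin/defines` / `rm -f bin/jit_all_the_things` is the idiom (the pre-existing `rm` lines in this hunk have the same problem). Nothing checks the gcc or ldid exit status either, so a failed `ldid -Sent.xml bin/jit_all_the_things` leaves a binary without the entitlements it is about to be run with; the top of the script is outside the hunk, so I cannot tell whether `set -e` is already in force — if not, add `set -eu` there or `|| exit 1` on the ldid lines. `-Sent.xml` and the `shc/...` paths both assume the cwd is `tools/`, which deserves a one-line comment. The otool pipeline extracts only `__TEXT,__text`, so anything clang places in another section (string literals, for instance) is silently missing from shellcode.bin — a comment on that line, e.g. `# only __text is captured: the shellcode must not reference rodata/strings`, would save the next person a debugging session.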
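Review bot: `dlsym_cf` never checks the result of `dlopen` or `dlsym`, so a NULL from either becomes `0 - slide`, which `fuck()` prints as a plausible-looking `var X_addr = 0x...;` that the consumer will then dereference; since this tool's whole output is addresses a payload trusts, it should fail loudly instead. `main` has the same unchecked `dlsym(RTLD_DEFAULT, "printf")`, and additionally passes a `void*` to `%x`, which is undefined behaviour — cast to `uintptr_t` and print with `PRIxPTR` (or use `%p`). `_dyld_get_image_vmaddr_slide(1)` silently assumes image index 1 is a shared-cache dylib carrying the same slide as CoreFoundation; that presumably holds on the target device, but a comment naming the assumption on `get_dyld_shc_slide` is warranted. The rewritten `dlsym_cf` below needs `fprintf`/`exit` in scope (the header names are not legible in this diff).

```c
uint32_t dlsym_cf(char* s) {
    void* h = dlopen("/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation", RTLD_NOW);
    void* sym = h ? dlsym(h, s) : NULL;
    if (!sym) {
        /* never emit a bogus address: the consumer would dereference it */
        fprintf(stderr, "dlsym_cf(%s): %s\n", s, dlerror());
        exit(1);
    }
    return (uint32_t)((uintptr_t)sym - get_dyld_shc_slide());
}
```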
@@ -11,5 +11,7 @@ get-task-allow + run-unsigned-code +
\ No newline at end of file
diff --git a/tools/jit_all_the_things.c b/tools/jit_all_the_things.c
index d955ea1..15344e9 100755
--- a/tools/jit_all_the_things.c
+++ b/tools/jit_all_the_things.c
@@ -1,10 +1,40 @@
#include
+#include
#include
+#include
+
+//uint8_t whatever[] = {0xe9, 0x2d, 0x40, 0x80, 0xe2, 0x8d, 0x70, 0x00, 0xeb, 0x00, 0x00, 0x08, 0xe8, 0xbd, 0x80, 0x80, 0xe9, 0x2d, 0x40, 0x80, 0xe2, 0x8d, 0x70, 0x00, 0xe5, 0x9f, 0x20, 0x08, 0xe5, 0x9f, 0x30, 0x08, 0xe5, 0x82, 0x30, 0x00, 0xe8, 0xbd, 0x80, 0x80, 0x41, 0x41, 0x41, 0x41, 0x42, 0x42, 0x42, 0x42};
#define PT_TRACE_ME 0
int ptrace(int, pid_t, caddr_t, int);
int main(int argc, char* argv[]) {
- ptrace(PT_TRACE_ME, 0, NULL, 0);
+// ptrace(PT_TRACE_ME, 0, NULL, 0);
+
+ uint8_t* whatever = NULL;
+ FILE* fp = fopen("shc/bin/shellcode.bin", "r");
+ fseek(fp, 0L, SEEK_END);
+ size_t sz = ftell(fp);
+ rewind(fp);
+
+ whatever = (uint8_t*)malloc(sz);
+ fread(whatever, 1, sz, fp);
+ fclose(fp);
+
+ void* exec = mmap(0x42000000, 0x1000, PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE | MAP_FIXED, 0, 0);
+
+ mprotect(exec, 0x1000, PROT_READ | PROT_WRITE);
+
+ memcpy(exec + 4, whatever, sz);
+ *(uint32_t*)exec = dlsym(RTLD_DEFAULT, "dlsym");
+
+ printf("%x\n", *(uint32_t*)exec);
+
+ mprotect(exec, 0x1000, PROT_READ | PROT_EXEC);
+
+ void (*lol)() = (void (*)())(exec + 4);
+
+ lol();
+ exit(0);
return 0;
diff --git a/tools/payload.s b/tools/payload.s
new file mode 100644
index 0000000..e8b5add
--- /dev/null
+++ b/tools/payload.s
@@ -0,0 +1,3 @@
+movw r0, #0x4142
+movt r0, #0x4344
+bx lr
\ No newline at end of file
diff --git a/tools/shc/shellcode.c b/tools/shc/shellcode.c
index e48b51d..011b5cc 100644
--- a/tools/shc/shellcode.c
+++ b/tools/shc/shellcode.c
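Review bot: The `run-unsigned-code` entitlement is added with no record of which binary needs it or what it is expected to buy; build_native.sh in this commit signs only jit_all_the_things with `-Sent.xml`, so presumably it is what lets that tool flip its anonymous mapping to PROT_EXEC. An XML comment above the key, e.g. `<!-- jit_all_the_things: lets the mmap'd page be made PROT_EXEC; only honoured where AMFI accepts ldid pseudo-signatures -->`, keeps that from being lost (the markup of this hunk is not legible here, so I cannot confirm the value is `<true/>`). Combined with `get-task-allow`, any local process can attach to and control this binary — fine for a research tool, but it should not be copied into anything that ships.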
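Review bot: `mmap` and both `mprotect` calls are unchecked, so when the RX flip is refused — the very case this tool exists to probe — execution still falls through to `lol()` and the process dies with no diagnostic; compare `exec` against `MAP_FAILED` and test `mprotect(...) == 0`, with `perror` on failure. The file handling is equally unchecked: a missing `shc/bin/shellcode.bin` makes `fseek(NULL, ...)` crash, `ftell` can return -1 which becomes a huge `size_t`, `fread` may be short, and `memcpy(exec + 4, whatever, sz)` overruns the single 0x1000-byte page whenever the blob is larger than 0x1000 - 4 bytes. On ARM, code written through a data mapping and then executed needs `sys_icache_invalidate(exec, 0x1000)` (`<libkern/OSCacheControl.h>`) or `__builtin___clear_cache` after the RX `mprotect`, otherwise stale instruction-cache lines may run. `MAP_FIXED` at 0x42000000 silently replaces anything already mapped there; the commented `BASE_ADDR` in shellcode.c is the same value so this looks intentional, but say so in a comment, and pass `-1` rather than `0` as the fd for `MAP_ANON`. `main`'s closing brace is outside the hunk; the rewritten part of its body is below.

```c
    FILE* fp = fopen("shc/bin/shellcode.bin", "r");
    if (!fp) { perror("fopen shellcode.bin"); return 1; }
    fseek(fp, 0L, SEEK_END);
    long len = ftell(fp);
    rewind(fp);
    /* the blob must fit behind the 4-byte dlsym slot in the single page mapped below */
    if (len <= 0 || (size_t)len > 0x1000 - 4) { fprintf(stderr, "bad blob size %ld\n", len); return 1; }
    size_t sz = (size_t)len;
    // … unchanged: malloc / fread / fclose (check fread returned sz) …

    /* MAP_FIXED on purpose: 0x42000000 is the BASE_ADDR the shellcode reads its dlsym pointer from */
    void* exec = mmap((void*)0x42000000, 0x1000, PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE | MAP_FIXED, -1, 0);
    if (exec == MAP_FAILED) { perror("mmap"); return 1; }

    memcpy((uint8_t*)exec + 4, whatever, sz);
    *(uint32_t*)exec = (uint32_t)(uintptr_t)dlsym(RTLD_DEFAULT, "dlsym");
    printf("%x\n", *(uint32_t*)exec);

    /* this is the check the tool exists for: report, do not silently jump into a non-executable page */
    if (mprotect(exec, 0x1000, PROT_READ | PROT_EXEC) != 0) { perror("mprotect(PROT_EXEC)"); return 1; }
    sys_icache_invalidate(exec, 0x1000);  /* <libkern/OSCacheControl.h> */

    void (*lol)(void) = (void (*)(void))((uint8_t*)exec + 4);
    lol();
    // … unchanged: exit(0); return 0; …
```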
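Review bot: Nothing ties payload.s to the 12 bytes hard-coded in `payload[]` in 935csbypass.c, and build_native.sh does not assemble it, so the two can drift without anyone noticing; a header comment such as `@ source of payload[] in 935csbypass.c (ARM mode; words E3040142 E3440344 E12FFF1E); leaves 0x43444142 in r0` records the link. If the array is meant to be regenerated from this file, an assemble-and-dump step in build_native.sh would be more robust than a comment. The file also lacks a trailing newline.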
@@ -4,7 +4,21 @@ typedef unsigned int uint32_t;
-void shellcode(void) {
- *(uint32_t*)0x41414141 = 0x42424242;
-// __builtin_unreachable();
-}
\ No newline at end of file
+//#define PRINTF_ADDR 0x2054a3b9
+//#define BASE_ADDR 0x42000000
+
+void entry(void) {
+ *(uint32_t*)0x69696969 = (uint32_t)0x1;
+ /*
+ uint32_t dlsym_addr = *(uint32_t*)BASE_ADDR;
+ void* (*dlsym)(void* handle, char* s) = (void* (*)(void*, char*))dlsym_addr;
+ void (*abort)(void) = dlsym(0xfffffffe, "abort");
+ abort();*/
+}
+
+/*
+void shellcode_main(void) {
+ uint32_t puts_addr = *(uint32_t*)BASE_ADDR;
+ int (*puts)(char* s) = (int (*)(char* s))puts_addr;
+ puts("Hello from shellcode!\n");
+}*/
\ No newline at end of file
-- cgit v1.2.3
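Review bot: `entry` has an implicit ABI contract with jit_all_the_things.c that is written down nowhere: the loader copies this blob to `BASE_ADDR + 4`, stores the address of `dlsym` in the word at `BASE_ADDR`, and jumps to the blob's first byte, so `entry` must stay the first function clang emits into `__text` and must take no arguments. A header comment stating that (and noting that `BASE_ADDR` is only commented out because the live body does not use it yet) would stop the next edit from silently breaking it. The live statement `*(uint32_t*)0x69696969 = (uint32_t)0x1;` is presumably a deliberate fault so the crash report proves the blob ran; say so, e.g. `/* intentional fault: a crash at pc in the 0x42000000 page proves we got here */`, since as written it reads like a leftover. Worth adding next to the commented `shellcode_main` as well: build_native.sh extracts only `__TEXT,__text`, so a literal like `"Hello from shellcode!\n"` lands in `__cstring` and is not part of shellcode.bin, which may be why that version never worked.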