
Pass along kern credentials in case we need them later

Sticktron 6 years ago
parent
commit
396d2928c5
3 changed files with 14 additions and 7 deletions
  1. 4 1
      g0blin/ViewController.m
  2. 2 1
      g0blin/v0rtex.h
  3. 8 5
      g0blin/v0rtex.m

+ 4 - 1
g0blin/ViewController.m

@@ -33,6 +33,7 @@
 static task_t tfp0;
 static uint64_t kslide;
 static uint64_t kbase;
+static uint64_t kcred;
 
 
 @implementation ViewController
@@ -101,7 +102,7 @@ static uint64_t kbase;
     
     [self log:@"exploiting kernel"];
     
-    kern_return_t ret = v0rtex(&tfp0, &kslide);
+    kern_return_t ret = v0rtex(&tfp0, &kslide, &kcred);
     
     dispatch_async(dispatch_get_main_queue(), ^{
         
@@ -120,6 +121,8 @@ static uint64_t kbase;
         kbase = kslide + 0xFFFFFFF007004000;
         LOG("kern base -> 0x%llx", kbase);
         
+        LOG("kern cred -> 0x%llx", kcred);
+
         [self bypassKPP];
     });
 }
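Review bot: The new `static uint64_t kcred;` (and the existing `static uint64_t kslide;`) are now passed to a prototype that takes `kptr_t *`, so caller and header only agree if `kptr_t` is a typedef of `uint64_t`, which this page does not show; declaring them as `static kptr_t kslide;` and `static kptr_t kcred;` lets the caller track the prototype instead of relying on that assumption. `LOG("kern cred -> 0x%llx", kcred);` sits inside the dispatched block whose surrounding success check, if any, is outside the hunk; since `v0rtex` writes its out-parameters only on its success path, the value is meaningful only after `ret` has been checked, and a reader should be able to see that guard near the log line. The enclosing method starts outside the hunk.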

+ 2 - 1
g0blin/v0rtex.h

@@ -5,6 +5,7 @@
 #include "common.h"
 
 //kern_return_t v0rtex(task_t *tfp0, kptr_t *kslide, kptr_t *kernucred, kptr_t *selfproc);
-kern_return_t v0rtex(task_t *tfp0, uint64_t *kslide);
+kern_return_t v0rtex(task_t *tfp0, kptr_t *kslide, kptr_t *kernucred);
+//kern_return_t v0rtex(task_t *tfp0, uint64_t *kslide);
 
 #endif
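Review bot: The hunk leaves two commented-out prototypes around the live one (the `selfproc` variant above it and the new `//kern_return_t v0rtex(task_t *tfp0, uint64_t *kslide);` below), so a reader has to compare three near-identical lines to find the one that compiles; version control already records the old signatures. Dropping both commented lines and documenting the live prototype with something like `/// Out-parameters are written only when KERN_SUCCESS is returned; all three pointers must be non-NULL.` states the contract that the definition in v0rtex.m actually enforces, which the commented history does not.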

+ 8 - 5
g0blin/v0rtex.m

@@ -431,10 +431,10 @@ typedef union
     } b;
 } ktask_t;
 
-//kern_return_t v0rtex(task_t *tfp0, kptr_t *kslide, kptr_t *kernucred, kptr_t *selfproc)
-kern_return_t v0rtex(task_t *tfp0, uint64_t *kslide) {
-    kern_return_t retval = KERN_FAILURE,
-    ret;
+//kern_return_t v0rtex(task_t *tfp0, kptr_t *kslide, kptr_t *kernucred, kptr_t *selfproc) {
+//kern_return_t v0rtex(task_t *tfp0, uint64_t *kslide) {
+kern_return_t v0rtex(task_t *tfp0, kptr_t *kslide, kptr_t *kernucred) {
+    kern_return_t retval = KERN_FAILURE, ret;
     task_t self = mach_task_self();
     host_t host = mach_host_self();
     
@@ -1215,10 +1215,13 @@ zm_tmp < zm_hdr.start ? zm_tmp + 0x100000000 : zm_tmp \
     
     *tfp0 = kernel_task;
     *kslide = slide;
-//    *kernucred = kern_ucred;
+    *kernucred = kern_ucred;
 //    *selfproc = self_proc;
+    
     retval = KERN_SUCCESS;
     
+    
+    
 out5:;
     _kernelrpc_mach_port_destroy_trap(self, maps[0]);
     _kernelrpc_mach_port_destroy_trap(self, maps[1]);
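Review bot: `*kernucred = kern_ucred;` is an unguarded write through the newly added out-parameter, so a caller that passes NULL because it has no use for that value will fault; either guard it with `if (kernucred) *kernucred = kern_ucred;` or state in the header that all three out-parameters are required, which the existing unconditional `*tfp0` and `*kslide` writes already assume. The three blank lines added around `retval = KERN_SUCCESS;` are whitespace noise, and the `//    *selfproc = self_proc;` line together with the two commented-out prototypes in the earlier hunk of this file are dead code that should be removed rather than carried forward. The function body continues outside the hunk.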