#pragma once
#include "ps4.h"
// Force inlining so the helpers below are emitted into kernelPayload itself
// rather than called; presumably so the payload stays a single self-contained blob.
#define Inline static inline __attribute__((always_inline))
// Kernel offsets relative to the kernel text base returned by getKernelBase().
// Every one of them is firmware-specific (the author tags them 5.01); on any other
// firmware they land in unrelated code or data, so nothing in this header is
// valid without a firmware-version check done elsewhere.
#define KERN_XFAST_SYSCALL 0x1C0 //5.01 https://twitter.com/C0rpVultra/status/992789973966512133
#define KERN_PROCESS_ASLR 0x194765 //5.01 - kernel text, overwritten with 0x9090 by kernelPayload
#define KERN_PRISON_0 0x10986A0 //5.01 - kernel global holding the pointer installed as cr_prison
#define KERN_ROOTVNODE 0x22C19F0 //5.01 - kernel global holding the pointer installed as fd_rdir/fd_jdir
#define KERN_PTRACE_CHECK 0x30D633 //5.01 - kernel text, overwritten with 0xEB by kernelPayload
// CR0 bit 16, Write Protect: while clear, supervisor-mode writes ignore the
// read-only bit of page-table entries, which is what lets kernelPayload store
// into kernel text.
#define X86_CR0_WP (1 << 16)
// Opaque stand-in for the kernel's struct auditinfo_addr. Only its size matters:
// it is embedded by value in struct ucred below and pads the members after it
// to the offsets the targeted kernel uses. Nothing reads or writes its contents.
struct auditinfo_addr {
    /*
    Author's field notes (size in bytes). They do not add up to 184, so only the
    total size, not the field list, is relied on by this header.
    4 ai_auid;
    8 ai_mask;
    24 ai_termid;
    4 ai_asid;
    8 ai_flags;
    */
    char useless[184];
};
// Partial mirror of the kernel's struct ucred for the firmware the KERN_* offsets
// target. The useless* members are layout padding only; they are never accessed
// by name. kernelPayload writes cr_uid, cr_ruid, cr_rgid, cr_groups[0] and
// cr_prison, and separately pokes three Sony-specific words past the end of this
// mirror through a raw pointer (see td_ucred in kernelPayload).
struct ucred {
    uint32_t useless1;
    uint32_t cr_uid; // effective user id
    uint32_t cr_ruid; // real user id
    uint32_t useless2;
    uint32_t useless3;
    uint32_t cr_rgid; // real group id
    uint32_t useless4;
    void *useless5;
    void *useless6;
    void *cr_prison; // jail(2) the process belongs to
    void *useless7;
    uint32_t useless8;
    void *useless9[2];
    void *useless10;
    struct auditinfo_addr useless11; // sized padding, see struct auditinfo_addr
    uint32_t *cr_groups; // supplementary groups; only [0] is touched here
    uint32_t useless12;
};
// Partial mirror of the kernel's per-process file-descriptor table; only the
// two directory vnode pointers after 24 bytes of padding are used.
struct filedesc {
    void *useless1[3];
    void *fd_rdir; // root directory vnode; kernelPayload points it at the kernel's root vnode
    void *fd_jdir; // jail directory vnode; kernelPayload points it at the same root vnode
};
// Partial mirror of the kernel's struct proc: 64 bytes of padding, then the two
// pointers kernelPayload needs.
struct proc {
    char useless[64];
    struct ucred *p_ucred; // process credentials (see struct ucred)
    struct filedesc *p_fd; // file-descriptor table (see struct filedesc)
};
// Partial mirror of the kernel's struct thread: only td_proc at offset 8 is
// named. kernelPayload additionally reads a ucred pointer at raw offset 304 of
// the same object, which this mirror does not cover.
struct thread {
    void *useless;
    struct proc *td_proc; // owning process
};
// Entry point of the kernel-mode payload; defined at the bottom of this header.
// The (td, uap) shape matches a FreeBSD-style syscall handler; uap is unused.
int kernelPayload(struct thread *td, void* uap);
// Named as a CR0 read; kernelPayload keeps its result and hands it back to
// writeCr0 to restore the register after clearing WP. Moves to/from control
// registers are privileged, so this is only valid while executing in ring 0.
// The asm is volatile with a "memory" clobber so the compiler neither drops it
// nor reorders it relative to the kernel-text stores that follow.
Inline uint64_t readCr0(void) {
    uint64_t cr0;
    __asm__ __volatile__(
        "movq %0, %%cr0"
        : "=r" (cr0)
        : : "memory"
    );
    return cr0;
}
// Named as a CR0 write; kernelPayload calls it once with WP cleared and once
// with the saved value to restore it. Privileged, ring 0 only. Volatile plus a
// "memory" clobber keeps the compiler from moving the surrounding stores across it.
Inline void writeCr0(uint64_t cr0) {
    __asm__ __volatile__(
        "movq %%cr0, %0"
        : : "r" (cr0)
        : "memory"
    );
}
// Recover the kernel text base from the SYSCALL entry point: rdmsr with
// ECX = 0xC0000082 reads IA32_LSTAR, which holds the 64-bit syscall handler
// address; that handler sits KERN_XFAST_SYSCALL bytes past the base on the
// targeted firmware, so subtracting the offset yields the base. Privileged
// (ring 0 only) and correct only for the firmware KERN_XFAST_SYSCALL was
// taken from. Note the empty parameter list; `(void)` would make this a prototype.
Inline uint8_t* getKernelBase() {
    uint32_t lo, hi;
    __asm__ __volatile__("rdmsr" : "=a" (lo), "=d" (hi) : "c"(0xC0000082));
    return (uint8_t*)(((uint64_t)lo | ((uint64_t)hi << 32)) - KERN_XFAST_SYSCALL);
}
// Kernel-mode payload run in the context of the calling thread `td`; `uap` is
// unused. In order it: overwrites the process credentials to uid/gid 0, escapes
// the jail by installing prison0 and the root vnode, overwrites three
// Sony-specific ucred words (named by the sceSbl* comments), and patches two
// locations of kernel text while CR0.WP is cleared. Every offset and patch byte
// is tied to firmware 5.01 (see the KERN_* comments); nothing here validates the
// firmware, the recovered kernel base, or any pointer it dereferences.
// From a detection standpoint the persistent artifacts are a ucred with uid 0 and
// cr_prison == prison0, a filedesc with fd_rdir == fd_jdir == rootvnode, and two
// modified kernel-text locations at KERN_PTRACE_CHECK and KERN_PROCESS_ASLR.
// Returns 0 unconditionally.
int kernelPayload(struct thread *td, void* uap) {
    uint8_t* ptrKernel = getKernelBase();
    struct ucred* cred = td->td_proc->p_ucred;
    struct filedesc* fd = td->td_proc->p_fd;
    // Escalate privileges: effective uid, real uid, real gid and the first
    // supplementary group all become 0.
    cred->cr_uid = 0;
    cred->cr_ruid = 0;
    cred->cr_rgid = 0;
    cred->cr_groups[0] = 0;
    // Escape sandbox: both kernel globals hold pointers; the process inherits
    // the host prison and its root and jail directories become the real root.
    void** prison0 = (void**)&ptrKernel[KERN_PRISON_0];
    void** rootvnode = (void**)&ptrKernel[KERN_ROOTVNODE];
    cred->cr_prison = *prison0;
    fd->fd_rdir = fd->fd_jdir = *rootvnode;
    // Raw offset into struct thread, not covered by the mirror above; the author
    // asserts it is the same ucred as p_ucred.
    void *td_ucred = *(void **)(((char *)td) + 304); // p_ucred == td_ucred
    // The next three stores target Sony-specific fields beyond the end of the
    // mirrored struct ucred; each comment names the kernel check that reads it.
    // sceSblACMgrIsSystemUcred
    uint64_t *sonyCred = (uint64_t *)(((char *)td_ucred) + 96);
    *sonyCred = 0xffffffffffffffff;
    // sceSblACMgrGetDeviceAccessType
    uint64_t *sceProcType = (uint64_t *)(((char *)td_ucred) + 88);
    *sceProcType = 0x3801000000000013; // Max access
    // sceSblACMgrHasSceProcessCapability
    uint64_t *sceProcCap = (uint64_t *)(((char *)td_ucred) + 104);
    *sceProcCap = 0xffffffffffffffff; // Sce Process
    // Disable write protection so the two kernel-text stores below are honored.
    uint64_t cr0 = readCr0();
    writeCr0(cr0 & ~X86_CR0_WP);
    // Disable ptrace check: one byte of the check becomes 0xEB (jmp rel8).
    ptrKernel[KERN_PTRACE_CHECK] = 0xEB;
    // Disable process aslr: two bytes become 0x90 0x90 (nop; nop).
    *(uint16_t*)&ptrKernel[KERN_PROCESS_ASLR] = 0x9090;
    // Enable write protection: restore the CR0 value saved above.
    writeCr0(cr0);
    return 0;
}