Add source code

Not closing issue #3 yet as this hasn't been tested.
sleirsgoevy · Jul 17, 2020 · 300ced0 · 300ced0
1 parent f860d82
commit 300ced0
Show file tree

Hide file tree

Showing 8 changed files with 818 additions and 0 deletions.
diff --git a/.gitmodules b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "src/8cc"]
+	path = src/8cc
+	url = https://github.com/sleirsgoevy/ps4-rop-8cc
diff --git a/README.md b/README.md
@@ -0,0 +1,22 @@
+# ps4jb
+
+This is a full chain exploit for PS4 firmware 6.72. Basically this is TheFlow's POC together with PS4-specific kROP & kernel patches. [Mira](https://github.com/OpenOrbis/mira-project) is used as a HEN payload.
+
+## Building from source
+
+To build from source, clone this repository recursively, and run these commands:
+
+```
+cd src
+make
+```
+
+You will get a fresh copy of the binary build in `src/build/`.
+
+Dependencies: `python3`, `gcc`, `ROPgadget`. Note: Mira is not being built from source
+
+## Adding your own payloads
+
+`miraldr.c` loads 65536 bytes at address stored in JS variable `mira_blob` into RWX memory and jumps to it. At this point only the minimal patches (amd64_syscall, mmap, mprotect, kexec) are applied (i.e. the process is still "sandboxed"). Normally `mira_blob` contains MiraLoader.
+
+`mira_blob_2_len` bytes at `mira_blob_2` are sent to `127.0.0.1:9021` in a background thread. If `mira_blob` contains MiraLoader this will be run in the same way but with the full patchset applied & already jailbroken.
diff --git a/src/8cc b/src/8cc
diff --git a/src/Makefile b/src/Makefile
@@ -0,0 +1,39 @@
+all: build/jb/c-code.js build/mira/mira.js build/mira/mira2.js build/mira/c-code.js copy_js
+
+clean:
+	rm -rf build
+
+8cc_setup:
+	cd 8cc; make
+
+build/jb/c-code.js: 8cc_setup kex.c
+	mkdir -p build/jb
+	8cc/8cc/python/rop-ps4-8cc /dev/stdout 8cc/librop/*.c 8cc/printf/*.c 8cc/ps4/*.c kex.c | python3 8cc/bad_hoist/rop/compiler.py /dev/stdin 8cc/bad_hoist/dumps/gadgets.txt > build/jb/c-code.js
+
+build/mira/c-code.js: 8cc_setup miraldr.c
+	mkdir -p build/mira
+	8cc/8cc/python/rop-ps4-8cc /dev/stdout 8cc/librop/*.c 8cc/printf/*.c 8cc/ps4/*.c miraldr.c | python3 8cc/bad_hoist/rop/compiler.py /dev/stdin 8cc/bad_hoist/dumps/gadgets.txt > build/mira/c-code.js
+
+miraldr.bin:
+	echo 'Place MiraLoader payload at miraldr.bin'
+	exit 1
+
+mira.elf:
+	echo 'Place Mira ELF here at miraldr.bin'
+	exit 1
+
+build/mira/mira.js: gen_mira_blob.py miraldr.bin
+	mkdir -p build/mira
+	python3 gen_mira_blob.py miraldr.bin > build/mira/mira.js
+
+build/mira/mira2.js: gen_mira_blob_2.py mira.elf
+	mkdir -p build/mira
+	python3 gen_mira_blob_2.py mira.elf > build/mira/mira2.js
+
+copy_js:
+	mkdir -p build/common
+	cp 8cc/bad_hoist/exploit.js 8cc/bad_hoist/helpers.js 8cc/bad_hoist/malloc.js build/common/
+	cp 8cc/bad_hoist/rop/rop.js build/common/
+	cp 8cc/bad_hoist/dumps/syscalls.txt build/common/syscalls.js
+	cp 8cc/build/syscall_names.txt build/common/syscalls2.js
+	cp ../index.html build/
diff --git a/src/gen_mira_blob.py b/src/gen_mira_blob.py
@@ -0,0 +1,4 @@
+import sys
+
+print('window.mira_blob = malloc(65536);')
+print('write_mem(window.mira_blob, %r);'%list(open(sys.argv[1], 'rb').read()))
diff --git a/src/gen_mira_blob_2.py b/src/gen_mira_blob_2.py
@@ -0,0 +1,6 @@
+import sys
+
+data = list(open(sys.argv[1], 'rb').read())
+print('window.mira_blob_2_len = %d'%len(data))
+print('window.mira_blob_2 = malloc(window.mira_blob_2_len);')
+print('write_mem(window.mira_blob_2, %r);'%data)