@psxdev
Created October 2, 2022 22:18
Gist: psxdev/0359d0127de26ce5898b298aa5c7e322
prospero kernel exploit under bdj
[HOST] debugnet listener up
[HOST] ready to have a lot of fun!!!
[PROSPERO][INFO] [+] Logger initialized...
[PROSPERO][INFO] [+] Receive udp log in 192.168.1.12 with: socat udp-recv:18194 stdout
[PROSPERO][INFO] [+] bd-jb by bigboss based on TheFlow, specter and sleirsgoevy implementation
[PROSPERO][INFO] [+] Creating JavaSecurityAccess
[PROSPERO][INFO] [+] Creating fake JavaSecurityProxy
[PROSPERO][INFO] [+] Set fake JavaSecurityProxy
[PROSPERO][INFO] [+] Creating URLClassLoader
[PROSPERO][INFO] [+] Loading Payload
[PROSPERO][INFO] [+] SecurityManager bypass done
[PROSPERO][INFO] [+] Before initUnsafe
[PROSPERO][INFO] [+] get Field theUnsafeField
[PROSPERO][INFO] [+] setAccesible theUnsafeField
[PROSPERO][INFO] [+] get Unsafe
[PROSPERO][INFO] [+] get declared unsafe methods
[PROSPERO][INFO] [+] UnsafeJDKImpl done
[PROSPERO][INFO] [+] Before initDlsym
[PROSPERO][INFO] [+] Before initSymbols
[PROSPERO][INFO] [+] handle 0xfffffffffffffffe dlsym symbol JVM_NativePath address 0x1ab09b8f0
[PROSPERO][INFO] [+] handle 0x2001 dlsym symbol __Ux86_64_setcontext address 0x82c780334
[PROSPERO][INFO] [+] handle 0x4a dlsym symbol Java_java_lang_reflect_Array_multiNewArray address 0x174e48350
[PROSPERO][INFO] [+] handle 0x2 dlsym symbol setjmp address 0x8292269b0
[PROSPERO][INFO] [+] handle 0x2001 dlsym symbol __error address 0x82c7839b0
[PROSPERO][INFO] [+] Before initApiCall
[PROSPERO][INFO] [+] init Api done
[PROSPERO][INFO] [+] handle 0x2001 dlsym symbol sceKernelSendNotificationRequest address 0x82c79bf50
[PROSPERO][INFO] [+] Initializing sockets...
[PROSPERO][INFO] [+] handle 0x2001 dlsym symbol socket address 0x82c780bd0
[PROSPERO][INFO] [+] kevent_sock=32
[PROSPERO][INFO] [+] handle 0x2001 dlsym symbol getsockopt address 0x82c780d70
[PROSPERO][INFO] [+] master_sock=33 tclass=0
[PROSPERO][INFO] [+] handle 0x2001 dlsym symbol kqueue address 0x82c781890
[PROSPERO][INFO] [+] Triggering UAF...
[PROSPERO][INFO] use thread start run
[PROSPERO][INFO] free thread start run
[PROSPERO][INFO] [+] handle 0x2001 dlsym symbol setsockopt address 0x82c780cb0
[PROSPERO][INFO] [+] handle 0x2001 dlsym symbol sceKernelUsleep address 0x82c795ec0
[PROSPERO][INFO] [+] handle 0x2001 dlsym symbol sceKernelUsleep address 0x82c795ec0
[PROSPERO][INFO] get_tclass s=33 val=ffffffff getsockopt return 0
[PROSPERO][INFO] get_tclass s=33 val=41 getsockopt return 0
[PROSPERO][INFO] get_tclass s=33 val=41 getsockopt return 0
[PROSPERO][INFO] use thread end run
[PROSPERO][INFO] free thread end run
[PROSPERO][INFO] get_tclass s=33 val=41 getsockopt return 0
[PROSPERO][INFO] trigger_uaf triggered
[PROSPERO][INFO] after join use thread
[PROSPERO][INFO] after join free thread
[PROSPERO][INFO] get_tclass s=34 val=41 getsockopt return 0
[PROSPERO][INFO] get_tclass s=35 val=41 getsockopt return 0
[PROSPERO][INFO] get_tclass s=36 val=41 getsockopt return 0
[PROSPERO][INFO] get_tclass s=37 val=42 getsockopt return 0
[PROSPERO][INFO] [+] Overlap socket: 0x25 (0x3)
[PROSPERO][INFO] get_tclass s=37 val=42 getsockopt return 0
[PROSPERO][INFO] get_tclass s=33 val=42 getsockopt return 0
[PROSPERO][INFO] [+] after reallocate pktopts
[PROSPERO][INFO] get_tclass s=37 val=42 getsockopt return 0
[PROSPERO][INFO] get_tclass s=33 val=42 getsockopt return 0
[PROSPERO][INFO] [+] before fake_pktopts
[PROSPERO][INFO] size 248 len 30
[PROSPERO][INFO] before tclass
[PROSPERO][INFO] get_tclass s=33 val=13370018 getsockopt return 0
[PROSPERO][INFO] tclass 0x13370018 versus TCLASS_MASTER 0x13370000
[PROSPERO][INFO] [+] after fake_pktopts
[PROSPERO][INFO] [+] Overlap socket: 0x3a (0x18)
[PROSPERO][INFO] size 280 len 34
[PROSPERO][INFO] [+] handle 0x2001 dlsym symbol close address 0x82c78e9b0
[PROSPERO][INFO] [+] kqueue_addr: 0xffffb27030ac8600
[PROSPERO][INFO] size 248 len 30
[PROSPERO][INFO] [+] pktopts_addr: 0xffffb27030aaf300
[PROSPERO][INFO] [+] after leak_kevent_pktopts
[PROSPERO][INFO] size 248 len 30
[PROSPERO][INFO] before tclass
[PROSPERO][INFO] get_tclass s=33 val=13370041 getsockopt return 0
[PROSPERO][INFO] tclass 0x13370041 versus TCLASS_MASTER 0x13370000
[PROSPERO][INFO] [+] after fake_pktopts
[PROSPERO][INFO] [+] Overlap socket: 0x63 (0x41)
[PROSPERO][INFO] [+] Victim socket: 0x2a (0x8)
[PROSPERO][INFO] [+] Arbitrary R/W achieved.
[PROSPERO][INFO] [+] Found kqueue .data address: 0xffffffffd50f8ad3 (found @ i = 0x400)
[PROSPERO][INFO] [+] Found kqueue .data address: 0xffffffffd50f8ad3 (found @ i = 0x800)
[PROSPERO][INFO] [+] Found kqueue .data address: 0xffffffffd50f8ad3 (found @ i = 0xa00)
[PROSPERO][INFO] [+] Found kqueue .data address: 0xffffffffd50f8ad3 (found @ i = 0xc00)
[PROSPERO][INFO] [+] Found kqueue .data address: 0xffffffffd50f8ad3 (found @ i = 0xe00)
[PROSPERO][INFO] [+] handle 0x2001 dlsym symbol getpid address 0x82c7805b0
[PROSPERO][INFO] [+] pid: 76
[PROSPERO][INFO] [+] PID: 0x4c
[PROSPERO][INFO] [+] Found kernel .data base address: 0xffffffffd4de0000
[PROSPERO][INFO] [+] Found allproc: 0xffffffffd75cdcb8
[PROSPERO][INFO] [+] Found proc->p_ucred: 0xffffb2702fb0b600
[PROSPERO][INFO] [+] Found proc->p_fd: 0xffffb26c02016c60
[PROSPERO][INFO] [+] Enabled debug menu
[PROSPERO][INFO] [+] Patched creds
[PROSPERO][INFO] [+] Patching 0xffffb27033c44ff0 from 0x200000001
[PROSPERO][INFO] to 0x200000100
[PROSPERO][INFO] [+] overlap_sock cleaned
[PROSPERO][INFO] [+] Patching 0xffffb26c02460000 from 0x200000001
[PROSPERO][INFO] to 0x200000100
[PROSPERO][INFO] [+] master_sock cleaned
[PROSPERO][INFO] [+] Patching 0xffffb26c6aebaa80 from 0x200000001
[PROSPERO][INFO] to 0x200000100
[PROSPERO][INFO] [+] victim_sock cleaned
[PROSPERO][INFO] [+] handle 0x2001 dlsym symbol getuid address 0x82c780630
[PROSPERO][INFO] [+] uid: 0
[PROSPERO][INFO] [+] Checking, getuid = 0x0
[PROSPERO][INFO] [+] handle 0x2001 dlsym symbol sceKernelSleep address 0x82c795d80
[PROSPERO][INFO] [+] Done.
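The lines above are the exploit's own debugnet output. What follows is an added example, not code from this gist, from bigboss, or from the TheFlow/specter/sleirsgoevy implementations it credits: a small Python analyzer for that log format. It rebuilds the dlsym symbol table, decodes the IPV6_TCLASS marker probes (the `get_tclass ... val=1337xxxx` lines the log compares against `TCLASS_MASTER 0x13370000`) into the socket index the exploit then reports on its `Overlap socket: fd (index)` lines, cross-checks the two, and turns the leaked `.data` pointers into offsets from the recovered kernel `.data` base. The 16-bit split between marker and index, the constant names, and the sample text (a subset of the log lines above, copied in order) are assumptions made for the example; the earlier `0x41`/`0x42` probe stage that finds the first overlap is not decoded here.

```python
"""Analyzer for the bd-jb / prospero exploit log shown above (added example)."""
import re
from dataclasses import dataclass, field
from typing import Optional

TCLASS_MASTER = 0x13370000   # value the log prints: "versus TCLASS_MASTER 0x13370000"
MARKER_MASK = 0xFFFF0000     # assumption: high 16 bits carry the marker ...
INDEX_MASK = 0x0000FFFF      # ... and the low 16 bits the socket index

# Constructed sample: lines copied from the log above, in their original order.
SAMPLE_LOG = """\
[PROSPERO][INFO] [+] handle 0x2001 dlsym symbol socket address 0x82c780bd0
[PROSPERO][INFO] [+] handle 0x2001 dlsym symbol getsockopt address 0x82c780d70
[PROSPERO][INFO] get_tclass s=33 val=ffffffff getsockopt return 0
[PROSPERO][INFO] get_tclass s=33 val=13370018 getsockopt return 0
[PROSPERO][INFO] [+] Overlap socket: 0x3a (0x18)
[PROSPERO][INFO] get_tclass s=33 val=13370041 getsockopt return 0
[PROSPERO][INFO] [+] Overlap socket: 0x63 (0x41)
[PROSPERO][INFO] [+] Victim socket: 0x2a (0x8)
[PROSPERO][INFO] [+] Found kqueue .data address: 0xffffffffd50f8ad3 (found @ i = 0x400)
[PROSPERO][INFO] [+] Found kernel .data base address: 0xffffffffd4de0000
[PROSPERO][INFO] [+] Found allproc: 0xffffffffd75cdcb8
[PROSPERO][INFO] [+] Found proc->p_ucred: 0xffffb2702fb0b600
[PROSPERO][INFO] [+] Checking, getuid = 0x0
"""

_RE_SYM = re.compile(r"dlsym symbol (\S+) address (0x[0-9a-f]+)")
_RE_PROBE = re.compile(r"get_tclass s=(\d+) val=([0-9a-f]+) getsockopt return (-?\d+)")
_RE_SOCK = re.compile(r"\[\+\] (Overlap|Victim) socket: (0x[0-9a-f]+) \((0x[0-9a-f]+)\)")
_RE_FOUND = re.compile(r"\[\+\] Found (.+?): (0x[0-9a-f]+)")
_RE_UID = re.compile(r"Checking, getuid = (0x[0-9a-f]+)")


@dataclass
class ExploitLog:
    symbols: dict = field(default_factory=dict)      # symbol name -> userland address
    probes: list = field(default_factory=list)       # (fd, tclass value, getsockopt rc)
    overlaps: list = field(default_factory=list)     # (fd, index) from "Overlap socket"
    victim: Optional[tuple] = None                   # (fd, index) from "Victim socket"
    kernel_ptrs: dict = field(default_factory=dict)  # label -> leaked address
    final_uid: Optional[int] = None


def marker_index(tclass: int) -> Optional[int]:
    """Socket index encoded in a marker tclass, or None for non-marker values
    such as the pre-UAF baselines 0xffffffff and 0x41 seen in the log."""
    if (tclass & MARKER_MASK) != TCLASS_MASTER:
        return None
    return tclass & INDEX_MASK


def parse_log(text: str) -> ExploitLog:
    log = ExploitLog()
    for line in text.splitlines():
        if m := _RE_SYM.search(line):
            log.symbols[m[1]] = int(m[2], 16)
        elif m := _RE_PROBE.search(line):
            log.probes.append((int(m[1]), int(m[2], 16), int(m[3])))
        elif m := _RE_SOCK.search(line):
            entry = (int(m[2], 16), int(m[3], 16))
            if m[1] == "Overlap":
                log.overlaps.append(entry)
            else:
                log.victim = entry
        elif m := _RE_FOUND.search(line):
            log.kernel_ptrs[m[1]] = int(m[2], 16)
        elif m := _RE_UID.search(line):
            log.final_uid = int(m[1], 16)
    return log


def marker_hits(log: ExploitLog) -> list:
    """Indices decoded from successful probes whose tclass carries the marker."""
    return [marker_index(val) for _, val, rc in log.probes
            if rc == 0 and marker_index(val) is not None]


def overlaps_consistent(log: ExploitLog) -> bool:
    """Every index we decode must appear, in order, among the exploit's own
    'Overlap socket' reports (extra reports from other probe stages are allowed)."""
    reported = [idx for _, idx in log.overlaps]
    pos = 0
    for hit in marker_hits(log):
        while pos < len(reported) and reported[pos] != hit:
            pos += 1
        if pos == len(reported):
            return False
        pos += 1
    return True


def data_offsets(log: ExploitLog) -> dict:
    """Leaked pointers inside the kernel image expressed as offsets from the
    recovered .data base; heap pointers (0xffffb2... in the log) are skipped."""
    base = log.kernel_ptrs.get("kernel .data base address")
    if base is None:
        return {}
    return {label: addr - base for label, addr in log.kernel_ptrs.items()
            if label != "kernel .data base address" and base <= addr < base + 0x10000000}


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("symbols:", {k: hex(v) for k, v in parsed.symbols.items()})
    print("marker indices:", [hex(i) for i in marker_hits(parsed)],
          "consistent:", overlaps_consistent(parsed))
    print(".data offsets:", {k: hex(v) for k, v in data_offsets(parsed).items()})
    print("uid after cred patch:", parsed.final_uid)
```

Running it over the full log above rather than the sample gives the same two marker hits (0x18 and 0x41), the consistency check still passes because the first overlap (index 0x3) comes from the non-marker probe stage, and the offsets show the kqueue `.data` pointer at `base + 0x318ad3` and `allproc` at `base + 0x27edcb8`, which is the kind of per-firmware constant a practitioner wants to record from a run like this.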