Antonio Jose Ramos Marquez psxdev
psxdev
/ gist:0359d0127de26ce5898b298aa5c7e322
Created
October 2, 2022 22:18
prospero kernel exploit under bdj
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [HOST] debugnet listener up | |
| [HOST] ready to have a lot of fun!!! | |
| [PROSPERO][INFO] [+] Logger initialized... | |
| [PROSPERO][INFO] [+] Receive udp log in 192.168.1.12 with: socat udp-recv:18194 stdout | |
| [PROSPERO][INFO] [+] bd-jb by bigboss based on TheFlow, specter and sleirsgoevy implementation | |
| [PROSPERO][INFO] [+] Creating JavaSecurityAccess | |
| [PROSPERO][INFO] [+] Creating fake JavaSecurityProxy | |
| [PROSPERO][INFO] [+] Set fake JavaSecurityProxy | |
| [PROSPERO][INFO] [+] Creating URLClassLoader | |
| [PROSPERO][INFO] [+] Loading Payload |
psxdev
/ gist:4b5af037a0361f8156c9ea30f2254bfc
Created
August 4, 2022 22:29
Prospero looking camera symbols
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [PROSPERO][INFO] [+] handle 0x1a dlsym symbol sceSystemServiceLoadExec address 0x8240f1880 | |
| [PROSPERO][INFO] [+] handle 0x113 dlsym symbol sceCameraStop address 0x813aa8d70 | |
| [PROSPERO][INFO] [+] handle 0x113 dlsym symbol sceCamera2IsAttached address 0x0<------------ Why? | |
| [PROSPERO][INFO] [+] handle 0x113 dlsym symbol sceCameraIsAttached address 0x813aaa280 | |
| [PROSPERO][INFO] [+] handle 0x113 dlsym symbol sceCameraGetWhiteBalance address 0x813aaa0b0 | |
| [PROSPERO][INFO] [+] handle 0x113 dlsym symbol sceCamera2GetAttribute address 0x0<------------ Why? | |
| [PROSPERO][INFO] [+] handle 0x113 dlsym symbol sceCamera2GetAutoWhiteBalance address 0x0<------------ Why? | |
| [PROSPERO][INFO] [+] handle 0x113 dlsym symbol sceCamera2GetContrast address 0x0<------------ Why? | |
| [PROSPERO][INFO] [+] handle 0x113 dlsym symbol sceCameraDeviceValidationHandleForNativeProc address 0x0 | |
| [PROSPERO][INFO] [+] handle 0x113 dlsym symbol sceCameraSetContrast address 0x813aa9500 |
psxdev
/ gist:1c2a96fa387d82fc34eb09e7fc1b6a5c
Created
August 3, 2022 21:56
Prospero module and handle list dumped from libSceSysmodule.sprx
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| libkernel | |
| libSceLibcInternal | |
| libSceFios2 | |
| libc | |
| libSceNet 0x8000001C | |
| libSceIpmi 0x8000001D | |
| libSceMbus 0x8000001E | |
| libSceRegMgr 0x8000001F | |
| libSceRtc 0x80000020 | |
| libSceAvSetting 0x80000021 |
psxdev
/ gist:ff44f0eb20bcc08e56af3585b022b13c
Created
August 1, 2022 21:39
prospero module handle list
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| libkernel 0x2001 | |
| libSceLibcInternal 0x2 | |
| libSceSysmodule 0x11 | |
| libbdj 0x13 from bdj environment | |
| libSceIpmi 0x16 | |
| libSceNetCtl 0x17 | |
| libSceRegMgr 0x19 | |
| libSceSystemService 0x1a | |
| libSceNet 0x2b | |
| libSceMbus 0x3a |
psxdev
/ gist:b876404d30cea461ed54feaa752bc780
Created
July 31, 2022 22:38
prospero handle for modules
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [PROSPERO][INFO] [+] before call sceKernelGetModuleInfo for module 0x2 | |
| [PROSPERO][INFO] [+] module name libSceLibcInternal.sprx | |
| [PROSPERO][INFO] [+] module base 0x8058d8000 | |
| [PROSPERO][INFO] [+] module size 901120 | |
| [PROSPERO][INFO] [+] before call sceKernelGetModuleInfo for module 0x11 | |
| [PROSPERO][INFO] [+] module name libSceSysmodule.sprx | |
| [PROSPERO][INFO] [+] module base 0x807f90000 | |
| [PROSPERO][INFO] [+] module size 49152 | |
| [PROSPERO][INFO] [+] handle 11 dlsym symbol sceSysmoduleIsLoaded address 0x807f90290 | |
| [PROSPERO][INFO] [+] handle 11 dlsym symbol sceSysmoduleIsLoadedInternal address 0x807f90540 |
psxdev
/ gist:7b44e8399d5061c8ce44e307c9394062
Created
July 31, 2022 21:42
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [PROSPERO][INFO] [+] tryng to load module /haSpcNQDjO/common/lib/libkernel_sys.sprx | |
| [PROSPERO][INFO] [+] handle 2001 dlsym symbol sceKernelLoadStartModule address 0x80f4a9730 | |
| [PROSPERO][INFO] [+] sceKernelLoadStartModule return 0x2001 | |
| [PROSPERO][INFO] [+] sceKernelLoadStartModule result 0xb42ae6 | |
| [PROSPERO][INFO] [+] tryng to load module /haSpcNQDjO/common/lib/libSceSystemService.sprx | |
| [PROSPERO][INFO] [+] sceKernelLoadStartModule return 0x1a | |
| [PROSPERO][INFO] [+] sceKernelLoadStartModule result 0xf401bb00 | |
| [PROSPERO][INFO] [+] tryng to load module /haSpcNQDjO/common/lib/libSceSysmodule.sprx | |
| [PROSPERO][INFO] [+] sceKernelLoadStartModule return 0x11 | |
| [PROSPERO][INFO] [+] sceKernelLoadStartModule result 0x81114ea0 |
psxdev
/ gist:55102f7b588ea804e2ccd89a0e4b8374
Created
July 30, 2022 17:45
prospero proc vmap virtualquery
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| debug.sh | |
| [HOST] debugnet listener up | |
| [HOST] ready to have a lot of fun!!! | |
| [PROSPERO][INFO] [+] Logger initialized... | |
| [PROSPERO][INFO] [+] Receive udp log in 192.168.1.12 with: socat udp-recv:18194 stdout | |
| [PROSPERO][INFO] [+] Creating File Socket use socat -u TCP-LISTEN:18194,reuseaddr OPEN:app0.zip,creat,trunc | |
| [PROSPERO][ERROR] Connection refused (Connection refused) | |
| [PROSPERO][INFO] [+] bd-jb by bigboss based on TheFlow and sleirsgoevy implementation | |
| [PROSPERO][INFO] [+] Creating JavaSecurityAccess | |
| [PROSPERO][INFO] [+] Creating fake JavaSecurityProxy |
psxdev
/ gist:a9f5ccff9bb9023231673ab88f5773e6
Created
July 30, 2022 01:41
prospero native execution bdj.elf proc and vmap
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ./debug.sh | |
| [HOST] debugnet listener up | |
| [HOST] ready to have a lot of fun!!! | |
| [PROSPERO][INFO] [+] Logger initialized... | |
| [PROSPERO][INFO] [+] Receive udp log in 192.168.1.12 with: socat udp-recv:18194 stdout | |
| [PROSPERO][INFO] [+] Creating File Socket use socat -u TCP-LISTEN:18194,reuseaddr OPEN:app0.zip,creat,trunc | |
| [PROSPERO][INFO] [+] bd-jb by bigboss based on TheFlow and sleirsgoevy implementation | |
| [PROSPERO][INFO] [+] Creating JavaSecurityAccess | |
| [PROSPERO][INFO] [+] Creating fake JavaSecurityProxy | |
| [PROSPERO][INFO] [+] Set fake JavaSecurityProxy |
psxdev
/ gist:e9dca11a2f41e334627a921632c83c14
Created
July 23, 2022 17:17
retrieve java System properties from your bdj please share yours from each firmware version you have
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Using the java logger at https://gist.github.com/psxdev/fb3fc1c9c329758c7aebaf4b4858afdc | |
| and after you have done SecurityManager bypass add this code | |
| ``` | |
| Properties p=System.getProperties(); | |
| Enumeration keys = p.keys(); | |
| while (keys.hasMoreElements()) | |
| { | |
| String key = (String)keys.nextElement(); | |
| String value = (String)p.get(key); | |
| log.info(key + ": " + value); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //add this class to your bdj project change host for your host ip | |
| //To use initialize with: | |
| //Logger log=Logger.getInstance(); | |
| //send info logs to host with log.info("......."); | |
| //use this listener on host for example with(remember wsl2 has not direct map for udp ports): | |
| //socat udp-recv:18194 stdout | |
| package org.homebrew; |