
Add 6.72 Support #45

Draft: wants to merge 2 commits into base: master

Conversation

kiwidoggie

Currently needing the ROP gadgets; will complete this when I get off work.

Add 672 support to pppwn, pending 4 missing ROP gadgets
@kiwidoggie
Author

There are missing ROP gadgets on 6.72:

jmp qword ptr [rsi + 0x3d]

sub rsi, rdx ; mov rax, rsi ; pop rbp ; ret

pop r8 ; pop rbp ; ret

mov rdi, qword ptr [rdi] ; pop rbp ; jmp rax

This means that the ROP chain will have to be modified to work around this. Outside of that, this is the only thing remaining for 6.72 support.

@marcussacana

marcussacana commented May 4, 2024

@kiwidoggie I tried to make some changes to the gadgets on my fork, take a look, but it's untested; this is the first time I've dealt with a ROP chain.

I replaced the pop r8 ; pop rbp ; ret with this, for example:

            rop += p64(self.kdlsym(self.offs.POP_RDI_RET))
            rop += p64(self.kdlsym(self.offs.ZERO_RW_QWORD_A))
            rop += p64(self.kdlsym(self.offs.XCHG_RDI_8_R8_RET))
            # here the code tries to set R8 to zero, so I give RDI a pointer to a 0 qword in memory
            # and use xchg to set R8; note too that the address isn't RDI but [RDI+8]

The thing I was most uncertain about was add rsp, 0x28 ; pop rbp ; ret.
It seems to be used by rop += p64(self.kdlsym(self.offs.POP_RSI_RET))
to set the SETIDT handler param with a dummy return function.
Since rsp is changed by 0x30 bytes before the return, I supposed that a valid function should
clear the stack to be able to return too, but this one is hard because it isn't a chain,
it's just a callback, so as far as I know we need to do it with just one offset.
Instead I tried putting a null stub function that I found the kernel using as the handler param in SETIDT;
it just runs an iretq. I don't know if that affects the exploit in some way, unfortunately, so I'm basically stuck
and thinking of waiting for theflow's conference talk to see if I learn more about it.

After that I did a trick: later there is one more missing offset used,
but at that point we already had write protection disabled,
so instead I found a block of NOPs and used it as the offset to manually write the missing gadget :)

And the last one, sub rsi, rdx ; mov rax, rsi ; pop rbp ; ret:
instead we have sub rsi, rdx ; mov rax, rsi ; ret, which does the same thing but does not pop rbp.

Again, I have never worked with ROP chains before, so I'm not confident here; I'm just trying to share
the experience I had with this, hoping to help in some way.

Also, I get [-] Scanning for corrupted object...failed. Please retry. too many times, but maybe that's the fault of my changes.

And I got a stage1 KP; I compared with your offsets and it seems I got a few of them wrong, let me try again.

@kiwidoggie
Author

@marcussacana I am down a PS4 right now, so these haven't been tested either. YMMV until I get this thing back up.

@marcussacana

marcussacana commented May 4, 2024

After researching a bit, this SETIDT seems to be related to the CPU interrupt handler callbacks; there is not much info about it just by googling, and it is the CPU that calls the function, so it's even harder for me to know what the expected result should be.

So, after looking a bit more, for the add rsp, 0x28 ; pop rbp ; ret gadget maybe this one might work:

0xffffffff824a760b : pop rbx ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; pop rbp ; ret

It moves the stack by about 0x30 bytes and then returns, just like add rsp, 0x28 ; pop rbp ; ret; the problem is that the RBX, R12, R13, R14 and R15 registers are changed, which can break things as well.

@TheOfficialFloW
Owner

It's used to ignore the ud2

@marcussacana

marcussacana commented May 5, 2024

So, ud2 tries to fire an exception and SETIDT helps us ignore it and let the ROP chain continue, I see, thanks for the clarification.

Another thing I didn't look at is whether stack alignment matters anywhere in the ROP chain... since I added some gadgets, maybe that may brick it as well. I'm trying what I can, but it's hard since I don't have UART to see any KP logs.
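
An added example (my own, not PPPwn's code and not anything the participants posted) that walks through the gadget substitutions marcussacana describes in the May 4 comment and the setidt handler question settled above, in a tiny emulator. The gadget addresses, the 0x8000 stack base, the ZERO_QWORD location standing in for ZERO_RW_QWORD_A, the chain terminator STOP, and the SS/CS/RFLAGS values pushed on #UD are all assumptions; the instruction sequences are the ones named in the thread. It shows that the pop rdi / xchg [rdi+8], r8 stand-in consumes the same three stack qwords as pop r8 ; pop rbp ; ret but can only set r8 to zero, clobbers rdi, and (because xchg writes back) leaves the old r8 in the "zero" qword; that the 6.72 sub rsi, rdx ; mov rax, rsi ; ret needs the rbp filler removed from the chain; and that a #UD handler has to skip the 5-qword frame (SS, RSP, RFLAGS, CS, RIP, 0x28 bytes) the CPU pushes before the chain's next entries are reachable, which is why both add rsp, 0x28 ; pop rbp ; ret and the six-pop gadget reach the next gadget, why the six-pop version leaves the frame contents in rbx and r12 to r15, and why a handler that only executes iretq just re-executes the ud2, since #UD is a fault.

```python
"""Tiny x86-64 gadget emulator, constructed for this example (it is not PPPwn code).
It checks whether a substitute gadget sequence leaves the same state as the gadget
6.72 lacks (the register of interest and the number of stack qwords consumed) and
what it clobbers, and what a #UD handler installed via setidt must do so that the
chain survives a ud2.  All gadget addresses below are made up."""
MASK = (1 << 64) - 1
STOP = 0xDEAD          # chain terminator: returning here ends the emulation
ZERO_QWORD = 0x9000    # hypothetical writable qword holding 0 (the ZERO_RW_QWORD_A idea)

GADGETS = {            # hypothetical addresses; the sequences are the ones named in the thread
    0x1000: ["pop r8", "pop rbp", "ret"],                          # missing on 6.72
    0x1010: ["pop rdi", "ret"],
    0x1020: ["xchg [rdi+8], r8", "ret"],                           # proposed stand-in
    0x1030: ["sub rsi, rdx", "mov rax, rsi", "pop rbp", "ret"],   # missing on 6.72
    0x1040: ["sub rsi, rdx", "mov rax, rsi", "ret"],               # what 6.72 has instead
    0x1050: ["add rsp, 0x28", "pop rbp", "ret"],                   # the #UD handler
    0x1060: ["pop rbx", "pop r12", "pop r13", "pop r14", "pop r15", "pop rbp", "ret"],
    0x1070: ["iretq"],                                             # a do-nothing handler
    0x1080: ["ud2"],                                               # kernel code the chain hits
}


class CPU:
    def __init__(self, stack, idt=None, **regs):
        self.regs = dict.fromkeys("rax rbx rdx rsi rdi rbp r8 r12 r13 r14 r15 rip".split(), 0)
        self.regs.update(regs, rsp=0x8000)              # chain data starts at 0x8000
        self.mem = {0x8000 + 8 * i: w for i, w in enumerate(stack)}
        self.idt, self.frames, self.fault = idt or {}, 0, None

    def pop(self):
        val, self.regs["rsp"] = self.mem.get(self.regs["rsp"], 0), self.regs["rsp"] + 8
        return val

    def push(self, val):
        self.regs["rsp"] -= 8
        self.mem[self.regs["rsp"]] = val & MASK

    def exec(self, insn):
        """Run one instruction; True means control left the current gadget."""
        op, *a = insn.replace(",", "").split()
        if op == "pop":
            self.regs[a[0]] = self.pop()
        elif op == "ret":
            self.regs["rip"] = self.pop()
            return True
        elif op == "add":
            self.regs[a[0]] = (self.regs[a[0]] + int(a[1], 16)) & MASK
        elif op == "sub":
            self.regs[a[0]] = (self.regs[a[0]] - self.regs[a[1]]) & MASK
        elif op == "mov":
            self.regs[a[0]] = self.regs[a[1]]
        elif op == "xchg":                               # xchg [base+disp], reg
            base, disp = a[0].strip("[]").split("+")
            addr = self.regs[base] + int(disp)
            self.mem[addr], self.regs[a[1]] = self.regs[a[1]], self.mem.get(addr, 0)
        elif op == "ud2":
            # #UD is a fault with no error code; in 64-bit mode the CPU pushes SS, RSP,
            # RFLAGS, CS and the faulting RIP (5 qwords = 0x28 bytes), then uses IDT vector 6.
            for val in (0x10, self.regs["rsp"], 0x202, 0x08, self.regs["rip"]):
                self.push(val)
            self.frames += 1
            self.regs["rip"] = self.idt[6]
            return True
        elif op == "iretq":                              # pops that frame back
            self.regs["rip"], _, _, self.regs["rsp"], _ = (self.pop() for _ in range(5))
            return True
        return False

    def run(self, entry, max_gadgets=20):
        self.regs["rip"] = entry
        while self.regs["rip"] != STOP and max_gadgets:
            max_gadgets -= 1
            if self.regs["rip"] not in GADGETS:          # ret into non-code: kernel panic
                self.fault = self.regs["rip"]
                break
            any(map(self.exec, GADGETS[self.regs["rip"]]))   # stop at the first ret/ud2/iretq
        return self


def pop_r8_reference(value):
    """The gadget 6.72 lacks: r8 <- value, rbp <- filler, ret to the next gadget."""
    return CPU([value, 0xBBBB, STOP], r8=0x41).run(0x1000)


def pop_r8_substitute():
    """pop rdi ; ret, then xchg [rdi+8], r8 ; ret with [rdi+8] being the zero qword.
    It can only yield r8 == 0, it clobbers rdi, and xchg writes the old r8 into
    the qword, so a second use without re-zeroing it loads that value instead."""
    cpu = CPU([ZERO_QWORD - 8, 0x1020, STOP], r8=0x41)
    cpu.mem[ZERO_QWORD] = 0
    return cpu.run(0x1010)


def sub_rsi_chain(gadget, keep_rbp_filler):
    """sub rsi, rdx ; mov rax, rsi [; pop rbp] ; ret with rsi=0x100, rdx=0x40.  The
    6.72 variant has no pop rbp, so the chain must also drop the filler qword."""
    return CPU([0xBBBB, STOP] if keep_rbp_filler else [STOP], rsi=0x100, rdx=0x40).run(gadget)


def survive_ud2(handler):
    """The chain returns into code that executes ud2; the #UD handler must discard
    the 0x28-byte frame before the chain's remaining [filler, STOP] is usable."""
    return CPU([0xBBBB, STOP], idt={6: handler}, rbx=1, r12=2, r13=3, r14=4, r15=5).run(0x1080)
```

Each helper returns the CPU so regs, mem and fault can be inspected: survive_ud2(0x1050) ends at STOP with rbx untouched, survive_ud2(0x1060) ends at STOP with rbx and r12 to r15 holding the frame's RIP, CS, RFLAGS, RSP and SS, survive_ud2(0x1000) shows a handler that does not skip the frame returning into the saved RFLAGS, and survive_ud2(0x1070).frames climbs because iretq lands back on the ud2.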

@EchoStretch
Contributor

I pushed a few changes to @kiwidoggie; should work now.
If anyone wishes to test, I have it on my GitHub. I don't have 6.72 to test.
https://github.com/EchoStretch/PPPwn

@marcussacana

Did you manage to change the ROP chain to circumvent the missing gadgets in 6.72?
I have a 6.72 but I don't have UART to collect the logs due to the KP in the ROP.

@EchoStretch
Contributor

EchoStretch commented May 20, 2024

Yes, it's a lot easier than 5.05. I'm still working with it, but we'll see how it goes. If you get the time, try testing this to see how far it goes. It should go all the way. Not sure when kiwi will accept my changes. Try my GitHub.

@gdsgithub1

I pushed a few changes to @kiwidoggie; should work now. If anyone wishes to test, I have it on my GitHub. I don't have 6.72 to test. https://github.com/EchoStretch/PPPwn

Thank you, @EchoStretch. Do you have plans to publish it on Docker Hub? It would be easier to install on a Synology (my case).
