Shrink shellcode a little more

Al Azif
2025-06-11 03:28:59 -07:00
parent 872c5de2c6
commit 315514583d
8 changed files with 76 additions and 102 deletions


@@ -27,7 +27,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
- Only run kernel exploit once by checking setuid by @JTAG7371 - Only run kernel exploit once by checking setuid by @JTAG7371
- ~~Restore syscall 661 (`sys_aio_submit()`) after patching by @janisslsm~~ - ~~Restore syscall 661 (`sys_aio_submit()`) after patching by @janisslsm~~
- Was not actually restoring syscall. Used a different method/rewrote to - Was not actually restoring syscall. Used a different method/rewrote to
restore in kpatch. restore in kpatch. (Shellcode change 4)
- Shellcode from 345 bytes to 444 bytes - Shellcode from 345 bytes to 444 bytes
### Changed ### Changed
@@ -39,11 +39,14 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
- Simplify shellcode a little bit more - Simplify shellcode a little bit more
- No external headers - No external headers
- Added `-fcf-protection=none` flag to skip added "endbr64" instructions - Added `-fcf-protection=none` flag to skip added "endbr64" instructions
(Shellcode change 1)
- 307 bytes to 295 bytes - 307 bytes to 295 bytes
- Changed `restore` and `do_patch` to be inlined - Changed `restore` and `do_patch` to be inlined (Shellcode change 2)
- 307 bytes to 282 bytes - 307 bytes to 282 bytes
- Changed to `-03` for execution speed optimization - Changed to `-03` for execution speed optimization (Shellcode change 3)
- 282 bytes to 345 bytes - 282 bytes to 345 bytes
- Move kbase calc to main function (Shellcode change 5)
- 444 bytes to 418 bytes
## [1.5.1] - 2025-05-12 ## [1.5.1] - 2025-05-12


@@ -29,18 +29,22 @@ struct kexec_args {
u64 arg5; u64 arg5;
}; };
static inline void restore(struct kexec_args *uap); static inline void restore(void *kbase, struct kexec_args *uap);
static inline void do_patch(void); static inline void do_patch(void *kbase);
__attribute__((section (".text.start"))) __attribute__((section (".text.start")))
int kpatch(void *td, struct kexec_args *uap) { int kpatch(void *td, struct kexec_args *uap) {
do_patch(); const u64 xfast_syscall_off = 0x1c0;
restore(uap); void * const kbase = (void *)rdmsr(0xc0000082) - xfast_syscall_off;
do_patch(kbase);
restore(kbase, uap);
return 0; return 0;
} }
__attribute__((always_inline)) __attribute__((always_inline))
static inline void restore(struct kexec_args *uap) { static inline void restore(void *kbase, struct kexec_args *uap) {
u8 *pipe = uap->arg1; u8 *pipe = uap->arg1;
u8 *pipebuf = uap->arg2; u8 *pipebuf = uap->arg2;
for (int i = 0; i < 0x18; i++) { for (int i = 0; i < 0x18; i++) {
@@ -51,10 +55,6 @@ static inline void restore(struct kexec_args *uap) {
u64 *pktinfo_field2 = uap->arg4; u64 *pktinfo_field2 = uap->arg4;
*pktinfo_field2 = 0; *pktinfo_field2 = 0;
// get kernel base
const u64 xfast_syscall_off = 0x1c0;
void * const kbase = (void *)rdmsr(0xc0000082) - xfast_syscall_off;
u64 *sysent_661_save = uap->arg5; u64 *sysent_661_save = uap->arg5;
for (int i = 0; i < 0x30; i += 8) { for (int i = 0; i < 0x30; i += 8) {
write64(kbase, 0x112d250 + i, sysent_661_save[i / 8]); write64(kbase, 0x112d250 + i, sysent_661_save[i / 8]);
@@ -62,11 +62,7 @@ static inline void restore(struct kexec_args *uap) {
} }
__attribute__((always_inline)) __attribute__((always_inline))
static inline void do_patch(void) { static inline void do_patch(void *kbase) {
// get kernel base
const u64 xfast_syscall_off = 0x1c0;
void * const kbase = (void *)rdmsr(0xc0000082) - xfast_syscall_off;
disable_cr0_wp(); disable_cr0_wp();
// ChendoChap's patches from pOOBs4 // ChendoChap's patches from pOOBs4
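Review bot: The kbase computation moved to the top of `kpatch` dropped the `// get kernel base` comment that the removed lines in restore and do_patch carried, and it still relies on subtraction from a `void *`, which is a GNU extension rather than standard C. Subtracting before the cast keeps the expression in integer arithmetic (rdmsr appears to return an integer, judging by the existing cast) and a one-line comment restores the rationale: `// kernel base: MSR 0xc0000082 (IA32_LSTAR) points at the Xfast_syscall entry, which sits xfast_syscall_off bytes into the kernel image` followed by `void * const kbase = (void *)(rdmsr(0xc0000082) - xfast_syscall_off);`. The same two lines appear in the six other kpatch variants further down this page, which should be changed identically. The bodies of restore and do_patch continue outside their hunks.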


@@ -29,18 +29,22 @@ struct kexec_args {
u64 arg5; u64 arg5;
}; };
static inline void restore(struct kexec_args *uap); static inline void restore(void *kbase, struct kexec_args *uap);
static inline void do_patch(void); static inline void do_patch(void *kbase);
__attribute__((section (".text.start"))) __attribute__((section (".text.start")))
int kpatch(void *td, struct kexec_args *uap) { int kpatch(void *td, struct kexec_args *uap) {
do_patch(); const u64 xfast_syscall_off = 0x1c0;
restore(uap); void * const kbase = (void *)rdmsr(0xc0000082) - xfast_syscall_off;
do_patch(kbase);
restore(kbase, uap);
return 0; return 0;
} }
__attribute__((always_inline)) __attribute__((always_inline))
static inline void restore(struct kexec_args *uap) { static inline void restore(void *kbase, struct kexec_args *uap) {
u8 *pipe = uap->arg1; u8 *pipe = uap->arg1;
u8 *pipebuf = uap->arg2; u8 *pipebuf = uap->arg2;
for (int i = 0; i < 0x18; i++) { for (int i = 0; i < 0x18; i++) {
@@ -51,10 +55,6 @@ static inline void restore(struct kexec_args *uap) {
u64 *pktinfo_field2 = uap->arg4; u64 *pktinfo_field2 = uap->arg4;
*pktinfo_field2 = 0; *pktinfo_field2 = 0;
// get kernel base
const u64 xfast_syscall_off = 0x1c0;
void * const kbase = (void *)rdmsr(0xc0000082) - xfast_syscall_off;
u64 *sysent_661_save = uap->arg5; u64 *sysent_661_save = uap->arg5;
for (int i = 0; i < 0x30; i += 8) { for (int i = 0; i < 0x30; i += 8) {
write64(kbase, 0x1129f30 + i, sysent_661_save[i / 8]); write64(kbase, 0x1129f30 + i, sysent_661_save[i / 8]);
@@ -62,11 +62,7 @@ static inline void restore(struct kexec_args *uap) {
} }
__attribute__((always_inline)) __attribute__((always_inline))
static inline void do_patch(void) { static inline void do_patch(void *kbase) {
// get kernel base
const u64 xfast_syscall_off = 0x1c0;
void * const kbase = (void *)rdmsr(0xc0000082) - xfast_syscall_off;
disable_cr0_wp(); disable_cr0_wp();
// ChendoChap's patches from pOOBs4 // ChendoChap's patches from pOOBs4


@@ -29,18 +29,22 @@ struct kexec_args {
u64 arg5; u64 arg5;
}; };
static inline void restore(struct kexec_args *uap); static inline void restore(void *kbase, struct kexec_args *uap);
static inline void do_patch(void); static inline void do_patch(void *kbase);
__attribute__((section (".text.start"))) __attribute__((section (".text.start")))
int kpatch(void *td, struct kexec_args *uap) { int kpatch(void *td, struct kexec_args *uap) {
do_patch(); const u64 xfast_syscall_off = 0x1c0;
restore(uap); void * const kbase = (void *)rdmsr(0xc0000082) - xfast_syscall_off;
do_patch(kbase);
restore(kbase, uap);
return 0; return 0;
} }
__attribute__((always_inline)) __attribute__((always_inline))
static inline void restore(struct kexec_args *uap) { static inline void restore(void *kbase, struct kexec_args *uap) {
u8 *pipe = uap->arg1; u8 *pipe = uap->arg1;
u8 *pipebuf = uap->arg2; u8 *pipebuf = uap->arg2;
for (int i = 0; i < 0x18; i++) { for (int i = 0; i < 0x18; i++) {
@@ -51,10 +55,6 @@ static inline void restore(struct kexec_args *uap) {
u64 *pktinfo_field2 = uap->arg4; u64 *pktinfo_field2 = uap->arg4;
*pktinfo_field2 = 0; *pktinfo_field2 = 0;
// get kernel base
const u64 xfast_syscall_off = 0x1c0;
void * const kbase = (void *)rdmsr(0xc0000082) - xfast_syscall_off;
u64 *sysent_661_save = uap->arg5; u64 *sysent_661_save = uap->arg5;
for (int i = 0; i < 0x30; i += 8) { for (int i = 0; i < 0x30; i += 8) {
write64(kbase, 0x11040c0 + i, sysent_661_save[i / 8]); write64(kbase, 0x11040c0 + i, sysent_661_save[i / 8]);
@@ -62,11 +62,7 @@ static inline void restore(struct kexec_args *uap) {
} }
__attribute__((always_inline)) __attribute__((always_inline))
static inline void do_patch(void) { static inline void do_patch(void *kbase) {
// get kernel base
const u64 xfast_syscall_off = 0x1c0;
void * const kbase = (void *)rdmsr(0xc0000082) - xfast_syscall_off;
disable_cr0_wp(); disable_cr0_wp();
// ChendoChap's patches from pOOBs4 // ChendoChap's patches from pOOBs4


@@ -29,18 +29,22 @@ struct kexec_args {
u64 arg5; u64 arg5;
}; };
static inline void restore(struct kexec_args *uap); static inline void restore(void *kbase, struct kexec_args *uap);
static inline void do_patch(void); static inline void do_patch(void *kbase);
__attribute__((section (".text.start"))) __attribute__((section (".text.start")))
int kpatch(void *td, struct kexec_args *uap) { int kpatch(void *td, struct kexec_args *uap) {
do_patch(); const u64 xfast_syscall_off = 0x1c0;
restore(uap); void * const kbase = (void *)rdmsr(0xc0000082) - xfast_syscall_off;
do_patch(kbase);
restore(kbase, uap);
return 0; return 0;
} }
__attribute__((always_inline)) __attribute__((always_inline))
static inline void restore(struct kexec_args *uap) { static inline void restore(void *kbase, struct kexec_args *uap) {
u8 *pipe = uap->arg1; u8 *pipe = uap->arg1;
u8 *pipebuf = uap->arg2; u8 *pipebuf = uap->arg2;
for (int i = 0; i < 0x18; i++) { for (int i = 0; i < 0x18; i++) {
@@ -51,11 +55,6 @@ static inline void restore(struct kexec_args *uap) {
u64 *pktinfo_field2 = uap->arg4; u64 *pktinfo_field2 = uap->arg4;
*pktinfo_field2 = 0; *pktinfo_field2 = 0;
// get kernel base
const u64 xfast_syscall_off = 0x1c0;
void * const kbase = (void *)rdmsr(0xc0000082) - xfast_syscall_off;
u64 *sysent_661_save = uap->arg5; u64 *sysent_661_save = uap->arg5;
for (int i = 0; i < 0x30; i += 8) { for (int i = 0; i < 0x30; i += 8) {
write64(kbase, 0x11041b0 + i, sysent_661_save[i / 8]); write64(kbase, 0x11041b0 + i, sysent_661_save[i / 8]);
@@ -63,11 +62,7 @@ static inline void restore(struct kexec_args *uap) {
} }
__attribute__((always_inline)) __attribute__((always_inline))
static inline void do_patch(void) { static inline void do_patch(void *kbase) {
// get kernel base
const u64 xfast_syscall_off = 0x1c0;
void * const kbase = (void *)rdmsr(0xc0000082) - xfast_syscall_off;
disable_cr0_wp(); disable_cr0_wp();
// ChendoChap's patches from pOOBs4 // ChendoChap's patches from pOOBs4


@@ -29,18 +29,22 @@ struct kexec_args {
u64 arg5; u64 arg5;
}; };
static inline void restore(struct kexec_args *uap); static inline void restore(void *kbase, struct kexec_args *uap);
static inline void do_patch(void); static inline void do_patch(void *kbase);
__attribute__((section (".text.start"))) __attribute__((section (".text.start")))
int kpatch(void *td, struct kexec_args *uap) { int kpatch(void *td, struct kexec_args *uap) {
do_patch(); const u64 xfast_syscall_off = 0x1c0;
restore(uap); void * const kbase = (void *)rdmsr(0xc0000082) - xfast_syscall_off;
do_patch(kbase);
restore(kbase, uap);
return 0; return 0;
} }
__attribute__((always_inline)) __attribute__((always_inline))
static inline void restore(struct kexec_args *uap) { static inline void restore(void *kbase, struct kexec_args *uap) {
u8 *pipe = uap->arg1; u8 *pipe = uap->arg1;
u8 *pipebuf = uap->arg2; u8 *pipebuf = uap->arg2;
for (int i = 0; i < 0x18; i++) { for (int i = 0; i < 0x18; i++) {
@@ -51,10 +55,6 @@ static inline void restore(struct kexec_args *uap) {
u64 *pktinfo_field2 = uap->arg4; u64 *pktinfo_field2 = uap->arg4;
*pktinfo_field2 = 0; *pktinfo_field2 = 0;
// get kernel base
const u64 xfast_syscall_off = 0x1c0;
void * const kbase = (void *)rdmsr(0xc0000082) - xfast_syscall_off;
u64 *sysent_661_save = uap->arg5; u64 *sysent_661_save = uap->arg5;
for (int i = 0; i < 0x30; i += 8) { for (int i = 0; i < 0x30; i += 8) {
write64(kbase, 0x1107f00 + i, sysent_661_save[i / 8]); write64(kbase, 0x1107f00 + i, sysent_661_save[i / 8]);
@@ -62,11 +62,7 @@ static inline void restore(struct kexec_args *uap) {
} }
__attribute__((always_inline)) __attribute__((always_inline))
static inline void do_patch(void) { static inline void do_patch(void *kbase) {
// get kernel base
const u64 xfast_syscall_off = 0x1c0;
void * const kbase = (void *)rdmsr(0xc0000082) - xfast_syscall_off;
disable_cr0_wp(); disable_cr0_wp();
// ChendoChap's patches from pOOBs4 // ChendoChap's patches from pOOBs4


@@ -29,18 +29,22 @@ struct kexec_args {
u64 arg5; u64 arg5;
}; };
static inline void restore(struct kexec_args *uap); static inline void restore(void *kbase, struct kexec_args *uap);
static inline void do_patch(void); static inline void do_patch(void *kbase);
__attribute__((section (".text.start"))) __attribute__((section (".text.start")))
int kpatch(void *td, struct kexec_args *uap) { int kpatch(void *td, struct kexec_args *uap) {
do_patch(); const u64 xfast_syscall_off = 0x1c0;
restore(uap); void * const kbase = (void *)rdmsr(0xc0000082) - xfast_syscall_off;
do_patch(kbase);
restore(kbase, uap);
return 0; return 0;
} }
__attribute__((always_inline)) __attribute__((always_inline))
static inline void restore(struct kexec_args *uap) { static inline void restore(void *kbase, struct kexec_args *uap) {
u8 *pipe = uap->arg1; u8 *pipe = uap->arg1;
u8 *pipebuf = uap->arg2; u8 *pipebuf = uap->arg2;
for (int i = 0; i < 0x18; i++) { for (int i = 0; i < 0x18; i++) {
@@ -51,10 +55,6 @@ static inline void restore(struct kexec_args *uap) {
u64 *pktinfo_field2 = uap->arg4; u64 *pktinfo_field2 = uap->arg4;
*pktinfo_field2 = 0; *pktinfo_field2 = 0;
// get kernel base
const u64 xfast_syscall_off = 0x1c0;
void * const kbase = (void *)rdmsr(0xc0000082) - xfast_syscall_off;
u64 *sysent_661_save = uap->arg5; u64 *sysent_661_save = uap->arg5;
for (int i = 0; i < 0x30; i += 8) { for (int i = 0; i < 0x30; i += 8) {
write64(kbase, 0x1103f00 + i, sysent_661_save[i / 8]); write64(kbase, 0x1103f00 + i, sysent_661_save[i / 8]);
@@ -62,11 +62,7 @@ static inline void restore(struct kexec_args *uap) {
} }
__attribute__((always_inline)) __attribute__((always_inline))
static inline void do_patch(void) { static inline void do_patch(void *kbase) {
// get kernel base
const u64 xfast_syscall_off = 0x1c0;
void * const kbase = (void *)rdmsr(0xc0000082) - xfast_syscall_off;
disable_cr0_wp(); disable_cr0_wp();
// ChendoChap's patches from pOOBs4 // ChendoChap's patches from pOOBs4


@@ -29,18 +29,22 @@ struct kexec_args {
u64 arg5; u64 arg5;
}; };
static inline void restore(struct kexec_args *uap); static inline void restore(void *kbase, struct kexec_args *uap);
static inline void do_patch(void); static inline void do_patch(void *kbase);
__attribute__((section (".text.start"))) __attribute__((section (".text.start")))
int kpatch(void *td, struct kexec_args *uap) { int kpatch(void *td, struct kexec_args *uap) {
do_patch(); const u64 xfast_syscall_off = 0x1c0;
restore(uap); void * const kbase = (void *)rdmsr(0xc0000082) - xfast_syscall_off;
do_patch(kbase);
restore(kbase, uap);
return 0; return 0;
} }
__attribute__((always_inline)) __attribute__((always_inline))
static inline void restore(struct kexec_args *uap) { static inline void restore(void *kbase, struct kexec_args *uap) {
u8 *pipe = uap->arg1; u8 *pipe = uap->arg1;
u8 *pipebuf = uap->arg2; u8 *pipebuf = uap->arg2;
for (int i = 0; i < 0x18; i++) { for (int i = 0; i < 0x18; i++) {
@@ -51,10 +55,6 @@ static inline void restore(struct kexec_args *uap) {
u64 *pktinfo_field2 = uap->arg4; u64 *pktinfo_field2 = uap->arg4;
*pktinfo_field2 = 0; *pktinfo_field2 = 0;
// get kernel base
const u64 xfast_syscall_off = 0x1c0;
void * const kbase = (void *)rdmsr(0xc0000082) - xfast_syscall_off;
u64 *sysent_661_save = uap->arg5; u64 *sysent_661_save = uap->arg5;
for (int i = 0; i < 0x30; i += 8) { for (int i = 0; i < 0x30; i += 8) {
write64(kbase, 0x1100ee0 + i, sysent_661_save[i / 8]); write64(kbase, 0x1100ee0 + i, sysent_661_save[i / 8]);
@@ -62,11 +62,7 @@ static inline void restore(struct kexec_args *uap) {
} }
__attribute__((always_inline)) __attribute__((always_inline))
static inline void do_patch(void) { static inline void do_patch(void *kbase) {
// get kernel base
const u64 xfast_syscall_off = 0x1c0;
void * const kbase = (void *)rdmsr(0xc0000082) - xfast_syscall_off;
disable_cr0_wp(); disable_cr0_wp();
// ChendoChap's patches from pOOBs4 // ChendoChap's patches from pOOBs4