diff --git a/src/SUMMARY.md b/src/SUMMARY.md index 7c09fcc8c..53464753f 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -845,6 +845,7 @@ - [WWW2Exec - \_\_malloc_hook & \_\_free_hook](binary-exploitation/arbitrary-write-2-exec/aw2exec-__malloc_hook.md) - [Common Exploiting Problems](binary-exploitation/common-exploiting-problems.md) - [Linux kernel exploitation - toctou](binary-exploitation/linux-kernel-exploitation/posix-cpu-timers-toctou-cve-2025-38352.md) +- [PS5 compromission](binary-exploitation/freebsd-ptrace-rfi-vm_map-prot_exec-bypass-ps5.md) - [Windows Exploiting (Basic Guide - OSCP lvl)](binary-exploitation/windows-exploiting-basic-guide-oscp-lvl.md) - [iOS Exploiting](binary-exploitation/ios-exploiting/README.md) - [ios CVE-2020-27950-mach_msg_trailer_t](binary-exploitation/ios-exploiting/CVE-2020-27950-mach_msg_trailer_t.md) diff --git a/src/binary-exploitation/freebsd-ptrace-rfi-vm_map-prot_exec-bypass-ps5.md b/src/binary-exploitation/freebsd-ptrace-rfi-vm_map-prot_exec-bypass-ps5.md new file mode 100644 index 000000000..63c4f19b0 --- /dev/null +++ b/src/binary-exploitation/freebsd-ptrace-rfi-vm_map-prot_exec-bypass-ps5.md @@ -0,0 +1,199 @@ +# FreeBSD ptrace RFI and vm_map PROT_EXEC bypass (PS5 case study) + +{{#include ../../../banners/hacktricks-training.md}} + +## Overview + +This page documents a practical Unix/BSD usermode process/ELF injection technique on PlayStation 5 (PS5), which is based on FreeBSD. The method generalizes to FreeBSD derivatives when you already have kernel read/write (R/W) primitives. High level: + +- Patch the current process credentials (ucred) to grant debugger authority, enabling ptrace/mdbg on arbitrary user processes. +- Find target processes by walking the kernel allproc list. +- Bypass PROT_EXEC restrictions by flipping vm_map_entry.protection |= PROT_EXEC in the target’s vm_map via kernel data writes. +- Use ptrace to perform Remote Function Invocation (RFI): suspend a thread, set registers to call arbitrary functions inside the target, resume, collect return values, and restore state. +- Map and run arbitrary ELF payloads inside the target using an in-process ELF loader, then spawn a dedicated thread that runs your payload and triggers a breakpoint to detach cleanly. + +PS5 hypervisor mitigations worth noting (contextualized for this technique): +- XOM (execute-only .text) prevents reading/writing kernel .text. +- Clearing CR0.WP or disabling CR4.SMEP causes a hypervisor vmexit (crash). Only data-only kernel writes are viable. +- Userland mmap is restricted to PROT_READ|PROT_WRITE by default. Granting PROT_EXEC must be done by editing vm_map entries in kernel memory. + +This technique is post-exploitation: it assumes kernel R/W primitives from an exploit chain. Public payloads demonstrate this up to firmware 10.01 at time of writing. + +## Kernel data-only primitives + +### Process discovery via allproc + +FreeBSD maintains a doubly-linked list of processes in kernel .data at allproc. With a kernel read primitive, iterate it to locate process names and PIDs: + +```c +struct proc* find_proc_by_name(const char* proc_name){ + uint64_t next = 0; + kernel_copyout(KERNEL_ADDRESS_ALLPROC, &next, sizeof(uint64_t)); // list head + struct proc* proc = malloc(sizeof(struct proc)); + do{ + kernel_copyout(next, (void*)proc, sizeof(struct proc)); // read entry + if (!strcmp(proc->p_comm, proc_name)) return proc; + kernel_copyout(next, &next, sizeof(uint64_t)); // advance next + } while (next); + free(proc); + return NULL; +} + +void list_all_proc_and_pid(){ + uint64_t next = 0; + kernel_copyout(KERNEL_ADDRESS_ALLPROC, &next, sizeof(uint64_t)); + struct proc* proc = malloc(sizeof(struct proc)); + do{ + kernel_copyout(next, (void*)proc, sizeof(struct proc)); + printf("%s - %d\n", proc->p_comm, proc->pid); + kernel_copyout(next, &next, sizeof(uint64_t)); + } while (next); + free(proc); +} +``` + +Notes: +- KERNEL_ADDRESS_ALLPROC is firmware-dependent. +- p_comm is a fixed-size name; consider pid->proc lookups if needed. + +### Elevate credentials for debugging (ucred) + +On PS5, struct ucred includes an Authority ID field reachable via proc->p_ucred. Writing the debugger authority ID grants ptrace/mdbg over other processes: + +```c +void set_ucred_to_debugger(){ + struct proc* proc = get_proc_by_pid(getpid()); + if (proc){ + uintptr_t authid = 0; // read current (optional) + uintptr_t ptrace_authid = 0x4800000000010003ULL; // debugger Authority ID + kernel_copyout((uintptr_t)proc->p_ucred + 0x58, &authid, sizeof(uintptr_t)); + kernel_copyin(&ptrace_authid, (uintptr_t)proc->p_ucred + 0x58, sizeof(uintptr_t)); + free(proc); + } +} +``` + +- Offset 0x58 is specific to the PS5 firmware family and must be verified per version. +- After this write, the injector can attach and instrument user processes via ptrace/mdbg. + +## Bypassing RW-only user mappings: vm_map PROT_EXEC flip + +Userland mmap may be constrained to PROT_READ|PROT_WRITE. FreeBSD tracks a process’s address space in a vm_map of vm_map_entry nodes (BST plus list). Each entry carries protection and max_protection fields: + +```c +struct vm_map_entry { + struct vm_map_entry *prev,*next,*left,*right; + vm_offset_t start, end, avail_ssize; + vm_size_t adj_free, max_free; + union vm_map_object object; vm_ooffset_t offset; vm_eflags_t eflags; + vm_prot_t protection; vm_prot_t max_protection; vm_inherit_t inheritance; + int wired_count; vm_pindex_t lastr; +}; +``` + +With kernel R/W you can locate the target’s vm_map and set entry->protection |= PROT_EXEC (and, if needed, entry->max_protection). Practical implementation notes: +- Walk entries either linearly via next or using the balanced-tree (left/right) for O(log n) search by address range. +- Pick a known RW region you control (scratch buffer or mapped file) and add PROT_EXEC so you can stage code or loader thunks. +- PS5 SDK code provides helpers for fast map-entry lookup and toggling protections. + +This bypasses userland’s mmap policy by editing kernel-owned metadata directly. + +## Remote Function Invocation (RFI) with ptrace + +FreeBSD lacks Windows-style VirtualAllocEx/CreateRemoteThread. Instead, drive the target to call functions on itself under ptrace control: + +1. Attach to the target and select a thread; PTRACE_ATTACH or PS5-specific mdbg flows may apply. +2. Save thread context: registers, PC, SP, flags. +3. Write argument registers per the ABI (x86_64 SysV or arm64 AAPCS64), set PC to the target function, and optionally place additional args/stack as needed. +4. Single-step or continue until a controlled stop (e.g., software breakpoint or signal), then read back return values from regs. +5. Restore original context and continue. + +Use cases: +- Call into an in-process ELF loader (e.g., elfldr_load) with a pointer to your ELF image in target memory. +- Invoke helper routines to fetch returned entrypoints and payload-args pointers. + +Example of driving the ELF loader: + +```c +intptr_t entry = elfldr_load(target_pid, (uint8_t*)elf_in_target); +intptr_t args = elfldr_payload_args(target_pid); +printf("[+] ELF entrypoint: %#02lx\n[+] Payload Args: %#02lx\n", entry, args); +``` + +The loader maps segments, resolves imports, applies relocations and returns the entry (often a CRT bootstrap) plus an opaque payload_args pointer that your stager passes to the payload’s main(). + +## Threaded stager and clean detach + +A minimal stager inside the target creates a new pthread that runs the ELF’s main and then triggers int3 to signal the injector to detach: + +```c +int __attribute__((section(".stager_shellcode$1"))) stager(SCEFunctions* functions){ + pthread_t thread; + functions->pthread_create_ptr(&thread, 0, + (void*(*)(void*))functions->elf_main, functions->payload_args); + asm("int3"); + return 0; +} +``` + +- The SCEFunctions/payload_args pointers are provided by the loader/SDK glue. +- After the breakpoint and detach, the payload continues in its own thread. + +## End-to-end pipeline (PS5 reference implementation) + +A working implementation ships as a small TCP injector server plus a client script: + +- NineS server listens on TCP 9033 and receives a header containing the target process name followed by the ELF image: + +```c +typedef struct __injector_data_t{ + char proc_name[MAX_PROC_NAME]; + Elf64_Ehdr elf_header; +} injector_data_t; +``` + +- Python client usage: + +```bash +python3 ./send_injection_elf.py SceShellUI hello_world.elf +``` + +Hello-world payload example (logs to klog): + +```c +#include +#include +#include +int main(){ + klog_printf("Hello from PID %d\n", getpid()); + return 0; +} +``` + +## Practical considerations + +- Offsets and constants (allproc, ucred authority offset, vm_map layout, ptrace/mdbg details) are firmware-specific and must be updated per release. +- Hypervisor protections force data-only kernel writes; do not attempt to patch CR0.WP or CR4.SMEP. +- JIT memory is an alternative: some processes expose PS5 JIT APIs to allocate executable pages. The vm_map protection flip removes the need to rely on JIT/mirroring tricks. +- Keep register save/restore robust; on failure, you can deadlock or crash the target. + +## Public tooling + +- PS5 SDK (dynamic linking, kernel R/W wrappers, vm_map helpers): https://github.com/ps5-payload-dev/sdk +- ELF loader: https://github.com/ps5-payload-dev/elfldr +- Injector server: https://github.com/buzzer-re/NineS/ +- Utilities/vm_map helpers: https://github.com/buzzer-re/playstation_research_utils +- Related projects: https://github.com/OpenOrbis/mira-project, https://github.com/ps5-payload-dev/gdbsrv + +## References + +- [Usermode ELF injection on the PlayStation 5](https://reversing.codes/posts/PlayStation-5-ELF-Injection/) +- [ps5-payload-dev/sdk](https://github.com/ps5-payload-dev/sdk) +- [ps5-payload-dev/elfldr](https://github.com/ps5-payload-dev/elfldr) +- [buzzer-re/NineS](https://github.com/buzzer-re/NineS/) +- [playstation_research_utils](https://github.com/buzzer-re/playstation_research_utils) +- [Mira](https://github.com/OpenOrbis/mira-project) +- [gdbsrv](https://github.com/ps5-payload-dev/gdbsrv) +- [FreeBSD klog reference](https://lists.freebsd.org/pipermail/freebsd-questions/2006-October/134233.html) + +{{#include ../../../banners/hacktricks-training.md}} \ No newline at end of file diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/README.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/README.md index a9559a2e4..7bc97b16b 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/README.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/README.md @@ -262,6 +262,7 @@ Note that executables compiled with **`pyinstaller`** won't use these environmen > > Even **root** will run this code when running python. + ## Detection ### Shield