Created October 2, 2022 22:18
Gist: psxdev/0359d0127de26ce5898b298aa5c7e322
prospero kernel exploit under bdj
[HOST] debugnet listener up
[HOST] ready to have a lot of fun!!!
[PROSPERO][INFO] [+] Logger initialized...
[PROSPERO][INFO] [+] Receive udp log in 192.168.1.12 with: socat udp-recv:18194 stdout
[PROSPERO][INFO] [+] bd-jb by bigboss based on TheFlow, specter and sleirsgoevy implementation
[PROSPERO][INFO] [+] Creating JavaSecurityAccess
[PROSPERO][INFO] [+] Creating fake JavaSecurityProxy
[PROSPERO][INFO] [+] Set fake JavaSecurityProxy
[PROSPERO][INFO] [+] Creating URLClassLoader
[PROSPERO][INFO] [+] Loading Payload
[PROSPERO][INFO] [+] SecurityManager bypass done
[PROSPERO][INFO] [+] Before initUnsafe
[PROSPERO][INFO] [+] get Field theUnsafeField
[PROSPERO][INFO] [+] setAccesible theUnsafeField
[PROSPERO][INFO] [+] get Unsafe
[PROSPERO][INFO] [+] get declared unsafe methods
[PROSPERO][INFO] [+] UnsafeJDKImpl done
[PROSPERO][INFO] [+] Before initDlsym
[PROSPERO][INFO] [+] Before initSymbols
[PROSPERO][INFO] [+] handle 0xfffffffffffffffe dlsym symbol JVM_NativePath address 0x1ab09b8f0
[PROSPERO][INFO] [+] handle 0x2001 dlsym symbol __Ux86_64_setcontext address 0x82c780334
[PROSPERO][INFO] [+] handle 0x4a dlsym symbol Java_java_lang_reflect_Array_multiNewArray address 0x174e48350
[PROSPERO][INFO] [+] handle 0x2 dlsym symbol setjmp address 0x8292269b0
[PROSPERO][INFO] [+] handle 0x2001 dlsym symbol __error address 0x82c7839b0
[PROSPERO][INFO] [+] Before initApiCall
[PROSPERO][INFO] [+] init Api done
[PROSPERO][INFO] [+] handle 0x2001 dlsym symbol sceKernelSendNotificationRequest address 0x82c79bf50
[PROSPERO][INFO] [+] Initializing sockets...
[PROSPERO][INFO] [+] handle 0x2001 dlsym symbol socket address 0x82c780bd0
[PROSPERO][INFO] [+] kevent_sock=32
[PROSPERO][INFO] [+] handle 0x2001 dlsym symbol getsockopt address 0x82c780d70
[PROSPERO][INFO] [+] master_sock=33 tclass=0
[PROSPERO][INFO] [+] handle 0x2001 dlsym symbol kqueue address 0x82c781890
[PROSPERO][INFO] [+] Triggering UAF...
[PROSPERO][INFO] use thread start run
[PROSPERO][INFO] free thread start run
[PROSPERO][INFO] [+] handle 0x2001 dlsym symbol setsockopt address 0x82c780cb0
[PROSPERO][INFO] [+] handle 0x2001 dlsym symbol sceKernelUsleep address 0x82c795ec0
[PROSPERO][INFO] [+] handle 0x2001 dlsym symbol sceKernelUsleep address 0x82c795ec0
[PROSPERO][INFO] get_tclass s=33 val=ffffffff getsockopt return 0
[PROSPERO][INFO] get_tclass s=33 val=41 getsockopt return 0
[PROSPERO][INFO] get_tclass s=33 val=41 getsockopt return 0
[PROSPERO][INFO] use thread end run
[PROSPERO][INFO] free thread end run
[PROSPERO][INFO] get_tclass s=33 val=41 getsockopt return 0
[PROSPERO][INFO] trigger_uaf triggered
[PROSPERO][INFO] after join use thread
[PROSPERO][INFO] after join free thread
[PROSPERO][INFO] get_tclass s=34 val=41 getsockopt return 0
[PROSPERO][INFO] get_tclass s=35 val=41 getsockopt return 0
[PROSPERO][INFO] get_tclass s=36 val=41 getsockopt return 0
[PROSPERO][INFO] get_tclass s=37 val=42 getsockopt return 0
[PROSPERO][INFO] [+] Overlap socket: 0x25 (0x3)
[PROSPERO][INFO] get_tclass s=37 val=42 getsockopt return 0
[PROSPERO][INFO] get_tclass s=33 val=42 getsockopt return 0
[PROSPERO][INFO] [+] after reallocate pktopts
[PROSPERO][INFO] get_tclass s=37 val=42 getsockopt return 0
[PROSPERO][INFO] get_tclass s=33 val=42 getsockopt return 0
[PROSPERO][INFO] [+] before fake_pktopts
[PROSPERO][INFO] size 248 len 30
[PROSPERO][INFO] before tclass
[PROSPERO][INFO] get_tclass s=33 val=13370018 getsockopt return 0
[PROSPERO][INFO] tclass 0x13370018 versus TCLASS_MASTER 0x13370000
[PROSPERO][INFO] [+] after fake_pktopts
[PROSPERO][INFO] [+] Overlap socket: 0x3a (0x18)
[PROSPERO][INFO] size 280 len 34
[PROSPERO][INFO] [+] handle 0x2001 dlsym symbol close address 0x82c78e9b0
[PROSPERO][INFO] [+] kqueue_addr: 0xffffb27030ac8600
[PROSPERO][INFO] size 248 len 30
[PROSPERO][INFO] [+] pktopts_addr: 0xffffb27030aaf300
[PROSPERO][INFO] [+] after leak_kevent_pktopts
[PROSPERO][INFO] size 248 len 30
[PROSPERO][INFO] before tclass
[PROSPERO][INFO] get_tclass s=33 val=13370041 getsockopt return 0
[PROSPERO][INFO] tclass 0x13370041 versus TCLASS_MASTER 0x13370000
[PROSPERO][INFO] [+] after fake_pktopts
[PROSPERO][INFO] [+] Overlap socket: 0x63 (0x41)
[PROSPERO][INFO] [+] Victim socket: 0x2a (0x8)
[PROSPERO][INFO] [+] Arbitrary R/W achieved.
[PROSPERO][INFO] [+] Found kqueue .data address: 0xffffffffd50f8ad3 (found @ i = 0x400)
[PROSPERO][INFO] [+] Found kqueue .data address: 0xffffffffd50f8ad3 (found @ i = 0x800)
[PROSPERO][INFO] [+] Found kqueue .data address: 0xffffffffd50f8ad3 (found @ i = 0xa00)
[PROSPERO][INFO] [+] Found kqueue .data address: 0xffffffffd50f8ad3 (found @ i = 0xc00)
[PROSPERO][INFO] [+] Found kqueue .data address: 0xffffffffd50f8ad3 (found @ i = 0xe00)
[PROSPERO][INFO] [+] handle 0x2001 dlsym symbol getpid address 0x82c7805b0
[PROSPERO][INFO] [+] pid: 76
[PROSPERO][INFO] [+] PID: 0x4c
[PROSPERO][INFO] [+] Found kernel .data base address: 0xffffffffd4de0000
[PROSPERO][INFO] [+] Found allproc: 0xffffffffd75cdcb8
[PROSPERO][INFO] [+] Found proc->p_ucred: 0xffffb2702fb0b600
[PROSPERO][INFO] [+] Found proc->p_fd: 0xffffb26c02016c60
[PROSPERO][INFO] [+] Enabled debug menu
[PROSPERO][INFO] [+] Patched creds
[PROSPERO][INFO] [+] Patching 0xffffb27033c44ff0 from 0x200000001
[PROSPERO][INFO] to 0x200000100
[PROSPERO][INFO] [+] overlap_sock cleaned
[PROSPERO][INFO] [+] Patching 0xffffb26c02460000 from 0x200000001
[PROSPERO][INFO] to 0x200000100
[PROSPERO][INFO] [+] master_sock cleaned
[PROSPERO][INFO] [+] Patching 0xffffb26c6aebaa80 from 0x200000001
[PROSPERO][INFO] to 0x200000100
[PROSPERO][INFO] [+] victim_sock cleaned
[PROSPERO][INFO] [+] handle 0x2001 dlsym symbol getuid address 0x82c780630
[PROSPERO][INFO] [+] uid: 0
[PROSPERO][INFO] [+] Checking, getuid = 0x0
[PROSPERO][INFO] [+] handle 0x2001 dlsym symbol sceKernelSleep address 0x82c795d80
[PROSPERO][INFO] [+] Done.
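The output above is a raw debug log. What follows is an added example, not part of the gist and not the bd-jb project's own code: a small triage script that parses a log in this format, recovers the dlsym table (handle, symbol, address), picks out the tclass-marker lines the exploit uses to detect which sprayed socket's pktopts the master socket now aliases, collects the leaked kernel pointers, and checks the invariants a successful run shows (each marker's low 16 bits equals a reported overlap index, the leaked pointers lie in the kernel half of the address space, the .data base is page aligned, and getuid ends at 0). The embedded sample is a handful of lines copied from the log above; `parse_log`, `analyze` and `KERNEL_ADDR_MIN` are this example's own names, and the kernel-half threshold is an assumption about the amd64 address layout, not something the log states.

```python
"""Triage a prospero/bd-jb style debug log. Added example, not the gist's code."""
import re

TCLASS_MASTER = 0x13370000           # marker value the log compares against
KERNEL_ADDR_MIN = 0xFFFF800000000000  # assumption: amd64 kernel half starts here

LINE_RE = re.compile(r"^\[(?P<src>[A-Z]+)\](?:\[(?P<lvl>[A-Z]+)\])?\s*(?P<msg>.*)$")
DLSYM_RE = re.compile(r"handle (0x[0-9a-f]+) dlsym symbol (\S+) address (0x[0-9a-f]+)")
TCLASS_RE = re.compile(r"get_tclass s=(\d+) val=([0-9a-f]+) getsockopt return (-?\d+)")
OVERLAP_RE = re.compile(r"Overlap socket: (0x[0-9a-f]+) \((0x[0-9a-f]+)\)")
KADDR_RE = re.compile(
    r"(kqueue_addr|pktopts_addr|kernel \.data base address|allproc|proc->p_ucred|proc->p_fd)"
    r": (0x[0-9a-f]+)")
UID_RE = re.compile(r"Checking, getuid = (0x[0-9a-f]+)")

# Constructed sample: a few lines copied from the log above, no trailing table pipes.
SAMPLE_LOG = """
[HOST] debugnet listener up
[PROSPERO][INFO] [+] handle 0x2001 dlsym symbol getsockopt address 0x82c780d70
[PROSPERO][INFO] [+] master_sock=33 tclass=0
[PROSPERO][INFO] [+] Triggering UAF...
[PROSPERO][INFO] get_tclass s=33 val=ffffffff getsockopt return 0
[PROSPERO][INFO] get_tclass s=37 val=42 getsockopt return 0
[PROSPERO][INFO] [+] Overlap socket: 0x25 (0x3)
[PROSPERO][INFO] get_tclass s=33 val=13370018 getsockopt return 0
[PROSPERO][INFO] tclass 0x13370018 versus TCLASS_MASTER 0x13370000
[PROSPERO][INFO] [+] Overlap socket: 0x3a (0x18)
[PROSPERO][INFO] [+] kqueue_addr: 0xffffb27030ac8600
[PROSPERO][INFO] [+] pktopts_addr: 0xffffb27030aaf300
[PROSPERO][INFO] [+] Arbitrary R/W achieved.
[PROSPERO][INFO] [+] Found kernel .data base address: 0xffffffffd4de0000
[PROSPERO][INFO] [+] Checking, getuid = 0x0
[PROSPERO][INFO] [+] Done.
"""


def parse_log(text):
    """Split a log into the facts worth keeping: symbols, tclass reads, overlaps,
    kernel pointers, the final uid, and the '[+]' progress steps in order."""
    summary = {"symbols": {}, "tclass": [], "overlaps": [], "kaddrs": {},
               "uid": None, "steps": []}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group("src") != "PROSPERO":
            continue  # blank lines and [HOST] listener chatter carry no target state
        msg = m.group("msg")
        if (d := DLSYM_RE.search(msg)):
            summary["symbols"][d.group(2)] = (int(d.group(1), 16), int(d.group(3), 16))
        elif (t := TCLASS_RE.search(msg)):
            summary["tclass"].append((int(t.group(1)), int(t.group(2), 16), int(t.group(3))))
        elif (o := OVERLAP_RE.search(msg)):
            summary["overlaps"].append((int(o.group(1), 16), int(o.group(2), 16)))
        elif (k := KADDR_RE.search(msg)):
            summary["kaddrs"][k.group(1)] = int(k.group(2), 16)
        elif (u := UID_RE.search(msg)):
            summary["uid"] = int(u.group(1), 16)
        elif msg.startswith("[+] "):
            summary["steps"].append(msg[4:])
    return summary


def analyze(summary):
    """Check the run against the invariants the log itself exposes."""
    # A getsockopt(IPV6_TCLASS) read on the master socket whose high 16 bits equal
    # TCLASS_MASTER means the master's pktopts now aliases a sprayed socket's; the
    # low 16 bits are that socket's spray index, which the next Overlap line repeats.
    marker_indices = [val & 0xFFFF for _s, val, rc in summary["tclass"]
                      if rc == 0 and (val & 0xFFFF0000) == TCLASS_MASTER]
    overlap_indices = [idx for _fd, idx in summary["overlaps"]]
    base = summary["kaddrs"].get("kernel .data base address")
    return {
        "marker_indices": marker_indices,
        "markers_match_overlaps": all(i in overlap_indices for i in marker_indices),
        "kaddrs_in_kernel_half": all(a >= KERNEL_ADDR_MIN for a in summary["kaddrs"].values()),
        "kernel_base_page_aligned": base is not None and (base & 0xFFF) == 0,
        "got_root": summary["uid"] == 0 and "Done." in summary["steps"],
    }


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for name, (handle, addr) in parsed["symbols"].items():
        print(f"{name:<24} handle={handle:#x} addr={addr:#x}")
    for key, value in analyze(parsed).items():
        print(f"{key:<26} {value}")
```

Run it against a full capture by replacing `SAMPLE_LOG` with the file contents (strip the trailing `| |` cells if the log was copied from a rendered table). A marker index that does not reappear in an Overlap line, or a leaked pointer outside the kernel half, is the quickest sign that the spray did not land where the exploit assumed.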