Add support for relative relocations

Author: Cryptogenic

README.md

@@ -37,6 +37,8 @@ Exploit should now support the following firmwares:
 - Clang-based fine-grained Control Flow Integrity (CFI) is present and enforced.
 - Supervisor Mode Access Prevention/Execution (SMAP/SMEP) cannot be disabled, due to the HV.
 - The write primitive is somewhat constrained, as bytes 0x10-0x14 must be zero (or a valid network interface).
+  - Though due to newer work using pipes, full arbitrary read/write is now possible
+
 
 
 
@@ -61,7 +63,9 @@ Exploit should now support the following firmwares:
 - [x] ~~Improve UAF reliability~~
 - [x] ~~Improve victim socket reliability (third prio)~~
 - [x] ~~Use a better / more consistent leak target than kqueue~~ (no longer necessary)
-- [ ] Make ELF loader support relocations
+- [x] Make ELF loader support relocations
+  - [ ] Add support for more relocations and possibly full dynamic linkage?
+
 
 
 

document/en/ps5/exploit.js

@@ -1294,39 +1294,49 @@ async function userland() {
     await chain.add_syscall_ret(test_store_buf, SYSCALL_LISTEN, elf_loader_sock_fd, 5);
     await chain.run();
 
-    // Accept and process connections
+    // ELF sizes and offsets
     let SIZE_ELF_HEADER                 = 0x40;
     let SIZE_ELF_PROGRAM_HEADER         = 0x38;
+
     let OFFSET_ELF_HEADER_ENTRY         = 0x18;
     let OFFSET_ELF_HEADER_PHOFF         = 0x20;
     let OFFSET_ELF_HEADER_PHNUM         = 0x38;
+
     let OFFSET_PROGRAM_HEADER_TYPE      = 0x00;
     let OFFSET_PROGRAM_HEADER_FLAGS     = 0x04;
     let OFFSET_PROGRAM_HEADER_OFFSET    = 0x08;
     let OFFSET_PROGRAM_HEADER_VADDR     = 0x10;
-    let OFFSET_PROGRAM_HEADER_FILESZ    = 0x20;
     let OFFSET_PROGRAM_HEADER_MEMSZ     = 0x28;
-    let ELF_PT_NULL                     = 0x00;
+
+    let OFFSET_RELA_OFFSET              = 0x00;
+    let OFFSET_RELA_INFO                = 0x08;
+    let OFFSET_RELA_ADDEND              = 0x10;
+
+    // ELF program header types
     let ELF_PT_LOAD                     = 0x01;
+    let ELF_PT_DYNAMIC                  = 0x02;
+
+    // ELF dynamic table types
+    let ELF_DT_NULL                     = 0x00;
+    let ELF_DT_RELA                     = 0x07;
+    let ELF_DT_RELASZ                   = 0x08;
+    let ELF_DT_RELAENT                  = 0x09;
+    let ELF_R_AMD64_RELATIVE            = 0x08;
 
+    // Accept clients
     let conn_fd_store                   = p.malloc(0x4);
     let conn_addr_store                 = p.malloc(0x10);
     let conn_addr_sz_store              = p.malloc(0x4);
     let conn_ret_store                  = p.malloc(0x8);
-    let segment_text_addr_store         = p.malloc(0x8);
-    let segment_data_addr_store         = p.malloc(0x8);
     let elf_store_size                  = SIZE_ELF_HEADER + (SIZE_ELF_PROGRAM_HEADER * 0x10) + 0x200000;
     let elf_store                       = p.malloc(elf_store_size);
 
     let shadow_mapping_addr = new int64(0x20100000, 0x00000009);
     let mapping_addr        = new int64(0x26100000, 0x00000009);
-    let data_mapping_addr;
 
     let elf_program_headers_offset  = 0;
     let elf_program_headers_num     = 0;
 
-    let elf_mapped_addr   = 0;
-
     p.write4(conn_addr_sz_store, 0x10);
 
     for (;;) {
@@ -1362,8 +1372,13 @@ async function userland() {
 
         await log("[+] Received ELF file (" + total_sz.toString(10) + " bytes), loading...");
 
-        let text_segment_sz = 0;
-        let data_segment_sz = 0;
+        let text_segment_sz    = 0;
+        let data_segment_sz    = 0;
+        let rela_table_offset  = 0;
+        let rela_table_count   = 0;
+        let rela_table_size    = 0;
+        let rela_table_entsize = 0;
+        let shadow_write_mapping = 0;
 
         // Parse program headers and map segments
         for (let i = 0; i < elf_program_headers_num; i++) {
@@ -1381,7 +1396,7 @@ async function userland() {
                 // Also, the mapping size is fixed at 0x100000. This is because jitshm requires to be aligned this way... for some dumb reason.
                 if ((program_flags & 1) == 1) {
                     // Executable segment
-                    text_segment_sz = aligned_memsz;
+                    text_segment_sz = program_memsz;
 
                     // Get exec
                     await chain.add_syscall_ret(jit_handle_store, SYSCALL_JITSHM_CREATE, 0x0, aligned_memsz, 0x7);
@@ -1396,6 +1411,7 @@ async function userland() {
                     // Map to shadow mapping
                     await chain.add_syscall_ret(conn_ret_store, SYSCALL_MMAP, shadow_mapping_addr, aligned_memsz, 0x3, 0x11, write_handle, 0);
                     await chain.run();
+                    shadow_write_mapping = p.read8(conn_ret_store);
 
                     // Copy in segment data
                     let dest = p.read8(conn_ret_store);
@@ -1424,7 +1440,65 @@ async function userland() {
                 }
             }
 
-            // TODO: Dynamic / relocations
+            if (program_type == ELF_PT_DYNAMIC) {
+                // Parse dynamic tags, the ones we truly care about are rela-related.
+                for (let j = 0x00; ; j += 0x10) {
+                    let d_tag = p.read8(elf_store.add32(program_offset + j)).low;
+                    let d_val = p.read8(elf_store.add32(program_offset + j + 0x08));
+
+                    // DT_NULL means we reached the end of the table
+                    if (d_tag == ELF_DT_NULL || j > 0x100) {
+                        break;
+                    }
+
+                    switch (d_tag) {
+                    case ELF_DT_RELA:
+                        rela_table_offset = d_val.low;
+                        break;
+                    case ELF_DT_RELASZ:
+                        rela_table_size = d_val.low;
+                        break;
+                    case ELF_DT_RELAENT:
+                        rela_table_entsize = d_val.low;
+                        break;
+                    }
+                }
+            }
+        }
+
+        // Process relocations if they exist
+        if (rela_table_offset != 0) {
+            let base_address = 0x1000;
+
+            // The rela table offset from dynamic table is relative to the LOAD segment offset not file offset.
+            // The linker script should guarantee it ends up in the first LOAD segment (code).
+            rela_table_offset += base_address;
+
+            // Rela count can be gotten from dividing the table size by entry size
+            rela_table_count = rela_table_size / rela_table_entsize;
+
+            // Parse relocs and apply them
+            for (let i = 0; i < rela_table_count; i++) {
+                let r_offset = p.read8(elf_store.add32(rela_table_offset + (i * rela_table_entsize) + 
+                    OFFSET_RELA_OFFSET));
+                let r_info   = p.read8(elf_store.add32(rela_table_offset + (i * rela_table_entsize) + 
+                    OFFSET_RELA_INFO));
+                let r_addend = p.read8(elf_store.add32(rela_table_offset + (i * rela_table_entsize) + 
+                    OFFSET_RELA_ADDEND));
+
+                let reloc_addr = mapping_addr.add32(r_offset.low);
+
+                // If the relocation falls in the executable section, we need to redirect the write to the
+                // writable shadow mapping or we'll crash
+                if (r_offset.low <= text_segment_sz) {
+                    reloc_addr = shadow_write_mapping.add32(r_offset.low);
+                }
+
+                if ((r_info.low & 0xFF) == ELF_R_AMD64_RELATIVE) {
+                    let reloc_value  = mapping_addr.add32(r_addend.low); // B + A
+                    p.write8(reloc_addr, reloc_value);
+                }
+            }
         }
 
         let rwpair_mem              = p.malloc(0x8);

document/en/ps5/index.html

@@ -78,7 +78,7 @@
 
     <center>
         <h3>
-            <b>v1.02.</b>
+            <b>v1.03.</b>
             <br />
             <a href="https://twitter.com/theflow0">@theflow0</a>, 
             <a href="https://twitter.com/SpecterDev">@SpecterDev</a>,