elf-loader switch

README.md

@@ -180,7 +180,16 @@ PS4LINK FOR PS4
   cd libdebugnet
   make
   make install
-  cd ../..
+  cd ..
+  ```
+
+  compile and instal libelfloader it will let to use elf related function:
+
+  ```
+  cd libelfloader
+  make
+  make install
+  cd ..
   ```
 
   compile and install libps4link it will let fio host requests and commands support
@@ -189,30 +198,30 @@ PS4LINK FOR PS4
   cd libps4link
   make 
   make install
+  cd ..
   ```
 
   Customize your pc/mac ip configuration if you need in /usr/local/ps4dev/git/ps4link/ps4link/source/main.c in ps4LinkInit call. You must use your pc/mac ip configuration in first parameter.
 
 
-  create ps4link loader based on elfldr 
+  create ps4link loader based on elf-loader 
 
   ```
-  cd ../
   ls
-  LICENSE		elfldr		libps4link	ps4sh
+  LICENSE		elf-loader		libps4link	ps4sh
   README.md	libdebugnet	ps4link		samples
-  cd elfldr
+  cd elf-loader
   ./copy_ps4link_sources.sh
   make
   ```
-  Now you have a ldr.js file in /usr/local/ps4dev/git/ps4link/elfldr/local/ldr with PS4Link embed in it.
+  Now you have a ldr.js file in /usr/local/ps4dev/git/ps4link/elf-loader/local/ldr with PS4Link embed in it.
 
   To run webkit exploit you will need load index.html from directory local. Publish content from directory local in your web server or:
 
   ```
-  cd /usr/local/ps4dev/git/ps4link/eldldr/local
+  cd /usr/local/ps4dev/git/ps4link/elf-loader/local
   node server.js
-  Serving directory /usr/local/ps4dev/git/ps4link/elfldr/local on port 5350
+  Serving directory /usr/local/ps4dev/git/ps4link/elf-loader/local on port 5350
   ```
 
   Now you are ready to run PS4Link from your PlayStation 4
@@ -750,6 +759,9 @@ PS4LINK FOR PS4
 ===================
  Last Changes
 ===================
+  - switched to libraries
+  - switched to elf-loader fronted
+  - add install.sh by droogie
   - ps4sdk compliant
   - Added listproc sample
   - Added execdecrypt command
@@ -775,6 +787,7 @@ PS4LINK FOR PS4
   - hitodama for ps4sdk and elfldr 
   - xerpi for ps4ftp code base :P
   - wskeu and zecoxao for sharing code to decrypt files i only add save option to host0 :P
+  - droogie for testing and install script
   - kr105 for valid return code to userland in his dlclose poc
   - qwertyoruiop and cturt for sharing dlclose information
   - All people who collaborated in ps4dev

elfldr/LICENSE → elf-loader/LICENSE

@@ -22,7 +22,3 @@ ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
 OTHER DEALINGS IN THE SOFTWARE.
 
 For more information, please refer to <http://unlicense.org>
-
-##########################IMPORTANT##################################
-The contents in local/js are NOT licensed to you under the above terms.
-#####################################################################

elf-loader/Makefile

@@ -0,0 +1,5 @@
+.DEFAULT_GOAL := all
+
+%:
+	$(MAKE) -C generate $@ $?
+	$(MAKE) -C ps4/binary/ps4link $@ $?

elf-loader/README.md

@@ -0,0 +1,59 @@
+# Elf loader
+
+Runs ps4sdk elf files in-process on your PS4.
+
+## Prerequisites
+* clang 4.x for ps4 part 
+* make
+* [ps4sdk](https://github.com/ps4dev/ps4sdk)
+* node.js to run server.js (or any alternative to serve /local)
+* ps4sh if you want to use ps4link loader 
+* user loader is available but it is commented on Makefile if you choose use it compile ps4link elf mode instead loader mode and you can load following [user](https://github.com/ps4dev/elf-loader/blob/master/README.md)
+
+## Important
+
+The elf loader does not support dynamically linked executables. All libraries need to be statically linked into the executable. [ps4sdk](https://github.com/ps4dev/ps4sdk) provides a variaty of position independant, statically linkable libraries, such as a libc, for the PS4. Depending on their build system and requirenments, you can compile third party libraries using the ps4-lib target of the sdk. Alternatively you will have to alter their build system to compile them as PIC statically linked libraries.
+
+## Example
+```bash
+#Populate ps4link main source
+./copy_ps4link_sources.sh
+# Build as raw binary to bin/ and then convert to ldr.js in /local (you can 'make keepelf=1' to debug)
+make clean && make
+
+# Start server
+cd local
+node server.js
+
+# Start socat to check output
+socat udp-recv:18194 stdout
+
+# Browse ps4 browser to local server (<local>:5350)
+# Wait until the browser hangs in 'step 5'
+# Repeat again if you get out of memory problem
+#Output expected
+[PS4][INFO]: debugnet initialized
+[PS4][INFO]: Copyright (C) 2010,2016 Antonio Jose Ramos Marquez aka bigboss @psxdev
+[PS4][INFO]: ready to have a lot of fun...
+[PS4][DEBUG]: getuid() : 1
+[PS4][DEBUG]: executing privilege scalation
+[PS4][DEBUG]: ps4KernelExecute ret=0
+[PS4][DEBUG]: getuid() : 0
+[PS4][DEBUG]: [PS4LINK] Server request thread UID: 0x804AE480
+[PS4][DEBUG]: [PS4LINK] Server command thread UID: 0x804AD640
+[PS4][DEBUG]: [PS4LINK] Created ps4link_requests_sock: 82
+[PS4][DEBUG]: [PS4LINK] bind to ps4link_requests_sock done
+[PS4][DEBUG]: [PS4LINK] Ready for connection 1
+[PS4][DEBUG]: [PS4LINK] Waiting for connection
+[PS4][DEBUG]: [PS4LINK] Command Thread Started.
+[PS4][DEBUG]: [PS4LINK] Created ps4link_commands_sock: 84
+[PS4][DEBUG]: [PS4LINK] Command listener waiting for commands...
+# Thread number and sockets number can be different in your environment
+
+#Check that no bind error present in log
+
+# If all is fine you can use ps4sh to connect and send commands 
+```
+
+
+

elf-loader/copy_ps4link_sources.sh

@@ -0,0 +1,2 @@
+mkdir -p ps4/binary/ps4link/source
+cp ../ps4link/source/main.c ps4/binary/ps4link/source

elf-loader/generate/Makefile

@@ -0,0 +1,38 @@
+ifndef Ps4Sdk
+ifdef ps4sdk
+Ps4Sdk := $(ps4sdk)
+endif
+ifdef PS4SDK
+Ps4Sdk := $(PS4SDK)
+endif
+ifndef Ps4Sdk
+$(error Neither PS4SDK, Ps4Sdk nor ps4sdk set)
+endif
+endif
+
+
+
+ldrgen ?= true
+OutPath ?= bin
+
+
+compileAndLinkLdrGen = gcc $? -std=c11 -O3 -Wall -pedantic -Iinclude -o $@
+
+###################################
+
+
+.PHONY:: generate
+
+$(OutPath)/generate: source/main.c 
+ifneq ($(ldrgen), false)
+	$(dirp)
+	mkdir -p bin
+	$(compileAndLinkLdrGen)
+endif
+
+generate: $(OutPath)/generate
+
+all:: $(OutPath)/generate
+
+clean: 
+	@rm -fR bin 

elfldr/ps4link/ldrgen/main.c → elf-loader/generate/source/main.c

@@ -1,13 +1,59 @@
+#define _XOPEN_SOURCE 700
+#define __BSD_VISIBLE 1
+
 #include <stdlib.h>
 #include <stdio.h>
 #include <string.h>
 #include <stdint.h>
+
 #include <unistd.h>
 #include <fcntl.h>
 
-#include "util.h"
+#include <sys/types.h>
+#include <sys/stat.h>
+
+enum{ ELF_LOADER_BINARY_SEGMENT_SIZE = 0x100000 };
+
+void *elfLoaderMemoryAllocateFileFromPathAligned(char *file, size_t *size, size_t alignment)
+{
+	struct stat s;
+	FILE *f;
+	uint32_t *b;
+	size_t sz;
+	size_t i;
+
+	if(size != NULL)
+		*size = 0;
+
+	if(stat(file, &s) < 0)
+		return NULL;
+
+	if(alignment == 0)
+		alignment = 1;
 
-enum{ BinarySegmentSize = 0x100000 };
+ 	sz = ((size_t)s.st_size * alignment) / alignment;
+	b = (uint32_t *)malloc(sz * sizeof(uint8_t));
+
+	if(b == NULL)
+		return NULL;
+
+	f = fopen(file, "rb");
+	if(f == NULL)
+	{
+		free(b);
+		return NULL;
+	}
+	fread(b, s.st_size, 1, f);
+	fclose(f);
+
+	if(size != NULL)
+		*size = sz;
+
+	for(i = s.st_size; i < sz; ++i)
+		((uint32_t *)b)[i] = 0;
+
+	return b;
+}
 
 int main(int argc, char **argv)
 {
@@ -23,7 +69,7 @@ int main(int argc, char **argv)
 		return EXIT_FAILURE;
 	}
 
-	bin = utilAllocFileAligned(argv[2], &s, 4);
+	bin = elfLoaderMemoryAllocateFileFromPathAligned(argv[2], &s, 4);
 	if(bin == NULL)
 	{
 		fprintf(stderr, "Bin %s could not be loaded\n", argv[2]);
@@ -35,12 +81,12 @@ int main(int argc, char **argv)
 	data = NULL;
 	dataSize = 0;
 
-	if(binSize > BinarySegmentSize)
+	if(binSize > ELF_LOADER_BINARY_SEGMENT_SIZE)
 	{
-		for(i = (BinarySegmentSize - 1) / 4; i > 0 && bin[i] == 0; --i);
+		for(i = (ELF_LOADER_BINARY_SEGMENT_SIZE - 1) / 4; i > 0 && bin[i] == 0; --i);
 		textSize = (i + 1) * 4;
-		data = (uint32_t *)((uint8_t *)bin + BinarySegmentSize);
-		dataSize = binSize - BinarySegmentSize;
+		data = (uint32_t *)((uint8_t *)bin + ELF_LOADER_BINARY_SEGMENT_SIZE);
+		dataSize = binSize - ELF_LOADER_BINARY_SEGMENT_SIZE;
 	}
 
 	f = fopen(argv[3], "wb");

elfldr/local/index.html → elf-loader/local/index.html

@@ -8,12 +8,11 @@
 		<script type='text/javascript' src='js/exploit.js'></script>
 		<script type='text/javascript' src='js/just-rop.js'></script>
 		<script type='text/javascript' src='js/gadgets.js'></script>
-		<script type='text/javascript' src='ldr/ldr.js'></script>
 
 		<script type='text/javascript'>
 			var loopOnExit = true;
 
-			var debug = 3;
+			var debug = 0;
 			var debugWait = 4000;
 
 			function searchURIToObject(searchURI)
@@ -80,15 +79,34 @@
 				window.location.href = window.location.href.split('?')[0] + objectToSearchURI(params);
 			}
 
+			function ldrpre()
+			{
+				var params = searchURIToObject(window.location.search);
+				if(params['stage'] != 5)
+					return ldr();
+
+				(function(d, script)
+				{
+					script = d.createElement('script');
+					script.type = 'text/javascript';
+					script.async = true;
+					script.onload = function(){ldr();};
+					script.src = 'ldr/ldr.js';
+					d.getElementsByTagName('head')[0].appendChild(script);
+				}(document));
+			}
+
 			function ldr()
 			{
 				exploit();
 				var chain = new rop();
 
 				var size = 0x100000;
 				var writeAddress = 0x926100000;
-				var execAddress = 0x926200000;
-				var dataAddress = 0x926300000;
+				//var execAddress = 0x926200000;
+				var execAddress = 0x93a300000;
+				//var dataAddress = 0x926300000;
+				var dataAddress = 0x93a400000;
 				var dataSegmentCount = 3;
 
 				var params = searchURIToObject(window.location.search);
@@ -232,7 +250,7 @@
 	</head>
 	<body style="background-color:#000000;color:#11EE11">
 		<script type='text/javascript'>
-			document.body.onload = ldr;
+			document.body.onload = ldrpre;
 		</script>
 	</body>
 </html>