Proof of concept webkit exploit running on PS4 firmwares 2.xx
Developer Fire30 released a webkit exploit proof of concept for the PS4, ported from a webkit heap buffer overflow revealed in 2014. I haven’t tested this myself, and this is still unconfirmed information at this point.
Fire30 says the exploit should run on any PS4 firmware below 2.50, although he mentions parts of the exploit implementation will only work on firmware 2.03, presumably because this is the firmware he’s using to write the code.
There’s not much to be said about this at this point, although in theory the kernel exploits BadIRET and dlclose could be ported to this exploit, if it is confirmed legit: those kernel exploits have been reported as compatible up to firmware 2.xx, and the only thing preventing their use on firmwares other than 1.76 so far has been that the only publicly available userland exploit was the 1.76 webkit exploit.
A port of the dlclose exploit to this new webkit vulnerability could bring some Linux joy to more PS4 users, and help decrease the current asking price for hackable PS4s.
Download and install the CVE-2014-1303 Proof of Concept for PS4
You can download Fire30’s proof of concept from his GitHub here. You’ll need a PS4 running a firmware below 2.50, ideally firmware 2.03. According to the readme:
A PoC for CVE-2014-1303, originally disclosed by Liang Chen. It has been tested to work on system firmware 2.03, but should work for systems on a firmware < 2.50; the ROP test will however only work on 2.03.
Usage
You need to edit dns.conf to point to the IP address of your machine, and modify your console’s DNS settings to point to it as well. Then run
python fakedns.py -c dns.conf
then
python server.py
Debug output will come from this process. Navigate to the User’s Guide page on the PS4 and various information should be printed to the console. The ROP test will print what is stored in the rsp register. Continuing execution after rsp is pivoted still needs to be done.
Fire30 credits the following people, in addition to Liang Chen, who revealed the vulnerability in 2014:
thexyz
dreadlyei
If you happen to have a PS4 running a firmware below 2.50, and have the skills to 1) confirm that this is true and 2) try and get the dlclose exploit to run on this, then by all means, help the PS4 scene 🙂
Otherwise… stay tuned!
source: github, thanks to @isset_asset
Last.
I stayed on 3.15 because I feel that soon there will be an exploit for it 🙁 missing out on remote play... ugh, but I have faith.
Only a matter of time
Great news! For those wondering, the last firmware version before 2.50 was 2.04.
It’s still 4/20 here… You’re here from the future with good news for the scene!! 🙂
“If you happen to have a PS4 running a firmware below 2.50, and have the skills to 1) confirm that this is true and 2) try and get the dlclose exploit to run on this, then by all means, help the PS4 scene”
The dlclose exploit has been patched on OFW 2.04 (source: Flatz), so this webkit exploit may jailbreak the PS4 on firmware 2.03 maximum.
Owners of PS4 on OFW 2.5x or 3.x still have to wait.
PS: Last week someone posted a POC of a 3.50 webkit exploit on Twitter (then he deleted all his tweets!). If a new kernel exploit is found on OFW 3.xx that will be huge! 🙂
I couldn’t find the info about dlclose being patched in 2.04, but I have no reason not to believe you. How about BadIRET? All I can find is that it was patched somewhere in 2.xx.
You have to believe Flatz not me 🙂
BadIRET actually doesn’t work properly: the registries don’t come back in a stable environment, the system is in a state of “panic” and hangs/crashes after a few minutes. Maybe BadIRET is working on FW 2.5x, but only CTurt knows, and someone has to finish coding the exploit and clean the registry.
Thanks for the clarification. Not quite what I had hoped to hear though since I got a second console with 2.04 firmware. Well then I’m just gonna have to wait for a new kernel exploit.
Does someone know what the firmware on the Metal Gear Solid PS4 is? I still have mine sealed.
This PS4 has been available since 09/01/15. At that time, the firmware version was 2.50. Version 3.0 became available on 09/30/15.
Hope they find an exploit for 3.15. I only updated just to play SFV, which was disappointing. I never should’ve updated my 2.04 FW, I don’t even play my PS4 much.
All these exploits and nothing worthwhile to run with them. Hopefully CFW, and then I’ll hail this a success.
I guess for dumbf#$ks such as yourself there isn’t anything worthwhile but linux is a very nice thing to have.
Get yourself a PC if you want to run Linux like everyone else, you F W I T. It might be cool then. Bought a PS4 to play games, not to use as a PC. What a tool. Get with the program.
That’s why you buy two consoles you “tool”. But judging by your petty bickering like that of a 12 year old your parents were only able to afford one for you. Too bad.
Actually I’ve got 3 if you would like 1. 1 to play online and 2 with 1.76. lol Who’s the tool now???? 😀
Get yourself a PC and run Linux, you F W I T. PS4 is for playing games. Playing games is cool, Linux fanboy. Get with the program.
You can play games on Linux. **facepalm** Like NES, SNES, N64, PS1, etc. You can even install and run Steam on Linux. Now *** about things you know nothing about you ***.
Why play old c r a p on a new console? Can’t believe people even bother with this. Unless running Linux leads to a hack to run PS4 games, then it’s all a waste of time. I’m sure you can run Linux on a PC and emulate all that old stuff too. Why bother doing it on a PS4?????
Sorry for all my stupid comments above and below. As you all already know, I have no life. XD
Sorry to hear that Mummy couldn’t afford to buy you a laptop and a PS4. F W I T
What a waste of two consoles on a “F W I T Tool” who can’t even appreciate all the work done for the scene right now.
I’m in the same boat. I think Linux was an amazing step, but I feel like it was really only a PoC, and I just want to see more homebrew native to the PS4 firmware come out, because it interests me more than running Linux on a console with aging hardware..
Slowly, but surely…
Tested on fw 2.51
Aligning memory…
Vulnrablity triggered!
Couldn’t find corrupted element…!
:'(
Yeah, this is expected; it will only work for versions < 2.50. See what versions of webkit Sony uses for each firmware version here:
http://doc.dl.playstation.net/doc/ps4-oss/webkit.html
Good news, but nothing for vita atm … I will try it as soon as possible ( vita 3.52 )
If I remember right, PS4 2.50 was released on the 26th of March 2015, at the same time as 3.50, so I think it will not be good at all :/
Well, it’s funny how the Vita is way more secure than the PS4 yet. What a shame, Sony, you shouldn’t have made the Vita if its single purpose was only to compete against hackers who know best about proprietary system security and stuff like that.
If you test this webkit vulnerability on 3.50 or less it will probably work, but nothing on 3.51+ (btw I only tested it on 3.52). I don’t think security on the Vita and PS4 is a lot different, but the PS4 is basically a modded computer with standard x32/x64 architecture while the PSV is a kind of ARM. Don’t forget the fact that there are more players on PS4 than Vita, so probably more hackers.
Vita 3.52 Failed …
http://img11.hostingpics.net/pics/822453capturedcran1.png
Wise words, mate. Even for homebrew scene Vita appears to be just a “legacy” handheld, so much that they don’t mind messing with it at all anymore. I’ll keep trying hard to sell my dusty Vita while I still have a drop of hope on obscure native scene.
This implementation will not work on the vita as it uses a different memory allocator. In fact I am using the same exploit that is used in https://github.com/Hykem/vitasploit for 3.36, so that is the farthest this vulnerability will go.
Hi Fire30,
Thank you. I was thinking it was a new exploit, so I was really hoping to be able to run it on the Vita 🙁
I got the PS4 FF Type-0 console. Originally it was 2.01 or something. Because I needed to download content before it expired, the system was upgraded to 2.55 to access PSN. Is there any hope with the webkit exploit in the future?
Last week I saw a tweet, a POC of a 3.50 webkit exploit (tweet deleted).
Stay on 2.55, because maybe the BadIRET exploit may work until 2.55:
– BadIRET patch released on FreeBSD 9 (Orbis) = 2015-08-25
&
– 2.57 = July 2015
Speculation… but I think BadIRET is still working until 3.00 (3.00 = September 2015; Sony had enough time to patch it?)
You win!! Please continue hacking the PS4!
Vita scene is DEAD, stupid PS4
I think that already ps4 scene was not won this talk ta very bored, have to be 3:50, whoever is 1.76 in this scene? ie cut worth not have to be 3:50 on!
what about a poc tut dg 4.78 ps3 to 3.55 ofw to 3.55 cfw to 4.80 cfw ?.?
with downloads and passes ? online pass and dlc pass lol
On FW 2.04
Aligning memory…
Vulnrablity triggered!
Found Corruped ArrayBuffer!
Corruped Index is 0x1fe!
Found ArrayBufferView that we have control over!
Devs are not up for the task. 3DS developers are way more skilled. We will wait a looong time.
3ds is g@y and you should feel g@y
Every time I read about this webkit exploit, it makes me wonder if something similar could be done with the unhackable PS3s. It’s not something that I need because I already have one of the hackable ones, but this would be great for the community.
Hey, somebody out there: I have a PS4 running on firmware 2.03, I live in New York… I could lend you my PS4 so you could tinker with it?
Bad news: Fire30 can’t crash his 2.03 PS4 with the dlclose vulnerability (source: IRC #ps4dev)
He already SAID he can, what do you even mean?