PS4 1.76 Webkit ROP POC
Re: PS4 1.76 Webkit ROP POC
I tried this WebKit on my PS4. I clicked on 1, it uploaded successfully, but nothing happened? Nothing changes....
- Posts: 8
- Joined: Thu Feb 20, 2014 1:23 pm
Re: PS4 1.76 Webkit ROP POC
I have two files from the ROP POC dump: dump-0x836be8000-0 (31KB), and dump-0x836be8000-1 (9KB).
How can I load these into IDA Pro? I know that the processor type should be x86_64, but I'm not sure what it is called in IDA. Here is a list of the supported processor types: https://www.hex-rays.com/products/ida/s ... /618.shtml Which one do I use?
Re: PS4 1.76 Webkit ROP POC
Drag and drop your file into IDA Pro 64-bit.
Choose metapc.
If you have an old version of IDA Pro, you have to hit "c" to make code ...
Or load this script :
http://pastebin.com/zbwMpV86
- Posts: 8
- Joined: Thu Feb 20, 2014 1:23 pm
Re: PS4 1.76 Webkit ROP POC
OK, I've dumped all modules, and identified these 4 as the most interesting ones:
1: libKernel
2: libC
14: webKit2
18: libSystemService
The offsets of my libKernel functions match the ones that you posted here:
viewtopic.php?f=63&t=40349&start=20#p368996
But, like you, whenever I try to call any kind of function (with any amount of arguments) I always get the error of there being "not enough free system memory" on the PS4.
The ROP chain that came with the package does cause my PS4 to hang as intended, and I can correctly locate the infinite loop in my dump:
So I am definitely translating the address correctly.
So I believe the problem to be due to trying to call functions from a different module. Has anyone successfully called any libc or libkernel functions which can do anything significant, like mkdir or exit?
- Posts: 8
- Joined: Thu Feb 20, 2014 1:23 pm
Re: PS4 1.76 Webkit ROP POC
After further inspection, it turns out that the code being in a different module isn't the problem because I searched for an infinite loop in module 1 (libkernel), found one at 0x11e06 (instruction 0xfeeb), and it causes my system to freeze just like using the infinite loop from the webkit module.
EDIT: After more tests I have found that any retn instructions and infinite loops will work, but anything that modifies the stack like push or pop will cause a segfault, which is what causes the memory error to be displayed. This could be caused by a garbage collector, a stack canary, or something else; I have no idea at the moment.
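The post above locates a jmp-to-self (bytes EB FE) in a module dump and converts between file offsets and module addresses. The following is an added example (not code from the thread or the POC package) that does the same over a dump file: it takes the load base from the dump-0x<base>-<index> file name convention used in the thread and lists every EB FE occurrence with its absolute address. The sample bytes are constructed for illustration.

```python
import re

# Constructed sample: a tiny "module dump" named like the files in the thread,
# with a jmp-to-self (EB FE) sitting at file offset 6.
SAMPLE_DUMP_NAME = "dump-0x836be8000-0"
SAMPLE_DUMP = bytes.fromhex("4889e5c39090ebfe5dc3")

# x86/x86_64 encoding of "jmp $" (jump to itself), the instruction the post
# reports at 0x11e06 in libkernel.
JMP_SELF = b"\xeb\xfe"


def parse_dump_base(name: str) -> int:
    """Return the load base encoded in a dump file name (dump-0x<base>-<index>)."""
    m = re.fullmatch(r"dump-(0x[0-9a-fA-F]+)-(\d+)", name)
    if m is None:
        raise ValueError(f"unrecognised dump file name: {name}")
    return int(m.group(1), 16)


def find_jmp_self(data: bytes, base: int) -> list:
    """Return (file_offset, absolute_address) pairs for every EB FE in data.

    Overlapping matches are handled by resuming the search one byte after the
    previous hit. A hit can also be operand bytes of a longer instruction, so
    confirm each candidate in the disassembler before relying on it.
    """
    hits = []
    pos = data.find(JMP_SELF)
    while pos != -1:
        hits.append((pos, base + pos))
        pos = data.find(JMP_SELF, pos + 1)
    return hits


def to_file_offset(address: int, base: int) -> int:
    """Translate an absolute module address back to an offset in the dump file."""
    if address < base:
        raise ValueError("address lies below the module base")
    return address - base


if __name__ == "__main__":
    base = parse_dump_base(SAMPLE_DUMP_NAME)
    for offset, address in find_jmp_self(SAMPLE_DUMP, base):
        print(f"EB FE at file offset {offset:#x} -> module address {address:#x}")
```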
Re: PS4 1.76 Webkit ROP POC
@YoshiInAVoid, I fixed it by making my own ROP.
Otherwise, if you are calling mkdir with an invalid ptr it will crash.
The "exit" syscall doesn't work ... You should try something like getpid ...
Re: PS4 1.76 Webkit ROP POC
Has anyone tested whether this exploit works on a PS3?
Re: PS4 1.76 Webkit ROP POC
Hey. I have a PS4 on 1.76, how can I start? I mean, do I need to connect the PS4 to the Wi-Fi and my computer too? If so, how? What should I do? Can you help me step by step? Thx