
PS4 1.76 Webkit ROP POC

Underground PS4 discussions
Forum rules
Forum rule Nº 15 is strictly enforced in this subforum.
nas
Posts: 10
Joined: Thu Aug 14, 2014 6:35 am

PS4 1.76 Webkit ROP POC

Post by nas »

hi,
i finally got around to doing some cleanup and...
here you are: https://www.sendspace.com/file/mdunzp

this package contains:
  • ROP POC
  • Module Dumpers
  • helper script for creating rop chains
  • other stuff :P
thanks a lot to Proxima for helping me!
Belmondo
Posts: 102
Joined: Sat Jan 01, 2011 6:32 pm

Re: PS4 1.76 Webkit ROP POC

Post by Belmondo »

thanks nas! nice work mate! :)
josh_axey
Retired Mod
Posts: 266
Joined: Sun Oct 07, 2012 10:14 pm
Location: /dev/null
Contact:

Re: PS4 1.76 Webkit ROP POC

Post by josh_axey »

nas wrote:...
Always interested to see how other people are doing theirs.
Thanks for sharing nas and Proxima.
Catch me: on Twitter | on GitHub | Rambling
【・ヘ・?】0b00000101
yifanlu
Guru
Posts: 760
Joined: Sun Mar 11, 2012 6:42 am
Contact:

Re: PS4 1.76 Webkit ROP POC

Post by yifanlu »

That one WebKit bug is the gift that keeps on giving.
anhell28
Posts: 33
Joined: Mon Apr 16, 2012 2:07 am

Re: PS4 1.76 Webkit ROP POC

Post by anhell28 »

so i take it that this is a port of the vita webkit but for PS4.

is it safe to say i should NOT update my PS4's fw to 2.00 when it is released?

just looking forward to some cool homebrew and hacks for my psvita and PS4.
josh_axey
Retired Mod
Posts: 266
Joined: Sun Oct 07, 2012 10:14 pm
Location: /dev/null
Contact:

Re: PS4 1.76 Webkit ROP POC

Post by josh_axey »

anhell28 wrote:so i take it that this is a port of the vita webkit but for PS4.
I don't believe so, no. This was done in tandem, separately.

We're referring to the same bug in WebKit itself that is being used by different people in different ways.
Proxima
Guru
Posts: 47
Joined: Mon Jan 03, 2011 2:38 pm

Re: PS4 1.76 Webkit ROP POC

Post by Proxima »

The 64bit version is a bit different. It is the same heap corruption via the sort() bug, but from there it's different. On 32bit you can set the Uint32Array to 0x40000000 size and access any memory. On 64bit, you have to carefully change the base address since the 0x40000000 trick doesn't work for a 64bit address space.
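An added model of the arithmetic behind the post above; this is not code from nas's package and does not reproduce the sort() corruption itself. The simulated memory, the view object (only its base pointer and element count are modelled) and every address used are constructed stand-ins. It shows why a Uint32Array of length 0x40000000 at base 0 spans a whole 32-bit address space (0x40000000 * 4 == 2^32) but only 4 GiB of a 64-bit one, and what "change the base address" means in practice: rewrite the view's base to the page holding the target, then index relative to it.

```javascript
// Added example: a constructed model of the typed-array read primitive
// described in the thread, not the original exploit code.

// Sparse simulated memory: BigInt address -> 32-bit value, 4-byte aligned.
const mem = new Map();
function memWrite32(addr, value) { mem.set(addr & ~3n, value >>> 0); }
function memRead32(addr) {
  const v = mem.get(addr & ~3n);
  return v === undefined ? 0 : v;
}

// A "corrupted" Uint32Array view as the exploit would see it after the
// sort() heap corruption: only base pointer and element count matter here.
function makeView(base, length) {
  return { base: BigInt(base), length: BigInt(length) };
}

// Does an absolute address fall inside what this view can index?
function viewCovers(view, addr) {
  const a = BigInt(addr);
  return a >= view.base && a < view.base + view.length * 4n;
}

// Read through the view, as view[(addr - base) / 4] would in JS.
// Out-of-range access is the failure mode the 64-bit case runs into.
function viewRead32(view, addr) {
  if (!viewCovers(view, addr)) {
    throw new RangeError(`0x${BigInt(addr).toString(16)} is outside the view`);
  }
  const index = (BigInt(addr) - view.base) / 4n;
  return memRead32(view.base + index * 4n);
}

// The 64-bit approach from the post: move the view's base to the page that
// holds the target (page-aligned so nearby data stays reachable), then index.
function rebaseView(view, addr) {
  view.base = BigInt(addr) & ~0xfffn;
  return view;
}

// Can a length-0x40000000 view at base 0 reach the top of an address space
// of the given width?
function coversWholeSpace(bits) {
  const view = makeView(0, 0x40000000);
  const top = (1n << BigInt(bits)) - 4n;
  return viewCovers(view, top);
}

// Walk through both cases on constructed data.
function demo() {
  memWrite32(0x12345678n, 0xdeadbeef);          // some 32-bit address
  memWrite32(0x7ffffffff000n + 0x10n, 0xcafebabe); // a high 64-bit address

  // 32-bit: base 0, length 0x40000000 covers every 32-bit address.
  const v32 = makeView(0, 0x40000000);
  const r32 = viewRead32(v32, 0x12345678n);

  // 64-bit: same length only spans 4 GiB from base, so the high address fails...
  const v64 = makeView(0, 0x40000000);
  let failed = false;
  try { viewRead32(v64, 0x7ffffffff010n); } catch (e) { failed = e instanceof RangeError; }

  // ...until the base pointer is rewritten to the target's page.
  rebaseView(v64, 0x7ffffffff010n);
  const r64 = viewRead32(v64, 0x7ffffffff010n);

  return { r32, failed, r64 };
}
```

On a real target the base rewrite is itself a write into the corrupted object's metadata, so each 64-bit access costs one base update plus one indexed access; the model only shows the addressing side of that.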
ninjadudexp
Posts: 30
Joined: Sat Feb 08, 2014 8:42 am

Re: PS4 1.76 Webkit ROP POC

Post by ninjadudexp »

How does an average joe like me test this POC with the download files given?
josh_axey
Retired Mod
Posts: 266
Joined: Sun Oct 07, 2012 10:14 pm
Location: /dev/null
Contact:

Re: PS4 1.76 Webkit ROP POC

Post by josh_axey »

Proxima wrote:The 64bit version is a bit different. It is the same heap corruption via the sort() bug, but from there it's different. On 32bit you can set the Uint32Array to 0x40000000 size and access any memory. On 64bit, you have to carefully change the base address since the 0x40000000 trick doesn't work for a 64bit address space.
Yeah, I noticed that when having a look through. Nice, by the way.
anhell28
Posts: 33
Joined: Mon Apr 16, 2012 2:07 am

Re: PS4 1.76 Webkit ROP POC

Post by anhell28 »

thank you guys for all your work so far...keep it up.