
PS4 1.76 Webkit ROP POC

Berlin
Posts: 3
Joined: Sat Oct 25, 2014 10:43 pm

Re: PS4 1.76 Webkit ROP POC

Post by Berlin »

anhell28 wrote:I really do want the new features coming with fw 2.0 but I will most likely purchase another PS4 to keep 1 vulnerable and 1 legit for my online gaming.

I was thinking that the Xbox One would be hacked 1st and then a while later the PS4.....

glad I purchased a PS4 instead of an xb1 even though I always had an xbox360 in my home which I have jtag'd and flashed the drive with LT3.0 for online
I am aware of two different ways we can implement this exploit post-2.0. As for the 2.0 update, we should be able to get this working as is with some minor changes. There is another trick I am aware of that will allow people to implement this on any firmware version, but it is possible that will be fixed eventually as well. No need to buy another console just yet.
yifanlu
Guru
Posts: 760
Joined: Sun Mar 11, 2012 6:42 am
Contact:

Re: PS4 1.76 Webkit ROP POC

Post by yifanlu »

Berlin wrote:
HarmfulMushroom wrote:
D3NN15 wrote:Since this has been rumored to be patched in 2.0, should I update or should I wait or get another ps4 and keep it on 1.76 for a couple months while devs work on an exploit? If there are more vulnerabilities in 2.0> is it worth updating to?
It's not a rumor it's a fact; it will be patched at 2.00. And I'd say it's a safe assumption it's going to be longer than just a couple months before anything big is found, so your call on what you want to do.
I bet you $100 I can get this running on 2.0... I'd say it's fairly safe to update to be honest. Make of that what you will and update at your own risk, I'm 99% sure we will be able to port this to 2.0 one way or another.
Are you going to say webkit based apps?
Takezo
Posts: 14
Joined: Mon Oct 20, 2014 7:05 am

Re: PS4 1.76 Webkit ROP POC

Post by Takezo »

Congratulations and thanks to Proxima and Nas_plugi.
I can confirm it works!!! I am also totally astonished by your "make_rop.py" :shock: :D
Berlin
Posts: 3
Joined: Sat Oct 25, 2014 10:43 pm

Re: PS4 1.76 Webkit ROP POC

Post by Berlin »

yifanlu wrote:Are you going to say webkit based apps?

That's not what I have in mind, although it's a good guess I suppose. :lol:
I don't know if you can get this working on webkit based media apps (Netflix, etc.) as I haven't really looked into that too much. I don't believe you can for a couple of different reasons.

Using this webkit exploit on higher firmware will be slightly more difficult as you will have to employ several different methods to get access to a vulnerable webkit revision. Without revealing specifics, there are a couple of clever ways you can find to get this working sans the regular browser :D With that being said, I'd bet the farm that we get this to work on 2.0.
varinek
Posts: 4
Joined: Mon Oct 08, 2012 5:58 am

Re: PS4 1.76 Webkit ROP POC

Post by varinek »

Hello,

Please, can you help me with how to edit the source code so it works on my own server? The dump upload is not working for me. :roll: Thanks in advance
nas
Posts: 10
Joined: Thu Aug 14, 2014 6:35 am

Re: PS4 1.76 Webkit ROP POC

Post by nas »

Try xampp if you're having problems
varinek
Posts: 4
Joined: Mon Oct 08, 2012 5:58 am

Re: PS4 1.76 Webkit ROP POC

Post by varinek »

Thanks for the reply... The problem is that I don't have a PS4, but many users of my forum have a PS4 system, so I uploaded the files at http://ps3haxcz.com/ps4/. The webkit part proceeds correctly but the upload to the server fails.
Takezo
Posts: 14
Joined: Mon Oct 20, 2014 7:05 am

Re: PS4 1.76 Webkit ROP POC

Post by Takezo »

@varinek
dump-0x48f8c000-0
dump-0x48f8c000-1
dump-0x82f7e4000-0
dump-0x82f7e4000-1
dump-0x82f7e4000-2
dump-0x82f7e4000-3
Place these files into the last_dump directory and run python dir2bin.py

Because dumps are personal, you should tell your members:
1-Install uWAmp http://www.uwamp.com
2-Copy nas' poc into www
3-Open the PS4 browser at your local IP and let's go
...

@Nas I found some useful syscalls in libkernel
sys_exit = 0xDD50  # + libkernel_base
munmap   = 0xC0B0  # + libkernel_base
execve   = 0xBFF0  # + libkernel_base

But for example when I try to call sys_exit, I get a memory error

make_rop.py code:
sys_exit = 0xDD50  # + libkernel_base (offset from the list above)
func_1("libkernel_base", sys_exit, 0)  # func_1, print_rop and sp_takeover are make_rop.py helpers (not shown here)
print_rop()
sp_takeover()  # ?

javascript rop code:
setU64to(chain_addr + 0, wk_base + 1277117);        // first gadget of the chain, as emitted by make_rop.py
setU64to(chain_addr + 8, 0);                        // value that gadget consumes: the 0 handed to func_1 above
setU64to(chain_addr + 16, libkernel_base + 56656);  // 56656 == 0xDD50, i.e. sys_exit from the list above
// point a return address of the stack to our chain
setU64to(stack_base + return_va + 8, chain_addr);   // slot after the pivot: the new stack pointer
setU64to(stack_base + return_va, wk_base + 392117); // pivot gadget that redirects execution into chain_addr
varinek
Posts: 4
Joined: Mon Oct 08, 2012 5:58 am

Re: PS4 1.76 Webkit ROP POC

Post by varinek »

thank you. I'll try it
Karl69
Posts: 1
Joined: Tue Oct 28, 2014 8:12 pm

Re: PS4 1.76 Webkit ROP POC

Post by Karl69 »

hi all,

I used Varinek's links and downloaded the dumps from there.
The dumps had to be processed, as leading zeroes were missing and the order of the bytes had to be swapped.
I'd like to share the resulting binaries with you guys.

cheers

karl
Attachments
dump_binaries.rar
(18.63 KiB) Downloaded 461 times
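One way to do the normalisation Karl69 describes (restore the missing leading zeros, swap the byte order), as an added Python example that is not the thread's dir2bin.py; the one-word-per-line input format, the 64-bit word width and the sample dump are assumptions.

```python
"""Turn a text memory dump into a raw binary.

Added example, not the thread's dir2bin.py. Constructed input format
(an assumption): one 64-bit word per line, written the way a JavaScript
dumper using Number.toString(16) prints it, so leading zeros are missing
and each word is the value of a little-endian read rather than the byte
sequence in memory. Restoring the width and reversing the byte order is
one operation: fixed-width little-endian encoding of the parsed value.
"""
import re

WORD_BYTES = 8                      # 64-bit words (assumption)
HEX_WORD = re.compile(r"^(?:0x)?([0-9a-f]+)$")


def parse_word(line: str) -> int:
    """Parse one dump line; reject anything that is not a hex word."""
    m = HEX_WORD.match(line.strip().lower())
    if not m:
        raise ValueError(f"not a hex word: {line!r}")
    if len(m.group(1)) > WORD_BYTES * 2:
        raise ValueError(f"wider than {WORD_BYTES} bytes: {line!r}")
    return int(m.group(1), 16)


def dump_to_bytes(lines) -> bytes:
    """Normalised binary: every word padded to WORD_BYTES, bytes swapped."""
    out = bytearray()
    for line in lines:
        if line.strip():            # skip blank lines between chunks
            out += parse_word(line).to_bytes(WORD_BYTES, "little")
    return bytes(out)


def naive_concat(lines) -> bytes:
    """What goes wrong without normalisation: joining the raw hex text keeps
    the missing zeros missing, so the output is too short and misaligned."""
    tokens = [l.strip().lower().removeprefix("0x") for l in lines if l.strip()]
    return bytes.fromhex("".join(tokens))


# Constructed sample: three words as such a dumper would print them.
SAMPLE_DUMP = ["c3", "0x48f8c000", "", "7fff0000dd50"]

if __name__ == "__main__":
    good = dump_to_bytes(SAMPLE_DUMP)
    print(len(good), "bytes:", good.hex(" "))
    print(len(naive_concat(SAMPLE_DUMP)), "bytes from the naive join")
```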