
PS4 1.76 Webkit ROP POC

esperas
Posts: 3
Joined: Thu Oct 30, 2014 5:28 pm

Re: PS4 1.76 Webkit ROP POC

Post by esperas »

I tried this WebKit on my PS4. I click on 1, it successfully uploads, but nothing happens? Nothing changes....
YoshiInAVoid
Posts: 8
Joined: Thu Feb 20, 2014 1:23 pm

Re: PS4 1.76 Webkit ROP POC

Post by YoshiInAVoid »

I have two files from the ROP POC dump: dump-0x836be8000-0 (31KB), and dump-0x836be8000-1 (9KB).

How can I load these into IDA Pro? I know that the processor type should be x86_64, but I'm not sure what it is called in IDA. Here is the list of supported processor types: https://www.hex-rays.com/products/ida/s ... /618.shtml. Which one do I use?
Takezo
Posts: 14
Joined: Mon Oct 20, 2014 7:05 am

Re: PS4 1.76 Webkit ROP POC

Post by Takezo »

Drag and drop your file into IDA Pro 64-bit.
Choose metapc.
If you have an old version of IDA Pro, you have to hit "c" to make code...
Or load this script:
http://pastebin.com/zbwMpV86
YoshiInAVoid
Posts: 8
Joined: Thu Feb 20, 2014 1:23 pm

Re: PS4 1.76 Webkit ROP POC

Post by YoshiInAVoid »

OK, I've dumped all modules, and identified these 4 as the most interesting ones:

1: libKernel
2: libC
14: webKit2
18: libSystemService

The offsets of my libKernel functions match the ones that you posted here:

viewtopic.php?f=63&t=40349&start=20#p368996

But, like you, whenever I try to call any kind of function (with any amount of arguments) I always get the error of there being "not enough free system memory" on the PS4.

The ROP chain that came with the package does cause my PS4 to hang as intended, and I can correctly locate the infinite loop in my dump:
[Image: hang.png]
So I am definitely translating the address correctly.

So I believe the problem to be due to trying to call functions from a different module. Has anyone successfully called any libc or libkernel functions which can do anything significant, like mkdir or exit?
YoshiInAVoid
Posts: 8
Joined: Thu Feb 20, 2014 1:23 pm

Re: PS4 1.76 Webkit ROP POC

Post by YoshiInAVoid »

After further inspection, it turns out that the code being in a different module isn't the problem because I searched for an infinite loop in module 1 (libkernel), found one at 0x11e06 (instruction 0xfeeb), and it causes my system to freeze just like using the infinite loop from the webkit module.

EDIT: After more tests I have found that any retn instructions and infinite loops will work, but anything that modifies the stack like push or pop will cause a segfault, which is what causes the memory error to be displayed. This could be caused by a garbage collector, a stack canary, or something else; I have no idea at the moment.
Takezo
Posts: 14
Joined: Mon Oct 20, 2014 7:05 am

Re: PS4 1.76 Webkit ROP POC

Post by Takezo »

@YoshiInAVoid, I fixed it by making my own ROP.
Otherwise, if you are calling mkdir with an invalid ptr it will crash.
The "Exit" syscall doesn't work... You should try something like getpid...
PlayMaker
Posts: 1
Joined: Sat May 23, 2015 11:01 pm

Re: PS4 1.76 Webkit ROP POC

Post by PlayMaker »

Has anyone tested whether this exploit works on a PS3?
Orgad1992
Posts: 13
Joined: Fri Mar 04, 2016 7:45 pm

Re: PS4 1.76 Webkit ROP POC

Post by Orgad1992 »

Hey. I have a PS4 on 1.76, how can I start? I mean, do I need to connect the PS4 to the Wi-Fi and my computer too? If so, how? What should I do? Can you help me step by step? Thanks