PS4 1.76 Webkit ROP POC
Re: PS4 1.76 Webkit ROP POC
Interesting, it's working for you.
Re: PS4 1.76 Webkit ROP POC
@Nas could you make comments after your gadgets please (pop ...)?
Which calling convention did you use?
Because it seems that x86_64 uses registers for arguments...
Re: PS4 1.76 Webkit ROP POC
Hi everyone, actually I'm just new to this kind of exploit or hack for PS4 and I never had any experience in PS3 hack or jailbreak because I don't own a PS3, but I got interested in PS4, so I just thought maybe someday in the future it will be hacked and, PlayStation fan, I just wanna ask sir, if someone shares with me please.... what is the purpose of this webkit dump for PS4? And what will happen? Is it safe? Because I just don't wanna lose my PS4, it's hard to buy... but I just wanna try it... and maybe I get related to the topic and share my experience. Thank you guys...
Re: PS4 1.76 Webkit ROP POC
My PS4 is v1.76 and I will not update until there's a new exploit for 2.00, please help me guys....
Re: PS4 1.76 Webkit ROP POC
Takezo wrote: @Nas I found some useful syscalls in libkernel
sys_exit = 0xDD50 # + libkernel_base
munmap = 0xC0B0 # + libkernel_base
execve = 0xBFF0 # + libkernel_base
How did you find those syscall addresses? Did you dump "libkernel" using this method?
Re: PS4 1.76 Webkit ROP POC
Yes, I found it with IDA Pro in my libkernel dump.
ioctl = 0xBF70
getlogin = 0xBF10
fstat = 0xBDD0
fork = 0xB9D0
write = 0xBA10
open = 0xBA30
close = 0xBA50
wait4 = 0xBA70
chroot = 0xC030
mmap = 0xC090
mprotect = 0xC0D0
...
I replaced <body> in ps4.php by
<body onload="btnClick()"> (dump onload)
ps4_rop2.html
makeDumpLink(libkernel_base, chunk, 3, "libkernel_base"); // dump libkernel
makeDumpLink(wk_base+0xB39D7, chunk, 341, "wk_base_offB39D7"); // dump webkit at offset 0xB39D7 (result = dump.bin, 37.2 MB)

// Adds a dump link to the page log; logAdd() and the ps4.php endpoint are defined elsewhere in the POC.
// offset: start address, sizeDump: bytes per chunk, nbSeg: number of chunks, nameModule: label shown in the link.
function makeDumpLink(offset, sizeDump, nbSeg, nameModule)
{
    logAdd("<h2><a href='ps4.php?base=0x" + offset.toString(16) + "&chunk=0x" + sizeDump.toString(16) + "&cnt=0x" + nbSeg.toString(16) + "'>" + nameModule + " " + nbSeg.toString(10) + "</a></h2>");
}
nas gadget_arg:
#pop rdi ret
#pop rsi ret
#call why ???
#pop rcx ret
#pop r8 ret
#pop r9 ret
Re: PS4 1.76 Webkit ROP POC
Debug settings in retail PS4 by skfu, but we can't use it.
Re: PS4 1.76 Webkit ROP POC
Things are getting very interesting for PS4.
Re: PS4 1.76 Webkit ROP POC
abcdf wrote: debug settings in retail PS4 by skfu, but we can't use it
An empty screen. Impressive.
Re: PS4 1.76 Webkit ROP POC
Takezo wrote: @Nas could you make comments after your gadgets please (pop ...)?
Which calling convention did you use?
Because it seems that x86_64 uses registers for arguments...
Calling convention is the "System V AMD64 ABI" (see http://en.wikipedia.org/wiki/X86_callin ... onventions).
"pop r** ; ret" for arguments 1-6, stack for 7 and on.