
PS4 1.76 Webkit ROP POC

Berlin
Posts: 3
Joined: Sat Oct 25, 2014 10:43 pm

Re: PS4 1.76 Webkit ROP POC

Post by Berlin » Sat Oct 25, 2014 11:36 pm

anhell28 wrote: I really do want the new features coming with FW 2.0, but I will most likely purchase another PS4 to keep one vulnerable and one legit for my online gaming.

I was thinking that the Xbox One would be hacked first and then a while later the PS4.....

Glad I purchased a PS4 instead of an XB1, even though I always had an Xbox 360 in my home, which I have JTAG'd and flashed the drive with LT3.0 for online.

I am aware of two different ways we can implement this exploit post-2.0. As for the 2.0 update, we should be able to get this working as is with some minor changes. There is another trick I am aware of that will allow people to implement this on any firmware version, but it is possible that will be fixed eventually as well. No need to buy another console just yet.

yifanlu
Guru
Posts: 760
Joined: Sun Mar 11, 2012 6:42 am

Re: PS4 1.76 Webkit ROP POC

Post by yifanlu » Sun Oct 26, 2014 2:00 am

D3NN15 wrote: Since this has been rumored to be patched in 2.0, should I update, or should I wait or get another PS4 and keep it on 1.76 for a couple of months while devs work on an exploit? If there are more vulnerabilities in 2.0>, is it worth updating to?

HarmfulMushroom wrote: It's not a rumor, it's a fact; it will be patched at 2.00. And I'd say it's a safe assumption it's going to be longer than just a couple of months before anything big is found, so your call on what you want to do.

Berlin wrote: I bet you $100 I can get this running on 2.0... I'd say it's fairly safe to update, to be honest. Make of that what you will and update at your own risk; I'm 99% sure we will be able to port this to 2.0 one way or another.

Are you going to say webkit-based apps?

Takezo
Posts: 14
Joined: Mon Oct 20, 2014 7:05 am

Re: PS4 1.76 Webkit ROP POC

Post by Takezo » Sun Oct 26, 2014 12:45 pm

Congratulations and thanks to Proxima and Nas_plugi.
I can confirm it works!!! I am also totally astonished by your "make_rop.py" :shock: :D

Berlin
Posts: 3
Joined: Sat Oct 25, 2014 10:43 pm

Re: PS4 1.76 Webkit ROP POC

Post by Berlin » Sun Oct 26, 2014 4:19 pm

yifanlu wrote: Are you going to say webkit-based apps?

That's not what I have in mind, although it's a good guess, I suppose. :lol:
I don't know if you can get this working on webkit-based media apps (Netflix, etc.), as I haven't really looked into that too much. I don't believe you can, for a couple of different reasons.

Using this webkit exploit on higher firmware will be slightly more difficult, as you will have to employ several different methods to get access to a vulnerable webkit revision. Without revealing specifics, there are a couple of clever ways you can find to get this working sans the regular browser :D With that being said, I'd bet the farm that we get this to work on 2.0.

varinek
Posts: 4
Joined: Mon Oct 08, 2012 5:58 am

Re: PS4 1.76 Webkit ROP POC

Post by varinek » Mon Oct 27, 2014 5:20 pm

Hello,

Please can you help me with how to edit the source code so it works on my own server... the dump upload is not working for me. :roll: Thanks in advance.

nas
Posts: 10
Joined: Thu Aug 14, 2014 6:35 am

Re: PS4 1.76 Webkit ROP POC

Post by nas » Mon Oct 27, 2014 8:42 pm

Try XAMPP if you're having problems.

varinek
Posts: 4
Joined: Mon Oct 08, 2012 5:58 am

Re: PS4 1.76 Webkit ROP POC

Post by varinek » Mon Oct 27, 2014 9:43 pm

Thanks for the reply... The problem is that I don't have a PS4, but many users of my forum have a PS4 system, so I uploaded the files at http://ps3haxcz.com/ps4/. The webkit part proceeds correctly, but the upload to the server fails.

Takezo
Posts: 14
Joined: Mon Oct 20, 2014 7:05 am

Re: PS4 1.76 Webkit ROP POC

Post by Takezo » Tue Oct 28, 2014 9:21 am

@varinek
dump-0x48f8c000-0
dump-0x48f8c000-1
dump-0x82f7e4000-0
dump-0x82f7e4000-1
dump-0x82f7e4000-2
dump-0x82f7e4000-3
Place these files into the last_dump directory and run python dir2bin.py.

Because dumps are personal, you should tell your members:
1- Install uWAmp http://www.uwamp.com
2- Copy nas's POC into www
3- Open the local IP in the PS4 browser, and off you go
...

@Nas I found some useful syscalls in libkernel:
sys_exit = 0xDD50 # + libkernel_base
munmap = 0xC0B0 # + libkernel_base
execve = 0xBFF0 # + libkernel_base

But, for example, when I try to call sys_exit, I get a memory error.

make_rop.py code:

```python
sys_exit = 0xDD50 # + libkernel_base
func_1("libkernel_base",sys_exit,  0)
print_rop()
sp_takeover()# ?
```

javascript rop code:

```javascript
setU64to(chain_addr + 0, wk_base + 1277117);
setU64to(chain_addr + 8, 0);
setU64to(chain_addr + 16, libkernel_base + 56656);
// point a return address of the stack to our chain
setU64to(stack_base + return_va + 8, chain_addr);
setU64to(stack_base + return_va, wk_base + 392117);
```

varinek
Posts: 4
Joined: Mon Oct 08, 2012 5:58 am

Re: PS4 1.76 Webkit ROP POC

Post by varinek » Tue Oct 28, 2014 10:05 am

Thank you. I'll try it.

Karl69
Posts: 1
Joined: Tue Oct 28, 2014 8:12 pm

Re: PS4 1.76 Webkit ROP POC

Post by Karl69 » Tue Oct 28, 2014 8:22 pm

Hi all,

I used varinek's links and downloaded the dumps from there.
The dumps had to be processed, as leading zeroes were missing and the order of the bytes had to be swapped.
I'd like to share the resulting binaries with you guys.

Cheers

Karl

Attachment: dump_binaries.rar (18.63 KiB)
