
Re: PS4 1.76 Webkit ROP POC

Posted: Wed Oct 29, 2014 8:09 pm
by varinek
Interesting, it's working for you :D

Re: PS4 1.76 Webkit ROP POC

Posted: Thu Oct 30, 2014 10:22 am
by Takezo
@Nas, could you add comments after your gadgets please (pop ...)?
Which calling convention did you use?
Because it seems that x86_64 uses registers for arguments...

Re: PS4 1.76 Webkit ROP POC

Posted: Thu Oct 30, 2014 5:43 pm
by esperas
Hi everyone, actually I'm just new to this kind of exploit or hack for PS4 and I never had any experience in PS3 hack or jailbreak because I don't own a PS3, but I got interested in PS4, so I just thought maybe someday in the future it will be hacked. As a PlayStation fan I just want to ask, sir, if someone can share with me please.... what is the purpose of this webkit dump for PS4? And what will happen? Is it safe? Because I just don't want to lose my PS4, it's hard to buy... but I just want to try it... and maybe I get related to the topic and share my experience. Thank you guys...

Re: PS4 1.76 Webkit ROP POC

Posted: Thu Oct 30, 2014 5:46 pm
by esperas
My PS4 is v1.76, I will not update until there's a new exploit for 2.00. Please help me guys....

Re: PS4 1.76 Webkit ROP POC

Posted: Fri Oct 31, 2014 1:39 am
by unknown v2
Takezo wrote: @Nas I found some useful syscalls in libkernel
sys_exit = 0xDD50 # + libkernel_base
munmap = 0xC0B0 # + libkernel_base
execve = 0xBFF0 # + libkernel_base
How did you find those syscall addresses? Did you dump "libkernel" using this method?

Re: PS4 1.76 Webkit ROP POC

Posted: Fri Oct 31, 2014 7:44 am
by Takezo
Yes, I found them with IDA Pro in my libkernel dump.

Code:

ioctl = 0xBF70 
getlogin = 0xBF10 
fstat = 0xBDD0
fork = 0xB9D0
write = 0xBA10
open = 0xBA30
close = 0xBA50
wait4 = 0xBA70
chroot = 0xC030
mmap = 0xC090
mprotect = 0xC0D0
...

Code:

I replaced <body> in ps4.php by 
<body onload="btnClick()"> (dump onload)

Code:

ps4_rop2.html

makeDumpLink(libkernel_base, chunk, 3, "libkernel_base"); // dump libkernel
makeDumpLink(wk_base+0xB39D7, chunk, 341, "wk_base_offB39D7"); // dump webkit at offset 0xB39D7 (result: dump.bin, 37.2 MB)

// Build a link to ps4.php that dumps nbSeg chunks of sizeDump bytes starting at offset
function makeDumpLink(offset, sizeDump, nbSeg, nameModule)
{
    logAdd("<h2><a href='ps4.php?base=0x" + offset.toString(16) + "&chunk=0x" + sizeDump.toString(16) + "&cnt=0x" + nbSeg.toString(16) + "'>" + nameModule + " " + nbSeg.toString(10) + "</a></h2>");
}

Code:

nas gadget_arg:
# pop rdi ; ret
# pop rsi ; ret
# call why ???
# pop rcx ; ret
# pop r8 ; ret
# pop r9 ; ret

Re: PS4 1.76 Webkit ROP POC

Posted: Fri Oct 31, 2014 3:29 pm
by abcdf
Debug settings in retail PS4 by skfu, but we can't use it :(

Image

Re: PS4 1.76 Webkit ROP POC

Posted: Fri Oct 31, 2014 3:47 pm
by anhell28
Things are getting very interesting for PS4.

Re: PS4 1.76 Webkit ROP POC

Posted: Fri Oct 31, 2014 7:12 pm
by yifanlu
abcdf wrote: Debug settings in retail PS4 by skfu, but we can't use it :(
An empty screen. Impressive.

Re: PS4 1.76 Webkit ROP POC

Posted: Sat Nov 01, 2014 11:27 am
by nas
Takezo wrote: @Nas, could you add comments after your gadgets please (pop ...)?
Which calling convention did you use?
Because it seems that x86_64 uses registers for arguments...
The calling convention is "System V AMD64 ABI" (see http://en.wikipedia.org/wiki/X86_callin ... onventions).
"pop r** ; ret" for arguments 1-6, stack for 7 and on.