
PS4 1.76 Webkit ROP POC

esperas
Posts: 3
Joined: Thu Oct 30, 2014 5:28 pm

Re: PS4 1.76 Webkit ROP POC

Post by esperas » Thu Nov 06, 2014 5:51 am

I tried this webkit on my PS4. I click on 1, it's successfully uploaded, but nothing happens? Nothing changes....

YoshiInAVoid
Posts: 8
Joined: Thu Feb 20, 2014 1:23 pm

Re: PS4 1.76 Webkit ROP POC

Post by YoshiInAVoid » Tue Apr 07, 2015 9:51 am

I have two files from the ROP POC dump: dump-0x836be8000-0 (31KB), and dump-0x836be8000-1 (9KB).

How can I load these into IDA Pro? I know that the processor type should be x86_64, but I'm not sure what it is called in IDA. Here is a list of the supported processor types: https://www.hex-rays.com/products/ida/s ... /618.shtml Which one do I use?

Takezo
Posts: 14
Joined: Mon Oct 20, 2014 7:05 am

Re: PS4 1.76 Webkit ROP POC

Post by Takezo » Tue Apr 07, 2015 11:29 am

Drag and drop your file into IDA Pro 64-bit.
Choose metapc.
If you have an old version of IDA Pro, you have to hit "c" to make code...
Or load this script:
http://pastebin.com/zbwMpV86

YoshiInAVoid
Posts: 8
Joined: Thu Feb 20, 2014 1:23 pm

Re: PS4 1.76 Webkit ROP POC

Post by YoshiInAVoid » Fri May 29, 2015 11:38 am

OK, I've dumped all modules, and identified these 4 as the most interesting ones:

1: libKernel
2: libC
14: webKit2
18: libSystemService

The offsets of my libKernel functions match the ones that you posted here:

viewtopic.php?f=63&t=40349&start=20#p368996

But, like you, whenever I try to call any kind of function (with any amount of arguments) I always get the error of there being "not enough free system memory" on the PS4.

The ROP chain that came with the package does cause my PS4 to hang as intended, and I can correctly locate the infinite loop in my dump:
(attachment: hang.png)
So I am definitely translating the address correctly.

So I believe the problem to be due to trying to call functions from a different module. Has anyone successfully called any libc or libkernel functions which can do anything significant, like mkdir or exit?

YoshiInAVoid
Posts: 8
Joined: Thu Feb 20, 2014 1:23 pm

Re: PS4 1.76 Webkit ROP POC

Post by YoshiInAVoid » Tue Jun 02, 2015 1:50 pm

After further inspection, it turns out that the code being in a different module isn't the problem because I searched for an infinite loop in module 1 (libkernel), found one at 0x11e06 (instruction 0xfeeb), and it causes my system to freeze just like using the infinite loop from the webkit module.

EDIT: After more tests I have found that any retn instructions and infinite loops will work, but anything that modifies the stack like push or pop will cause a segfault, which is what causes the memory error to be displayed. This could be caused by a garbage collector, a stack canary, or something else; I have no idea at the moment.

Takezo
Posts: 14
Joined: Mon Oct 20, 2014 7:05 am

Re: PS4 1.76 Webkit ROP POC

Post by Takezo » Mon Jun 08, 2015 7:15 am

@YoshiInAVoid, I fixed it by making my own ROP.
Otherwise, if you are calling mkdir with an invalid ptr it will crash.
The "exit" syscall doesn't work... You should try something like getpid...

PlayMaker
Posts: 1
Joined: Sat May 23, 2015 11:01 pm

Re: PS4 1.76 Webkit ROP POC

Post by PlayMaker » Fri Sep 25, 2015 7:10 pm

Has anyone tested if this exploit works on a PS3?

Orgad1992
Posts: 13
Joined: Fri Mar 04, 2016 7:45 pm

Re: PS4 1.76 Webkit ROP POC

Post by Orgad1992 » Sat Mar 05, 2016 3:56 pm

Hey. Had PS4 1.76, how can I start? I mean, do I need to connect the PS4 to the wifi and my computer too? If I can, how? What should I do? Can you help me step by step? Thx
