[HELP] Porting PS4 playground to older firmware

Sethpaien
Posts: 10
Joined: Fri Jun 12, 2015 10:52 am

[HELP] Porting PS4 playground to older firmware

Post by Sethpaien »

Hi,
I'm trying to port PS4 playground to an older firmware, but I'm stuck ;).

I'm not confident about so many things that it's difficult for me to go further, so I'm asking for help.
What I'm pretty sure of is that there isn't ASLR used in my firmware version.
So far I've been able to get module_list and get some gadgets (I've only searched for those involved in making a syscall for now).

Can anyone explain to me how to get return_va and stack_base?
For stack_base I've found a pointer like what's done for 1.76, but when I subtract 0x4000 from it,
I seem to land nowhere (but in the stack, it seems).

I also don't fully understand how ROP execution is triggered; in rop.execute() we change rsp to our chain address, but why is it executed?

Thank you for any clarification.
Sethpaien
Posts: 10
Joined: Fri Jun 12, 2015 10:52 am

Re: [HELP] Porting PS4 playground to older firmware

Post by Sethpaien »

Hi,
3 months later, I'm still stuck :cry:
If anyone wants to help, I'm trying to make it work on 1.52.
Offsets which have to be changed in exploit.js are:

xx = (getU64from(xx+0x20)-0x30bf0); => xx = (getU64from(xx+0x20)-0x30e10);
var libc_int_base = getU64from(xx+0x1628); => var libc_int_base = 0x80005C000; // There isn't ASLR
var module_list = xx + 0xae0 + 0x690; => var module_list = 0x80003Dc20;
xx = getU64from(xx+0x1468); => xx = 0x800000000; // libkernel base
xx = getU64from(xx+0x5B278); //1.76 webprocess stack => xx = getU64from(xx+0x5A980);

Here are the gadgets that I have searched for to be able to use getpid():

var gadgets = {
    "pop rbp": new gadget([0x5d], LIBKERNEL, 0x652),
    "pop rax": new gadget([0x58], LIBKERNEL, 0x2ce3c),
    "pop rcx": new gadget([0x59], WEBKIT2, 0x3d629),
    "pop rdx": new gadget([0x5a, 0xff, 0xc5], WEBKIT2, 0x185cf6),
    "pop rsi": new gadget([0x5e], WEBKIT2, 0x2a3925),
    "pop rdi": new gadget([0x5f], WEBKIT2, 0x1a7fcb),
    "pop r8": new gadget([0x41, 0x58], WEBKIT2, 0xb82cd),
    "pop r9": new gadget([0x43, 0x59], WEBKIT2, 0x3bef4f),
    "pop rsp": new gadget([0xf3, 0x5c], WEBKIT2, 0x5fb25),
    "mov r10, rcx; syscall": new gadget([0x49, 0x89, 0xca, 0x0f, 0x05], LIBKERNEL, 0x457),
    "mov [rsi+0x18], rax": new gadget([0x48, 0x89, 0x46, 0x18], WEBKIT2, 0x46ec5)
}

If anyone on 1.76 could make a dump from stack_base so that I can see what it looks like around stack_base + 0x2b38 (return_va),
I would be very grateful.
HarmfulMushroom
Posts: 752
Joined: Wed Dec 25, 2013 10:02 pm

Re: [HELP] Porting PS4 playground to older firmware

Post by HarmfulMushroom »

You may want to see if you can reach out to CTurt himself; you might have better luck that way. I don't know if he is responsive to people on Twitter, but it certainly couldn't hurt. Especially since it seems like you're doing a lot of work on your own.

That's all I can help with, that's way out of my league.
Sethpaien
Posts: 10
Joined: Fri Jun 12, 2015 10:52 am

Re: [HELP] Porting PS4 playground to older firmware

Post by Sethpaien »

Thank you for taking the time to reply; I feel less lonely.
I've sent an email to CTurt, no reply as of now ;)
Still stuck at the very same place.
I can't believe that no one on 1.76 would like to help :cry:,
even anyone that doesn't know anything about programming could give me information to know if I'm on the right track.
I've also tried to use Fire30's 3.55 on 1.52, but that's worse: no corrupted element at the very first stage.