
PS4 1.76 Webkit ROP POC

varinek
Posts: 4
Joined: Mon Oct 08, 2012 5:58 am

Re: PS4 1.76 Webkit ROP POC

Post by varinek »

Interesting, it's working for you :D
Takezo
Posts: 14
Joined: Mon Oct 20, 2014 7:05 am

Re: PS4 1.76 Webkit ROP POC

Post by Takezo »

@Nas could you make comments after your gadgets please (pop ...)?
Which calling convention did you use?
Because it seems that x86_64 uses registers for arguments...
esperas
Posts: 3
Joined: Thu Oct 30, 2014 5:28 pm

Re: PS4 1.76 Webkit ROP POC

Post by esperas »

Hi everyone, actually I'm just new to this kind of exploit or hack for PS4, and I never had any experience with PS3 hacks or jailbreaks because I don't own a PS3, but I got interested in PS4 so I just thought maybe someday in the future it will be hacked. As a PlayStation fan I just wanna ask, sir, if someone could share with me please.... what is the purpose of this WebKit dump for PS4? And what will happen? Is it safe? Because I just don't wanna lose my PS4, it's hard to buy... but I just wanna try it... and maybe I can relate to the topic and share my experience. Thank you guys...
esperas
Posts: 3
Joined: Thu Oct 30, 2014 5:28 pm

Re: PS4 1.76 Webkit ROP POC

Post by esperas »

My PS4 is v1.76; I will not update until there's a new exploit for 2.00. Please help me guys....
unknown v2
Posts: 2
Joined: Thu Oct 30, 2014 9:48 pm

Re: PS4 1.76 Webkit ROP POC

Post by unknown v2 »

Takezo wrote: @Nas I found some useful syscalls in libkernel
sys_exit = 0xDD50 # + libkernel_base
munmap = 0xC0B0 # + libkernel_base
execve = 0xBFF0 # + libkernel_base
How did you find those syscall addresses? Did you dump "libkernel" using this method?
Takezo
Posts: 14
Joined: Mon Oct 20, 2014 7:05 am

Re: PS4 1.76 Webkit ROP POC

Post by Takezo »

Yes, I found it with IDA Pro in my libkernel dump.

Code:

ioctl = 0xBF70 
getlogin = 0xBF10 
fstat = 0xBDD0
fork = 0xB9D0
write = 0xBA10
open = 0xBA30
close = 0xBA50
wait4 = 0xBA70
chroot = 0xC030
mmap = 0xC090
mprotect = 0xC0D0
...

I replaced <body> in ps4.php by:

Code:

<body onload="btnClick()"> (dump onload)

Code:

ps4_rop2.html

makeDumpLink(libkernel_base, chunk, 3, "libkernel_base"); // dump libkernel
makeDumpLink(wk_base+0xB39D7, chunk, 341, "wk_base_offB39D7"); // dump webkit at offset 0xB39D7 (result = dump.bin 37.2 MB)

// Emit a link to ps4.php that dumps nbSeg chunks of sizeDump bytes starting at offset
function makeDumpLink(offset, sizeDump, nbSeg, nameModule)
{
    logAdd("<h2><a href='ps4.php?base=0x" + offset.toString(16) + "&chunk=0x" + sizeDump.toString(16) + "&cnt=0x" + nbSeg.toString(16) + "'>" + nameModule + " " + nbSeg.toString(10) + "</a></h2>");
}

Code:

nas gadget_arg:
#pop rdi ret
#pop rsi ret
#call why ???
#pop rcx ret
#pop r8  ret
#pop r9  ret
abcdf
Posts: 2
Joined: Fri Oct 31, 2014 3:26 pm

Re: PS4 1.76 Webkit ROP POC

Post by abcdf »

Debug settings in retail PS4 by skfu, but we can't use it :(

anhell28
Posts: 33
Joined: Mon Apr 16, 2012 2:07 am

Re: PS4 1.76 Webkit ROP POC

Post by anhell28 »

Things are getting very interesting for PS4.
yifanlu
Guru
Posts: 760
Joined: Sun Mar 11, 2012 6:42 am

Re: PS4 1.76 Webkit ROP POC

Post by yifanlu »

abcdf wrote: Debug settings in retail PS4 by skfu, but we can't use it :(
An empty screen. Impressive.
nas
Posts: 10
Joined: Thu Aug 14, 2014 6:35 am

Re: PS4 1.76 Webkit ROP POC

Post by nas »

Takezo wrote: @Nas could you make comments after your gadgets please (pop ...)?
Which calling convention did you use?
Because it seems that x86_64 uses registers for arguments...
The calling convention is "System V AMD64 ABI" (see http://en.wikipedia.org/wiki/X86_callin ... onventions).
"pop r** ; ret" for arguments 1-6, the stack for 7 and on.