
PS3Xploit /localhost/ PoC Exploit Crash [Just A Teaser]

Discussion in 'Ps3Xploit [Official Forum]' started by esc0rtd3w, Apr 15, 2018.

  1. esc0rtd3w (Developer)
    Well, the team has been wondering for a while if it was possible to use the current exploits with a native app to run locally... and the day has come! :D

    I believe this was also mentioned by @kozarovv IIRC.

    This is purely a demonstration of one of the used exploits running locally and crashing the PS3!

    While this is a nice step forward, there is still much work to be done, as this ONLY proves that we can crash the console... just like last year when we had tests available to the public.

    Here are just some screenshots of the PS3 app and the COBRA output using socat.

    We tested this with the NPEB01229 YouTube app, but this can probably be used with other apps that use the offline.html file.

    Last edited: Apr 15, 2018
  2. pink1 (Moderator, Developer)
    Great work guy! Excited to see where this leads.
     
  3. bajul (Forum Noob)
    Many thanks to the dev team.
     
    esc0rtd3w and kozarovv like this.
  4. luisms (Forum Noob)
    Always with news, don't you sleep? Thanks!!!!!
     
    esc0rtd3w likes this.
  5. Niander466 (Forum Noob)
    Congratulations, great work.
     
    esc0rtd3w likes this.
  6. SurvivalInstinct (Member)
    You're doing great again, thank you.
     
    esc0rtd3w likes this.
  7. Agoni212 (Member)
    Thanks as always, great work mate.
     
    esc0rtd3w likes this.
  8. mr_ota (Member)
    Awesome!!!!
     
    esc0rtd3w likes this.
  9. ram. (Member)
    Great work!
     
    esc0rtd3w likes this.
  10. Yasich217 (Forum Noob)
    In the offline.html file, sites can only be opened via https, and only from the whitelist, which is located in the EBOOT.BIN. How can I open any other site on OFW?
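As an added example (not code from this thread, from the PS3Xploit team or from the YouTube app), the following Python script shows what a navigation policy like the one described above, "https only, and only hosts on an allow-list", looks like when written down and run over a page: it collects every URL an offline.html could send the browser to (meta refresh, links, iframes, scripts, forms) and reports which ones such a policy would accept. The allow-list hosts, the sample offline.html, and the rule that relative references count as local files are all assumptions made for the example; the app's real allow-list lives in its EBOOT.BIN and is not reproduced here.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for the allow-list the app keeps in its EBOOT.BIN
# (assumption: the real list is not reproduced here).
ALLOWED_HOSTS = {"www.youtube.com", "m.youtube.com"}

# Accepts both "0; http://host/" and "0;url=http://host/" refresh syntaxes.
_REFRESH_RE = re.compile(r"^\s*\d+\s*;\s*(?:url\s*=\s*)?['\"]?([^'\"\s]+)", re.I)


def parse_refresh(content):
    """Return the URL inside a <meta http-equiv=refresh> content value, or None."""
    m = _REFRESH_RE.match(content or "")
    return m.group(1) if m else None


class NavigationTargets(HTMLParser):
    """Collect every place a page can hand the browser a new URL."""

    ATTRS = {"a": "href", "iframe": "src", "script": "src", "form": "action", "link": "href"}

    def __init__(self):
        super().__init__()
        self.targets = []  # list of (kind, url)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            url = parse_refresh(a.get("content"))
            if url:
                self.targets.append(("meta-refresh", url))
        elif tag in self.ATTRS and a.get(self.ATTRS[tag]):
            self.targets.append((tag, a[self.ATTRS[tag]]))


def check_target(url, allowed_hosts):
    """Policy (assumed for the example): relative references resolve to the app's own
    local files and pass; absolute URLs must be https and on the allow-list."""
    p = urlparse(url)
    if not p.scheme and not p.netloc:
        return True, "relative reference, resolved against the app's local files"
    if p.scheme.lower() != "https":
        return False, "scheme %r is not https" % p.scheme
    if (p.hostname or "").lower() not in allowed_hosts:
        return False, "host %r is not on the allow-list" % p.hostname
    return True, "https and allow-listed"


def audit_offline_html(html, allowed_hosts=ALLOWED_HOSTS):
    """Parse a page and return one row per navigation target with the policy verdict."""
    parser = NavigationTargets()
    parser.feed(html)
    parser.close()
    report = []
    for kind, url in parser.targets:
        ok, reason = check_target(url, allowed_hosts)
        report.append({"kind": kind, "url": url, "allowed": ok, "reason": reason})
    return report


# Constructed sample offline.html: a plain-http LAN redirect, one allow-listed link,
# one off-list https link, and a local script.
SAMPLE_OFFLINE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; http://192.168.0.55:8000/">
</head><body>
<a href="https://www.youtube.com/tv">Retry</a>
<a href="https://example.org/">Other site</a>
<script src="app.js"></script>
</body></html>"""

if __name__ == "__main__":
    for row in audit_offline_html(SAMPLE_OFFLINE_HTML):
        verdict = "ALLOW" if row["allowed"] else "BLOCK"
        print("%-5s %-12s %-35s %s" % (verdict, row["kind"], row["url"], row["reason"]))
```

Run as-is it prints one verdict per target: the meta refresh to the 192.168 address is blocked on scheme alone, the example.org link is blocked on host, and the local script and the allow-listed link pass. That is the same outcome the thread reports for a redirect to a LAN address versus local files in the app's own directory.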
     
  11. bguerville (Moderator, Developer)
    If you face white listing & ssl limitations, you could try using a proxy to redirect those calls to URLs of your own choosing. A simple proxy rule would do the trick, you can use a proxy server on pc or on your smartphone using the Servers Ultimate app from the PlayStore.
     
    cygmon0 and esc0rtd3w like this.
  12. Yasich217 (Forum Noob)
    This is the first, as I wanted to bypass the white list and https. But redirection of secured traffic must be accompanied by a trusted certificate. Replacing certificates in ssl / serts did not help. If you change the certificate, the page does not open and an error is displayed. I redirected traffic through mitmproxy.
     
  13. bguerville (Moderator, Developer)
    I'm afraid I don't have a readily available solution for you.
    We haven't researched that area (ssl/certs management) at all. It's unfortunate because it's interesting stuff & potentially useful but we have had other priorities until now.

    Adding or replacing certificates in the ps3 folder doesn't appear to be sufficient, we have known that much for a while.
    There could be a cert hash check or some other kind of verification, the only way to know is to reverse & step by step debug the "cert loading" code. Maybe a memory patch would be sufficient to allow the use of custom certs...
     
    sandungas, Yasich217 and esc0rtd3w like this.
  14. esc0rtd3w (Developer)
    I have only tested using my local PC address (192.168.x.x:8000) and also local files on PS3 in same directory and it worked fine. When trying to redirect to another site, it seemed not to work. I have not tried proxy as mentioned by bguerville but that should work fine too, I would think.

    The main problem I see with the YouTube app at least using offline.html is that the mouse and other functions are disabled. They may be able to be re-enabled with JS as the keycode stuff seems to work fine.
     
    ayassinsayed, Yasich217 and bitsbubba like this.
  15. ayassinsayed (Member)
    So we can edit offline.html to put the HAN enabler exploit in by that method?


    Sent from my iPhone using Tapatalk
     
  16. bguerville (Moderator, Developer)
    No. Ps3xploit tools would not work as is.

    When you use a ps3 app like YT, it runs in its own process space, separate from the vsh process space.
    Current ps3xploit tools use vsh gadgets for ROP; those would not be available in the app process space & they would all need to be replaced with gadgets taken from the app. About 2 dozen gadgets would need to be replaced.
    Also a tool like HAN Enabler patches the vsh data segment & the same issue arises, that memory area is mapped in the vsh process space, not in the app process space so the current ROP chain couldn't work even if the gadgets were appropriately replaced.
     
  17. Yasich217 (Forum Noob)
    So you could open the page 192.168.x.x:8000 via offline.html? And can you attach the pkg file, where it opens through <meta http-equiv="refresh" content="0; http://192.168.0.55:8000/" /> ?
     
  18. esc0rtd3w (Developer)
    why can't you just make a new pkg? lol
     
  19. Yasich217 (Forum Noob)
    Because redirection to the local address does not work for me.
     
  20. esc0rtd3w (Developer)
    I would have to dig up the file to see what was done. Several of those apps do work like that too: Life w/ PlayStation, Live Events Viewer, and a few others I cannot think of at the moment.
     
    ayassinsayed likes this.
