PS3Xploit /localhost/ PoC Exploit Crash [Just A Teaser]

Discussion in 'Ps3Xploit [Official Forum]' started by esc0rtd3w, Apr 15, 2018.

  1. esc0rtd3w Developer

    Joined:
    Mar 10, 2017
    Messages:
    1,163
    Likes Received:
    2,789
    Trophy Points:
    397
    Gender:
    Male
    Occupation:
    Hacker
    Location:
    OHIO, USA
    Well, the team has been wondering for a while if it was possible to use the current exploits with a native app to run locally... and the day has come! :D

    I believe this was also mentioned by @kozarovv IIRC.

    This is purely a demonstration of one of the used exploits running locally and crashing the PS3!

    While this is a nice step forward, there is still much work to be done, as this ONLY proves that we can crash the console... just like last year when we had tests available to the public.

    Here are just some screenshots of the PS3 app and COBRA output using socat.

    We tested this with the NPEB01229 YouTube app, but this can probably be used with other apps that use the offline.html file.

     
    Last edited: Apr 15, 2018
  2. pink1 Moderator Developer
    Great work guy! Excited to see where this leads.
     
  3. bajul Forum Noob
    Many thanks to the dev team.
     
  4. luisms Forum Noob
    Always with news, don't you sleep? Thanks!!!!!
     
  5. Niander466 Member
    Congratulations, great work.
     
  6. SurvivalInstinct Member
    You're doing great again, thank you.
     
  7. Agoni212 Member
    Thanks as always, great work mate.
     
  8. mr_ota Member
    Awesome!!!!
     
  9. ram. Member
    Great work!
     
  10. Yasich217 Member
    In the offline.html file, only sites can be opened via https and only from the white list, which is located in the EBOOT.BIN. How can I open any other site on OFW?
     
  11. bguerville Moderator
    If you face whitelisting & SSL limitations, you could try using a proxy to redirect those calls to URLs of your own choosing. A simple proxy rule would do the trick; you can use a proxy server on a PC or on your smartphone using the Servers Ultimate app from the Play Store.
     
  12. Yasich217 Member
    This is the first thing I tried, as I wanted to bypass the whitelist and https. But redirection of secured traffic must be accompanied by a trusted certificate. Replacing certificates in ssl/certs did not help. If you change the certificate, the page does not open and an error is displayed. I redirected traffic through mitmproxy.
     
  13. bguerville Moderator
    I'm afraid I don't have a readily available solution for you.
    We haven't researched that area (ssl/certs management) at all. It's unfortunate because it's interesting stuff & potentially useful but we have had other priorities until now.

    Adding or replacing certificates in the ps3 folder doesn't appear to be sufficient, we have known that much for a while.
    There could be a cert hash check or some other kind of verification, the only way to know is to reverse & step by step debug the "cert loading" code. Maybe a memory patch would be sufficient to allow the use of custom certs...
     
  14. esc0rtd3w Developer
    I have only tested using my local PC address (192.168.x.x:8000) and also local files on PS3 in same directory and it worked fine. When trying to redirect to another site, it seemed not to work. I have not tried proxy as mentioned by bguerville but that should work fine too, I would think.

    The main problem I see with the YouTube app at least using offline.html is that the mouse and other functions are disabled. They may be able to be re-enabled with JS as the keycode stuff seems to work fine.
     
  15. ayassinsayed Member
    So we can edit offline.html to put the HAN enabler exploit in by that method?
     
  16. bguerville Moderator
    No. Ps3xploit tools would not work as is.

    When you use a ps3 app like YT, it runs in its own process space, separate from the vsh process space.
    Current ps3xploit tools use vsh gadgets for ROP; those would not be available in the app process space & they would all need to be replaced with gadgets taken from the app. About 2 dozen gadgets would need to be replaced.
    Also a tool like HAN Enabler patches the vsh data segment & the same issue arises, that memory area is mapped in the vsh process space, not in the app process space so the current ROP chain couldn't work even if the gadgets were appropriately replaced.
     
  17. Yasich217 Member
    So you could open the page 192.168.x.x:8000 via offline.html? And can you attach the pkg file, where it opens through <meta http-equiv = "refresh" content = "0; http://192.168.0.55:8000/" /> ?
     
  18. esc0rtd3w Developer
    why can't you just make a new pkg? lol
     
  19. Yasich217 Member
    Because redirection to the local address does not work for me.
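As an added illustration (not code from this thread or from PS3Xploit) of the offline.html policy Yasich217 describes in post 10, and why the plain http redirect from post 17 would be rejected by it: a toy checker that extracts the meta-refresh target and accepts it only when it is https and its host is on a whitelist. The whitelist and the exact matching rules are constructed assumptions; the real list and check live in the app's EBOOT.BIN and are not published in the thread.

```python
# Added example (not from the thread or PS3Xploit): a toy model of the
# offline.html policy described in post 10, where a redirect target is
# accepted only over https and only for a whitelisted host. The real
# whitelist and check live in the app's EBOOT.BIN; both are assumptions here.
import re
from urllib.parse import urlsplit

# Constructed stand-in for the whitelist embedded in EBOOT.BIN.
WHITELIST = frozenset({"www.youtube.com", "youtube.com", "accounts.google.com"})

# Matches the meta refresh form quoted in post 17, tolerating spaces
# around '=' and an optional 'url=' prefix before the target.
META_REFRESH = re.compile(
    r'<meta\s+http-equiv\s*=\s*"refresh"\s+content\s*=\s*'
    r'"\s*\d+\s*;\s*(?:url\s*=\s*)?([^"]+?)\s*"',
    re.IGNORECASE,
)


def refresh_target(html):
    """Return the meta-refresh target URL, or None if the page has none."""
    match = META_REFRESH.search(html)
    return match.group(1) if match else None


def policy_verdict(url, whitelist=WHITELIST):
    """Apply the https-only, whitelist-only rule. Returns (allowed, reason)."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":          # urlsplit lowercases the scheme
        return False, "scheme %s is not https" % (parts.scheme or "(none)")
    host = parts.hostname                # lowercased; userinfo and port stripped
    if not host:
        return False, "no host"
    if host not in whitelist:            # exact match only, no wildcard subdomains
        return False, "host %s is not whitelisted" % host
    return True, "ok"


def check_offline_html(html, whitelist=WHITELIST):
    """Verdict for a whole offline.html: extract the redirect, then judge it."""
    target = refresh_target(html)
    if target is None:
        return False, "no meta refresh found"
    return policy_verdict(target, whitelist)


if __name__ == "__main__":
    # Constructed sample: the tag from post 17 pointing at a LAN address.
    sample = '<meta http-equiv = "refresh" content = "0; http://192.168.0.55:8000/" />'
    print(check_offline_html(sample))
```

Because the host is taken from `urlsplit().hostname`, a whitelisted name placed in the userinfo part (`https://www.youtube.com@192.168.0.55/`) or as a prefix of another domain does not pass the check.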
     
  20. esc0rtd3w Developer
    I would have to dig up the file to see what was done. Several of those apps do work like that too: Life w/ PlayStation, Live Events Viewer, and a few others I cannot think of at the moment.
     