PS3Xploit /localhost/ PoC Exploit Crash [Just A Teaser]

esc0rtd3w

Developer
Well, the team has been wondering for a while if it was possible to use the current exploits with a native app to run locally... and the day has come! :D

I believe this was also mentioned by @kozarovv IIRC.

This is purely a demonstration of one of the used exploits running locally and crashing the PS3!

While this is a nice step forward, there is still much work to be done, as this ONLY proves that we can crash the console... just like last year when we had tests available to the public.

Here are just some screenshots of the PS3 app and COBRA output using socat.

We tested this with the NPEB01229 YouTube app, but this can probably be used with other apps that use the offline.html file.

Attached screenshots: m8Gb63X.jpg, 7qMWitL.jpg, maVmptX.png, JxQRGyA.png, iiUl9uR.png, uxodzrD.png
 

In the offline.html file, sites can only be opened via https and only from the whitelist, which is located in the EBOOT.BIN. How can I open any other site on OFW?
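The restriction described in the post above (https only, and only hosts on an embedded whitelist) is a common allowlist pattern, and whether it actually holds depends on how the host comparison is written. The following Python is an added example written for this page; it is not code from the PS3 firmware, from the YouTube app, or from the PS3Xploit team, and the allowlist entries in it are constructed placeholders, not the list stored in EBOOT.BIN. It contrasts a substring-style check, which lets the allowed name appear anywhere in the URL, with a parsed check that only accepts an https URL whose hostname component exactly matches an entry.

```python
from urllib.parse import urlsplit

# Constructed allowlist for illustration only; not the list embedded in the PS3 EBOOT.BIN.
ALLOWED_HOSTS = frozenset({"www.youtube.com", "s.ytimg.com"})


def naive_is_allowed(url: str, allowed=ALLOWED_HOSTS) -> bool:
    """Substring-style check: looks plausible, but matches the allowed name
    anywhere in the URL (path, query, userinfo, or a longer hostname)."""
    return url.startswith("https://") and any(host in url for host in allowed)


def strict_is_allowed(url: str, allowed=ALLOWED_HOSTS) -> bool:
    """Parse the URL and decide on the individual components:
    scheme must be https, no userinfo, default port only,
    and the hostname must be an exact (case-insensitive) allowlist entry."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False  # userinfo makes a foreign host look like an allowed one
    if parts.hostname is None:
        return False
    if port not in (None, 443):
        return False
    # urlsplit().hostname is already lowercased, so no extra normalisation is needed
    return parts.hostname in allowed


# Constructed sample inputs: the first two are legitimate, the rest should be refused.
SAMPLE_URLS = [
    "https://www.youtube.com/feed/",
    "https://WWW.YOUTUBE.COM/",
    "http://www.youtube.com/",
    "https://www.youtube.com.example/",
    "https://www.youtube.com@192.168.0.55:8000/",
    "https://192.168.0.55:8000/?ref=www.youtube.com",
    "https://www.youtube.com:8443/",
]


def evaluate(urls=SAMPLE_URLS):
    """Return {url: (naive_result, strict_result)} so the two checks can be compared."""
    return {u: (naive_is_allowed(u), strict_is_allowed(u)) for u in urls}


if __name__ == "__main__":
    for url, (naive, strict) in evaluate().items():
        print(f"naive={naive!s:5} strict={strict!s:5} {url}")
```

The parsed check is the one to implement: it never inspects the raw string, and it rejects anything that does not parse cleanly rather than guessing. The substring version both accepts URLs that only mention an allowed name and rejects a legitimate mixed-case hostname.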
 
If you face whitelisting & SSL limitations, you could try using a proxy to redirect those calls to URLs of your own choosing. A simple proxy rule would do the trick; you can use a proxy server on a PC or on your smartphone using the Servers Ultimate app from the Play Store.
 
This is the first thing I tried, as I wanted to bypass the whitelist and https. But redirection of secured traffic must be accompanied by a trusted certificate. Replacing certificates in ssl/certs did not help. If you change the certificate, the page does not open and an error is displayed. I redirected traffic through mitmproxy.
 
I'm afraid I don't have a readily available solution for you.
We haven't researched that area (SSL/cert management) at all. It's unfortunate because it's interesting stuff & potentially useful, but we have had other priorities until now.

Adding or replacing certificates in the ps3 folder doesn't appear to be sufficient; we have known that much for a while.
There could be a cert hash check or some other kind of verification; the only way to know is to reverse & step-by-step debug the "cert loading" code. Maybe a memory patch would be sufficient to allow the use of custom certs...
 
I have only tested using my local PC address (192.168.x.x:8000) and also local files on the PS3 in the same directory, and it worked fine. When trying to redirect to another site, it seemed not to work. I have not tried a proxy as mentioned by bguerville, but that should work fine too, I would think.

The main problem I see with the YouTube app, at least using offline.html, is that the mouse and other functions are disabled. They may be able to be re-enabled with JS, as the keycode stuff seems to work fine.
 
So we can edit offline.html to put the HAN Enabler exploit in by that method?


Sent from my iPhone using Tapatalk
 
No. PS3Xploit tools would not work as is.

When you use a PS3 app like YT, it runs in its own process space, separate from the vsh process space.
Current PS3Xploit tools use vsh gadgets for ROP; those would not be available in the app process space & they would all need to be replaced with gadgets taken from the app. About 2 dozen gadgets would need to be replaced.
Also, a tool like HAN Enabler patches the vsh data segment & the same issue arises: that memory area is mapped in the vsh process space, not in the app process space, so the current ROP chain couldn't work even if the gadgets were appropriately replaced.
 
So you could open the page 192.168.x.x:8000 via offline.html? And can you attach the pkg file, where it opens through <meta http-equiv="refresh" content="0; http://192.168.0.55:8000/" /> ?
 
I would have to dig up the file to see what was done. Several of those apps do work like that too: Life w/ PlayStation, Live Events Viewer, and a few others I cannot think of at the moment.
 