The PS4 might get some attention again. Over the last few weeks we saw multiple homebrew releases, such as an updated Linux distribution for your PS4, various homebrew games, emulators for playing older classics and other useful homebrew applications that make your PS4 more useful. Today, developer @SpecterDev released a new WebKit exploit for a newer system firmware, namely System Firmware 6.20. Although this exploit isn't a complete kernel exploit, and this remote code execution exploit has already been patched by Sony in the newest System Firmware 6.50 released a few days ago, it is still a useful method to tinker further with this specific system firmware, as developer @SpecterDev describes in his own words, which you can read below. This can be especially useful for developers who want to tinker with older system firmwares as well, such as System Firmware 5.55 for instance. Maybe we will see a new full kernel exploit for a newer system firmware released sooner or later.
PS4 6.20 WebKit Code Execution PoC
This repo contains a proof-of-concept (PoC) RCE exploit targeting the PlayStation 4 on firmware 6.20, leveraging CVE-2018-4441. The exploit first establishes an arbitrary read/write primitive as well as an arbitrary object address leak in wkexploit.js. It will then set up a framework to run ROP chains in index.html and by default will provide two hyperlinks to run test ROP chains: one for running the sys_getpid() syscall, and the other for running the sys_getuid() syscall, to get the PID and user ID of the process respectively.
Each file contains a comment at the top giving a brief explanation of what the file contains and how the exploit works. Credit for the bug discovery goes to lokihardt from Google Project Zero (p0). The bug report can be found here.
Note: It's been patched in the 6.50 firmware update.
Files (in alphabetical order by name):
- index.html - Contains post-exploit code, going from arb. R/W -> code execution.
- rop.js - Contains a framework for ROP chains.
- syscalls.js - Contains an (incomplete) list of system calls to use for post-exploit stuff.
- wkexploit.js - Contains the heart of the WebKit exploit.
Notes:
- This vulnerability was patched in 6.50 firmware!
- This only gives you code execution in userland. This is not a jailbreak nor a kernel exploit; it is only the first half.
- This exploit targets firmware 6.20. It should work on lower firmwares, however the gadgets will need to be ported, and the p.launchchain() method for code execution may need to be swapped out.
- In my tests the exploit as-is is pretty stable, but it can become less stable if you add a lot of objects and such into the exploit. This is part of the reason why syscalls.js contains only a small number of system calls.
Set up a web server hosting these files on localhost using XAMPP or any other program of your choosing. Additionally, you could host it on a server. You can access it on the PS4 by either:
- Fake DNS spoofing to redirect the manual page to the exploit page, or
- Using the web browser to navigate to the exploit page (not always possible).
Credits:
- I wrote the exploit; however, I did not find the vulnerability. As mentioned above, the bug (CVE-2018-4441) was found by lokihardt from Google Project Zero (p0) and was disclosed via the Chromium public bug tracker.
- Chromium Bug Report - The Vulnerability.
- lokihardt - The vulnerability
- st4rk - Help with the exploit
- qwertyoruiop - WebKit School
- saelo - Phrack paper
Twitter: @SpecterDev (7th March 2019 - 8:29 pm) --> https://twitter.com/SpecterDev/status/1103739416554594304
Twitter: @SpecterDev (8th March 2019 - 7:26 pm) --> https://twitter.com/SpecterDev/status/1104085876831735808
PS4 6.20 WebKit Exploit Released by @SpecterDev (Patched for System Firmware 6.50)
By Roxanne on Mar 9, 2019 at 7:47 AM
Milestone Update for Orbital - A PS4 Emulator by @AlexAltea - now with (very first) Video Output!
Nearly a year ago, developer @AlexAltea showed us an early-stage version of his own PS4 emulator called Orbital. The very first version was at a minimal stage, only running several code examples in a terminal within Linux, but this was already impressive since, as you probably know, both the PS4 and standard computers share the same x86 CPU architecture. But the CPU isn't the only thing the PS4 shares with a standard PC. Since you also need a lot of GPU power to run games on a console in general, it has become quite usual for big players like NVIDIA or AMD to collaborate with console manufacturers to deliver specially designed graphics processing units for the consoles you own. Even when we talk about "special" GPUs, you have probably noticed yourself that the further you go into newer console generations, the more similarities the internal GPU inside each console has with a standard GPU. With that in mind, developer @AlexAltea showed yesterday that his emulator Orbital is capable of running the Safe Mode of the PS4 and getting video output from that Safe Mode as well, which means his emulator produced the very first video output from a PS4 emulated on a PC! Do I have to say more? Continue reading
4.84.3 STARBUGED (w/ COBRA 8.01) - New update in from Habib
Following the introduction of 4.84 STARBUGED CFW for the PS3, which also gave us the introduction of Cobra v8.0x, developer @habib has now followed up that CFW release with 4.84.3 STARBUGED (w/ Cobra 8.01), which contains some more candy for the scene. The developer has once again provided new features with this update, including the ability to hardcode kernel plugins, which can be useful for things like MAMBA (a Cobra alternative) as it cannot be run as a kernel plugin. Down below you will see the technical aspects of what this update provides, from PS3 CFW developer @habib.
RPCS3 (PS3 Emulator) - January 2019 Progress Report (+ useful Extras and Tools)
A new year, a new progress report begins. Kinda late for March, I know, and yes, it's not the first time I use this excuse for being so late. But the team behind this wonderful PS3 emulator RPCS3 decided that, instead of bringing you only a monthly progress report this time (which still shows some impressive progress from each month, if you ask me), it would be a good start for the first progress report of 2019 to release some additional tools together with the January 2019 progress report. So while you can enjoy their progress for January both down below and in their blog post (also linked down below), the team behind RPCS3 teased several tweets about the additional achievements they have made since the beginning of this year. You want an example? Well, maybe you didn't know, but since RPCS3 also supports basic network functionality, it allows you not only to emulate some AAA game titles; it can also be useful for emulating other non-gaming applications and various media applications as well. So there is no problem at all watching some videos using the official YouTube application for PS3 via RPCS3, viewing the newest episode of your favourite anime series on Crunchyroll, or why not enjoying a full-length Hollywood blockbuster on Netflix, for instance. How cool is that? Continue reading