The PS4 might get some attention again. After the last few weeks, in which we saw multiple homebrew releases - such as an updated Linux distribution for your PS4, various homebrew games, emulators for playing older classics and other useful homebrew applications that make your PS4 more useful - today developer @SpecterDev released a new WebKit exploit for a newer system firmware, namely System Firmware 6.20. Although this exploit isn't a complete kernel exploit, and this remote code execution exploit has already been patched by Sony in the newest System Firmware 6.50 released a few days ago, it is still a useful method to tinker further with this specific system firmware, as developer @SpecterDev describes in his own words, which you can see down below. This can be especially useful for developers who want to tinker with older system firmwares as well, such as System Firmware 5.55 for instance. Maybe we will see a new full kernel exploit for a newer system firmware released sooner or later.
PS4 6.20 WebKit Code Execution PoC
This repo contains a proof-of-concept (PoC) RCE exploit targeting the PlayStation 4 on firmware 6.20 leveraging CVE-2018-4441. The exploit first establishes an arbitrary read/write primitive as well as an arbitrary object address leak in wkexploit.js. It will then set up a framework to run ROP chains in index.html and by default will provide two hyperlinks to run test ROP chains - one for running the sys_getpid() syscall, and the other for running the sys_getuid() syscall, to get the PID and user ID of the process respectively.
Each file contains a comment at the top giving a brief explanation of what the file contains and how the exploit works. Credit for the bug discovery is to lokihardt from Google Project Zero (p0). The bug report can be found here.
Note: It's been patched in the 6.50 firmware update.
Files (in alphabetical order by name):
- index.html - Contains post-exploit code, going from arb. R/W -> code execution.
- rop.js - Contains a framework for ROP chains.
- syscalls.js - Contains an (incomplete) list of system calls to use for post-exploit stuff.
- wkexploit.js - Contains the heart of the WebKit exploit.
- This vulnerability was patched in 6.50 firmware!
- This only gives you code execution in userland. This is not a jailbreak nor a kernel exploit, it is only the first half.
- This exploit targets firmware 6.20. It should work on lower firmwares however the gadgets will need to be ported, and the p.launchchain() method for code execution may need to be swapped out.
- In my tests the exploit as-is is pretty stable, but it can become less stable if you add a lot of objects and such into the exploit. This is part of the reason why syscalls.js contains only a small number of system calls.
Set up a web server hosting these files on localhost using XAMPP or any other program of your choosing. Additionally, you could host it on a server. You can access it on the PS4 by either:
- Fake DNS spoofing to redirect the manual page to the exploit page, or
- Using the web browser to navigate to the exploit page (not always possible).
- I wrote the exploit; however, I did not find the vulnerability. As mentioned above, the bug (CVE-2018-4441) was found by lokihardt from Google Project Zero (p0) and was disclosed via the Chromium public bug tracker.
- Chromium Bug Report - The Vulnerability.
- lokihardt - The vulnerability
- st4rk - Help with the exploit
- qwertyoruiop - WebKit School
- saelo - Phrack paper
Twitter: @SpecterDev (7th March 2019 - 8:29 pm) --> https://twitter.com/SpecterDev/status/1103739416554594304
Twitter: @SpecterDev (8th March 2019 - 7:26 pm) --> https://twitter.com/SpecterDev/status/1104085876831735808
PS4 6.20 WebKit Exploit Released by @SpecterDev (Patched for System Firmware 6.50)
By Roxanne on Mar 9, 2019 at 7:47 AM