The PS4 might get some attention again. After the last few weeks, where we saw multiple Homebrew Releases - such as a updated Linux Distribution for your PS4, various Homebrew Games for your PS4, Emulators for playing older Classics on your PS4 and other useful Homebrew Applications, which makes your PS4 more useful for you - today, Developer @SpecterDev released a new WebKit Exploit for a newer System Firmware, namely for System Firmware 6.20. Although this Exploit isn't a complete Kernel Exploit together with the fact that this Remote Code Execution Exploit has been already patched by Sony on the newest System Firmware 6.50 released a few days ago, it is still a useful method to tinker more with this specific System Firmware, as Developer @SpecterDev describes it with his own words, which you can see down below. This can be especially useful for Developers, who wants to tinker with older System Firmwares as well, such as for System Firmware 5.55 for instance. Maybe we can see a newer full Kernel Exploit for a newer System Firmware released sooner or later.
PS4 6.20 WebKit Code Execution PoC
This repo contains a proof-of-concept (PoC) RCE exploit targeting the PlayStation 4 on firmware 6.20 leveraging CVE-2018-4441. The exploit first establishes an arbitrary read/write primitive as well as an arbitrary object address leak in wkexploit.js. It will then setup a framework to run ROP chains in index.html and by default will provide two hyperlinks to run test ROP chains - one for running the sys_getpid() syscall, and the other for running the sys_getuid() syscall to get the PID and user ID of the process respectively.
Each file contains a comment at the top giving a brief explanation of what the file contains and how the exploit works. Credit for the bug discovery is to lokihardt from Google Project Zero (p0). The bug report can be found here.
Note: It's been patched in the 6.50 firmware update.
Files - Files in order by name alphabetically;
- index.html - Contains post-exploit code, going from arb. R/W -> code execution.
- rop.js - Contains a framework for ROP chains.
- syscalls.js - Contains an (incomplete) list of system calls to use for post-exploit stuff.
- wkexploit.js - Contains the heart of the WebKit exploit.
- This vulnerability was patched in 6.50 firmware!
- This only gives you code execution in userland. This is not a jailbreak nor a kernel exploit, it is only the first half.
- This exploit targets firmware 6.20. It should work on lower firmwares however the gadgets will need to be ported, and the p.launchchain() method for code execution may need to be swapped out.
- In my tests the exploit as-is is pretty stable, but it can become less stable if you add a lot of objects and such into the exploit. This is part of the reason why syscalls.js contains only a small number of system calls.
Setup a web-server hosting these files on localhost using xampp or any other program of your choosing. Additionally, you could host it on a server. You can access it on the PS4 by either;
- Fake DNS spoofing to redirect the manual page to the exploit page, or
- Using the web browser to navigate to the exploit page (not always possible).
- I wrote the exploit however I did not find the vulnerability, as mentioned above the bug (CVE-2018-4441) was found by lokihardt from Google Project Zero (p0) and was disclosed via the Chromium public bug tracker.
- Chromium Bug Report - The Vulnerability.
- lokihardt - The vulnerability
- st4rk - Help with the exploit
- qwertyoruiop - WebKit School
- saelo - Phrack paper
Twitter: @SpecterDev (7th March 2019 - 8:29 pm) --> https://twitter.com/SpecterDev/status/1103739416554594304
Twitter: @SpecterDev (8th March 2019 - 7:26 pm) --> https://twitter.com/SpecterDev/status/1104085876831735808
PS4 PS4 6.20 WebKit Exploit Released by @SpecterDev (Patched for System Firmware 6.50)
By Roxanne on Mar 9, 2019 at 7:47 AM
The Power Supply (Vol. 02) - Our Guest Today: "PS4 Developer @m0rph3us1987"With the very first introduction of our new Series of Developer Interviews - as known by "The Power Supply" - you were already allowed to dabble a little bit with Volume 01 of the series, where you got a deep look into the work from well-known Developer @deank he did for this scene. While he worked mainly for the PS3 Community, we thought it would be only fair to bring you a PS4 Developer with Volume 02 of this Interview Series today. This Developer maybe don't have the same long reputation as deank have since he began to tinker with the PS4 as his very first Sony Console. But this doesn't mean that he isn't worth to ask some questions. We covered his Achievements already in the past here in this Forum, especially when we provided you our yearly Overview about the CCC Events held in Germany. In fact, you should be familiar with him and his Lecture he held back at 35C3. So please give an warm welcome to m0rph3us1987, while in his Interview, we will talk about his Lecture he held, we will learn how he sees the current situation in "PS4 Development and Hacking" and we will get an deep insight how he began to learn writing some code in his young age. So allow us to introduce him further.Continue reading
RetroArch (PS4) R3 Released: New libretro Cores Added (Dramcaset / Jaguar / ScummVM /) + Source CodeFollowing the initial release of R1 and the followup of R2, developer @OsirisX has just released R3 for the PS4 Port of RetroArch with new core being added, various bug fixes to go along and also a release of the promised source code is included as well.. The new update provides ps4 support for Flycast (Sega Dreamcast), Bettle PSX, Virtual Jaguar, ScummVM, Stella-2014 (Atari 2600), Vectrex and SameBoy are the new cores included (emulation like dreamcast is experimental and many games have speed issues) in this release This update is based on RetroArch v1.8.4 and the Core Updater has been enabled, multi-controller Support has been added (up to 4 can be used), previous R1/R2 only one controller was supported. Also some cores that need have added support for keyboard and mouse controls. This port has evolve quite nicely and should be even better with now the source code release and likely will becomes part of the official release as this is still considered an "unofficial" port, but likely to become the official port.
Also the developer has created a Core Updater, which provides another method to update the cores. It help keeps the main pkg lite and you can also download indvidual cores via RetroArch itself as that bug of downloading cores has been fixed. See all the latest details below pertaining to the R3 release.Continue reading
The Power Supply (vol. I) Featuring a chat with developer deank (creator of multiMAN / webMAN & ...)In this inaugural edition of The Power Supply (A new developer interview series) we have the pleasure to interview one of the legendary developer's of the PlayStation Homebrew Community. A developer whom has contributed on a variety of projects and been a master of some of his own . Very well known in the PS3 scene, this dev is responsible for projects that include the AIO Homebrew known as multiMAN, or the popular ps3 plugin known as webMAN (not to be confused with a forked version called webMAN MOD by aldostools). Then later on the emergence of the sMAN plugin can be from only one person and that developer is of course @deank . The developer has graciously given us some time for a Q/A interview to kick of this new series. Dean will give us a bit of insight on himself, along with his development journey on the PS3 . Also, we have asked the developer if he still has plans for a multiMAN (PS4) release after a small hint in the past that suggested the developer at least was contemplating the idea , Also, does Dean have any immediate plans for future development on the PS3/4, We have these answers and more from himself in the discussion below, so lets dive into:.Continue reading
Share This Page
- henkaku homebrew
- playstation 2
- playstation 2 resources
- playstation portable
- playstation portable cfw
- playstation portable resources
- playstation tv
- ps vita
- ps2 resources
- ps3 cfw
- ps3 homebrew
- ps4 homebrew
- psp cfw
- psp resources
- pstv homebrew
- vita homebrew
- webman mod
- xmb mod
- User Record:
- Latest Member: