The PS4 might get some attention again. After the last few weeks, where we saw multiple Homebrew Releases - such as a updated Linux Distribution for your PS4, various Homebrew Games for your PS4, Emulators for playing older Classics on your PS4 and other useful Homebrew Applications, which makes your PS4 more useful for you - today, Developer @SpecterDev released a new WebKit Exploit for a newer System Firmware, namely for System Firmware 6.20. Although this Exploit isn't a complete Kernel Exploit together with the fact that this Remote Code Execution Exploit has been already patched by Sony on the newest System Firmware 6.50 released a few days ago, it is still a useful method to tinker more with this specific System Firmware, as Developer @SpecterDev describes it with his own words, which you can see down below. This can be especially useful for Developers, who wants to tinker with older System Firmwares as well, such as for System Firmware 5.55 for instance. Maybe we can see a newer full Kernel Exploit for a newer System Firmware released sooner or later.
PS4 6.20 WebKit Code Execution PoC
This repo contains a proof-of-concept (PoC) RCE exploit targeting the PlayStation 4 on firmware 6.20 leveraging CVE-2018-4441. The exploit first establishes an arbitrary read/write primitive as well as an arbitrary object address leak in wkexploit.js. It will then setup a framework to run ROP chains in index.html and by default will provide two hyperlinks to run test ROP chains - one for running the sys_getpid() syscall, and the other for running the sys_getuid() syscall to get the PID and user ID of the process respectively.
Each file contains a comment at the top giving a brief explanation of what the file contains and how the exploit works. Credit for the bug discovery is to lokihardt from Google Project Zero (p0). The bug report can be found here.
Note: It's been patched in the 6.50 firmware update.
Files - Files in order by name alphabetically;
- index.html - Contains post-exploit code, going from arb. R/W -> code execution.
- rop.js - Contains a framework for ROP chains.
- syscalls.js - Contains an (incomplete) list of system calls to use for post-exploit stuff.
- wkexploit.js - Contains the heart of the WebKit exploit.
- This vulnerability was patched in 6.50 firmware!
- This only gives you code execution in userland. This is not a jailbreak nor a kernel exploit, it is only the first half.
- This exploit targets firmware 6.20. It should work on lower firmwares however the gadgets will need to be ported, and the p.launchchain() method for code execution may need to be swapped out.
- In my tests the exploit as-is is pretty stable, but it can become less stable if you add a lot of objects and such into the exploit. This is part of the reason why syscalls.js contains only a small number of system calls.
Setup a web-server hosting these files on localhost using xampp or any other program of your choosing. Additionally, you could host it on a server. You can access it on the PS4 by either;
- Fake DNS spoofing to redirect the manual page to the exploit page, or
- Using the web browser to navigate to the exploit page (not always possible).
- I wrote the exploit however I did not find the vulnerability, as mentioned above the bug (CVE-2018-4441) was found by lokihardt from Google Project Zero (p0) and was disclosed via the Chromium public bug tracker.
- Chromium Bug Report - The Vulnerability.
- lokihardt - The vulnerability
- st4rk - Help with the exploit
- qwertyoruiop - WebKit School
- saelo - Phrack paper
Twitter: @SpecterDev (7th March 2019 - 8:29 pm) --> https://twitter.com/SpecterDev/status/1103739416554594304
Twitter: @SpecterDev (8th March 2019 - 7:26 pm) --> https://twitter.com/SpecterDev/status/1104085876831735808
PS4 PS4 6.20 WebKit Exploit Released by @SpecterDev (Patched for System Firmware 6.50)
By Roxanne on Mar 9, 2019 at 7:47 AM
4.85 Flash Writer Released (CFW PS3 Models Only) - Now go from 4.85 OFW to 4.85 HFW to a 4.85 CFWIt looks like the 4.85 landscape is starting to take shape now as developer's around the scene have been updated the homebrew, utilities and tools that require updates (not all things require updates) and now the PS3Xploit Team released one of the missing pieces. The Flash Writer for 4.85 HFW has now arose and now you can make the jump from 4.85 OFW >> 4.85 HFW >> Execute Flash Writer >>> Install a 4.85 CFW. This release (utility) is ONLY for PlayStation 3 models that can install a Custom FirmWare, if your model can not install a CFW then look at PS3HEN as the next best alternative to cfw, which the team has an update around the corner as well (stay tuned for that soon), but back to the Flash Writer, If your are new to the tool that is executed from the PS3 Internet Browser, it simply provides those cfw capable models with the ability to install a Custom Firmware after the tool has done its magic to your console's internal flash. However, you must follow all instructions for a clean installation to avoid any issues during the process on the fully softmod exploit..Continue reading
ManaGunZ v1.36 & v1.37: NEW PS3HEN Support , New Features & 4.85 (CEX) Support by ZarDeveloper @Zar made an update for 4.85 firmware (cex) support for the popular ps3 homebrew ManaGunZ, but also late last month the developer made a huge update, that has added many new features to the popular Game Manager that always comes equipped with plenty of other features for your exploited PS3. Not only is this homebrew for CFW any longer, but since v1.36 ManaGunZ is now both compatible with PS3 Custom FirmWare and also PS3HEN, also zar did not stop there as there has been tons of new additions (seen in the changelogs provided below) and various fixes/optimizations have been brought forward as well in these recent updates that have emerged from developer @Zar. Checkout all the latest details below surrounding ManaGunZ for the PS3.Continue reading
IRISMAN + webMAN MOD - Updated with 4.85 CEX SupportDeveloper @aldostools recently updated two great projects of his with 4.85 firmware (cex) support. When the releases appeared over at brewology.com they were added to the 4.85 Update/CFW thread > here < but i wanted to get something up on the mainpage for the two apps as there are staples in the PS3 library of homebrew fame. For those whom may be new to PS3 homebrew, IRISMAN is a Game Manager (aka Backup Manager) that provides many features, While multiMAN / IRISMAN & ManaGunZ are all excellent Game Manager's they are all unique from each other, while all sharing the essentials. So no choice of the three is a bad one, but all 3 are different, IRISMAN is a fork from an earlier PS3 Homebrew Manager called IRIS Manager by Estwald & D_Skywalk but aldostools has taken the foundation of that project to new levels by adding a TON of functionality,.. Which bring us to Aldostools other project of webMAN MOD which is a fork of deank's original webMAN plugin. deank made a spectacular foundation and down right great plugin, but as the scene advanced developer aldostools stepped in with other devs and formed webMAN MOD fork and since that forked spawned developer aldostools has created one hell of a plugin with tons of functionality and great features. This plugin allow offers more features then all Sony Firmware updates combined and that is even close to being a discussion. These are to great projects to explore if you have not.Continue reading
Share This Page
- henkaku homebrew
- playstation 2
- playstation 2 resources
- playstation portable
- playstation portable cfw
- playstation portable resources
- playstation tv
- ps vita
- ps2 resources
- ps3 cfw
- ps3 han
- ps3 homebrew
- ps4 homebrew
- psp cfw
- psp resources
- pstv homebrew
- vita homebrew
- webman mod
- xmb mod
- User Record:
- Latest Member: