• Stars
    star
    728
  • Rank 62,237 (Top 2 %)
  • Language
  • License
    Do What The F*ck ...
  • Created over 7 years ago
  • Updated over 3 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A collection where my current and future writeups for exploits/CTF will go

Exploit Writeups

Welcome to my collection of exploit writeups. This repo is where my current and future writeups for public exploits, vulnerability research, and CTF challenge solves will go. Below is a directory of the current writeups that I've published.

FreeBSD / PS4 Kernel

PS4 4.05 Kernel Exploit Overview

An overview of the PS4 kernel exploit codenamed "namedobj", which targets a type confusion vulnerability in the sys_namedobj_* Sony system calls. This overview covers the basic exploit strategy required to leverage the type confusion bug into a fully fledged exploit.

PS4 4.05 Kernel Exploit Writeup

A full writeup on how the "namedobj" type confusion vulnerability can be leveraged to achieve arbitrary code execution in kernel mode, via a targetted use-after-free (UAF).

PS4 4.55 / FreeBSD BPF Kernel Exploit Writeup

A writeup containing the technical details behind a kernel exploit targetting the Berkely Packet Filter (BPF) system shipped on standard FreeBSD systems, but specifically targetting the Playstation 4 on 4.55FW. The bug is a race condition leading to a stack out-of-bounds (OOB) write. The writeup shows how this can easily be leveraged to escalate privileges to execute arbitrary code in kernel mode.

PS4 5.05 / FreeBSD BPF 2nd Kernel Exploit Writeup

A writeup targetting another BPF vulnerability - another, very similar race condition, but a different approach. Rather than targetting the use-after-free(), this exploit targets a double free() in order to obtain heap corruption on a target object. Again, the writeup shows that this can be leveraged to obtain code execution in kernel mode, however it also contains details on bypassing an SMAP-like implementation developed by Sony.

WebKit

Breaking Down Qwerty's PS4 4.0x WebKit Exploit

This writeup contains a technical analysis on qwertyoruiopz's WebKit exploit targetting the PS4 on 4.0x firmwares. The writeup details how a stack uninitialized read can be leveraged to obtain arbitrary R/W, and eventually code execution.

setAttributeNodeNS Use-After-Free WebKit Exploit

A writeup detailing the setAttributeNodeNS() use-after-free (UAF) vulnerability discovered by lokihardt from Google's Project Zer0 (p0). It contains technical details about how an attacker can combine it with an information disclosure (infoleak) to misalign JSValues to establish an arbitrary R/W primitive, which again will eventually lead to code execution.

More Repositories

1

PS5-IPV6-Kernel-Exploit

An experimental webkit-based kernel exploit (Arb. R/W) for the PS5 on <= 4.51FW
JavaScript
872
star
2

PS4-5.05-Kernel-Exploit

A fully implemented kernel exploit for the PS4 on 5.05FW
JavaScript
625
star
3

PS4-4.05-Kernel-Exploit

A fully implemented kernel exploit for the PS4 on 4.05FW
JavaScript
534
star
4

PS4-4.55-Kernel-Exploit

A fully implemented kernel exploit for the PS4 on 4.55FW
JavaScript
236
star
5

PS4-6.20-WebKit-Code-Execution-Exploit

A WebKit exploit using CVE-2018-4441 to obtain RCE on PS4 6.20.
HTML
197
star
6

REBot

A discord bot for reverse engineers and exploit developers.
Go
78
star
7

PS4-4.0x-Code-Execution-PoC

My edit of qwertyoruiopz 4.0x exploit PoC from http://rce.party/ps4
JavaScript
61
star
8

PS4-KHook

PS4 kernel hooking library / payload.
C
48
star
9

PS4-Playground-3.55

A 3.55 implementation of PS4 Playground (based on CTurt's 1.76 original)
HTML
44
star
10

idc_importer

A Binary Ninja plugin for importing IDC database dumps from IDA.
Python
38
star
11

PS5-SELF-Decrypter

A portable payload to decrypt PS5 SELF files from the filesystem to USB drive
C
38
star
12

PS4Console

A successor to PS4Playground, emulates a shell-like environment to interact with the PlayStation 4.
HTML
35
star
13

MD5-Magic-File-Generator

A project in Golang that will create prefix-based magic MD5 hashes for type juggling.
Go
18
star
14

JinxOS

JinxOS is a minimalist operating system written in C and ARM. The focus is to quickly and easily interface with connected hardware for education and testing purposes.
C
18
star
15

CPP-Easy-Socket

An easy to use, higher abstraction socket class for usage in C++.
C++
16
star
16

PS4-Package-Assessor-Java

Evaluates PS3/PS4 .PKG files and displays information about them in a clean manner.
JavaScript
13
star
17

Space-Invaders-C-

Space Invaders C++ is a project to help learn some of the basics of C++ like classes, MVC, pointers, loops, and libraries.
C++
10
star
18

IDA-ASP-Loader

Simple loader plugin for IDA to load AMD-SP or PSP firmware binaries.
Python
5
star
19

Battleship-Arduino

A battleship game coded with Arduino/C++ using an Arduino UNO and a 32x16 LED RGB Matrix
C++
4
star
20

FalconFramework

A free, simple PHP framework created by myself for web development projects
PHP
3
star
21

goflexpool

Unofficial golang binding for flexpool API.
Go
3
star
22

PS3-Update-List-Parser

A parser written in Java to parse ps3-updatelist.txt from playstation.net
Java
3
star
23

PHPBot-Xat

A semi-company ready light-weight, clean xat bot script coded in PHP.
PHP
2
star
24

BO3-Round-Modifiers

Source code for Round Modifiers BO3 zombies mod.
GSC
1
star
25

GSS-Interpreter

The General Server Script interpreter
C++
1
star