Cryptogenic/PS4-6.20-WebKit-Code-Execution-Exploit Cryptogenic/PS4-6.20-WebKit-Code-Execution-Exploit

  • Stars
    star
    197
  • Rank 197,722 (Top 4 %)
  • Language
    HTML
  • License
    Do What The F*ck ...
  • Created over 5 years ago
  • Updated over 5 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
Cryptogenic/PS4-6.20-WebKit-Code-Execution-Exploit
github

Cryptogenic

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A WebKit exploit using CVE-2018-4441 to obtain RCE on PS4 6.20.

PS4 6.20 WebKit Code Execution PoC

This repo contains a proof-of-concept (PoC) RCE exploit targeting the PlayStation 4 on firmware 6.20 leveraging CVE-2018-4441. The exploit first establishes an arbitrary read/write primitive as well as an arbitrary object address leak in wkexploit.js. It will then setup a framework to run ROP chains in index.html and by default will provide two hyperlinks to run test ROP chains - one for running the sys_getpid() syscall, and the other for running the sys_getuid() syscall to get the PID and user ID of the process respectively.

Each file contains a comment at the top giving a brief explanation of what the file contains and how the exploit works. Credit for the bug discovery is to lokihardt from Google Project Zero (p0). The bug report can be found here.

Note: It's been patched in the 6.50 firmware update.

Files

Files in order by name alphabetically;

  • index.html - Contains post-exploit code, going from arb. R/W -> code execution.
  • rop.js - Contains a framework for ROP chains.
  • syscalls.js - Contains an (incomplete) list of system calls to use for post-exploit stuff.
  • wkexploit.js - Contains the heart of the WebKit exploit.

Notes

  • This vulnerability was patched in 6.50 firmware!
  • This only gives you code execution in userland. This is not a jailbreak nor a kernel exploit, it is only the first half.
  • This exploit targets firmware 6.20. It should work on lower firmwares however the gadgets will need to be ported, and the p.launchchain() method for code execution may need to be swapped out.
  • In my tests the exploit as-is is pretty stable, but it can become less stable if you add a lot of objects and such into the exploit. This is part of the reason why syscalls.js contains only a small number of system calls.

Usage

Setup a web-server hosting these files on localhost using xampp or any other program of your choosing. Additionally, you could host it on a server. You can access it on the PS4 by either;

  1. Fake DNS spoofing to redirect the manual page to the exploit page, or

  2. Using the web browser to navigate to the exploit page (not always possible).

Vulnerability Credit

I wrote the exploit however I did not find the vulnerability, as mentioned above the bug (CVE-2018-4441) was found by lokihardt from Google Project Zero (p0) and was disclosed via the Chromium public bug tracker.

Resources

Chromium Bug Report - The vulnerability.

Phrack: Attacking JavaScript Engines by saelo - A life saver. Exploiting this would have been about 1500x more difficult without this divine paper.

Thanks

lokihardt - The vulnerability

st4rk - Help with the exploit

qwertyoruiop - WebKit School

saelo - Phrack paper

More Repositories

1

PS5-IPV6-Kernel-Exploit

An experimental webkit-based kernel exploit (Arb. R/W) for the PS5 on <= 4.51FW
JavaScript
872
star
2

Exploit-Writeups

A collection where my current and future writeups for exploits/CTF will go
728
star
3

PS4-5.05-Kernel-Exploit

A fully implemented kernel exploit for the PS4 on 5.05FW
JavaScript
625
star
4

PS4-4.05-Kernel-Exploit

A fully implemented kernel exploit for the PS4 on 4.05FW
JavaScript
534
star
5

PS4-4.55-Kernel-Exploit

A fully implemented kernel exploit for the PS4 on 4.55FW
JavaScript
236
star
6

REBot

A discord bot for reverse engineers and exploit developers.
Go
78
star
7

PS4-4.0x-Code-Execution-PoC

My edit of qwertyoruiopz 4.0x exploit PoC from http://rce.party/ps4
JavaScript
61
star
8

PS4-KHook

PS4 kernel hooking library / payload.
C
48
star
9

PS4-Playground-3.55

A 3.55 implementation of PS4 Playground (based on CTurt's 1.76 original)
HTML
44
star
10

idc_importer

A Binary Ninja plugin for importing IDC database dumps from IDA.
Python
38
star
11

PS5-SELF-Decrypter

A portable payload to decrypt PS5 SELF files from the filesystem to USB drive
C
38
star
12

PS4Console

A successor to PS4Playground, emulates a shell-like environment to interact with the PlayStation 4.
HTML
35
star
13

MD5-Magic-File-Generator

A project in Golang that will create prefix-based magic MD5 hashes for type juggling.
Go
18
star
14

JinxOS

JinxOS is a minimalist operating system written in C and ARM. The focus is to quickly and easily interface with connected hardware for education and testing purposes.
C
18
star
15

CPP-Easy-Socket

An easy to use, higher abstraction socket class for usage in C++.
C++
16
star
16

PS4-Package-Assessor-Java

Evaluates PS3/PS4 .PKG files and displays information about them in a clean manner.
JavaScript
13
star
17

Space-Invaders-C-

Space Invaders C++ is a project to help learn some of the basics of C++ like classes, MVC, pointers, loops, and libraries.
C++
10
star
18

IDA-ASP-Loader

Simple loader plugin for IDA to load AMD-SP or PSP firmware binaries.
Python
5
star
19

Battleship-Arduino

A battleship game coded with Arduino/C++ using an Arduino UNO and a 32x16 LED RGB Matrix
C++
4
star
20

FalconFramework

A free, simple PHP framework created by myself for web development projects
PHP
3
star
21

goflexpool

Unofficial golang binding for flexpool API.
Go
3
star
22

PS3-Update-List-Parser

A parser written in Java to parse ps3-updatelist.txt from playstation.net
Java
3
star
23

PHPBot-Xat

A semi-company ready light-weight, clean xat bot script coded in PHP.
PHP
2
star
24

BO3-Round-Modifiers

Source code for Round Modifiers BO3 zombies mod.
GSC
1
star
25

GSS-Interpreter

The General Server Script interpreter
C++
1
star