An experimental webkit-based kernel exploit (Arb. R/W) for the PS5 on 4.03 & 4.50FW

PS5 4.xx Kernel Exploit


Summary

This repo contains an experimental WebKit ROP implementation of a PS5 kernel exploit based on TheFlow's IPv6 Use-After-Free (UAF), which was reported on HackerOne. The exploit strategy is for the most part based on TheFlow's BSD/PS4 PoC, with some changes to accommodate the annoying PS5 memory layout (for more, see the Research Notes section). It establishes an arbitrary read / (semi-arbitrary) write primitive. This exploit and its capabilities have a lot of limitations, and as such it's mostly intended for developers to play with in order to reverse engineer some parts of the system.

With the latest stability improvements, reliability is at about 80%. This document will contain research info about the PS5, and this exploit will undergo continued development and improvements as time goes on.

Those interested in contributing to PS5 research/dev can join a Discord I have set up here.

The exploit now supports the following firmwares (more to come):

  • 4.03
  • 4.50
  • 4.51

Currently Included

  • Obtains arbitrary read/write and can run a basic RPC server for reads/writes (or a dump server for large reads) (must edit your own address/port into the exploit file on lines 673-677)
  • Enables debug settings menu (note: you will have to fully exit settings and go back in to see it).
  • Gets root privileges

Limitations

  • This exploit achieves read/write, but not code execution. This is because we cannot currently dump kernel code for gadgets, as kernel .text pages are marked as eXecute Only Memory (XOM). Attempting to read kernel .text pointers will panic!
  • As per the above + the hypervisor (HV) enforcing kernel write protection, this exploit also cannot install any patches or hooks into kernel space, which means no homebrew-related code for the time being.
  • Clang-based fine-grained Control Flow Integrity (CFI) is present and enforced.
  • Supervisor Mode Access Prevention/Execution (SMAP/SMEP) cannot be disabled, due to the HV.
  • The write primitive is somewhat constrained, as bytes 0x10-0x14 must be zero (or a valid network interface).

How to use

  1. Configure fakedns via dns.conf to point manuals.playstation.net to your PC's IP address
  2. Run fake dns: python fakedns.py -c dns.conf
  3. Run HTTPS server: python host.py
  4. Go into the PS5 advanced network settings, set the primary DNS to your PC's IP address and leave the secondary at 0.0.0.0
    1. Sometimes the manual still won't load and a restart is needed; unsure why, it's really weird
  5. Go to the user manual in settings and accept the untrusted certificate prompt; the exploit then runs
  6. Optional: Run rpc/dump server scripts (note: address/port must be substituted in binary form into exploit.js).

Future work

  • Fix-up sockets to exit browser cleanly (top prio)
  • Write some data patches (second prio)
    • Enable debug settings
    • Patch creds for uid0
    • Jailbreak w/ cr_prison overwrite
  • Improve UAF reliability
  • Improve victim socket reliability (third prio)
  • Use a better / more consistent leak target than kqueue (no longer necessary)
  • Make ELF loader support relocations

Using ELF Loader

To use the ELF loader, run the exploit until completion. Upon completion it'll run a server on port 9020. Connect and send your ELF to the PS5 over that port and it'll run it. Assuming the ELF doesn't crash the browser, it can continue to run ELFs forever.
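As an added example (not code from this repository), the following host-side script performs a pre-flight check on an ELF before sending it to the loader. The README states only that the loader listens on TCP port 9020, takes the ELF raw over that connection, and does not support relocations; the check therefore parses the ELF64 header and section table and refuses anything that is not a static x86-64 ET_EXEC image or that still carries relocation sections. The ELF field layout comes from the ELF64 specification; the helper names, the command-line arguments, and the constructed test images are assumptions of this example.

```python
"""Pre-flight check for ELF payloads sent to the loader on port 9020.

Added example, not part of the original repository. It assumes only what the
README states (raw ELF over TCP port 9020, no relocation support); the header
layout is from the ELF64 specification. Helper names are this example's own.
"""
import socket
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ELFDATA2LSB = 1
ET_EXEC = 2
EM_X86_64 = 62
SHT_RELA = 4
SHT_REL = 9
LOADER_PORT = 9020  # port named in the README


def check_elf(data: bytes) -> list[str]:
    """Return a list of problems; an empty list means the ELF looks loadable.

    Checks: ELF64 little-endian x86-64 ET_EXEC, a sane section header table,
    and no SHT_REL/SHT_RELA sections (the loader cannot apply relocations).
    """
    problems = []
    if len(data) < 64 or data[:4] != ELF_MAGIC:
        return ["not an ELF file (bad magic or truncated header)"]
    if data[4] != ELFCLASS64:
        problems.append("not ELFCLASS64")
    if data[5] != ELFDATA2LSB:
        problems.append("not little-endian")
    if problems:
        return problems  # the field layout below assumes ELF64 little-endian
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    (e_type, e_machine, _ver, e_entry, _phoff, e_shoff, _flags,
     _ehsize, _phentsize, e_phnum, e_shentsize, e_shnum, _shstrndx) = \
        struct.unpack_from("<HHIQQQIHHHHHH", data, 16)
    if e_type != ET_EXEC:
        problems.append(f"e_type={e_type}, expected ET_EXEC (no relocation support)")
    if e_machine != EM_X86_64:
        problems.append(f"e_machine={e_machine}, expected EM_X86_64")
    if e_phnum == 0:
        problems.append("no program headers: nothing to load")
    if e_entry == 0:
        problems.append("e_entry is 0")
    if e_shnum:
        if e_shentsize != 64 or e_shoff + e_shnum * 64 > len(data):
            problems.append("section header table out of bounds or malformed")
        else:
            for i in range(e_shnum):
                # sh_type sits at offset 4 of each 64-byte Elf64_Shdr
                sh_type = struct.unpack_from("<I", data, e_shoff + i * 64 + 4)[0]
                if sh_type in (SHT_REL, SHT_RELA):
                    problems.append(f"section {i} is a relocation section")
    return problems


def build_test_elf(e_type: int = ET_EXEC, section_types=()) -> bytes:
    """Construct a minimal, non-runnable ELF64 image for exercising check_elf.

    The image has one PT_LOAD program header and one empty section header per
    entry in section_types. It is test data, not a real payload.
    """
    n = len(section_types)
    e_shoff = 64 + 56 if n else 0  # section headers follow the program header
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\0" * 8
    header = ident + struct.pack("<HHIQQQIHHHHHH", e_type, EM_X86_64, 1,
                                 0x400000, 64, e_shoff, 0, 64, 56, 1, 64, n, 0)
    phdr = struct.pack("<IIQQQQQQ", 1, 5, 0, 0x400000, 0x400000, 120, 120, 0x1000)
    shdrs = b"".join(struct.pack("<IIQQQQIIQQ", 0, t, 0, 0, 0, 0, 0, 0, 0, 0)
                     for t in section_types)
    return header + phdr + shdrs


def send_elf(path: str, host: str, port: int = LOADER_PORT) -> int:
    """Check the ELF at `path` and send it raw to host:port; returns bytes sent."""
    with open(path, "rb") as f:
        data = f.read()
    problems = check_elf(data)
    if problems:
        raise ValueError("refusing to send: " + "; ".join(problems))
    with socket.create_connection((host, port), timeout=10) as s:
        s.sendall(data)
    return len(data)


if __name__ == "__main__":
    # usage: python elf_preflight.py payload.elf <ps5-ip>
    print(f"sent {send_elf(sys.argv[1], sys.argv[2])} bytes")
```

The check runs on the host before anything is sent, so a build that accidentally produced a PIE (ET_DYN) or kept `.rela.*` sections is rejected with a reason instead of being discovered as a browser crash on the console.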

Exploit Stages

This exploit works in 5 stages (plus the ELF loader step) and for the most part follows the same exploit strategy as TheFlow's PoC.

  1. Trigger the initial UAF on ip6_pktopts and get two sockets to point to the same pktopts / overlap (master socket <-> overlap spray socket)
  2. Free the pktopts on the master socket and fake it with an ip6_rthdr spray containing a tagged tclass overlap.
  3. Infoleak step. Use pktopts/rthdr overlap to leak a kqueue from the 0x200 slab and pktopts from the 0x100 slab.
  4. Arbitrary read/write step. Fake pktopts again and find the overlap socket to use IPV6_RTHDR as a read/write primitive.
  5. Cleanup + patch step. Increase refcount on corrupted sockets for successful browser exit + patch data to enable debug menu and patch ucreds for uid0.
  6. Run ELF loader server that will accept and load/run ELFs. Currently WIP, does not support relocations at the moment.

Stability Notes

Stability for this exploit is at about 80-90% (up from 30%), and it has two potential points of failure. In order of observed descending likelihood:

  1. Stage 1 fails to reclaim the UAF, causing immediate crash or latent corruption that causes crash.
  2. Stage 4 fails to find a victim socket

Research Notes

  • It appears based on various testing and dumping with the read primitive, that the PS5 has reverted back to 0x1000 page size compared to the PS4's 0x4000.
    • After further research, the page size is indeed still 0x4000, however due to some insane allocator changes, different slabs can be allocated in the same virtual page.
  • It also seems on PS5 that adjacent pages rarely belong to the same slab, as you'll get vastly different data in adjacent pages. Memory layout seems more scattered.

  • Often when the PS5 panics (at least in webkit context), there will be awful audio output as the audio buffer gets corrupted in some way.

  • Sometimes this audio corruption persists to the next boot, unsure why.

  • Similar to PS4, the PS5 will require the power button to be manually pressed on the console twice to restart after a panic.

  • It is normal for the PS5 to take an absurd amount of time to reboot from a panic if it's isolated from the internet (unfortunately). Expect boot to take 3-4 minutes.

Contributors / Special Thanks

Thanks to testers

  • Dizz (4.50/4.51)