Yesterday we saw disclosure of a
4.05 PS4 Kexec, and combined with a Userland Exploit like
JailbreakMe PS4 4.0x WebKit RCE the PlayStation 4 scene is eagerly awaiting a public PlayStation 4 Jailbreak for Firmware 4.05 to surface.
In the meantime, since
Porting JailBreakMe and
Breaking Down PS4 4.0x WebKit Exploit PlayStation 4 developer
@SpecterDev shared on
Twitter a PS4 NamedObj kernel exploit strategy overview of the
4.05 Kernel Exploit that Fail0verflow
released.
To quote from the
NamedObj Kernel Exploit Overview.md:
Introduction
So fail0verflow released a writeup today on the namedobj exploit. I and a few others have had this exploit for some time but did not release as we received help indirectly from f0f, so it was not entirely ours to release. Now that it is out however, I'd like to talk about it as it is a really interesting exploit.
Below is not going to be a full write-up, but more of a framework or strategy that those who are interested can use to try to implement this kernel exploit. In due time I will release my implementation after I've edited non-burned components out of the exploit.
The Bug
So the bug is essentially type confusion with the 'kind' field of the 'id_entry' object used in named objects. Named objects are objects that have properties associated to them (such as a name as you might have guessed), that points to the real object in the heap. By specifying a type 0x5000 for your object, you can cause type confusion.
You now need to find another area of the kernel that can abuse to corrupt your object. Luckily, there is sys_mdbg_service(). This will allow you to...