PSXHAX.COM website and domain for sale. Contact Us with your offer!
PPPwn: PlayStation 4 PPPoE RCE PS4 Kernel Exploit to 11.00 by TheOfficialFloW
Today TheOfficialFloW aka theflow0 decided to publish PPPwn ahead of his Remote Vulnerabilities in SPP talk on CVE-2006-4304 (FreeBSD.org) at TyphoonCon 2024 next month, which is the first PlayStation 4 PPPoE (Point-to-Point Protocol over Ethernet) RCE (Remote Code Execution) Kernel Exploit supporting PS4 Firmware versions up to 11.00 OFW with @KIWIDOGGIE aka kd_tech_ passing along some 11.00 Offsets (Orbis110.hpp) that can help in reverse-engineering payloads crediting developer @Al Azif (fw_defines.h / payloads_1100_and_below.zip - 46.3 KB - includes ps4-app-dumper.bin, ps4-disable-updates.bin, ps4-fan-threshold.bin, ps4-ftp.bin, ps4-module-dumper.bin, ps4-permanent-uart.bin and ps4-todex.bin via @zecoxao aka notnotzecoxao) stage2.bin (11.2 KB) and additional payloads (module_dumper.bin - 10.7 KB, permanent_uart.bin - 6.84 KB...
PS4 Kernel RCE Talk on CVE-2006-4304 by TheFloW0 at TyphoonCon 2024
Following his BD-JB PS5 Userland Exploit 7.61 Firmware Revision, Security Researcher theflow0 confirmed via Twitter that he'll be giving a talk on CVE-2006-4304 (Remote Vulnerabilities in SPP) affecting PS4 up to FW 11.00 and PS5 up to FW 8.20 at the Moxy Seoul Myeongdong All Offensive Security Conference which runs from May 27th-31st, 2024 covering a PlayStation 4 Kernel Remote Code Execution (RCE) Exploit enabling a jailbreak without requiring a user entry (such as a WebKit) point. :geek:

This comes proceeding the PSFree WebKit Exploit Updates, Aapo's HackerOne PlayStation Hacktivity Critical Vulnerability Report, PS4PayloadSDK 10.50-11.02 Support update and recent CVE-2006-4304 PoC... with Andy Nguyen's presentation details outlined below courtesy of TyphoonCon.com:

PlayStation 4 Kernel RCE

Date: May 30-31
, 2024

Talk Overview:


This talk will be about successful exploitation of kernel vulnerabilities in a network protocol on the PlayStation 4 which is based on FreeBSD.

I show how internals of the IPv6 protocol can be abused to achieve an information leak and to redirect control...
Aapo on HackerOne's PlayStation Hacktivity Critical Vulnerability Report
Recently cybersecurity researcher Aapo was awarded a $50,000.00 Bug Bounty for his PlayStation Hacktivity Report as part of Sony's HackerOne Program, and similar to TheFloW's promised Disclosure he took to Twitter as AapoOksman stating the following about the critical vulnerability discovered, to quote:

"There is a lot of speculation going around the report, but I'm planning on releasing more information at a later point in time.

Would you like to see me present my findings at a security conference this year? Any suggestions on what conferences I should submit a CFP for?"


Whether it's GeekPwn, Chaos Computer Club (CCC), Zer0Con, Tencent Security Conference, REcon Brussels, Black Hat Europe, SSTIC, Hexacon...
PS4 9.00 pOOBs4 Kernel Exploit (KeX) Port to 8.0x Firmware by ABC
Following the PSFree WebKit Exploit for PS4 6.00 to 9.60 & QuickHEN PS4 incoming, PS4Scene developer abc on Discord shared a PS4 9.00 pOOBs4 Kernel Exploit (KeX) Port to 8.0x Firmware adding the additional details below via PlayStation Devwiki Discord: :geek:

Just ported pOOBs4's trigger_spray() to 8.0x and it reliably triggers a kernel panic. This suggests that pOOBs4 can easily replace unreliable kernel exploits in other firmwares.

Just set up the firmware's ROP runner (p.launch_chain()) to execute the chains at trigger_spray() and use that to load the patches instead.
Code:
function trigger_oob() {
    init();
    const chain = new Chain();
    const num_kqueue = 0x1b0;
    const kqueues = new Uint32Array(num_kqueue);
    const kqueues_p = get_view_vector(kqueues);

    for (let i = 0; i < num_kqueue; i++) {
        chain.push_syscall('kqueue');
        chain.push_gadget('pop rdi; ret');
        chain.push_value(kqueues_p.add(i * 4));
        chain.push_gadget('mov dword ptr [rdi], eax; ret');
    }
    chain.push_end();
    chain.run();
    chain.clean();

    const AF_INET = 2;
    const SOCK_STREAM = 1;
    // socket descriptor
    chain.syscall('socket', AF_INET, SOCK_STREAM, 0);
    const sd = chain.return_value;
    // 0x100 <= sd < 200
    // pOOBs4 wasn't checking the higher 32 bits, pretty sure they want to
    // since (maybe) they are trying to manipulate kqueue_expand()
    if (sd.low() < 0x100 || sd.low() >= 0x200 || sd.high() !== 0) {
        die(`invalid socket: ${sd}`);
    }
    debug_log(`socket descriptor: ${sd}`);

    // spray kevents
    const kevent = new Uint8Array(0x20);
    const kevent_p = get_view_vector(kevent);
    kevent_p.write64(0, sd);
    // EV_ADD and EVFILT_READ
    kevent_p.write32(0x8, 0x1ffff);
    kevent_p.write32(0xc, 0);
    kevent_p.write64(0x10...
PSFree WebKit Exploit for PS4, QuickHEN, Lua Lapse PS4 / PS5 Kernel Exploit & Laps3c0re / Y2JB
This weekend PS4 Scene developer @CelesteBlue announced on Twitter news of a PSFree WebKit Exploit for PS4 6.00 to 9.60 crediting Sergei Glazunov and Maddie Stone (Twitter) of Project Zero for discovering the vulnerability, anonymous for writing the PSFree Exploit and himself for testing, porting and improvements alongside a QuickHEN PS4 collection incoming of WebKit exploits for PlayStation 4 System Software versions between 3.15 and 9.60 with Kernel exploits between 3.15 and 9.00 only albeit requiring more work and Laps3c0re which is a port of the Lapse kernel exploit implementation by abc using Mast1c0re by McCaulay as an entry point and Y2JB Userland code execution by Gezine using the PS5 YouTube (USA) app v1.03 PKG crediting Remote_Lua_Loader. 🔥

Download: psfree-1.2.0.zip (39.93 KB) / GIT / PSFree Exploit (Live Demo) via @zecoxao on Twitter / psfree-beta2.7z (16.34 KB) via...
Back
Top