Following my previous guide, here is another tutorial as requested covering how to add your choice of payload into PS4 playground for ESP8266.

Again I use treyjazz's sample webpage for this tutorial (in the 'data' folder inside PS4Exploit).
  • I suggest you download Notepad++ for code editing. Download and install.
  • So now navigate to the 'data' folder. You will see a bunch of files (.js and .html) in it. The webpage you see on the ESP8266 is coded in 'index.html'. So find 'index.html', right-click on it, and click 'Edit with Notepad++'.
  • Now double-click on 'index.html' and the page will open in your browser.
  • Now compare the code and the webpage side by side.
  • You can now understand a bit how they relate. In the code, the parts I highlighted in colour are the text shown in the webpage. Each payload option has a different index source. For example, HEN points to 'xvortex-hen-index.html'. So now find 'xvortex-hen-index.html' in the folder.
  • You will see files with the same name 'xvortex-hen-'. Those are the HEN exploit files required to exploit your PS4. And you see files with other names too.
  • The different names separate the exploit files so they don't get mixed up.
  • OK, back to our example, the HEN exploit. Right-click on 'xvortex-hen-index.html' and scroll down to the bottom.
  • You can see some .js files mentioned in the code. It means the webpage calls the .js files during the execution of the exploit. Each payload type has its own files to execute.
Just imagine:
Code:
index.html
|
| (When you selected HEN)
|
xvortex-hen-index.html
|
|        (calling)
|
|-------------------------------
|xvortex-hen-expl.js           |
|xvortex-hen-gadgets.js        |
|xvortex-hen-rop.js            |
|xvortex-hen-payload.js        |
--------------------------------
|
|
HEN exploit done
So how do you add the payload of your choice?
  • First, prepare the exploit files you want to add. For example, you want to add the Linux Loader payload.
  • Let's say you already have the Linux payload and other files.
  • To prevent the files from mixing up, rename the files.
  • Open 'linux-index.html' with Notepad++ and scroll to the bottom. Insert all the .js files required for the exploit and save it.
  • Now open 'index.html' with Notepad++ and now we add the new payload option in the webpage and save it.
  • To test our webpage, simply double-click 'index.html' to view the webpage.
  • We have new payload option for Linux Loader :)
So that is basically how it works. You can add any payloads you want including 4.05 payloads. Hope this helps. Sorry for my English :rolleyes:

My brain just stopped functioning right now. :):):):)

 

Comments

@pearlxcore Sure 5.05 exploit process differs, but Mira payload still exists in js format with all supportive files. Other payloads are released in html or bin format. However, I've already made beta firmware with Mira, separate HEN (it's more stable), dumper and ftp payloads.
 
But what about payloads existing only in bin format? I tried to import the new backup payload into my 5.05 ESP-Firmware, but there is no payload in html-format, so I converted the bin with bin2js, analysed the html-payload (I used blocker html as example) and replaced the existing payload-code with this one from the backup-js-file. But it doesn't work.

Then I cleaned the code as you did it @Keeperdy with FTP+RW. But that doesn't work either. How can I manage that? Thanks!
 
@pearlxcore Thanks! Great work! Are the js-supportfiles from backup and app2usb equal, so that I can use only one file-set for both payloads (It's for saving space)?
 