Following my previous guide, here is another tutorial as requested covering how to add your choice of payload into PS4 playground for ESP8266.

Again I use treyjazz's sample webpage for this tutorial (in the 'data' folder inside PS4Exploit).
  • I suggest you download Notepad++ for code editing. Download and install.
  • So now navigate to the 'data' folder. You will see a bunch of files (.js and .html) in it. The webpage you see on the ESP8266 is coded in 'index.html'. So find 'index.html', right-click on it, and click 'Edit with Notepad++'.
Adding Your Choice of Payloads Into PS4 Playground for ESP8266 1.png

  • Now double-click on 'index.html' and the page will open on your browser.
Adding Your Choice of Payloads Into PS4 Playground for ESP8266 2.png

  • Now compare the code and the webpage side by side.
Adding Your Choice of Payloads Into PS4 Playground for ESP8266 3.png

  • You can now understand a bit how they relate. In the code, the parts I highlighted in colour are the text shown on the webpage. Each payload option has a different index source. For example, HEN points to 'xvortex-hen-index.html'. So now find 'xvortex-hen-index.html' in the folder.
Adding Your Choice of Payloads Into PS4 Playground for ESP8266 4.png

  • You will see files with the same name prefix 'xvortex-hen-'. Those are the HEN exploit files required to exploit your PS4. And you will see files with other names too.
Adding Your Choice of Payloads Into PS4 Playground for ESP8266 5.png

  • The different names keep the exploit files separate so they don't get mixed up.
  • OK, back to our example, the HEN exploit. Right-click on 'xvortex-hen-index.html' and scroll down to the bottom.
Adding Your Choice of Payloads Into PS4 Playground for ESP8266 6.png

  • You can see some .js files mentioned in the code. It means the webpage calls those .js files during execution of the exploit. Each payload type has its own files to execute.
Just imagine :
Code:
index.html
|
| (When you selected HEN)
|
xvortex-hen-index.html
|
|        (calling)
|
|-------------------------------
|xvortex-hen-expl.js           |
|xvortex-hen-gadgets.js        |
|xvortex-hen-rop.js            |
|xvortex-hen-payload.js        |
--------------------------------
|
|
HEN exploit done
So how do you add the payload of your choice?
  • First, prepare the exploit files you want to add. For example, say you want to add the Linux Loader payload.
  • Let's say you already have the Linux payload and other files.
Adding Your Choice of Payloads Into PS4 Playground for ESP8266 7.png

  • To prevent the files from getting mixed up, rename them.
Adding Your Choice of Payloads Into PS4 Playground for ESP8266 8.png

  • Open 'linux-index.html' with Notepad++ and scroll to the bottom. Insert all the .js files required for the exploit and save it.
Adding Your Choice of Payloads Into PS4 Playground for ESP8266 9.png

  • Now open 'index.html' with Notepad++, add the new payload option to the webpage and save it.
Adding Your Choice of Payloads Into PS4 Playground for ESP8266 10.png

  • To test our webpage, simply double-click 'index.html' to view it.
Adding Your Choice of Payloads Into PS4 Playground for ESP8266 11.png

  • We have a new payload option for Linux Loader :)
So that is basically how it works. You can add any payload you want, including 4.05 payloads. Hope this helps. Sorry for my English :rolleyes:

My brain just stopped functioning right now. :):):):)

 

Comments

Thank you for your response.
Yes, I noticed that about "python js_shellcode.py payload.bin code_addr" too.

So even if the hex numbers are totally different with "python js_shellcode.py payload.bin addr" compared to "bintojs64.exe payload.bin code_addr", you're saying that it will still work?

First 3 lines of shellcode with bin2js64 gives:
Code:
p.write4(addr.add32(0x00000000), 0x000353e9);
p.write4(addr.add32(0x00000004), 0x0f2e6600);
p.write4(addr.add32(0x00000008), 0x0000841f);
(Yes, the "function writeHomebrewEN(p, addr) {" part and the closing brace have to be added by the user manually)

First 4 lines of shellcode with js_shellcode.py gives:
Code:
function writeHomebrewEN(p, addr) {
    p.write4(addr.add32(0x00000000), 0xe9000000);
    p.write4(addr.add32(0x00000004), 0x00000353);
    p.write4(addr.add32(0x00000008), 0x1f0f2e66);

I will try it to convince myself. Thank you for your patience.
 
@manny9 Or you just follow specter’s command:

python js_shellcode.py payload.bin code_addr

Then rename all 'code_addr' to 'addr'. I'm using Notepad++ to do that, and yes, the exploit works.

Sorry, I didn't intend to confuse you. I'm also still wondering why we don't just use addr in the first place. Thanks for letting me know that both commands produce different values.

Do some tests and report back here. Thanks.
 
@pearlxcore Why do you include all the js files like rop/kernel/mira etc. in every folder? As I understand it, the converter makes homebrew.js, the main exploit (previously payload.js), and we also need some supporting files like rop and userland.
 
@pearlxcore Hey bud, sorry, but do you have a 5.05 GitHub repository where all the folder files you have are? I love the way you put everything in folders. Everybody else just does bins, so thanks for that!! I just wanted to see if you had a GitHub for 5.05 set up.

thanks
 
@pearlxcore Yeah, that's why I was asking about it. Moreover, Stooged has now also released HTML versions of the app2usb and backup payloads on his GitHub. So, the principles of bin payload conversion have changed!!!
 
@pearlxcore:

As I suspected (since the values are totally off), "python js_shellcode.py payload.bin addr" produces a homebrew.js that does NOT work.

When I click on DB_SG_Backup, I get that circling thing but it always ends up saying the same thing, that there's not enough system memory...

I tried a few times, rebooting the PS4, rebooting the ps4-exploit-host.exe, same thing.

So, people should use your bin2js exe instead, if they want to convert a bin payload to .js successfully.

;)
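The two converter outputs quoted above (the three bin2js64 words and the three js_shellcode.py words) can be compared directly by decoding them back into the bytes they would leave in memory. The block below is an added example, not code from this thread or from either converter: it assumes write4() stores each 32-bit value little-endian (as on x86-64), takes the word values exactly as quoted in the post, and everything else in it is constructed for the comparison.

```javascript
// Added example, not code from the thread or from either converter.
// Assumption: write4() stores a 32-bit value little-endian (x86-64 layout).
// The two word lists are copied from the post above.
const BIN2JS64_WORDS = [0x000353e9, 0x0f2e6600, 0x0000841f];
const JS_SHELLCODE_WORDS = [0xe9000000, 0x00000353, 0x1f0f2e66];

// Expand a list of write4() words into the bytes they would leave in memory.
function wordsToBytes(words) {
  const bytes = new Uint8Array(words.length * 4);
  const view = new DataView(bytes.buffer);
  words.forEach((w, i) => view.setUint32(i * 4, w >>> 0, true)); // true = little-endian
  return bytes;
}

// The packing a converter is expected to do: 4 bytes -> 1 little-endian word,
// zero-padding a trailing partial word.
function bytesToWords(bytes) {
  const padded = new Uint8Array(Math.ceil(bytes.length / 4) * 4);
  padded.set(bytes);
  const view = new DataView(padded.buffer);
  const words = [];
  for (let off = 0; off < padded.length; off += 4) {
    words.push(view.getUint32(off, true));
  }
  return words;
}

function toHex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join(' ');
}

// Smallest k such that candidate[k..] matches the start of reference over the
// overlapping region (at least 4 bytes), or -1 if the streams never line up.
function shiftBetween(reference, candidate) {
  for (let k = 0; k < candidate.length; k++) {
    const overlap = Math.min(candidate.length - k, reference.length);
    if (overlap < 4) break; // too little data left to call it a match
    let matches = true;
    for (let i = 0; i < overlap; i++) {
      if (candidate[k + i] !== reference[i]) { matches = false; break; }
    }
    if (matches) return k;
  }
  return -1;
}

// Round-trip check: the words should survive decode/encode unchanged.
function roundTripOk(words) {
  return bytesToWords(wordsToBytes(words)).join(',') === words.join(',');
}

const binBytes = wordsToBytes(BIN2JS64_WORDS);
const pyBytes = wordsToBytes(JS_SHELLCODE_WORDS);
console.log('bin2js64     :', toHex(binBytes));
console.log('js_shellcode :', toHex(pyBytes));
console.log('byte shift   :', shiftBetween(binBytes, pyBytes));
```

Run it with node. The shift comes out as 3: the js_shellcode.py words decode to the same byte stream as the bin2js64 words, but with three zero bytes in front, so every payload byte would be stored three positions later than the bin2js64 output places it. The thread does not confirm that this is why that homebrew.js failed, but a misaligned byte stream is the first thing to check whenever two converters disagree on the same input.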
 
@manny9 Now I'm a bit confused lol. Did the program I shared produce working js or not?

@Keeperdy Stooged's standalone HTML should be more stable, I guess.

Btw, why does their single HTML exploit contain code in only a single line? o_O
 