PSXHAX

We'll use this as a discussion (non-news) thread for now on the CVE-2017-2491 / CVE-2017-2536 Spread Overflow Exploit WebKit bugs by Phoenhex.

While the earlier PS4 4.70 WebKit Exploit GIT by LordYusei doesn't appear complete, so it is unable to be tested and verified, @GritNGrind let us know in the Shoutbox that he tested the Phoenhex GIT on his PS4 4.50 and 4.55 consoles and says he can get them to hang the browser without a crash.

Some other feedback / thoughts from him on it:
  • Once you leave the browser using the PS button you can't come back in; as a matter of fact, you can't do anything but shut down the PS4.
  • You can keep hitting the PS button and see the menus, but can't click on them; then I had to pull the plug on the PS4.
  • Someone crafty could use this for sure.
  • Tested on 3.55 with no luck; my guess is it's on an older WebKit and not compatible with this newer code.
And also from @Chaos Kid on this:
  • Change array at x8.
  • And yes, even though the system is in a frozen state it's not completely frozen, which leaves it vulnerable.
If anyone else gives this a try let us know your results below! :geek:
 
I also tried this one; on 4.70 the browser gets an out of memory error and will continue to do so. Guessing it is filling RAM... I don't really know.
 
There are some older posts on PS4 crashes like those; here are a few of them:
Without a user/kernel exploit they aren't much use to escape the PS4 sandbox, unfortunately.

Also, here's another GitHub that @ryan111 ran across which can be used to set up a fuzzer over XAMPP for those who want to experiment with it on the PS4.

He notes the config has to be updated because it's outdated, in case anyone gives it a try.
 
So, as most of us know, WebKit exploits are great ;)

Last night I was playing The Crew, and in the garage where one edits vehicles I found something very interesting: I opened a built-in web browser that connects to Uplay, built into the game. I already spoofed the web address to go to other web addresses. Now, I'm no good with CVEs or really how to execute one... BUT this built-in web browser in The Crew... does anyone think it is a good place to look for exploits?
 
After taking a slight break from working on an in-browser hex editor for FW 3.55, I decided to tackle this problem: MrV1rus encrypted his index.php file, and in doing so managed to make exploits run 40-50% more often. Seeing as exploits only tended to run 20-30% of the time on my system, this was a huge improvement. Exploits using this system only ever fail once or twice. I've come here to post how to decrypt the file, and more importantly, encrypt it!

No disrespect meant to MrV1rus, but if this works for everyone like it works for me, I don't think it should be a hidden matter. Thank you all for your time!!!
 
Wait, what? It was only encrypted as people kept claiming it was their work o.0

You, sir, have wasted your time when all you had to do was message the owner for the decrypted source.
 
You, sir, have wasted your time when all you had to do was message the owner for the decrypted source.

Maybe, but it was a FUN break, which is why I did it: I was frustrated over my work, so I did this. This is more than a decrypted source; that's not what I cared for. I did this so I could write the encryption method.

You can EASILY find the decrypted source by just loading the web page in Firefox, inspecting the element, and copy/pasting the HTML that is output from this.
 