PS3 Jailbreaking | Thread starter: PSXHAX | Start date: Aug 7, 2017 at 2:49 AM
Status
Not open for further replies.
Following his PS3 OFW PSID Dump Tool Tutorial and recent d0 / d1 pdb file findings, PlayStation 3 developer @esc0rtd3w (Twitter) has set up some new work-in-progress GitHub forks for a PS3 WebKitSploit and a PS3 Playground port.

Download: ps3-webkitsploit-master.zip / PS3 WebKitSploit GIT / ps3-playground-master.zip / PS3 Playground GIT / Websploit.org / PS3 Playground Test Page / PS3 Webkit POC / PlayStation 3 Browser Investigation

The PS3 WebKitSploit is based on original PS4 code from Cryptogenic and qwertyoruiopz, focusing on PS3 3.xx / 4.xx code execution, while the PS3 Playground WebKit exploit port is based on CTurt's and Cryptogenic's PS4 code.

From the README.md file, to quote:

PS3 Playground

A collection of PS3 tools and experiments using the WebKit, Flash, and other options.
We are only testing on firmware 4.81 at the moment.

THIS REPO IS FOR THE PUBLIC PS3 COMMUNITY TO EXPLORE AND TEST ON THEIR OWN

OUR TEAM IS CURRENTLY WORKING ON THIS PROJECT PRIVATELY AND WILL UPDATE WHEN FINISHED!

FOR A LIVE DEMO WITH PUBLIC TESTS TO TRY OUT, PLEASE VISIT: http://www.websploit.org/ps3/ps3-playground/test/

There are a lot of files here for reference and exploration.

Once more testing has been done, these will be cleaned up over time.

CREDITS:

Inspired by original work from CTurt (https://github.com/CTurt/PS4-playground/) and Cryptogenic (https://github.com/Cryptogenic/PS4-Playground-3.55)

Original (Outdated) Information:
If anyone can lend him a hand on GitHub that would be much appreciated, and cheers to @B7U3 C50SS, @Bultra and @spyro2670 for the heads-up in the PSXHAX Shoutbox earlier today!
 

Comments

Well, if no CFW can be achieved on the Super Slim, then downgrading to 4.50 is the best option to run backup games through the backup injection process. Also, you could grab your IDPS just in case you need it. Some people say you can run backup games on 4.70 and below consoles through backup injection and then upgrade to 4.81, and the games will still work, so you can play online, but there is a risk of a ban.
 
You will not be banned. And, as far as I know, with the ps3proxy tool (an update bypass) and firmware 4.70 you can continue to go online. You just have to create a text file and change the ps3-update.txt.
 
The main reason is that all team members must approve before release to the public. The second reason is that we need to get a graceful return back from the exploit in order to enable things like buttons for doing stuff on the web page.

I'll elaborate on this for them. To my knowledge, one of the biggest difficulties in finding exploits comes from the type of exploit that needs to be found. So, for example, finding a simple vulnerability in a web browser or things like that actually is not all that difficult. The difficulty is finding one that can be USED to do something.

For example, many different vulnerabilities exist, but the basic concept is that you have to manipulate the system to either inject or modify data to do something you want to be done. However, most vulnerabilities also come with limitations. I will give some over-simplified examples.

For example, if a certain use after free somehow uses a namespace that can hold exactly 32 bytes of data, and a loader to take over user space needs 64 bytes of data (over-simplified example, as I said), then you either need a second vulnerability, need to be able to use said vulnerability more than once to set it up, or have to find a new vulnerability entirely if it can only be used once.

But this is only the beginning. There are also some vulnerabilities that do things that the system itself will not stabilize with and will immediately halt. These are called breakpoints, and they are devastating. You can get an entire vulnerability set up, think it works, and when you run it...you hit a breakpoint and cannot properly return from it because the system hard crashes or halts.

This is NOT the same as when a system becomes unstable or slows to a crawl because you can still run code on a system that returns but becomes unstable. When it hard locks, that's it, end of the ball game.

So, what I'm saying is, the reason some of these exploits have to be cleanly polished and worked on is because these guys aren't finding simple vulnerabilities. They have to find vulnerabilities that are able to do exactly the kinds of things they are trying to do or can build to the type of exploit they want to create. I don't know exactly how much code is needed to gain access to each level, but as I said before, they have to find ways to either move or inject code to memory in a way that this can happen and they can get a STABLE return from the setup, or be able to syscall soft restart into a stable environment, as they said.

I hope this explains a little bit more to you guys about what they are trying to do, and why patience is important.

PS: This is explained in this way because it seems they are using classic exploits instead of ROP style. If they're using ROP it's a bit different in that they aren't injecting code, they're re-using code that already exists in memory. I believe it's classic though.
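The staging problem described in the comment above (a primitive that can only carry 32 bytes per trigger, a loader that needs 64, and the need to know up front whether the bug can be fired often enough) can be modelled without any real exploit. The following is an added illustration written for this page, not code from the PS3 Playground or WebKitSploit repositories or from the commenter. It assumes a hypothetical size-limited, possibly single-use write primitive, simulated against a plain Uint8Array; the class and function names are invented for the example, and the only real-world point it demonstrates is the discipline of planning the whole staging before the first write and verifying the image afterwards, so that a payload that cannot fit is rejected before memory is touched rather than after a half-written loader.

```javascript
// Added illustration (not code from the PS3 Playground repo or the post above):
// a payload loader that must work through a size-limited write primitive.
// The "primitive" is a simulated arbitrary write that delivers at most
// `chunkLimit` bytes per trigger and can fire at most `maxUses` times, standing
// in for the comment's hypothetical 32-byte use-after-free. "Target memory" is
// just a Uint8Array; nothing here touches a real browser or console.

class LimitedWritePrimitive {
  constructor(memory, chunkLimit, maxUses) {
    this.memory = memory;          // simulated target address space
    this.chunkLimit = chunkLimit;  // bytes one trigger of the bug can deliver
    this.maxUses = maxUses;        // how often the bug can be re-triggered (Infinity = reusable)
    this.uses = 0;
  }

  // One trigger of the bug: write `bytes` at `addr`. Exceeding the limits is
  // treated as a crash (throw), not as a partial write, like a real primitive.
  write(addr, bytes) {
    if (this.uses >= this.maxUses) throw new Error('primitive exhausted');
    if (bytes.length > this.chunkLimit) throw new Error('chunk exceeds primitive capacity');
    if (addr < 0 || addr + bytes.length > this.memory.length) throw new Error('write out of bounds');
    this.memory.set(bytes, addr);
    this.uses += 1;
  }
}

// Plan the staging before touching memory. Returns the number of writes needed,
// or throws if the primitive cannot carry the payload at all (the comment's
// "you need a second vulnerability" case).
function planStaging(primitive, payloadLength) {
  const chunks = Math.ceil(payloadLength / primitive.chunkLimit);
  const remaining = primitive.maxUses - primitive.uses;
  if (chunks > remaining) {
    throw new Error(`payload needs ${chunks} writes of <= ${primitive.chunkLimit} bytes ` +
                    `but the primitive can only fire ${remaining} more time(s)`);
  }
  return chunks;
}

// Stage `payload` at `base` chunk by chunk, then verify the image in memory
// byte-for-byte before reporting success. Returns a status object a page menu
// could act on (enable buttons only when ok is true).
function stagePayload(primitive, base, payload) {
  const chunks = planStaging(primitive, payload.length);   // fail early, before any write
  for (let i = 0; i < chunks; i++) {
    const start = i * primitive.chunkLimit;
    primitive.write(base + start, payload.subarray(start, start + primitive.chunkLimit));
  }
  const staged = primitive.memory.subarray(base, base + payload.length);
  const intact = staged.every((b, i) => b === payload[i]);
  return { ok: intact, writesUsed: primitive.uses, base, length: payload.length };
}

// Constructed sample: a 64-byte "loader" image (just a recognisable byte pattern).
function samplePayload(length = 64) {
  return Uint8Array.from({ length }, (_, i) => (0xa0 + i) & 0xff);
}

// Reusable 32-byte primitive: two triggers carry the 64-byte loader.
function demoReusable() {
  const prim = new LimitedWritePrimitive(new Uint8Array(256), 32, Infinity);
  return stagePayload(prim, 0x40, samplePayload());
}

// Single-use 32-byte primitive: the plan is rejected up front and memory stays untouched.
function demoSingleUse() {
  const mem = new Uint8Array(256);
  const prim = new LimitedWritePrimitive(mem, 32, 1);
  try {
    stagePayload(prim, 0x40, samplePayload());
    return { rejected: false, writesUsed: prim.uses, memoryUntouched: mem.every(b => b === 0) };
  } catch (e) {
    return { rejected: true, reason: e.message, writesUsed: prim.uses, memoryUntouched: mem.every(b => b === 0) };
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demoReusable());
  console.log(demoSingleUse());
}
```

Run it with `node` to see both outcomes. The design choice worth copying into a real port is the split between `planStaging` and the write loop: the budget check happens once, before the first trigger, so the failure mode is a clean error the page can display rather than a half-staged loader and a console that has to be power-cycled.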
 