Category PS4 Jailbreaking       Thread starter PSXHAX       Start date Mar 8, 2019 at 1:50 PM       191,028       323            
Status
Not open for further replies.
Proceeding the release of PS4 Firmware 6.50, his previous PS4 Exploit Documentation, GH Clone Demo, the 6.20 Dev Build Strings and 6.50 Dev Build Strings as promised today @SpecterDev released via Twitter a PS4 6.20 WebKit Code Execution Exploit PoC (Proof-of-Concept) using CVE-2018-4441 to obtain RCE crediting lokihardt for the vulnerability used.

From the Tweets below, he states that unlike the PS4 6.XX JSC_ConcatMemcpy WebKit Exploit which wasn't a complete exploit, this one grants code execution in userland for PS4 scene developers! :love:

Download: PS4-6.20-WebKit-Code-Execution-Exploit-master.zip / GIT / Live Demo

:alert: For newbs: This is a 6.20 PS4 WebKit (Userland) exploit and not a Kernel-level exploit, meaning until a fully implemented 6.20 Kernel exploit is publicly available you won't be able to jailbreak these PlayStation 4 consoles so don't update!

:idea: Also for those that updated already, if you can't get a second jailbroken console to run PS4 game backups then while you're waiting for a PlayStation 4 jailbreak (no ETA) it's recommended to get a Verified Badge via Discord to access the private areas.

To quote from the README.md: PS4 6.20 WebKit Code Execution PoC

This repo contains a proof-of-concept (PoC) RCE exploit targeting the PlayStation 4 on firmware 6.20 leveraging CVE-2018-4441. The exploit first establishes an arbitrary read/write primitive as well as an arbitrary object address leak in wkexploit.js.

It will then setup a framework to run ROP chains in index.html and by default will provide two hyperlinks to run test ROP chains - one for running the sys_getpid() syscall, and the other for running the sys_getuid() syscall to get the PID and user ID of the process respectively.

Each file contains a comment at the top giving a brief explanation of what the file contains and how the exploit works. Credit for the bug discovery is to lokihardt from Google Project Zero (p0). The bug report can be found here.

Note: It's been patched in the 6.50 firmware update.

Files

Files in order by name alphabetically;
  • index.html - Contains post-exploit code, going from arb. R/W -> code execution.
  • rop.js - Contains a framework for ROP chains.
  • syscalls.js - Contains an (incomplete) list of system calls to use for post-exploit stuff.
  • wkexploit.js - Contains the heart of the WebKit exploit.
Notes
  • This vulnerability was patched in 6.50 firmware!
  • This only gives you code execution in userland. This is not a jailbreak nor a kernel exploit, it is only the first half.
  • This exploit targets firmware 6.20. It should work on lower firmwares however the gadgets will need to be ported, and the p.launchchain() method for code execution may need to be swapped out.
  • In my tests the exploit as-is is pretty stable, but it can become less stable if you add a lot of objects and such into the exploit. This is part of the reason why syscalls.js contains only a small number of system calls.
Usage

Setup a web-server hosting these files on localhost using xampp or any other program of your choosing. Additionally, you could host it on a server. You can access it on the PS4 by either;
  1. Fake DNS spoofing to redirect the manual page to the exploit page, or
  2. Using the web browser to navigate to the exploit page (not always possible).
Vulnerability Credit

I wrote the exploit however I did not find the vulnerability, as mentioned above the bug (CVE-2018-4441) was found by lokihardt from Google Project Zero (p0) and was disclosed via the Chromium public bug tracker.

Resources
Thanks
  • lokihardt - The vulnerability
  • st4rk - Help with the exploit
  • qwertyoruiop - WebKit School
  • saelo - Phrack paper
PS4 6.20 WebKit Proof of Concept (PoC) via Stefanuk12
PS4 6.20 WebKit Code Execution Exploit PoC by SpecterDev!.jpg
 

Comments

Status
Not open for further replies.

ecffg2010

Senior Member
Contributor
Verified
Kexploit hasn’t been fixed, just this Webkit exploit. Waiting continues. On the plus side, when it drops someday in the future, we’ll be able to play more games XD
 

skinnybiggs

Senior Member
Contributor
Russians have rest mode exploit but wont let it out of there entrusted circle :( ....its working for all firmwares .. great work on webkit exploit nice to see share findings scene will be busted wide open soon enough ps5 is edging closer and closer to release
 

sanyo23

Senior Member
Contributor
russians already have tlou2 too :p this webkit means 0 to breaking the ps4 but have a sublime message from specter:

1. he is on low profile but is not sleeping;
2. he says that have things only when he can release them to public (maybe, the others, should start looking to this man)
3. and with this, who says to us that he doesnt have more than this? but he probably isnt a regular kid that need to go to twitter saying "oh oh "i found it" bye, until next year"
 
Status
Not open for further replies.
Recent Articles
Ninja Shodown PS4 Homebrew Game in Development, Demo by Markus95
Since the PCSX-R Emulator PS4 PKG release, PlayStation 4 developer @Markus95 (aka @Kus00095) shared a demonstration video of a new homebrew game in development for PS4, PS Vita and Nintendo Switch...
Red Dead Redemption 2 Modding Demos by RDR2 Modder JediJosh920
Following the Spider-Man PS4 Models & Textures Tool and IG PS4 Modding Tools, this weekend RDR2 modder @jedijosh920 (Web site / Twitter) shared on his YouTube Channel some demonstration videos of...
Action-RPG Oninaki Joins New PlayStation 4 Games Next Week
Next week Tokyo RPG Factory's latest action-RPG Oninaki hits PlayStation 4 on August 22nd casting you as a Watcher, tasked with helping usher the souls of the departed into their next life. 🗼...
Electric Purple, Red Camouflage, Titanium Blue & Rose Gold DS4 Controllers!
Earlier this year we saw an Alpine Green DualShock 4 PS4 Controller, and now Sony announced their latest batch of DualShock 4 PS4 Controllers will include Electric Purple, Red Camouflage, Titanium...
Top