PS4 Jailbreaking · Thread starter: PSXHAX · Start date: Mar 8, 2019 at 1:50 PM
Following the release of PS4 Firmware 6.50, and after his previous PS4 Exploit Documentation, GH Clone Demo, 6.20 Dev Build Strings and 6.50 Dev Build Strings, today @SpecterDev released via Twitter, as promised, a PS4 6.20 WebKit Code Execution Exploit PoC (Proof-of-Concept) that uses CVE-2018-4441 to obtain RCE, crediting lokihardt for the vulnerability used.

In the Tweets below he states that, unlike the PS4 6.XX JSC_ConcatMemcpy WebKit Exploit, which wasn't a complete exploit, this one grants code execution in userland for PS4 scene developers! :love:

Download: PS4-6.20-WebKit-Code-Execution-Exploit-master.zip / GIT / Live Demo / 6.20-FS.zip (323 MB - FULL 6.20 Fs with modules, decrypted) / Kernel_Dump_620-1.zip (20.5 MB - 6.20 kernel) / 6.20 kernel offsets via LightningMods

:alert: For newbs: This is a 6.20 PS4 WebKit (userland) exploit and not a kernel-level exploit, meaning that until a fully implemented 6.20 kernel exploit is publicly available you won't be able to jailbreak these PlayStation 4 consoles, so don't update!

:idea: Also, for those who have already updated: if you can't get a second jailbroken console to run PS4 game backups, then while you're waiting for a PlayStation 4 jailbreak (no ETA) it's recommended to get a Verified Badge via Discord to access the private areas.

To quote from the README.md:

PS4 6.20 WebKit Code Execution PoC

This repo contains a proof-of-concept (PoC) RCE exploit targeting the PlayStation 4 on firmware 6.20 leveraging CVE-2018-4441. The exploit first establishes an arbitrary read/write primitive as well as an arbitrary object address leak in wkexploit.js.

It will then set up a framework to run ROP chains in index.html and by default will provide two hyperlinks to run test ROP chains: one for running the sys_getpid() syscall, and the other for running the sys_getuid() syscall, to get the PID and user ID of the process respectively.

Each file contains a comment at the top giving a brief explanation of what the file contains and how the exploit works. Credit for the bug discovery is to lokihardt from Google Project Zero (p0). The bug report can be found here.

Note: It's been patched in the 6.50 firmware update.

Files

Files, in alphabetical order by name:
  • index.html - Contains post-exploit code, going from arb. R/W -> code execution.
  • rop.js - Contains a framework for ROP chains.
  • syscalls.js - Contains an (incomplete) list of system calls to use for post-exploit stuff.
  • wkexploit.js - Contains the heart of the WebKit exploit.
Notes
  • This vulnerability was patched in 6.50 firmware!
  • This only gives you code execution in userland. This is not a jailbreak nor a kernel exploit, it is only the first half.
  • This exploit targets firmware 6.20. It should work on lower firmwares; however, the gadgets will need to be ported, and the p.launchchain() method for code execution may need to be swapped out.
  • In my tests the exploit as-is is pretty stable, but it can become less stable if you add a lot of objects and such into the exploit. This is part of the reason why syscalls.js contains only a small number of system calls.
Usage

Set up a web server hosting these files on localhost using XAMPP or any other program of your choosing. Additionally, you could host it on a server. You can access it on the PS4 by either:
  1. Fake DNS spoofing to redirect the manual page to the exploit page, or
  2. Using the web browser to navigate to the exploit page (not always possible).
Vulnerability Credit

I wrote the exploit; however, I did not find the vulnerability. As mentioned above, the bug (CVE-2018-4441) was found by lokihardt from Google Project Zero (p0) and was disclosed via the Chromium public bug tracker.

Resources
Thanks
  • lokihardt - The vulnerability
  • st4rk - Help with the exploit
  • qwertyoruiop - WebKit School
  • saelo - Phrack paper
PS4 6.20 WebKit Proof of Concept (PoC) via Stefanuk12

Comments

Guys, you forget that the majority who use backups will never buy those games, not because of the backups but because they don't want to waste money on them; actually, most of them just buy a PS4 to run backups, and if that weren't possible they would never have bought it.
Sony knows this, and if she wants to sell more and more consoles at the end of life of the PS4, she knows how :)
 
I was using memcpy with another bug in 6.20, with the video app bug, to crash the system and reboot it,

thus it's dumping the system.
 
@Chaos Kid

I thought it was established that JB isn't hurting game sales too much. A good majority of sales are done either pre-release or around release, with exceptions like R* games. Any JB should always be 5 steps behind the latest FW, thus not really impacting sales.

On average, single-player campaigns are 6-15 hrs, whereas the online aspect of the same game can be hundreds of hours, plus the unique rewards, bonuses etc. on offer. So there is still very good incentive to buy games.

I own 2 PS4 consoles, one on 5.05 and the other on the latest, with 40+ purchased games; regardless of any JB I will still continue to support DEVS... minus EA.
 
A lot of people's only intent is to back up games, which I understand, as $70 a game is expensive, but the need for backups doesn't speak well for having a modded system. I mod systems for the point of Linux and don't care too much for game backups or playing many games.

I see a modded system can be used for our old retro games to be ported too, but when you see it can be done on Raspbian and others, I see it as a bit pointless for a new console. PSNow offers so much for a gamer's heaven that the need for an actual CFW system is at the point of pointless.

To be honest I'm surprised people never took a look at the PSNow option and flashed console A onto console B for it, yet giving them tons of dollars' worth of PlayStation games. As wrong as it would be, it was just a thought.
 
WOW, great news! We have to thank these guys for the hard work and for making this public; this without doubt is a step into the kernel. We can't be hypocrites saying such things, we have to recognize their hard work. Really, thanks boys, we are here if you need us too :)
 
I don't think this is a step towards anything. The kexploit will not be released publicly until Sony patches it. Sony won't patch it because they know it will then be released publicly. When the PS5 is out and no one cares about the PS4, you will see it released.
 
Any progress in the scene is a step forward. Crapping on people's hard work only kills the scene and makes devs care less about releasing anything.

Stop stating the obvious. This is not a kexploit (which was told to everyone in the original post). Stop complaining. If you have something to bring to the scene then do it. Otherwise “sit down, be humble”. You are lucky you received what you have so far from these devs. Either use it, contribute, or shut up with the complaints that this is not what you wanted.
 