Category: PS4 Jailbreaking | Thread starter: PSXHAX | Start date: Oct 21, 2017 at 12:50 AM
Yesterday we saw the disclosure of a 4.05 PS4 Kexec, and combined with a userland exploit such as the JailbreakMe PS4 4.0x WebKit RCE, the PlayStation 4 scene is eagerly awaiting a public PlayStation 4 Jailbreak for Firmware 4.05 to surface. :D

In the meantime, following Porting JailBreakMe and Breaking Down PS4 4.0x WebKit Exploit, PlayStation 4 developer @SpecterDev shared on Twitter a PS4 NamedObj kernel exploit strategy overview covering the 4.05 Kernel Exploit that Fail0verflow released. :ninja:

To quote from the NamedObj Kernel Exploit Overview.md:

Introduction

So fail0verflow released a writeup today on the namedobj exploit. I and a few others have had this exploit for some time but did not release as we received help indirectly from f0f, so it was not entirely ours to release. Now that it is out however, I'd like to talk about it as it is a really interesting exploit.

Below is not going to be a full write-up, but more of a framework or strategy that those who are interested can use to try to implement this kernel exploit. In due time I will release my implementation after I've edited non-burned components out of the exploit.

The Bug

So the bug is essentially type confusion with the 'kind' field of the 'id_entry' object used in named objects. Named objects are objects that have properties associated with them (such as a name, as you might have guessed) and that point to the real object in the heap. By specifying a type 0x5000 for your object, you can cause type confusion.

You now need to find another area of the kernel that you can abuse to corrupt your object. Luckily, there is sys_mdbg_service(). This will allow you to overwrite the lower 32 bits of a pointer that you can later free() with sys_namedobj_delete(). This allows you to create a use-after-free situation that you can use to obtain code execution by spraying fake objects on the heap and corrupting a function pointer.

Strategy

A good strategy for exploiting this bug is as follows:
  1. Leak a target object from the kernel heap that not only has function pointers you can corrupt, but ideally is also easy to fake to avoid crashing the kernel.
  2. Create type confusion via sys_namedobj_create() with the 0x5000 (or 0x4000 due to the bitwise OR) flag.
  3. Set up a kernel ROP chain in userland. Ideally in this ROP chain you want to disable kernel write protection, make desired patches (such as RWX memory mapping), and pivot to return to userland successfully.
  4. Overwrite the lower 32 bits in your object with sys_mdbg_service() with the lower 32 bits of your target object's address. We cannot overwrite the upper 32 bits; however, luckily the pointer stored here before was a heap pointer anyway, so the upper 32 bits will be set to FreeBSD's heap address prefix (0xFFFFYYYYxxxxxxxx, where YYYY is randomized by ASLR at boot).
  5. Trigger the free() via sys_namedobj_delete().
  6. Spray your fake object on the heap with a function pointer pointing to your kROP chain created earlier.
  7. Find a function that uses the object you corrupted and trigger the function pointer to be read.
  8. You now have code execution, and your kROP chain is running in ring0! Yay!
  9. Fix your free()'d object, because if you don't, as soon as WebKit exits the kernel will crash: it will try to free() your object again, leading to a double free().
  10. Return to userland successfully.
Notes
  • You must fix what your exploit did in your kernel ROP chain or a double free() will occur when you exit WebKit, causing a kernel panic.
  • You must make your kernel ROP chain return to userland successfully, or the kernel will crash when your kROP chain is finished executing.
  • Finding an object to leak and exploit blind is VERY difficult. This was the head bashing part for me.
  • I will release an implementation soon but until then, try to implement it yourself and see how far you go, it's a great learning experience! Have fun!
[Image: PS4 NamedObj Kernel Exploit Strategy Overview by SpecterDev]
 
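To make the ten steps above concrete, here is an added example that is not part of SpecterDev's overview, fail0verflow's writeup or this post: a user-space C model of the strategy. Nothing in it talks to a PS4. The "kernel heap" is a tiny LIFO slab zone, the id table and the `kind` values are constructed stand-ins, and `namedobj_create`, `namedobj_delete`, `mdbg_write_low32` and `kernel_use_target` are hypothetical models of the syscalls and kernel paths the overview names, with the assumption (ours, not the writeup's) that a confused-kind entry stays in the table after delete. What it shows is the mechanics: the low-32-bit pointer rewrite only works because both objects share the heap's upper bits, the spray reclaims the freed slot because the zone is LIFO, and skipping the step-9 fix-up produces the teardown double free the Notes warn about.

```c
/* Added example: user-space model of the NamedObj strategy.  All names,
 * constants and layouts are constructed for the model, not the PS4 kernel's. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NSLOTS        16
#define SLOT_SIZE     32
#define NENTRIES      8
#define KIND_CONFUSED 0x5000   /* the confusing kind value from the writeup */

/* Constructed "kernel heap": fixed-size slots handed out LIFO, like a
 * per-size zone, so a spray gets the most recently freed slot back first. */
static uint8_t zone[NSLOTS][SLOT_SIZE];
static int free_stack[NSLOTS];
static int nfree;
static int panic_count;            /* double frees detected */

static void zone_init(void) {
    memset(zone, 0, sizeof zone);
    nfree = 0;
    for (int i = NSLOTS - 1; i >= 0; i--) free_stack[nfree++] = i;
    panic_count = 0;
}
static void *zone_alloc(void) { return nfree ? zone[free_stack[--nfree]] : NULL; }
static void zone_free(void *p) {
    int idx = (int)(((uint8_t *)p - &zone[0][0]) / SLOT_SIZE);
    for (int i = 0; i < nfree; i++)
        if (free_stack[i] == idx) { panic_count++; return; }   /* double free */
    free_stack[nfree++] = idx;
}

/* Step 1's target: an object the kernel later calls through. */
typedef struct target_obj {
    void (*handler)(struct target_obj *self);
    uint64_t cookie;
} target_obj;

typedef struct id_entry {
    uint16_t kind;
    void    *object;               /* heap pointer to the backing object */
} id_entry;

static id_entry table[NENTRIES];
static int ring0_reached;

/* Model of sys_namedobj_create(): records the kind and a fresh heap object. */
static int namedobj_create(uint16_t kind) {
    for (int i = 0; i < NENTRIES; i++)
        if (table[i].object == NULL) {
            table[i].kind = kind;
            table[i].object = zone_alloc();
            return i;
        }
    return -1;
}

/* Model of sys_namedobj_delete(): frees the backing object.  Assumption of
 * this model: an entry whose kind has bit 0x4000 set is not unlinked, so the
 * process teardown below will free it a second time unless it is fixed. */
static void namedobj_delete(int id) {
    zone_free(table[id].object);
    if ((table[id].kind & 0x4000) == 0) table[id].object = NULL;
}

/* Model of the sys_mdbg_service() primitive: only the low 32 bits of the
 * stored pointer are written; the high 32 bits stay as the heap had them. */
static void mdbg_write_low32(int id, uint32_t low) {
    uint64_t v = (uint64_t)(uintptr_t)table[id].object;
    v = (v & 0xFFFFFFFF00000000ULL) | low;
    table[id].object = (void *)(uintptr_t)v;
}

/* Step 7: some kernel path reads the function pointer and calls it. */
static void kernel_use_target(target_obj *t) { t->handler(t); }
static void benign_handler(target_obj *t) { (void)t; }

/* Stand-ins for the kROP chain (step 8).  The fixed variant also does step 9:
 * point the confused entry back at an object that is still allocated, so the
 * teardown frees something valid exactly once. */
static int   g_confused_id;
static void *g_original_object;
static void krop_chain_no_fix(target_obj *t) { (void)t; ring0_reached = 1; }
static void krop_chain_fixed(target_obj *t) {
    (void)t; ring0_reached = 1;
    table[g_confused_id].object = g_original_object;
}

/* Process exit: userland's sprayed objects are released, then the kernel
 * walks the id table and frees whatever is still referenced. */
static void process_exit(target_obj **spray, int n) {
    for (int i = 0; i < n; i++) zone_free(spray[i]);
    for (int i = 0; i < NENTRIES; i++)
        if (table[i].object) { zone_free(table[i].object); table[i].object = NULL; }
}

/* Returns 0 if code execution was not reached, 1 if it was and teardown was
 * clean, 2 if it was but teardown double-freed (the kernel panic case). */
int run_strategy(int apply_fix) {
    zone_init(); memset(table, 0, sizeof table); ring0_reached = 0;
    target_obj *target = zone_alloc();                 /* 1. leaked target */
    target->handler = benign_handler; target->cookie = 0x41;
    g_confused_id = namedobj_create(KIND_CONFUSED);    /* 2. type confusion */
    g_original_object = table[g_confused_id].object;
    /* 4. low-32 rewrite; valid only because both objects share the zone's
     *    upper 32 bits (a 512-byte static array cannot straddle 4 GiB). */
    mdbg_write_low32(g_confused_id, (uint32_t)(uintptr_t)target);
    namedobj_delete(g_confused_id);                    /* 5. target freed */
    target_obj *spray[4];                              /* 6. spray fakes */
    for (int i = 0; i < 4; i++) {
        spray[i] = zone_alloc();                       /* spray[0] == target */
        spray[i]->handler = apply_fix ? krop_chain_fixed : krop_chain_no_fix;
        spray[i]->cookie = 0;
    }
    kernel_use_target(target);                         /* 7 -> 8. chain runs */
    if (!ring0_reached) return 0;
    process_exit(spray, 4);                            /* 10. then WebKit exits */
    return panic_count ? 2 : 1;
}

int main(void) {
    printf("with fix-up: %d, without: %d\n", run_strategy(1), run_strategy(0));
    return 0;
}
```

Run it and the first call reports 1 (chain ran, clean exit) while the second reports 2: the same chain, minus the step-9 pointer restore, leaves the confused entry pointing at a slot the spray already returned, and the teardown frees it twice. On real hardware the "fix" is whatever makes the entry's later free harmless, which this model reduces to restoring the original heap pointer.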

Comments

ANONYM0US

AN0NY420
Developer
Senior Member
Contributor
What we need to remember here is that this is the guy who tried but couldn't get any further than kernel panics; best to take advice from someone who knows a bit more, so it doesn't cause any system problems :bananaman13:
 

SpaceXX

Senior Member
Contributor
I hope Failoverflow will release a 4.XX / 5.00 Kexploit in the future!!! :bananaman13::bananaman13:

Because the scene is getting hot nowadays. So stay on lower firmware. I'm fcking damn sure; I'm on 5.00. (y)(y)(y)
 

ZaRTeeK354

Member
Contributor
I cannot install the Azura menu on PS4. I installed GTA 5 via hard disk, and when I launch the Azura installation I get an "insufficient memory" error. Any solution? Thanks to all ;)
 

salah 360

Senior Member
Contributor
Unfortunately George Hotz agreed with Sony that he would not be hacking its CONSOLE again; I think he is the only one who can penetrate this fck PS4 :sneaky:
 

Megago

French Developer ( Ps unban, PSN access, PSID )
Developer
Member
Contributor
This bug was already known by some developers thanks to the fail0verflow team. There are many people who own the WebKit RCE 4.05; the problem is that the person who compiles a CFW will have Sony
 