Status
Not open for further replies.
Following the This is for the Pwners presentation at Black Hat Europe 2020 and the Talos WebSocket Vulnerability disclosure, PlayStation 4 developer sleirsgoevy shared on Twitter a PS4 WebKit Exploit 7.02 with Arbitrary Read / Write Access. It can be used with the previously released PS4 7.02 Kernel Exploit (KEX), and had about a 10% success rate on 7.02 PS4 OFW prior to his fix for the crash in leakJSC(). Alongside it come 7.02 Mira and Payload Ports via @Al Azif, who reminds everyone NOT to enable IDU Mode (read HERE why) while stating the following on Twitter:

⚠️ "Down time should be minimal but if you are already on an exploitable firmware you should probably hold up a bit to make sure everything is working."

Download: PS4-webkit-exploit-7.02.rar (33.8 KB) / PS4-webkit-exploit-6.XX-master.zip / GIT / PS4-webkit-exploit-7.02-master.zip / GIT (Fork by sleirsgoevy) / Demo / payloads_1.0.5.zip via Scene Collective's PS4 Payload Repo GIT / 702_MACROSS_COLLECTION_FOR_SLEIRSGOEVY.rar / Mira 7.00-7.02 PS4 Ports / GIT / PS4 7.02 Punch Payload Injector / 7.02 PS4 OFW PUP / test-payloads.7z (34.96 KB) / test-payloads-v2.7z (37.92 KB)

:note: For those in the PlayStation 4 Scene who are curious, HERE and HERE are lists of games through 7.02 that are not currently working with the 6.72 PS4 Jailbreak Exploit.

:idea: If you haven't done so yet, be sure to follow the PSXHAX Member Verification & PS4 Fake PKG (FPKG) Sharing Guide to become a Verified Member by getting a Blue Verified Badge (FAQ in the spoiler HERE) through our PSXHAX Floating Discord Channel to access private or restricted areas for the latest FPKG game releases! 🏴‍☠️

Some valid 7.02 addresses:
  • 0x200eb00d8
  • 0x200f300d8
  • 0x200fb00d8
  • 0x2011100d8
The success rate is about 10% for the last one. Unfortunately the exploit then crashes in the critical section in leakJSC. Will now investigate how to fix it.
Code:
// Fix for the crash in leakJSC(): after debug_log("[+] Got a relative read"); insert the following.
// Heap spray: 100000 distinct property keys, each padded so that the key's backing
// string allocation is 8 * 2 * 8 = 128 bytes including the StringImpl header
// (LENGTH_STRINGIMPL is the exploit's existing constant for that header size).
// The 5-digit zero-padded index keeps every key unique and of identical length.
var tmp_spray = {};
for (var i = 0; i < 100000; i++)
    tmp_spray['Z'.repeat(8 * 2 * 8 - 5 - LENGTH_STRINGIMPL) + ('' + i).padStart(5, '0')] = 0x1337;

:arrow: Update: It appears the 7.02 WebKit exploit is also working on 7.51 through 7.55, but keep in mind the current Kernel exploit only supports up to 7.02, so users on those higher firmwares will have to wait for a newer KEX to be released publicly for a full jailbreak.

PS4 7.51 WEBKIT EXPLOIT CONFIRMED via Quenlood

THIS IS NOT A FULL JAILBREAK AND WEBKIT EXPLOIT NOT STABLE BUT ABSOLUTELY WORKING.

FOR 7.02 I THINK GOING TO JAILBREAK SOON BUT FOR 7.51 WE NEED TO WAIT FOR KERNEL EXPLOIT. :(

THANKS SLEIRSGOEVY


Comments

If he isn't responsive via Twitter, you can try opening an issue on his Github to ask if he's willing to accept donations... chances are if he intended to he would have included a Ko-fi, Patreon, etc.

When asked previously, his response was that he just "put things together for a working JB" and to give it to the original exploit founder, namely TheOfficialFloW at the time, who responded saying to "donate this money to charity."

In this case, sleirsgoevy put together the 7.02 WebKit port forked from Synacktiv based on the findings of abu_y0ussef and 0xdagger in their BHEU 2020 presentation... so you may try contacting them also to see if they're accepting donations for the vulnerability disclosure.