
PSXHAX

Following up on the PS Vita Native WebKit Exploit by Davee and CodeLion from a few days ago, today PlayStation 4 developers nas and proxima have announced that the Webkit Exploit is confirmed to run on PlayStation 4 Firmware 1.76 with details below.

To quote: PS4 1.76 Webkit Exploit

Developers nas and proxima have extended the recently released Vita WebKit exploit and made it compatible with the latest PS4 firmware, firmware 1.76. (Update: Proxima actually clarified that although this is the same WebKit exploit, it was developed in parallel to the Vita exploit, and not “based” on it.)

Their proof of concept code provides several samples, including a module dumper and some tools to create more advanced ROP code.

I am not close to my PS4 right now and cannot confirm if the proof of concept actually works, but the code looks perfectly legit, the devs behind this have a great track record, and it should be a matter of minutes now for other people to confirm that this indeed works.

This webkit exploit, just like in the case of the same exploit for the Vita revealed last week, will not be extremely useful to the end user, except to confirm that their PS4 is indeed exploitable. It does however seem to provide some basic tools for developers who want to explore its functionality, and, more importantly, it is the first public entry point into PS4 hacking ever, which is a massive breakthrough.

This piece of news comes just as Sony have announced upcoming PS4 Firmware 2.00, which will be released next week. It goes without saying that if you have expectations to use the hack that just got released, it might be wise to not update your PS4.

Where to test this?

I have uploaded the proof of concept pages here; you can point your PS4 to these URLs and report:
  • daxhordes.org/ps4_176/ps4_dump.html
  • daxhordes.org/ps4_176/ps4_dump2.html
  • daxhordes.org/ps4_176/ps4_rop2.html
From nas: Hi, I finally got around to doing some cleanup and... here you are: ps4_176_poc.rar

This package contains:
  • ROP POC
  • Module Dumpers
  • Helper script for creating rop chains
  • Other stuff :p
Thanks a lot to Proxima for helping me!

From Proxima: The 64-bit version is a bit different. It is the same heap corruption via the sort() bug, but from there it's different. On 32-bit you can set the Uint32Array to 0x40000000 size and access any memory. On 64-bit, you have to carefully change the base address since the 0x40000000 trick doesn't work for a 64-bit address space.

Finally, from cfwprophet: Urrmm... guys, you know that at least 2 LV2 exploits for the PS3 are public, but till now nothing. And why? Because of the PS3's secure system and the chains of trust, you will not be able to use that exploit on an unhacked OFW PS3.

Let us come to the PS4... well, compared to the PS3 it is for sure double if not triple secured. Nearly everything runs in its own virtual machine. We are talking here in this thread of a WebKit exploit, which gives you control over a little part which is encapsulated.

So you are not even controlling usermode. You simply have control over the WebKit array. That is an entry point (and nothing more). But that doesn't mean that you have hacked the console and control, at least, the usermode. And we are not talking about kernel privileges here. Besides the fact that if you think to touch LV2 on a PS3/PS4, expect LV1 to kill you.

And we are still not talking about other security systems like ASLR, DEP, AMD Secured Root, canaries and whatever. So before anyone gets excited, you should first read up about those security techniques to fully understand how they work. Then you will also be able to understand what this WebKit exploit actually means for the PS4. Nothing.
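As an added illustration of the mitigations cfwprophet lists (not code from the PoC package or from anyone quoted in this thread), the script below shows what ASLR support, DEP and stack canaries look like at the binary level and how a defender verifies them. It assumes a plain little-endian ELF64 image of the kind Linux and FreeBSD use, not the console's own executable format: PIE (`e_type == ET_DYN`) is what lets the loader randomise the base address, a non-executable `PT_GNU_STACK` is the DEP setting for the stack, `PT_GNU_RELRO` marks relocations read-only after load, and the canary check is the usual heuristic of looking for the `__stack_chk_fail` symbol name. The sample ELF images are constructed in the block itself so it runs offline.

```python
"""Report build-time exploit mitigations (PIE/ASLR, NX stack/DEP, RELRO, stack canary) for an ELF64 binary.

Added example for this thread; it is not part of the PS4 PoC. It handles plain
little-endian ELF64 files only, and the sample images below are constructed here.
"""
import struct
import sys

ET_EXEC = 2          # fixed-address executable: no base randomisation possible
ET_DYN = 3           # position-independent: loader can apply ASLR
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X = 0x1
PF_W = 0x2
PF_R = 0x4
EHDR_SIZE = 64
PHDR_SIZE = 56


def parse_elf64(data: bytes) -> dict:
    """Return e_type and the (p_type, p_flags) pairs of every program header."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled by this example")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    phdrs = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from("<II", data, off)
        phdrs.append((p_type, p_flags))
    return {"e_type": e_type, "phdrs": phdrs}


def check_mitigations(data: bytes) -> dict:
    """Map each mitigation name to True (present) or False (absent)."""
    elf = parse_elf64(data)
    stack_flags = [f for t, f in elf["phdrs"] if t == PT_GNU_STACK]
    return {
        # ASLR of the main image needs a position-independent executable.
        "pie": elf["e_type"] == ET_DYN,
        # DEP for the stack: PT_GNU_STACK present and without the X bit.
        # A missing PT_GNU_STACK is treated as absent, since most loaders then
        # fall back to an executable stack.
        "nx_stack": bool(stack_flags) and not (stack_flags[0] & PF_X),
        # RELRO: GOT/relocation pages remapped read-only after relocation.
        "relro": any(t == PT_GNU_RELRO for t, _ in elf["phdrs"]),
        # Canary heuristic: a canary-protected binary references __stack_chk_fail.
        "canary": b"__stack_chk_fail" in data,
    }


def check_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return check_mitigations(fh.read())


def build_sample_elf(pie: bool, nx: bool, relro: bool, canary: bool) -> bytes:
    """Construct a minimal ELF64 image (header + program headers only) for testing."""
    phdrs = [(PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X))]
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELF64, LE, version 1
    header = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        ET_DYN if pie else ET_EXEC, 0x3E, 1,      # e_type, e_machine (x86-64), e_version
        0, EHDR_SIZE, 0, 0,                       # e_entry, e_phoff, e_shoff, e_flags
        EHDR_SIZE, PHDR_SIZE, len(phdrs), 64, 0, 0,
    )
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    tail = b"__stack_chk_fail\x00" if canary else b""
    return header + body + tail


if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = check_file(sys.argv[1])
    else:  # no path given: report on a constructed, fully hardened sample
        result = check_mitigations(build_sample_elf(True, True, True, True))
    for name, present in result.items():
        print(f"{name:9s} {'yes' if present else 'NO'}")
```

Run it with a path to an ELF binary to get a one-line verdict per mitigation; without arguments it reports on the constructed sample. The canary check is a string-presence heuristic rather than symbol-table parsing, so a binary that merely embeds that string would be misreported; a proper symbol walk is the next step for real auditing.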