Following news of the PS4 Dlclose Exploit for 1.76 and more recently the Entry Point findings, today Wololo reports that PlayStation 4 developer Fire30 made available on GitHub a PS4 WebKit Exploit proof-of-concept for PlayStation 4 Firmware 2.XX.
Download: PS4-2014-1303-POC-master.zip / PS4-2014-1303-POC GIT
From the ReadMe file: CVE 2014-1303 Proof Of Concept for PS4
This repository contains a PoC for CVE 2014-1303, originally disclosed by Liang Chen. It has been tested to work on system firmware 2.03, but should work for systems on a firmware < 2.50; the ROP test will, however, only work on 2.03.
Usage
You need to edit the dns.conf to point to the IP address of your machine, and modify your console's DNS settings to point to it as well. Then run
Code:
python fakedns.py -c dns.conf
then
Code:
python server.py
Debug output will come from this process.
Navigate to the User's Guide page on the PS4 and various information should be printed to the console. The ROP test will print what is stored in the rsp register. Continuing execution after rsp is pivoted still needs to be done.
Acknowledgements
Liang Chen
thexyz
dreadlyei
Fire30 also notes, to quote: This implementation will not work on the Vita as it uses a different memory allocator. In fact I am using the same exploit that is used in https://github.com/Hykem/vitasploit for 3.36, so that is the farthest this vulnerability will go.
Thanks to CnCore for the tip in the PSXHAX.COM Shoutbox!