In PS5 Scene news today, following the PS5 RPi Pico W Server Project, developer @euroali (Twitter), aka Euro Ali on Discord, shared a PS5 Redis.elf payload for connecting to the Redis server on exploited PlayStation 5 consoles, alongside a BD-J Plus / BDJPlus / BDJ Plus file pack, with additional details below.
Download: redis.elf (17.1 KB) / bdjplus.zip (3.59 MB) / Payload Injector Clients
According to Wikipedia, Redis (Remote Dictionary Server) is an in-memory data structure store, used as a distributed, in-memory key–value database, cache and message broker, with optional durability.
Below are some related messages from Euro Ali on Discord:
BD-J (BD-J Plus / BDJPlus / BDJ Plus)
You can store all the .jar files inside the PS5, the exploit files and more. Credits: Euro Ali
- Redis server can execute Lua, and we can have a permanent payload loader as it is a background service.
- Yeah, Lua execution is supported.
- Yes, this is output from the PS5.
- But I think Lua is sandboxed. I don't know if this function will work.
- I'm making this s**t public; anyone can connect to the Redis server on their PS5.
- redis.elf (17.1 KB)
- The source code is not closed. I was actually going to post it, but it's on my other computer.
- It's actually quite simple in logic.
- Application + code execution sandbox available; code execution sandbox = disabling global Lua functions.
- Maybe it's possible to break the code execution sandbox via WebKit.
- How To Fix CVE-2022-0543 - A Critical Lua Sandbox Escape Vulnerability In Redis
- PS5 has a low Redis version, but unfortunately this is open for Linux only. I tested it and I can confirm it doesn't work.
- An unexpected Redis sandbox escape affecting Debian-based distros
Code:
redis-cli eval 'return select(2, loadstring("\027")):match("binary") and "VULNERABLE" or "OK"' 0
I had tested this.
PS5 returns OK.
- I have never tried this. PS5 uses Redis 6.0.4.
- Even older than this version, so a 2020 release.
- I don't have a PS5 right now; you can try it if you want.
- Just run the ELF file I shared. Then you can connect to Redis with the CLI from the port it gives.
- The port is closed to the outside.
- The payload simply connects to Redis locally and broadcasts that port outside. Basically I used FTPS5's source code; thank you to them for publishing the socket example.
- Now you can store all the .jar files inside the PS5 and launch them from its menu; you won't need to save a BD anymore.
- You can launch the .jar from the PC to the PS5.
- You can store the exploit inside the PS5 and launch it locally.
- The PS5 becomes...
- bdjplus.zip (3.59 MB) / BD-J.zip (3.59 MB)