In PS5 Scene news today, following the PS5 RPi Pico W Server Project, developer @euroali (Twitter), aka Euro Ali on Discord, shared a PS5 Redis.elf payload for connecting to the Redis server on exploited PlayStation 5 consoles, alongside a BD-J Plus / BDJPlus / BDJ Plus file pack, with additional details below. :geek:

Download: redis.elf (17.1 KB) / bdjplus.zip (3.59 MB) / Payload Injector Clients

According to Wikipedia, Redis (Remote Dictionary Server) is an in-memory data structure store, used as a distributed, in-memory key–value database, cache and message broker, with optional durability.

Below are some related messages from Euro Ali on Discord:
  • Redis server can execute Lua, and we can have a permanent payload loader as it is a background service.
  • yeah, Lua execution supported
  • yes, this is output from PS5.
  • but I think Lua is sandboxed. I don't know if this function will work.
  • I'm making this s**t public, anyone can connect to the Redis server on their PS5.
  • source code is not closed. I was actually going to post it, but it's on my other computer.
  • It's actually quite simple in logic.
  • application + code execution sandbox available; code execution sandbox = disabling global Lua functions
  • maybe it's possible to break the code execution sandbox via WebKit.
  • How To Fix CVE-2022-0543- A Critical Lua Sandbox Escape Vulnerability In Redis
  • PS5 has a low Redis version, but unfortunately this is open for Linux only. I tested it and I can confirm it doesn't work.
  • An unexpected Redis sandbox escape affecting Debian-based distros
Code:
redis-cli eval 'return select(2, loadstring("\027")):match("binary") and "VULNERABLE" or "OK"' 0
I had tested this.
PS5 returns OK
  • I have never tried this. PS5 uses Redis 6.0.4
  • even older than this version, so 2020 release
  • I don't have a PS5 right now, you can try it if you want.
  • Just run the ELF file I shared. Then you can connect to Redis with the CLI from the port it gives.
  • port is closed to outside.
  • payload simply connects to Redis locally and broadcasts that port outside. Basically I used ftps5's source code, thank you to them for publishing the socket example.
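Added example (not Euro Ali's code and not part of the original post): the CVE-2022-0543 probe quoted above, sent over a raw socket in Python so it can be run against a Redis instance you administer without redis-cli or a client library. It frames the EVAL command in RESP the way redis-cli does, parses the single reply, and reports the script's own OK/VULNERABLE result, or INCONCLUSIVE when the server answers with an error (for instance when the sandbox has removed loadstring, the "disabling global Lua functions" case mentioned above). Host and port defaults are assumptions.

```python
import socket

# Lua probe quoted from the post above (the CVE-2022-0543 check); the verdict strings are the script's own.
LUA_CHECK = 'return select(2, loadstring("\\027")):match("binary") and "VULNERABLE" or "OK"'

class RespError(Exception):
    """A RESP error reply, e.g. EVAL refused because loadstring is not exposed at all."""

def resp_encode(args):
    """Encode one command as a RESP array of bulk strings, exactly as redis-cli sends it."""
    parts = [a.encode() for a in args]
    return b"*%d\r\n" % len(parts) + b"".join(b"$%d\r\n%s\r\n" % (len(p), p) for p in parts)

def resp_parse(data):
    """Parse one complete RESP reply (simple, error, integer or bulk string) -> (value, rest).
    Raises ValueError if the buffer is truncated, so the caller knows to read more."""
    kind, end = data[:1], data.index(b"\r\n")  # ValueError when no terminator has arrived yet
    line, rest = data[1:end], data[end + 2:]
    if kind == b"+": return line.decode(), rest
    if kind == b"-": return RespError(line.decode()), rest
    if kind == b":": return int(line), rest
    if kind == b"$":
        n = int(line)
        if n < 0: return None, rest                      # null bulk string
        if len(rest) < n + 2: raise ValueError("incomplete bulk string")
        return rest[:n].decode(), rest[n + 2:]
    raise ValueError("unsupported RESP type %r" % kind)

def classify(reply):
    """Map the EVAL reply to a verdict; anything but the script's own two strings is inconclusive."""
    if isinstance(reply, RespError): return "INCONCLUSIVE: " + str(reply)
    return reply if reply in ("VULNERABLE", "OK") else "INCONCLUSIVE"

def check_server(host="127.0.0.1", port=6379, timeout=5.0):
    """Assumed defaults. Send the probe as EVAL <script> 0 and return the verdict string."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(resp_encode(["EVAL", LUA_CHECK, "0"]))
        buf = b""
        while True:
            chunk = s.recv(65536)
            if not chunk: raise ConnectionError("server closed without replying")
            buf += chunk
            try:
                return classify(resp_parse(buf)[0])
            except ValueError:
                continue  # reply not complete yet; keep reading

if __name__ == "__main__":
    print(check_server())  # run against a Redis instance you administer
```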
BD-J PS5
  • Now you can store all the .jar files inside the PS5 and launch them from its menu, you won't need to save a BD anymore.
  • You can launch the .jar from the PC to the PS5
  • You can store the exploit inside the PS5 and launch it locally
  • The PS5 becomes a local server, any PS4/5 connected to the network will be able to launch the exploit.
Euro Ali Credits

BD-J (BD-J Plus / BDJPlus / BDJ Plus)

You can store all the .jar files inside the PS5, the exploit files and more. Credits Euro Ali
