Following the PS3Xploit Tools v3.0 updates, PlayStation 3 developer Derrik (aka @GhzGangster on Twitter) recently made available Zerosense, an exploit toolkit for the PS3 Browser based on ROP exploitation that is still in development, with details below.
Download: zerosense-master.zip / GIT
To quote from the README.md: zerosense
Zerosense is an exploit toolkit for the PlayStation 3 Browser, based on work by the PS3Xploit team, and the proof-of-concepts which came before. It also takes inspiration from other projects, such as PegaSwitch and PS4 Playground.
This project is primarily designed to manipulate files for the SaveMGO MGO2 Revival project, to aid users on official firmware. Additional functionality may be added in the future.
Node.js is used both to bundle the application, and to act as a web server. The JavaScript target is ES3, so additional functionality is added as needed.
Warning
Project is still under heavy development. Things may completely change in the future.
Approach
We create an array of a certain size, number of elements, and first element for verification. After searching, we should find the address of the array in memory. Once we have this, we can get the addresses of elements within the array.
Once we have the array, we can create our ROP chains, figure out their addresses, and then trigger the Use-After-Free exploit.
This approach allows us to conduct only one initial, cheap search, as opposed to searching for each chain in memory.
Goals
- Have a clean and easy-to-understand codebase
- Be easily extendable
- Be able to execute quickly and reliably
- Be able to easily add support for different firmware
Node.js and NPM should be installed beforehand. See https://docs.npmjs.com/getting-started/installing-node
This project has been built using Node 7.10.1 and NPM 4.2.0. There may be some issues that arise for other versions.
Code:
npm install
Building
Code:
npm run build
Running
Code:
npm start
The web server will be running on port 9000, by default.
Zerosense file manager demo for PS3 4.84 HFW. You can look at your file system and copy files to dev_usb000. It's really slow, like 0.25 MB/s max. I'll see if I can speed it up sometime.
Download: zerosense-master.zip (Exploit library for the PlayStation 3 Browser) / Live Demo / GIT / zerosense-ftpd-master.zip (FTP server in the PS3 browser, not ready for public use) / GIT
Cheers to @HydrogenNGU for the heads up on the news via Twitter below!