PS4 A New PS4 kernel exploit by qwertyoruiop

Things are starting to get a bit interesting in the PlayStation 4 hacking scene. A couple of days ago the well-known hacker qwertyoruiop released a WebKit exploit for 4.0x firmware (non-4.50); however, this exploit needs a kexploit (kernel exploit) on the same level as something like 1.76 firmware, and it did not work on 4.50. So the hacker has been working on a kernel exploit as well, and in 5 days the developer has not only a kernel exploit but one that works on 4.50. With 4.50, though, we do not have an entry point to execute the kernel exploit, which is where the WebKit exploit comes in. So 4.50 users appear to have some strong hope.



    • Nothing to kernel in 5 days. GG Sony
    • 0day, it should work on 4.50 too
    • It was actually simpler than expected. iOS is more challenging from the post-exploitation point of view
    • 30 hours of no sleep later I am finally happy about the PS4 exploit
    • So it turns out Sony is doing sneaky syscall shit. Updated code some further, you'll have to manually call libkernel syscall stubs
    • Updated PS4 RCE with actually functioning fcall and syscall primitives
    • Updated PS4 exploit with ROP code exec (for 4.06 specifically).
    • Updated the PS4 exploit with some more comments and it no longer alerts a JSValue, but prints a function pointer

 
Yes it means emulators among other homebrews (if development follows like I said earlier!)...
Not much point staying in 3.55 at this stage, you can now definitely update if you wish....
 
It's my understanding that I need to share internet or run a proxy to get the WebKit exploit to work? I haven't had coffee yet, so I got to the website of the WebKit exploit; on my PC it says not vulnerable (testing), but on the PS4 I click Go and it just sits there. Now if I run a proxy (skfu's), can I edit my PC hosts file to override the "manuals" site and go straight to the WebKit page, or would that be host migrating and done through the router if supported?

UPDATE/ EDIT
So after using pinky's CCProxy tutorial, I can't seem to get to the Google homepage to enter the address. Is there another method? It worked once and now it doesn't load.
(Once on the About Google page, in the top left corner click on Google and it loads the homepage; not working for me.)

Edit again: sorry, but you can use the Privacy tab instead of About Google. Still nothing when I click Go (rce.party).
 
it works for me on 4.07:


@barelynotlegal, I'm blocking those update URLs from my tutorial. I was able to connect to Google. I believe that you can list the site you want as your homepage. Make sure your system isn't in rest mode. I think the exploit will still be active in that case, and it could be why it's not working for you: it's already active.
 
I'll unplug and try again. I followed your tut to a T, so... To clarify, once I get to Google I just search for the WebKit address, and once there it is a white screen that has a Go button, correct?
I will completely power down and attempt again with my LAN line and CCProxy. I will reboot the PC as well. Maybe I should update to 4.05?
 
If I am not mistaken, I think that in the current website set up by qwertyoruiop, the exploit is actually hard-coded for 4.06.
I have not given this a try yet & no source files have been released to check, so I could be wrong, but that may be the reason for your problems...
 
I was in rest mode when the power went out at some point in the past, so my system had to be powered on fully, check the system disk, all that sort of thing that happens when the power goes out. I went to the website, and yes, I believe it was just a blank page with a Go button. I made sure that updates were being blocked via PSN as well as system settings; they were (error, forgot the number). I'm on 4.07 btw, so I don't know about lower firmware working, but it's supposed to. What firmware are you on?
 
I'm on 4.07 btw, so I don't know about lower firmware working, but it's supposed to. What firmware are you on?
No it's not automatically supposed to. The kernel exploit can be run on any 4.0x or 4.50 but not the webkit exploit. It is possible that wk is different on the fw he uses.
Edit:
It is actually written on test site page above the Go link...
This exploit supports all non-4.50 firmwares, but right now it specifically targets 4.06 due to rop gadgets being hardcoded
 
Well, barelynotlegal said he was getting a white screen where the system would hang. It worked once, but not again for some reason. I merely took that photo to show that the userland aspect of the exploit works. That's probably why the additional options aren't listed for me. I only tried it myself when he mentioned having issues. I'm not talking about the kernel exploit, I'm talking about getting something to happen other than the system hanging or nothing happening.
 
If WebKit among other things is different in his firmware, there is no telling what result you would get from applying the ROP gadgets with incorrect memory addressing. In such a case, where binary code would get called at wrong memory addresses, a freeze is one of the possible outcomes during exploitation.
If there are version checks & the like in the JavaScript before the ROP gadgets are used, then the exploit may not even be applied, to avoid issues, but if not...
It's impossible to tell what kind/level of error management is in place as we cannot browse the source. The only thing we can do is test or ask qwertyoruiop directly.
 
Dumb, I am sorry. I have not done anything kernel side. I assumed that the WebKit exploit included the kernel exploit, an all-in-one kind of like HENkaku. I knew it seemed too easy. Sorry to waste your time. That's probably why I get to the Go button and it just hangs.
 

You assumed right afaik.
The kernel exploit should be included in this online hack along the wk exploit just like in CTurt's 1.76 playground or henkaku. You should not need to install anything else...
 
So it is? I just got done reading on wololo that he uses 4.06 and it is said to be working. Maybe that's my issue (to get the WebKit exploit to work). From what I understand it should still work. The kernel exploit is for an "elevated" inquiry or whatever you want to call it. WebKit will work, just no access without the kernel. Right? Or have I spun myself, lol
 
I already told you that the current hack is hard-coded for 4.06. If you really want to test this hack, you should install 4.06. At this stage there is no point in holding back anyway, because future development will not take place on fw < 4.06 anyway. Given the current situation with this new kernel exploit running on fw up to 4.50, we can probably expect 4.50 to become the next milestone in PS4 hacking after 1.76...

And you should read my previous posts: the kernel exploit can work on any 4.0x or 4.50. If the WebKit exploit works then the kernel exploit should also work, but your problem is most likely with the ROP gadgets used by the hack or similar.
Look at this file from CTurt, https://github.com/CTurt/PS4-playground/blob/gh-pages/js/gadgets.js, it shows how the gadgets are hard-coded with specific memory addresses that correspond to the fw for which it was written. I assume that qwertyoruiop is using exactly the same type of implementation.
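The hard-coded gadget pattern discussed above (wrong addresses on a different firmware giving a freeze, and a version check that stops the gadgets from being applied), as an added example that is not part of the thread and is not qwertyoruiop's exploit or CTurt's gadgets.js: a small JavaScript model of a per-firmware gadget table with a version guard, so a ROP chain is only built when a table exists for the console's firmware. Every offset, the module base and the user-agent strings are constructed placeholders, and the `PlayStation 4 X.YZ` user-agent format is an assumption.

```javascript
// Added example, not code from this thread, from qwertyoruiop's exploit page
// or from CTurt's gadgets.js. It models the pattern those posts describe:
// ROP gadgets are fixed offsets inside one firmware's WebKit module, so an
// exploit must select the gadget table for the firmware it actually runs on,
// or refuse to run, instead of applying 4.06 offsets on a 4.07 console.
// Every offset below is a constructed placeholder, not a real PS4 address.

// Per-firmware gadget tables: offset of each gadget from the module base.
const GADGETS_BY_FW = {
  "4.06": { pop_rdi: 0x00a1c0, pop_rsi: 0x00b2d4, ret: 0x000010, syscall_stub: 0x1f0a00 },
  "4.07": { pop_rdi: 0x00a1e8, pop_rsi: 0x00b2fc, ret: 0x000010, syscall_stub: 0x1f0a40 },
};

// The PS4 browser reports its firmware in the user agent as "PlayStation 4 X.YZ";
// that format is assumed here, check the real string on your own console.
function parseFirmware(userAgent) {
  const m = /PlayStation 4 (\d\.\d{2})/.exec(userAgent);
  return m ? m[1] : null;
}

// Return the gadget table for a firmware, or null when none was written for it.
function gadgetsFor(firmware) {
  return Object.prototype.hasOwnProperty.call(GADGETS_BY_FW, firmware)
    ? GADGETS_BY_FW[firmware]
    : null;
}

// Turn a list of {gadget, rdi, rsi} calls into an absolute ROP chain:
// moduleBase is the WebKit module address leaked by the memory bug, and the
// offsets come from the selected table. Throws on an unknown firmware rather
// than emitting a chain of wrong addresses (the "white screen and hang" case).
function buildChain(firmware, moduleBase, calls) {
  const g = gadgetsFor(firmware);
  if (g === null) {
    throw new Error("no gadget table for firmware " + firmware + "; refusing to run");
  }
  const chain = [];
  for (const c of calls) {
    if (!(c.gadget in g)) {
      throw new Error("unknown gadget " + c.gadget);
    }
    chain.push(moduleBase + g.pop_rdi, c.rdi); // pop rdi ; ret
    chain.push(moduleBase + g.pop_rsi, c.rsi); // pop rsi ; ret
    chain.push(moduleBase + g[c.gadget]);      // call target
  }
  return chain;
}

// Entry point as an exploit page would use it: decide from the user agent
// before touching any hard-coded address.
function run(userAgent, moduleBase, calls) {
  const fw = parseFirmware(userAgent);
  if (fw === null || gadgetsFor(fw) === null) {
    return { ok: false, firmware: fw, reason: "unsupported firmware, gadgets not applied" };
  }
  return { ok: true, firmware: fw, chain: buildChain(fw, moduleBase, calls) };
}

// Constructed user agents for demonstration.
const UA_406 = "Mozilla/5.0 (PlayStation 4 4.06) AppleWebKit/601.2 (KHTML, like Gecko)";
const UA_450 = "Mozilla/5.0 (PlayStation 4 4.50) AppleWebKit/601.2 (KHTML, like Gecko)";

// Placeholder module base; a real exploit would leak this at runtime.
const demo = run(UA_406, 0x80000000, [{ gadget: "syscall_stub", rdi: 1, rsi: 2 }]);
console.log(demo.ok ? demo.chain.map((v) => "0x" + v.toString(16)) : demo.reason);
console.log(run(UA_450, 0x80000000, []).reason);
```

The guard is the point: on a firmware without a table, `run` returns a refusal instead of building a chain, which is what a version check before the gadgets would do on the test page. A port such as the 3.50 to 4.07 one mentioned later in the thread amounts to filling in more rows of a table like this one.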
 
I'd do as @bguerville suggests or you might hold off a little. My photo was of the userland portion of the hack working, which is why I can't call syscalls with it. I'm on 4.07 instead of 4.06, just so I could play the damn FF XV and Tales of Berseria demos as well as grab a DQ theme from the Japanese store. I haven't played the FFXV demo, the Tales one was kinda meh (good combat though), and the DQ theme kinda looks ugly. I was on 3.55, so I'll wait like I've been doing. All of my games require earlier firmware anyway. Like both @STLcardsWS and bogey (I think you said it, didn't you), the main hack for the system will most likely be on the latest firmware if possible. Now that we know the kernel exploit should work on 4.50, we'll just have to wait for an entry point to be discovered.
 
Here is a 3.50 - 4.07 port from Specter which just released on git.
News on his twitter as well.
https://github.com/Cryptogenic/PS4-4.0x-Code-Execution-PoC

Readme from his git states.
"PS4 4.0x Code Execution

This repo is my edit of the 4.0x webkit exploit released by qwertyoruiopz. The edit re-organizes, comments, and adds portability across 3.50 - 4.07 (3.50, 3.55, 3.70, 4.00, and of course 4.06/4.07). The commenting and reorganization was mostly for my own learning experience, however hopefully others can find these comments helpful and build on them or even fix them if I've made mistakes. The exploit is much more stable than FireKaku and sets up the foundation for running basic ROP chains and returns to normal execution. Credit for the exploit goes completely to qwertyoruiopz."
 
Good idea to unify the webkit exploit code from 3.50 to 4.07...
For those interested, this repo only contains the webkit exploit, not the kernel exploitation....
 
Can confirm 4.01 is working. Thanks for the cleanup.
 
And now the Switch has an exploit in its WebKit. This exploit has been patched in 2.1, so don't update if you can. This PS4 exploit will probably be patched in the next firmware version as well.
 

4.50 already patched this. For people on 4.07 thinking it won't work on 4.07: it will. qwertyoruiop was just on 4.06, so that had most of the work. 3.55 is also good.

https://github.com/Cryptogenic/PS4-4.0x-Code-Execution-PoC
 