1. ryuutseku85

    OP ryuutseku85 GBAtemp Regular
    Member

    Joined:
    Dec 14, 2015
    Messages:
    104
    Country:
    France
    Hi,
    Honestly, it's great to see that no one is discouraging me.

    So where am I today?
    Not so far, because my work keeps me far away from my PS4... I just managed to retrieve the fw_ver, and here I stop the hype of all noobs: no, I don't get access to the console, I only retrieve the user agent and use substring to get it.

    My goal is to auto-select the exploit to load depending on the FW.

    If I try to recreate the 6.20 exploit, is someone here willing to be my tester? I put a warning on this: I have never done that before, so it's at your own risk and I can't be blamed if something goes wrong.

    See ya
     
    peteruk, Jonna and KiiWii like this.
  2. KiiWii

    KiiWii Contributor
    Contributor

    Joined:
    Nov 17, 2008
    Messages:
    9,830
    Country:
    United Kingdom
    The user agent FW string is what we used in x-project to determine firmware.

    Feel free to check out the code implementation we came up with; all the source is in the HTML.

    My unfinished project from October last year, “KrakHEN”, was exactly as you described; however, I was working to make it a one-pager rather than page redirection, which is what LightningModz did on his site around December last year. I got so far and didn’t find time to finish it.

    FWIW I have a Testkit, so feel free to send through anything you figure out :)
     
    peteruk, Leeful and ryuutseku85 like this.
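    As an added example (not code from the thread, from x-project or from KrakHEN), here is one way to do the firmware detection and payload selection that the two posts above describe: parse the firmware number out of the PS4 browser's user agent and pick a payload page from a version-range table. The user-agent layout ("PlayStation 4 X.YY"), the sample strings and the table of payload pages are assumptions for illustration, and the page names are hypothetical. Keying on the firmware number rather than on the AppleWebKit build is deliberate, since the thread notes that the 6.xx firmwares all report the same WebKit version.

```javascript
// Added example, not code from the thread, x-project or KrakHEN.
// Assumed user-agent layout: "... (PlayStation 4 X.YY) AppleWebKit/NNN ..."
// The sample strings below are constructed for this example.
const SAMPLE_UA_670 =
  "Mozilla/5.0 (PlayStation 4 6.70) AppleWebKit/605.1.15 (KHTML, like Gecko)";
const SAMPLE_UA_505 =
  "Mozilla/5.0 (PlayStation 4 5.05) AppleWebKit/605.1.15 (KHTML, like Gecko)";
const SAMPLE_UA_PC =
  "Mozilla/5.0 (X11; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0";

// Hypothetical payload table: each entry is an inclusive firmware range.
// The page names and ranges are placeholders, not a list of real exploits.
const EXPLOIT_TABLE = [
  { page: "exploit-505.html", min: "5.05", max: "5.05" },
  { page: "exploit-6xx.html", min: "6.00", max: "6.72" },
];

// "6.70" -> { major: 6, minor: 70, text: "6.70" }. Versions are compared
// numerically, never as strings ("6.07" must sort below "6.70").
function parseVersion(text) {
  const m = /^(\d+)\.(\d{2})$/.exec(text);
  if (m === null) throw new Error("bad firmware version: " + text);
  return { major: parseInt(m[1], 10), minor: parseInt(m[2], 10), text };
}

// Pull the firmware out of the UA; null when this is not a PS4 browser.
function parsePs4Firmware(ua) {
  const m = /PlayStation 4 (\d+\.\d{2})/.exec(ua);
  return m === null ? null : parseVersion(m[1]);
}

function compareVersion(a, b) {
  return a.major !== b.major ? a.major - b.major : a.minor - b.minor;
}

// Pick the payload whose range covers the reported firmware.
// Returns { firmware, page, reason }; page is null when nothing matches,
// so the caller can show a message instead of loading the wrong payload.
function selectExploit(ua, table = EXPLOIT_TABLE) {
  const fw = parsePs4Firmware(ua);
  if (fw === null) {
    return { firmware: null, page: null, reason: "not a PS4 user agent" };
  }
  const hit = table.find(
    (e) => compareVersion(fw, parseVersion(e.min)) >= 0 &&
           compareVersion(fw, parseVersion(e.max)) <= 0
  );
  if (hit === undefined) {
    return { firmware: fw.text, page: null, reason: "no payload for " + fw.text };
  }
  return { firmware: fw.text, page: hit.page, reason: "ok" };
}

// In a browser you would call selectExploit(navigator.userAgent) and then
// load the chosen page (or inline payload); here we only print the decisions.
for (const ua of [SAMPLE_UA_670, SAMPLE_UA_505, SAMPLE_UA_PC]) {
  console.log(JSON.stringify(selectExploit(ua)));
}
```

    Because the table lookup returns null for anything outside the listed ranges, a firmware that is newer than every entry (7.00 in the sample, which also reports a different WebKit build) falls through to a message rather than to a payload built for another firmware.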
  3. ryuutseku85

    OP ryuutseku85 GBAtemp Regular
    Member

    Joined:
    Dec 14, 2015
    Messages:
    104
    Country:
    France
    Hi to all,

    I'm trying to recreate the 6.20 exploit by Specter, but it's not simple since I only have a 6.70 PS4.

    I have some questions:

    1- The exploit is patched in 6.50, but the 6.00 and 6.70 FW WebKit are 605.1.15, so why is this not working?
    2- If I try to make myself a browser with this WebKit, will I be able to run the exploit (I know, not as-is, because it's made for the PS4)? I don't want to waste time trying this if it's not possible.
    3- I really don't understand the return-oriented programming thing (I understand that we make a chain to launch our code by triggering gadgets one after another, but not how we find those gadgets). By the way, I am French with a good level of English, but I think learning something that I don't understand is not helpful. Can someone explain it to me? Even if it looks like a dumb question, I prefer to ask for help on this.

    Thanks for the answers you are going to give me (I hope^^)

    see ya!
     
  4. MostlyUnharmful

    MostlyUnharmful GBAtemp Fan
    Member

    Joined:
    Feb 8, 2018
    Messages:
    346
    Country:
    Italy
    If I'm interpreting the question correctly, patching a vulnerability doesn't mean upgrading the application; they could have simply "cherry-picked" the relevant modification and backported it to the WebKit version distributed with FW 6.20.

    I suppose you can find a version of Chrome that has that vulnerability; usually it's the other way around, I mean usually a vulnerability is found for Chrome and then ported to PS4. In this case you should search for the relevant CVE and eventual PoC.

    Manual inspection, but you can find tools that can automate the search for gadgets: basically you dump a PS4 library, pass it to the tool, find the offsets, defeat the ASLR and find where the library is loaded, use the gadgets, ..., profit.

    https://github.com/JonathanSalwan/ROPgadget
    https://github.com/t00sh/rop-tool
     
    KiiWii likes this.
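    The procedure in the reply above (dump a library, find gadget offsets with a tool, add the leaked load address) as an added example. This is not code from the thread and not how ROPgadget or rop-tool work internally: it is a minimal x86-64 scanner that only recognizes `pop reg` (with or without a REX.B prefix) and `ret`, run over a constructed byte buffer standing in for a dumped library, with a made-up base address standing in for what an ASLR leak would give you. It does show one thing the text only implies: x86 gadgets can begin in the middle of another instruction, so the scanner tries every byte offset before each `ret`, not only instruction boundaries.

```javascript
// Added example; not code from the thread and not from ROPgadget/rop-tool.
// Minimal x86-64 gadget scanner: finds "ret" and "pop reg ; ... ; ret"
// sequences in a raw code dump and turns their offsets into runtime
// addresses once a base address has been leaked.

const REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"];
const REG64_EXT = ["r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"];
const RET = 0xc3;
const REX_B = 0x41;

// Constructed stand-in for a library dump (NOT a PS4 binary), annotated
// with the intended instruction stream. The displacement of the last mov
// happens to contain the bytes 5e c3, i.e. an unaligned "pop rsi ; ret".
const SAMPLE_CODE = new Uint8Array([
  0x48, 0x89, 0xc7,                         // mov rdi, rax
  0x5f, 0xc3,                               // pop rdi ; ret
  0x90, 0x90,                               // nop ; nop
  0x41, 0x5e, 0x5d, 0xc3,                   // pop r14 ; pop rbp ; ret
  0x48, 0x8b, 0x05, 0x5e, 0xc3, 0x00, 0x00, // mov rax, [rip+0xc35e]
]);

// Decode one "pop reg" at buf[i]; returns { text, len } or null.
function decodePop(buf, i) {
  const b = buf[i];
  if (b >= 0x58 && b <= 0x5f) {
    return { text: "pop " + REG64[b - 0x58], len: 1 };
  }
  if (b === REX_B && i + 1 < buf.length && buf[i + 1] >= 0x58 && buf[i + 1] <= 0x5f) {
    return { text: "pop " + REG64_EXT[buf[i + 1] - 0x58], len: 2 };
  }
  return null;
}

// For every ret, try each start position in the preceding bytes and keep
// the ones that decode as an unbroken run of pops ending exactly at the ret.
function findGadgets(buf, maxPops = 3) {
  const gadgets = [];
  for (let r = 0; r < buf.length; r++) {
    if (buf[r] !== RET) continue;
    gadgets.push({ offset: r, text: "ret" });
    const earliest = Math.max(0, r - 2 * maxPops); // at most 2 bytes per pop
    for (let start = r - 1; start >= earliest; start--) {
      const parts = [];
      let i = start;
      while (i < r) {
        const p = decodePop(buf, i);
        if (p === null) break;
        parts.push(p.text);
        i += p.len;
      }
      if (i === r && parts.length > 0 && parts.length <= maxPops) {
        gadgets.push({ offset: start, text: parts.join(" ; ") + " ; ret" });
      }
    }
  }
  return gadgets;
}

// Offsets are what survives ASLR. The runtime address is base + offset,
// where base comes from an info leak; BigInt keeps the full 64 bits.
function resolveGadgets(gadgets, base) {
  return gadgets.map((g) => ({ ...g, address: base + BigInt(g.offset) }));
}

const FAKE_BASE = 0x7f1234000000n; // made-up leaked load address
for (const g of resolveGadgets(findGadgets(SAMPLE_CODE), FAKE_BASE)) {
  console.log("0x" + g.address.toString(16), g.text);
}
```

    Against a real dump you would feed the scanner the library's text section and expect thousands of hits; the point of the tools linked above is that they decode the full instruction set and let you filter by register, which this toy does not attempt.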
  5. ryuutseku85

    OP ryuutseku85 GBAtemp Regular
    Member

    Joined:
    Dec 14, 2015
    Messages:
    104
    Country:
    France
    Hi to all,

    So where am I?

    My research got me to a point where I need to fork:
    1- Learning ROP and hitting my head against a wall (I really don't understand it; I need to practice it but I have nothing to practice on)
    2- Trying to learn more about WebKit; I decided to try targeting JSC (JavaScriptCore), and to do so I am trying to compile a debug version of JSC, but I am on Windows (yeah yeah, I know, don't hit me please).

    I'm going the second way and will get back to ROP later.

    So I'm going to research two things. The first will be the commit of the PS4 6.70, to help me, because if I get it and I can compile it, it will be much easier for me to work.
    (At this time the compilation throws me a fu*****g update vswhere ....)

    The second will be to learn more about exploitation.

    I think I went too fast on this; I thought of ROP before exploitation and this is not the right way.

    So what have I learned?

    From 6.00 >> 6.71 the WebKit was 605.1.15, but the user agent was frozen for certain reasons.
    The 7.00 is 606.4.6.

    Thanks to Phrack I am learning some interesting things.

    see ya
     
  6. plasticos201194

    Newcomer

    Joined:
    Dec 1, 2019
    Messages:
    3
    Country:
    Mexico
    In case you want to check out the most recent WebKit exploit for 6.XX to 6.72, you should visit Fire30's Twitter.
     
  7. cyfaws

    cyfaws Advanced Member
    Newcomer

    Joined:
    Feb 18, 2005
    Messages:
    68
    Country:
  8. RiPPERD

    RiPPERD Advanced Member
    Newcomer

    Joined:
    Oct 17, 2018
    Messages:
    75
    Country:
    United Kingdom
    very rare on this forum lol

    Good luck to the OP, someone needs to do something.... the hackers always used to be 2 steps ahead of the companies... now they are all about 5 years behind them lol... too much money and politics involved now haha
     
    ryuutseku85 likes this.
  9. ryuutseku85

    OP ryuutseku85 GBAtemp Regular
    Member

    Joined:
    Dec 14, 2015
    Messages:
    104
    Country:
    France
    Hi to all,

    So where am I?

    I found something and am currently exploiting it, but I have a problem when I get the address of my leaked obj...

    I use int64.js from saelo (thanks a lot!!) and when I try to "add(0x10)" to it, I can't.
    The error that I've got is: add is not a function.
    So I decided to give it a go with the badhoist exploit and... it's the same thing.

    So if anyone has a clue...

    By the way, I have successfully compiled 600 to 700 WebKit (and it was a pleasure to learn that there are two things in it... the WebKit and the JavaScriptCore, which are not at the same version...)

    see ya !!!

    Thanks for that, but I saw it too late XD
     
    TR_mahmutpek likes this.
  10. KiiWii

    KiiWii Contributor
    Contributor

    Joined:
    Nov 17, 2008
    Messages:
    9,830
    Country:
    United Kingdom
    Nice @ryuutseku85 :) I hope you can leverage this to something bigger.

    I found out that 5.05’s ioctls were removed post 5.55, so existing kex “should” work on 5.50-5.55: providing we can get full userland after webkit.

    I think 5.5x exploiting should become the main focus for most, (if people genuinely want an achievable slightly higher kernel exploit) unless you’re able to find something newer that works on FBSD.

    Keep us updated, and good luck :grog:
     
    ryuutseku85 likes this.
  11. ryuutseku85

    OP ryuutseku85 GBAtemp Regular
    Member

    Joined:
    Dec 14, 2015
    Messages:
    104
    Country:
    France
    Hi,
    Sorry to say this, but I only have a 6.70 on hand.
    To be honest I am not thinking about kex for now, because as this thread mentions: I am learning and trying not to give up in front of the task.
    Have you any clues for my "add" problem?

    And to show everyone that I am not only talking, there is a little picture :)

    See ya
     


    TR_mahmutpek and KiiWii like this.
  12. KiiWii

    KiiWii Contributor
    Contributor

    Joined:
    Nov 17, 2008
    Messages:
    9,830
    Country:
    United Kingdom
    Add() appends, are you using it mathematically?
     
  13. TR_mahmutpek

    TR_mahmutpek medic
    Member

    Joined:
    Jul 28, 2015
    Messages:
    1,258
    Country:
    Turkey
    Just some advice: if you find a kernel exploit, don't release it. Dump newer games, so Sony can't patch it:ha:

    Anyway, good work!^_^
     
  14. MostlyUnharmful

    MostlyUnharmful GBAtemp Fan
    Member

    Joined:
    Feb 8, 2018
    Messages:
    346
    Country:
    Italy
    Let's see, without a code snippet I suppose you are working with RAM addresses, so you are probably using a "BigInt" object — "Number" objects use IEEE double-precision floating point notation, not a good candidate for it — and according to MDN "The following operators may be used with BigInts (or object-wrapped BigInts): +, *, -, **, %." so:

    Code:
    a = BigInt(0x123456789);
    4886718345n
    a + 0x10n;
    4886718361n
    
    Is this what you are trying to do? As @KiiWii posted there are a few add() methods/functions for some specific objects like strings and sets, but for number types there are "operators" instead of methods. I'm going by memory and I have used too many languages with different syntax, and JavaScript is one where I'm less confident, so double check my claims... ^__^;

    P.S. MDN: Mozilla Developer Network
     
    KiiWii likes this.
  15. ryuutseku85

    OP ryuutseku85 GBAtemp Regular
    Member

    Joined:
    Dec 14, 2015
    Messages:
    104
    Country:
    France
    So, I tried to give it a go with badhoist and this is where it crashes:
    Code:
    function setup_obj_leaks() {
        g_leaker.leak = false;
        g_inline_obj.a = g_leaker;
        g_leaker_addr = new Int64(g_confuse_obj["0a"][4], g_confuse_obj["0a"][5]).add(0x10);
        debug_log("obj_leaker address @ " + g_leaker_addr);
    }

    If I use utils.js from Fire, the struct is not present.
    So I got saelo's one, but the int64.js files are not the same, so I am guessing this is my mistake.
    But I have no clue how to make it work.

    Honestly my head is hurting ^^

    I don't think I am capable of finding a kex, but thanks for thinking that I can.
     
    KiiWii and TR_mahmutpek like this.
  16. DaminouTav

    DaminouTav Member
    Newcomer

    Joined:
    Jan 17, 2016
    Messages:
    27
    Country:
    France
    I'm just following this post and wish you luck; it's nice to see guys wanting to learn and share what they're doing :) Thank you ;)
     
    ryuutseku85 likes this.
  17. MostlyUnharmful

    MostlyUnharmful GBAtemp Fan
    Member

    Joined:
    Feb 8, 2018
    Messages:
    346
    Country:
    Italy
    Oh, I see, in int64.js they define an Int64 object with a few methods for integer operations.

    I didn't want to debug JavaScript today, but I nonetheless downloaded the Fire30 "bad_hoist" repository; on the Chrome version I have here it doesn't trigger anything, and on both Chrome and Firefox I only see a couple of the same error (expected, as the JS bug was probably fixed last summer). Also, on a vulnerable browser I would expect it to crash a lot, as you are trying to exploit a vulnerability and you don't know the success rate or if it's yet coded to maximize trigger chances...
     
    KiiWii likes this.
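    The Int64-with-methods approach that the BigInt reply, the posted setup_obj_leaks() snippet and the reply above all revolve around, as an added example. This is not saelo's int64.js, not Fire30's utils.js and not code from the thread, and the thread does not show those files' APIs, so the method names here (add, sub, toBigInt, fromDouble) and the low-word-first argument order of the constructor are assumptions. It shows why plain Numbers are awkward for 64-bit addresses (bitwise operators truncate to 32 bits and integers above 2^53 are not exact), how a leaked 8-byte value read back as a double is split into two 32-bit halves, and how add() carries from the low half into the high half, which is what a call like `new Int64(lo, hi).add(0x10)` needs. The leaked value is constructed.

```javascript
// Added example; not saelo's int64.js, not Fire30's utils.js, not thread code.
// A minimal 64-bit integer built from two unsigned 32-bit halves, which is
// how exploit code usually carries addresses inside a JavaScript engine.

// Why not a plain Number: bitwise operators work on 32 bits, and integers
// above 2^53 cannot be represented exactly.
function numberPitfalls() {
  return {
    bitwiseTruncates: (0x100000000 | 0) === 0, // true: 2^32 | 0 is 0
    losesPrecision: 2 ** 53 + 1 === 2 ** 53,   // true: the +1 is lost
  };
}

class Int64 {
  // Assumed argument order: low 32 bits first, then high 32 bits.
  constructor(lo, hi) {
    this.lo = lo >>> 0;
    this.hi = hi >>> 0;
  }

  static fromBigInt(v) {
    v = BigInt.asUintN(64, v);
    return new Int64(Number(v & 0xffffffffn), Number(v >> 32n));
  }

  // Reinterpret the bit pattern of a double as a 64-bit integer (little
  // endian, as on x86-64): this is the shape of an info leak that reads
  // an object pointer back through a Float64 array.
  static fromDouble(d) {
    const buf = new ArrayBuffer(8);
    new Float64Array(buf)[0] = d;
    const words = new Uint32Array(buf);
    return new Int64(words[0], words[1]);
  }

  toBigInt() {
    return (BigInt(this.hi) << 32n) | BigInt(this.lo);
  }

  // Accepts a Number or an Int64; propagates the carry out of the low half.
  add(other) {
    const o = typeof other === "number" ? Int64.fromBigInt(BigInt(other)) : other;
    const lo = this.lo + o.lo;                // may exceed 32 bits
    const carry = lo > 0xffffffff ? 1 : 0;
    return new Int64(lo >>> 0, this.hi + o.hi + carry); // hi wraps in ctor
  }

  sub(other) {
    const o = typeof other === "number" ? Int64.fromBigInt(BigInt(other)) : other;
    return Int64.fromBigInt(this.toBigInt() - o.toBigInt());
  }

  toString() {
    return "0x" + this.hi.toString(16).padStart(8, "0") +
                  this.lo.toString(16).padStart(8, "0");
  }
}

// Constructed leak: pretend the engine handed us this double where an
// object pointer was expected (a subnormal, so its bits survive the
// round trip), then bump it by 0x10 as the posted snippet does.
const LEAKED_DOUBLE =
  new Float64Array(new Uint32Array([0x5678a000, 0x00007f12]).buffer)[0];
const leakedAddr = Int64.fromDouble(LEAKED_DOUBLE);
console.log("leak", leakedAddr.toString(), "+0x10 =", leakedAddr.add(0x10).toString());
console.log(numberPitfalls());
```

    The "add is not a function" error from earlier in the thread is exactly what you get when the Int64 object in scope comes from a file that does not define that method; a quick `typeof g_leaker_addr.add === "function"` check right after construction tells you which int64 implementation actually got loaded before the exploit proceeds to use the address.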
  18. RiPPERD

    RiPPERD Advanced Member
    Newcomer

    Joined:
    Oct 17, 2018
    Messages:
    75
    Country:
    United Kingdom
    Glad to see this is still in progress, keep up the good work; it'd be good to see the "hackers" pull a goal back against pony
     