GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → Cryptogenic → Ps4 6.20 Webkit Code Execution Exploit

Cryptogenic / Ps4 6.20 Webkit Code Execution Exploit

Licence: wtfpl
A WebKit exploit using CVE-2018-4441 to obtain RCE on PS4 6.20.

Programming Languages

javascript
184084 projects - #8 most used programming language

Labels

htmlexploitationwebkit

Projects that are alternatives of or similar to Ps4 6.20 Webkit Code Execution Exploit

Blazefox
Blazefox exploits for Windows 10 RS5 64-bit.
Stars: ✭ 134 (-31.98%)
Mutual labels:  exploitation
Flashsploit
Exploitation Framework for ATtiny85 Based HID Attacks
Stars: ✭ 155 (-21.32%)
Mutual labels:  exploitation
Node Webkitgtk
webkitgtk bindings for 🚀 Node.js
Stars: ✭ 185 (-6.09%)
Mutual labels:  webkit
Fuxploider
File upload vulnerability scanner and exploitation tool.
Stars: ✭ 1,997 (+913.71%)
Mutual labels:  exploitation
Ropa
GUI tool to create ROP chains using the ropper API
Stars: ✭ 151 (-23.35%)
Mutual labels:  exploitation
Antimalware Research
Research on Anti-malware and other related security solutions
Stars: ✭ 163 (-17.26%)
Mutual labels:  exploitation
Mail
Mail app designed for elementary OS
Stars: ✭ 130 (-34.01%)
Mutual labels:  webkit
Awesome Bbht
A bash script that will automatically install a list of bug hunting tools that I find interesting for recon, exploitation, etc. (minus burp) For Ubuntu/Debain.
Stars: ✭ 190 (-3.55%)
Mutual labels:  exploitation
Ps4 5.01 Webkit Exploit Poc
PS4 5.01 WebKit Exploit PoC
Stars: ✭ 155 (-21.32%)
Mutual labels:  webkit
Blisqy
Version 0.2 - Exploit Time-based blind-SQL injection in HTTP-Headers (MySQL/MariaDB).
Stars: ✭ 179 (-9.14%)
Mutual labels:  exploitation
Mida Multitool
Bash script purposed for system enumeration, vulnerability identification and privilege escalation.
Stars: ✭ 144 (-26.9%)
Mutual labels:  exploitation
Adium
Official mirror of hg.adium.im
Stars: ✭ 146 (-25.89%)
Mutual labels:  webkit
Karkinos
A thorough library database to assist with binary exploitation tasks.
Stars: ✭ 170 (-13.71%)
Mutual labels:  exploitation
Arm exploitation
Exploitation on ARM-based Systems (Troopers18)
Stars: ✭ 139 (-29.44%)
Mutual labels:  exploitation
Vulnerable Kext
A WIP "Vulnerable by Design" kext for iOS/macOS to play & learn *OS kernel exploitation
Stars: ✭ 188 (-4.57%)
Mutual labels:  exploitation
Ephemeral
A private-by-default, always-incognito browser for elementary OS
Stars: ✭ 133 (-32.49%)
Mutual labels:  webkit
Mqtt Pwn
MQTT-PWN intends to be a one-stop-shop for IoT Broker penetration-testing and security assessment operations.
Stars: ✭ 156 (-20.81%)
Mutual labels:  exploitation
Xrop
Tool to generate ROP gadgets for ARM, AARCH64, x86, MIPS, PPC, RISCV, SH4 and SPARC
Stars: ✭ 195 (-1.02%)
Mutual labels:  exploitation
Exploitation Course
Offensive Software Exploitation Course
Stars: ✭ 189 (-4.06%)
Mutual labels:  exploitation
Xerror
fully automated pentesting tool
Stars: ✭ 173 (-12.18%)
Mutual labels:  exploitation
View All Similar Projects ➔

PS4 6.20 WebKit Code Execution PoC

This repo contains a proof-of-concept (PoC) RCE exploit targeting the PlayStation 4 on firmware 6.20 leveraging CVE-2018-4441. The exploit first establishes an arbitrary read/write primitive as well as an arbitrary object address leak in wkexploit.js. It will then setup a framework to run ROP chains in index.html and by default will provide two hyperlinks to run test ROP chains - one for running the sys_getpid() syscall, and the other for running the sys_getuid() syscall to get the PID and user ID of the process respectively.

Each file contains a comment at the top giving a brief explanation of what the file contains and how the exploit works. Credit for the bug discovery is to lokihardt from Google Project Zero (p0). The bug report can be found here.

Note: It's been patched in the 6.50 firmware update.

Files

Files in order by name alphabetically;

  • index.html - Contains post-exploit code, going from arb. R/W -> code execution.
  • rop.js - Contains a framework for ROP chains.
  • syscalls.js - Contains an (incomplete) list of system calls to use for post-exploit stuff.
  • wkexploit.js - Contains the heart of the WebKit exploit.

Notes

  • This vulnerability was patched in 6.50 firmware!
  • This only gives you code execution in userland. This is not a jailbreak nor a kernel exploit, it is only the first half.
  • This exploit targets firmware 6.20. It should work on lower firmwares however the gadgets will need to be ported, and the p.launchchain() method for code execution may need to be swapped out.
  • In my tests the exploit as-is is pretty stable, but it can become less stable if you add a lot of objects and such into the exploit. This is part of the reason why syscalls.js contains only a small number of system calls.

Usage

Setup a web-server hosting these files on localhost using xampp or any other program of your choosing. Additionally, you could host it on a server. You can access it on the PS4 by either;

  1. Fake DNS spoofing to redirect the manual page to the exploit page, or

  2. Using the web browser to navigate to the exploit page (not always possible).

Vulnerability Credit

I wrote the exploit however I did not find the vulnerability, as mentioned above the bug (CVE-2018-4441) was found by lokihardt from Google Project Zero (p0) and was disclosed via the Chromium public bug tracker.

Resources

Chromium Bug Report - The vulnerability.

Phrack: Attacking JavaScript Engines by saelo - A life saver. Exploiting this would have been about 1500x more difficult without this divine paper.

Thanks

lokihardt - The vulnerability

st4rk - Help with the exploit

qwertyoruiop - WebKit School

saelo - Phrack paper

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].