You can access it on the PS4 by either įake DNS spoofing to redirect the manual page to the exploit page, or Additionally, you could host it on a server. Setup a web-server hosting these files on localhost using xampp or any other program of your choosing. This is part of the reason why syscalls.js contains only a small number of system calls. In my tests the exploit as-is is pretty stable, but it can become less stable if you add a lot of objects and such into the exploit.It should work on lower firmwares however the gadgets will need to be ported, and the p.launchchain() method for code execution may need to be swapped out. This is not a jailbreak nor a kernel exploit, it is only the first half. This only gives you code execution in userland.This vulnerability was patched in 6.50 firmware!.wkexploit.js - Contains the heart of the WebKit exploit.syscalls.js - Contains an (incomplete) list of system calls to use for post-exploit stuff.
rop.js - Contains a framework for ROP chains.index.html - Contains post-exploit code, going from arb.Note: It's been patched in the 6.50 firmware update. Credit for the bug discovery is to lokihardt from Google Project Zero (p0). It will then setup a framework to run ROP chains in index.html and by default will provide two hyperlinks to run test ROP chains - one for running the sys_getpid() syscall, and the other for running the sys_getuid() syscall to get the PID and user ID of the process respectively.Įach file contains a comment at the top giving a brief explanation of what the file contains and how the exploit works. The exploit first establishes an arbitrary read/write primitive as well as an arbitrary object address leak in wkexploit.js. This repo contains a proof-of-concept (PoC) RCE exploit targeting the PlayStation 4 on firmware 6.20 leveraging CVE-2018-4441.
0 kommentar(er)
