Oh wow, just hours after tweeting that this needed to be “ironed out”, SpecterDev has now released their implementation of the PS5 IPV6 Kernel exploit!
This build relies on the WebKit vulnerability as an entry point, meaning it will work on any PS5 (including the PS5 Digital Edition) running firmware 4.03. Lower firmwares may work (although the exploit may require tweaking). Higher firmwares will not work at this time (they are not vulnerable to the WebKit exploit).
The PS5 4.03 kernel exploit is here!
SpecterDev warns of important limitations in this release. Notably:
- The exploit is quite unstable and in his experience will work about 30% of the time. If you try to run it, don’t give up, it may take several tries before the exploit passes
- Perhaps more importantly, this exploit gives us read/write access, but no execute! This means that there is no ability to load and run binary files at the moment, everything is restricted as part of the ROP chain. The current implementation does, however, enable debug settings.
Specifically, from the exploit’s readme file:
Currently included
- Gets arbitrary read/write and can run a basic RPC server for reads/writes (or a dump server for large reads) (must change your own address/port in the exploit file at lines 673-677)
- Enables the debug settings menu (note: you will have to completely exit settings and go back to see it).
- Get root privileges
- This exploit allows read/write, but not code execution. This is because we cannot currently dump kernel code for gadgets, as kernel .text pages are marked as eXecute Only Memory (XOM). Trying to read kernel .text pointers will cause a panic!
- As noted above, and with the hypervisor (HV) enforcing kernel write protection, this exploit also cannot install patches or hooks into kernel space, which means there is no homebrew-related code at the moment.
- Clang-based fine-grained control flow integrity (CFI) is present and enforced.
- Supervisor Mode Access Prevention/Enforcement (SMAP/SMEP) cannot be disabled due to HV.
- The write primitive is somewhat constrained, as bytes 0x10-0x14 must be zero (or a valid network interface).
- The stability of the exploit is currently poor. More on that below.
- In the event of a successful run, exit the browser with the circle button; the PS button panics for a currently unknown reason.
Notes on stability
The stability of this exploit is around 30% and has multiple potential points of failure. In order of decreasing probability observed:
- Step 1 causes more than one UAF due to failure to catch one or more during recovery, causing latent corruption that causes a panic some time later.
- Step 4 finds the overlay/victim socket, but the pktopts is the same as the master socket, so the ‘read’ primitive just re-reads the pointer you are trying to read instead of the contents of that pointer. This needs some improvement and fixing if possible because it’s really annoying.
- Step 1: The attempt to retrieve the UAF fails and something else steals the pointer, causing an immediate panic.
- The kqueue leak fails and fails to find a recognized kernel .data pointer.
In other words, this build is only useful for hackers or people curious to dig inside the PS5. Note, however, that despite its limitations, this is the very first public release of such a powerful hack for the PS5, which means further discoveries are inevitable!
PS5 IPV6 Exploit Overview Video
Scene member Echo Stretch managed to perform the feat and provide us with a video of it in action, as seen below. In the video you can see the debug menu and package installer unlocked on the PS5
PS5 4.03 Core Mining Test for Disc or Digital PS5 @frwololo @ps4_hacking pic.twitter.com/K8p8j0owoq
– Stretch Echo (@StretchEcho) October 3, 2022
Download and run
You can download the hack here.
You’ll need Python to run the SpecterDev implementation, and you’ll run a web server on your local PC that your PS5 can access.
- Configure fakedns via `dns.conf` to point `manuals.playstation.net` to your PC's IP address
- Run fake DNS: `python fakedns.py -c dns.conf`
- Run the HTTPS server: `python host.py`
- Go to the PS5 advanced network settings and set the primary DNS to your PC's IP address, leaving the secondary on `0.0.0.0`
- Sometimes the manual still won't load and a reboot is needed; I don't know why, it's really weird
- Go to the user manual in settings, accept the untrusted certificate prompt, and run it
- Optional: run the rpc/dump server scripts (note: address/port must be replaced as binary in exploit.js)
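The whole delivery chain above hinges on one thing a network operator can observe: the console resolving `manuals.playstation.net` to a machine on the local network instead of Sony's servers. The following is an added example, not code from SpecterDev's release or from wololo.net, showing how to parse a DNS response and flag a watched name that resolves to a private address. The builder function only fabricates sample packets for the check; the addresses and transaction IDs in it are constructed.

```python
import ipaddress
import struct

# Hostname the PS5 contacts for its on-console user manual; the set-up steps
# above redirect it to a LAN host with a fake DNS server.
WATCHED_NAMES = {"manuals.playstation.net"}


def _encode_name(name):
    """Encode a dotted hostname as DNS labels (length-prefixed, NUL-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_response(txid, name, ips, ttl=60):
    """Construct a minimal DNS response: one question plus one A answer per IP.
    Used here only to fabricate sample packets for the detection check."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answers = b""
    for ip in ips:
        # 0xC00C is a compression pointer to the question name at offset 12
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4)
        answers += ipaddress.IPv4Address(ip).packed
    return header + question + answers


def _decode_name(packet, offset):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels = []
    end = None  # position right after the name in the original stream
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    if end is None:
        end = offset
    return ".".join(labels), end


def parse_a_response(packet):
    """Return (queried name, list of IPv4 strings found in A answers)."""
    _txid, _flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    offset = 12
    qname, offset = _decode_name(packet, offset)
    offset += 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        _, offset = _decode_name(packet, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(str(ipaddress.IPv4Address(rdata)))
    return qname, ips


def spoofed_answers(packet):
    """For a watched name, return the private (RFC 1918, loopback, link-local)
    addresses it resolved to; an empty list means the answer looks legitimate.
    Returns None when the response is for a name we do not watch."""
    name, ips = parse_a_response(packet)
    if name not in WATCHED_NAMES:
        return None
    return [ip for ip in ips if ipaddress.IPv4Address(ip).is_private]


if __name__ == "__main__":
    # Constructed sample: the manual host answered with a LAN address.
    sample = build_a_response(0x1234, "manuals.playstation.net", ["192.168.1.20"])
    print(spoofed_answers(sample))
```

Feed `spoofed_answers` the UDP payload of DNS replies seen on the network (from a packet capture, for instance); a non-empty result for the manual hostname is the signature of the fake-DNS step described above. Sony's real address block is not hard-coded, so the check stays valid when their infrastructure changes.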
This is a developing story as more and more people will be testing and reporting on this hack in the coming days, so stay tuned!
Source: SpecterDev