PS4 IPv6 UAF 6.70-6.72 Kernel Exploit with Patches, Maybe More Stable!

Since his PS4 Save Mounter Utility release, the PS4 6.20 ROP Execution Method, PS4 Webkit Bad_Hoist Exploit, 7.02 PS4 KEX, PS4 Webkit Exploit 6.72 Port, PS4 6.72 Jailbreak Exploit, Backporting PS4 Instructions, ESP8266 Xploit 6.72 Host and 6.72 PS4 Exploit Menu, today ChendoChap shared a PS4 IPv6 UAF 6.70-6.72 Kernel Exploit implementation with patches that may be more stable, according to @SpecterDev on Twitter.

Download: ps4-ipv6-uaf-master.zip / GIT / Live Demo Test Page via Leeful

Other PlayStation 4 Firmware Revisions with Patches Included via fabrebatalla18:

From the README.md, to quote: PS4 6.70 – 6.72 Kernel Exploit

Summary

In this project you will find a full implementation of the “ipv6 uaf” kernel exploit for the PlayStation 4 on 6.70 – 6.72. It will allow you to run arbitrary code as kernel, to allow jailbreaking and kernel-level modifications to the system. On success it will launch the usual payload launcher (on port 9020).

This bug was originally discovered by Fire30, and subsequently found by Andy Nguyen.

Patches Included

The following patches are applied to the kernel:

  1. Allow RWX (read-write-execute) memory mapping (mmap / mprotect)
  2. Syscall instruction allowed anywhere
  3. Dynamic Resolving (sys_dynlib_dlsym) allowed from any process
  4. Custom system call #11 (kexec()) to execute arbitrary code in kernel mode
  5. Allow unprivileged users to call setuid(0) successfully. Works as a status check, doubles as a privilege escalation.
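Patch 5 above turns setuid(0) into a status check. The same observation works in the other direction as an integrity probe: on a stock kernel (the PS4's FreeBSD base and Linux alike) setuid(0) from an unprivileged process fails with EPERM, so if it ever succeeds from a non-root process the kernel's credential checks have been patched or otherwise defeated. The program below is an added example written for this page; it is not code from the ipv6-uaf project, and it assumes only a POSIX environment (no PS4 SDK), so it can be compiled and run on any Unix-like host.

```c
/* Added example (not part of the ipv6-uaf project): probe whether the kernel
 * still enforces the privilege boundary on setuid(0), the check that patch 5
 * above relies on. Assumes a plain POSIX environment. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

enum setuid_barrier {
    BARRIER_INTACT = 0,       /* setuid(0) refused: credential checks enforced */
    BARRIER_BYPASSED = 1,     /* setuid(0) succeeded from non-root: checks patched */
    BARRIER_INCONCLUSIVE = 2  /* caller already root: a successful call proves nothing */
};

/* Returns the probe result; on BARRIER_INTACT *err receives the errno
 * (EPERM on a stock kernel). err may be NULL. */
enum setuid_barrier probe_setuid_barrier(int *err)
{
    if (err)
        *err = 0;

    /* A root process may legitimately call setuid(0), so the probe only
     * carries information when run unprivileged. */
    if (geteuid() == 0)
        return BARRIER_INCONCLUSIVE;

    if (setuid(0) == 0)
        return BARRIER_BYPASSED;  /* kernel no longer enforces the uid check */

    if (err)
        *err = errno;
    return BARRIER_INTACT;        /* expected on an unpatched kernel */
}

const char *setuid_barrier_name(enum setuid_barrier b)
{
    switch (b) {
    case BARRIER_INTACT:       return "intact";
    case BARRIER_BYPASSED:     return "bypassed";
    case BARRIER_INCONCLUSIVE: return "inconclusive";
    }
    return "unknown";
}

int main(void)
{
    int err = 0;
    enum setuid_barrier b = probe_setuid_barrier(&err);

    printf("euid=%u setuid(0) barrier: %s", (unsigned)geteuid(), setuid_barrier_name(b));
    if (b == BARRIER_INTACT)
        printf(" (errno %d: %s)", err, strerror(err));
    printf("\n");

    /* Non-zero exit when the boundary is gone, so the probe can be scripted. */
    return b == BARRIER_BYPASSED ? 1 : 0;
}
```

Run it as an ordinary user: "intact" with EPERM is the healthy result, "bypassed" means the process is now uid 0 without ever having been granted that right, and "inconclusive" means the probe was started as root and should be re-run unprivileged.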

Notes

  • The page will crash on successful kernel exploitation; this is normal.
  • There are a few races involved with this exploit; losing one of them and attempting the exploit again might not immediately crash the system, but stability will take a hit.

Contributors

Some tips…

1) When you navigate to the site, you will get a “There is not enough free system memory.” message if it is successful; any other message means you should restart your PS4.
2) Once you see this message, DON’T press OK! Press the PS button.
3) Re-open the site -> Awaiting Payload.

Also heating things up in the PS4 scene today is a 6.72 WebRTE Payload from @TylerMods of PS4Trainer.com, with some additional details in the Tweets below via kiwidoggie on what’s to come, including PS4 injectable trainers using Mira:

Cheers to @S3phi40T, @SocraticBliss, @SpecterDev and @DEFAULTDNB for the heads up, and @hyndrid for the screenshot below on this great progress update!
