ID
VAR-E-201802-0287
EDB ID
44196
TITLE
Sony Playstation 4 (PS4) 4.55 - 'Jailbreak' 'setAttributeNodeNS' WebKit 5.02 / 'bpf' Kernel Loader 4.55 - Hardware remote Exploit
Trust: 0.6
DESCRIPTION
Sony Playstation 4 (PS4) 4.55 - 'Jailbreak' 'setAttributeNodeNS' WebKit 5.02 / 'bpf' Kernel Loader 4.55. Remote exploit for the Hardware platform.
Trust: 0.6
AFFECTED PRODUCTS
vendor: | sony | model: | playstation | scope: | eq | version: | 44.55 | Trust: 1.6 |
EXPLOIT
# PS4 4.55 Kernel Exploit
---
## Summary
In this project you will find a full implementation of the "bpf" kernel exploit for the PlayStation 4 on firmware 4.55. It allows arbitrary code to run in kernel mode, which enables jailbreaking and kernel-level modifications to the system. This release, however, *does not* contain any code related to defeating anti-piracy mechanisms or running homebrew. The exploit does include a loader that listens for payloads on port `9020` and executes them upon receipt.
This bug was discovered by qwertyoruiopz, and can be found hosted on his website [here](http://crack.bargains/455/).
## Patches Included
The following patches are made by default in the kernel ROP chain:
1) Disable kernel write protection
2) Allow RWX (read-write-execute) memory mapping
3) Syscall instruction allowed anywhere
4) Dynamic resolving (`sys_dynlib_dlsym`) allowed from any process
5) Custom system call #11 (`kexec()`) to execute arbitrary code in kernel mode
6) Allow unprivileged users to call `setuid(0)` successfully. Works as a status check and doubles as a privilege escalation.
## Notes
- Payloads from 4.05 should be fairly trivial to port unless they use hardcoded kernel offsets.
- I've built in a patch so the kernel exploit will only run once on the system; additional patches can be made via payloads.
- A custom syscall (#11) is added to execute any RWX memory in kernel mode; payloads that need to do things like jailbreaking and patching the kernel can use it.
## Contributors
Massive credits to the following:
- [qwertyoruiopz](https://twitter.com/qwertyoruiopz)
- [Flatz](https://twitter.com/flat_z)
- Anonymous
Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/44196-v2.zip
Trust: 1.0
EXPLOIT LANGUAGE
md
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
'Jailbreak' 'setAttributeNodeNS' WebKit 5.02 / 'bpf' Kernel Loader 4.55
Trust: 1.0
TAGS
tag: | Console | Trust: 1.0 |
CREDITS
Specter
Trust: 0.6
EXTERNAL IDS
db: | EXPLOIT-DB | id: | 44196 | Trust: 1.6 |
db: | EDBNET | id: | 96880 | Trust: 0.6 |
REFERENCES
url: | https://github.com/cryptogenic/ps4-4.55-kernel-exploit/tree/bb0dfe821d94cb03491b0d4c5136cefd1624fc41 | Trust: 1.0 |
url: | https://www.exploit-db.com/exploits/44196/ | Trust: 0.6 |
SOURCES
db: | EXPLOIT-DB | id: | 44196 |
db: | EDBNET | id: | 96880 |
LAST UPDATE DATE
2022-07-27T09:37:29.801000+00:00
SOURCES RELEASE DATE
db: | EXPLOIT-DB | id: | 44196 | date: | 2018-02-27T00:00:00 |
db: | EDBNET | id: | 96880 | date: | 2018-02-28T00:00:00 |