ID
VAR-E-201805-0430
EDB ID
44818
TITLE
Sony Playstation 4 (PS4) 5.07 - 'Jailbreak' WebKit / 'bpf v2' Kernel Loader - Hardware local Exploit
Trust: 0.6
DESCRIPTION
Sony Playstation 4 (PS4) 5.07 - 'Jailbreak' WebKit / 'bpf v2' Kernel Loader.. local exploit for Hardware platform
Trust: 0.6
AFFECTED PRODUCTS
| vendor: | sony | model: | playstation | scope: | eq | version: | 45.07 | Trust: 1.6 |
EXPLOIT
# PS4 5.05 Kernel Exploit
---
## Summary
In this project you will find a full implementation of the second "bpf" kernel exploit for the PlayStation 4 on 5.05. It will allow you to run arbitrary code as kernel, to allow jailbreaking and kernel-level modifications to the system. This exploit also contains autolaunching code for Mira and Vortex's HEN payload. Subsequent loads will launch the usual payload launcher.
This bug was discovered by qwertyoruiopz, and can be found hosted on his website [here](http://crack.bargains/505k/). The [GitHub Pages site](https://cryptogenic.github.io/PS4-5.05-Kernel-Exploit/) automatically generated from this repository should also work.
Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/44818.zip
## Patches Included
The following patches are made by default in the kernel ROP chain:
1) Disable kernel write protection
2) Allow RWX (read-write-execute) memory mapping
3) Syscall instruction allowed anywhere
4) Dynamic Resolving (`sys_dynlib_dlsym`) allowed from any process
4) Custom system call #11 (`kexec()`) to execute arbitrary code in kernel mode
5) Allow unprivileged users to call `setuid(0)` successfully. Works as a status check, doubles as a privilege escalation.
## Payloads included
1) Vortex's HEN (Homebrew Enabler)
2) Mira
## Notes
- The page will crash on successful kernel exploitation, this is normal
## Contributors
Massive credits to the following:
- [qwertyoruiopz](https://twitter.com/qwertyoruiopz)
- [Flatz](https://twitter.com/flat_z)
- [Vortex](https://github.com/xvortex)
- [OpenOrbis Team](https://github.com/OpenOrbis/)
- Anonymous
Trust: 1.0
EXPLOIT LANGUAGE
md
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
'Jailbreak' WebKit / 'bpf v2' Kernel Loader
Trust: 1.6
CREDITS
Specter
Trust: 0.6
EXTERNAL IDS
| db: | EXPLOIT-DB | id: | 44818 | Trust: 1.6 |
| db: | EDBNET | id: | 98151 | Trust: 0.6 |
REFERENCES
| url: | https://github.com/cryptogenic/ps4-5.05-kernel-exploit/tree/547e0a75251a5add16fdf3b13ea1cc4bf8f2d5d3 | Trust: 1.0 |
| url: | https://www.exploit-db.com/exploits/44818/ | Trust: 0.6 |
SOURCES
| db: | EXPLOIT-DB | id: | 44818 |
| db: | EDBNET | id: | 98151 |
LAST UPDATE DATE
2022-07-27T09:26:57.396000+00:00
SOURCES RELEASE DATE
| db: | EXPLOIT-DB | id: | 44818 | date: | 2018-05-28T00:00:00 |
| db: | EDBNET | id: | 98151 | date: | 2018-06-02T00:00:00 |