PS4 5.05 - 7.02 Kernel Exploit

Summary

In this project you will find a full implementation of the "ipv6 uaf" kernel exploit for the PlayStation 4 for firmwares 7.00 - 7.02. It will allow you to run arbitrary code as kernel, to allow jailbreaking and kernel-level modifications to the system. will launch the usual payload launcher (on port 9020).

This bug was originally discovered by Fire30, and subsequently found by Andy Nguyen

Implementations

• 5.05
• 5.50
• 5.53
• 5.55 - 5.56
• 6.00 - 6.02
• 6.20
• 6.50 - 6.51
• 6.70 - 6.72
• 7.00 - 7.02

Patches Included

The following patches are applied to the kernel:

1. Allow RWX (read-write-execute) memory mapping (mmap / mprotect)
2. Syscall instruction allowed anywhere
3. Dynamic Resolving (sys_dynlib_dlsym) allowed from any process
4. Custom system call #11 (kexec()) to execute arbitrary code in kernel mode
5. Allow unprivileged users to call setuid(0) successfully. Works as a status check, doubles as a privilege escalation.

Notes

• The page will crash on successful kernel exploitation, this is normal
• There are a few races involved with this exploit, losing one of them and attempting the exploit again might not immediately crash the system but stability will take a hit, upon seeing an '[ERROR] ...' alert it is best to reboot the system.
• 6.xx's webkit side is occasionally unstable atm and may trigger a 'few' extra OOM's
• the payload loader does not mmap at a static address, make sure payloads are made with this in mind.

Contributors

• Specter - advice + 5.05 webkit and (6.20) rop execution method
• kiwidog - advice
• Fire30 - bad_hoist
• Andy Nguyen - disclosed exploit code
• SocraticBliss - Shakespeare dev & crash test dummy
• Znullptr - drunk.dev
• synacktiv - webkit exploit
• sleirsgoevy - ^ ported webkit exploit to 7.02 (and add addrof js prim)