PS4 5.05 - 7.02 Kernel Exploit
In this project you will find a full implementation of the "ipv6 uaf" kernel exploit for the PlayStation 4 for firmwares 7.00 - 7.02. It will allow you to run arbitrary code as kernel, to allow jailbreaking and kernel-level modifications to the system. will launch the usual payload launcher (on port 9020).
The following patches are applied to the kernel:
- Allow RWX (read-write-execute) memory mapping (mmap / mprotect)
- Syscall instruction allowed anywhere
- Dynamic Resolving (
sys_dynlib_dlsym) allowed from any process
- Custom system call #11 (
kexec()) to execute arbitrary code in kernel mode
- Allow unprivileged users to call
setuid(0)successfully. Works as a status check, doubles as a privilege escalation.
- The page will crash on successful kernel exploitation, this is normal
- There are a few races involved with this exploit, losing one of them and attempting the exploit again might not immediately crash the system but stability will take a hit, upon seeing an '[ERROR] ...' alert it is best to reboot the system.
- 6.xx's webkit side is occasionally unstable atm and may trigger a 'few' extra OOM's
- the payload loader does not mmap at a static address, make sure payloads are made with this in mind.
- Specter - advice + 5.05 webkit and (6.20) rop execution method
- kiwidog - advice
- Fire30 - bad_hoist
- Andy Nguyen - disclosed exploit code
- SocraticBliss - Shakespeare dev & crash test dummy
- Znullptr - drunk.dev
- synacktiv - webkit exploit
- sleirsgoevy - ^ ported webkit exploit to 7.02 (and add addrof js prim)