Skip to content
This repository has been archived by the owner before Nov 9, 2022. It is now read-only.

ChendoChap/ps4-ipv6-uaf

master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 

PS4 5.05 - 7.02 Kernel Exploit


Summary

In this project you will find a full implementation of the "ipv6 uaf" kernel exploit for the PlayStation 4 for firmwares 7.00 - 7.02. It will allow you to run arbitrary code as kernel, to allow jailbreaking and kernel-level modifications to the system. will launch the usual payload launcher (on port 9020).

This bug was originally discovered by Fire30, and subsequently found by Andy Nguyen

Implementations

Patches Included

The following patches are applied to the kernel:

  1. Allow RWX (read-write-execute) memory mapping (mmap / mprotect)
  2. Syscall instruction allowed anywhere
  3. Dynamic Resolving (sys_dynlib_dlsym) allowed from any process
  4. Custom system call #11 (kexec()) to execute arbitrary code in kernel mode
  5. Allow unprivileged users to call setuid(0) successfully. Works as a status check, doubles as a privilege escalation.

Notes

  • The page will crash on successful kernel exploitation, this is normal
  • There are a few races involved with this exploit, losing one of them and attempting the exploit again might not immediately crash the system but stability will take a hit, upon seeing an '[ERROR] ...' alert it is best to reboot the system.
  • 6.xx's webkit side is occasionally unstable atm and may trigger a 'few' extra OOM's
  • the payload loader does not mmap at a static address, make sure payloads are made with this in mind.

Contributors

About

No description, website, or topics provided.

Resources

Stars

Watchers

Forks

Packages

No packages published