Sony Playstation 4 (PS4) 3.15 < 3.55 - WebKit Code Execution (PoC)

ID EDB-ID:44199
Type exploitdb
Reporter Exploit-DB
Modified 2016-09-06T00:00:00


Sony Playstation 4 (PS4) 3.15 < 3.55 - WebKit Code Execution (PoC). Local exploit for Hardware platform

PS4 3.55 Unsigned Code Execution
This GitHub repository contains all the tools needed to get PoC unsigned code execution on a Sony PS4 running firmware 3.15, 3.50 or 3.55.
This exploit is based off [Henkaku's]( WebKit vulnerability for Sony's PS Vita.
It includes a basic ROP chain and is able to return to normal execution afterwards.

1. A PC
  1. Running Windows, macOS or Linux
  2. An already set-up basic web server that the PS4 User's Guide launcher will be pointed at to load the payload
  3. [Python]( 2.7.X
    * Python 3.X causes problems, since it introduced major syntax and library changes compared with 2.7
2. A Sony PlayStation 4
  1. Running one of the following firmwares:
    * 3.15, 3.50 or 3.55
3. Internet connection (PS4 and PC wired directly to the router is the preferred option)

There are two different methods to execute the exploit, but first let's clarify how to know which one to use.
If your PlayStation 4 already has a PlayStation Network account set up on it, use method 1.
If your PlayStation 4 has NEVER had a PlayStation Network account on it, use method 2.
The reason is simple:
When you buy a PS4 it comes unactivated, meaning nobody has entered a SEN account on it (method 2).
Once you use a SEN account on it, the PS4 becomes an activated console (method 1).
This doesn't affect the actual payload, but keep in mind which method to use.

Method 1:
Run this command in the folder where you downloaded this repo:
`python`
All debug output is printed during the exploit process.
Open your PS4's web browser and simply type your PC's IP address into the address bar.
Wait until the exploit finishes; once it does, the PS4 returns to its normal state.
An example of what it looks like can be found [HERE](

Method 2:
The dns.conf file included in the source needs to be edited to contain your local PC's IP address.
The PlayStation 4's DNS settings must be changed to point at the PC's IP address where the exploit is hosted.
Once you've edited the dns.conf file, run the following command in the folder where you downloaded this repo:
`python -c dns.conf`
And then:
`python`
All debug output is printed during the exploit process.
Once the Python part is done, go to your PlayStation 4, navigate to the User's Guide page and wait until the exploit finishes.
An example of what it looks like can be found [HERE](

If you want to try the socket test, change the IP address at the bottom of the ps4sploit.html file to your computer's address and run this command:
`netcat -l 8989 -v`
You should see something like:
```
Listening on [] (family 0, port 8989)
Connection from [] port 8989 [tcp/sunwebadmins] accepted (family 2, sport 59389)
Hello From a PS4!
```
Notes about this exploit:
* Currently the exploit does not work 100% of the time, but the success rate is around 80%, which is fine for our purposes.
* Although it is confirmed to work, it will sometimes fail; just wait a few seconds and re-run the payload.
* Performing too much memory allocation after sort() is called can lead to more instability and more frequent crashes.
* The process will crash after the ROP payload has finished executing.
* This is only useful for researchers. Many more steps are needed before this becomes useful to normal users.

xyz - Much of the code is based off of his code used for the Henkaku project  
Anonymous contributor - WebKit Vulnerability PoC  
CTurt - I basically copied his JuSt-ROP idea  
xerpi - Used his idea for the socket code  
rck\`d - Finding bugs such as not allocating any space for a stack on function calls  
Maxton - 3.50 support and various cleanup  
Thunder07 - 3.15 support

The code currently is a bit of a mess, so if you have any improvements feel free to send a pull request or make an issue. Also I am perfectly fine if you want to fork and create your own project.