7.50, expects payload on 9020/tcp. Applied patches: mmap, mprotect, syscall everywhere, kexec, delayed panics. Note: there is no Mira/HEN for 7.50 yet!
Some valid 7.02 addresses:
0x200eb00d8
0x200f300d8
0x200fb00d8
0x2011100d8
The success rate is about 10% for the last one. Unfortunately the exploit then crashes in the critical section in leakJSC. Will now investigate how to fix it.
Another FreeBSD PoC, now utilizing TheFlow's hint. Does not do any zone drains, so should be more portable.
Fun fact: it **seems** that the function tweeted by TheFlow does not need to be buggy. A patched one would also do its job.
Fix for the crash in leakJSC():
after debug_log("[+] Got a relative read"); insert
```javascript
var tmp_spray = {};
for (var i = 0; i < 100000; i++)
    tmp_spray['Z'.repeat(8 * 2 * 8 - 5 - LENGTH_STRINGIMPL) + ('' + i).padStart(5, '0')] = 0x1337;
```
A crazy idea for "PS4 modchip" makers (that just bundle a wifi hotspot with preloaded hosts into an esp8266 chip): make your chips also emulate a usb connection and insert/remove the fake drive at the right time. This way your stuff will finally be of some use.
Seems that I've finally caught the post-exploit instability issue some people discussed. Here it is:
(You will also want to diff that to the original poc, there are some other changes)
PoC for the FontFaceSet vulnerability, which was wrongly classified as a use-after-free. Works only on PC for now. Please check if this prints "failed to guess..." for you. Especially interested in reports from 9.00.
The porting tool for ps5-kstuff is now complete. If your firmware is not supported yet, please follow [this guide]() and dump the offsets. ESPECIALLY if you're on some weird firmware like 3.10 or 4.02.
BTW just finished another something-to-browser port. Remote package installation over NetCat! (Well, not actually...)
Source code:
Windows EXE:
Linux users, build from source.
"Mira not working" turned out to be ENTIRELY my own fault. I accidentally pointed the kexec syscall to "jmp rsi" instead of "jmp [rsi]". Regex match groups do not play well with AT&T notation...
P.S. Still needs checking whether homebrew will run...
Just in case anybody still cares:
HTMLTextAreaElement address statistics on 7.02. key = address in decimal, value = number of occurrences per 30 runs.
Extracted using a debugger with HEN already activated, not via the exploit, so no survivorship bias.
Unfortunately, type-confusing these pointers does not seem to be possible, due to it using a special mbuf type (MT_CONTROL). It may be possible to turn it into UAF on struct file, but that is also zone-allocated, and most file destructors put it into invalid state.
@SpecterDev
@tihmstar
select (f_poll) is a better target than ioctl (f_ioctl) imo. It only checks that the refcount is nonzero, while ioctl also checks that the mode allows either read or write.
@SpecterDev
Regarding zone reclaim on PS4, in this specific exploit the PS4 (for some weird reason) allocates even small packets in mbufs with clusters, i.e. the mbuf_packet zone, and to drain that you need to exhaust all clusters. That is the only way to do it; uma_reclaim does not work.
Hamachi ready:
P.S. IDK whether PS4 games will work through it. Only tested with the web browser. At least the console can still be pinged when running a game.
Regarding the new exploit disclosed at BHEU: could anybody run this () or equivalent code on 5.05/other non-6.XX firmware and send the logs to me? The pattern is obvious, but I'd like to know what differences to expect and what to brute for.
You can verify the found offsets by running the script test_offsets.py with the same arguments. It should launch a ps5-kstuff that can run fPKG files. If that works, please submit your JSON file either [here](), or to the "testing" channel on PS5 R&D Discord.
Once again, for those who didn't get the point. This link () should be visited from your PS4 which is on **5.05**. It is not a new exploit, all it does is collect some statistics that could be useful for porting the BHEU exploit to 7.02.
If someone does PS Vita homebrew development on Nix/NixOS, you may want to give my flake a try. I haven't tested much, but all packages now at least build, and those that I have tested work fine.
@_AlAzif
Just tried to run the 7.02 Mira build. And you guessed it, it does not run. I can't even see the "waiting for payloads" popup. [Probably the boot patches are the cause.]
UPDATE: I made a one-click 5.05 version of the code from previous post. Cannot test it though:(
P.S. Please do not port-scan/exploit/DDoS the server. I hope it is secure, but please do not abuse.
P.P.S. The logs will be sent unencrypted.
@PS4Trainer
I identified the problem with WebRTE on my exploit host. Your payload expects being loaded at a constant address (possibly 0x926200000), i.e. is not PIE, but MiraLoader maps the payload at a system-provided address, so it only works with PIE payloads.
I am of course as far from politics as one can be, but this Sunday a certain VVP is going to extend himself for another 6 years. If you also think this is a bad idea -- go to the polling stations and vote for any other candidate. Or tick several boxes: spoiling the ballot is a vote against all.
Something very weird is happening. I do see requests to static stuff in the server logs, but no POST requests with actual logs. Probably the code fails somewhere. Any chance to get a screenshot with error?
P.S. You do not need to activate any HEN first. At least I think so.
@_AlAzif
The way it has been added is wrong. It is now broken due to exploit.js being minified. Please upload a non-minified version of exploit.js instead.
Also the success rate is more like 30%, 10 retries is my personal worst-case.
@zhovner
@stripe
If you wished them luck, you wouldn't turn them away. Flipper is by no means a telephone, and that means that this is a PERSONAL attack on this specific project. Either get the fact that this is OK, or stop playing a role and tell the real reason.
@Harsh83106577
No, I have 6.72 data myself. What I want to see is how 5.05 is different from 6.72, to get an insight into how it changes between firmwares and what to expect on 7.02.
@AR_JRIDI
This is not an exploit. I am trying to collect statistics about how the unknown address changes between firmwares. I have the 6.72 data myself and am trying to collect some logs from 5.05 owners.