- 精华
- 0
- 帖子
- 2912
- 威望
- 0 点
- 积分
- 3025 点
- 种子
- 393 点
- 注册时间
- 2004-1-22
- 最后登录
- 2025-2-26
|
本帖最后由 shadowl 于 2017-12-31 00:16 编辑
PS4 4.05 Kernel Exploit
Summary
In this project you will find a full implementation of the "namedobj" kernel exploit for the PlayStation 4 on 4.05. It will allow you to run arbitrary code as kernel, to allow jailbreaking and kernel-level modifications to the system. This release however, does not contain any code related to defeating anti-piracy mechanisms or running homebrew. This exploit does include a loader that listens for payloads on port 9020 and will execute them upon receival.
You can find fail0verflow's original write-up on the bug here, you can find my technical write-up which dives more into implementation specifics here.
Patches Included
The following patches are made by default in the kernel ROP chain:
Disable kernel write protection
Allow RWX (read-write-execute) memory mapping
Dynamic Resolving (sys_dynlib_dlsym) allowed from any process
Custom system call #11 (kexec()) to execute arbitrary code in kernel mode
Allow unprivileged users to call setuid(0) successfully. Works as a status check, doubles as a privilege escalation.
Notes
This exploit is actually incredibly stable at around 95% in my tests. WebKit very rarely crashes and the same is true with kernel.
I've built in a patch so the kernel exploit will only run once on the system. You can still make additional patches via payloads.
A custom syscall is added (#11) to execute any RWX memory in kernel mode, this can be used to execute payloads that want to do fun things like jailbreaking and patching the kernel.
An SDK is not provided in this release, however a barebones one to get started with may be released at a later date.
I've released a sample payload here that will make the necessary patches to access the debug menu of the system via settings, jailbreaks, and escapes the sandbox.
PS4 4.05内核开发
总结
在这个项目中你会找到一个全面实施“namedobj“内核开发PlayStation 4游戏机4.05。它将允许您运行任意代码为核心,让越狱和系统内核的修改。但是这个版本,不含任何击败反散装光盘机制或运行程序的相关代码。这个漏洞不包括装载机在9020端口监听的有效载荷和执行他们在收。
你可以找到fail0verflow的原来写在这里的bug,你会发现我写了更多的技术实现细节在这里潜水。
补丁包括
以下是在内核ROP链中默认执行的补丁程序:
禁用内核写保护
允许rwx(读写执行)内存映射
动态解析(sys_dynlib_dlsym)允许从任何过程
自定义的系统调用# 11(kexec())在内核模式下执行任意代码
允许非特权用户调用setuid(0)成功。作为状态检查工作,兼作权限提升。
笔记
这个漏洞实际上非常稳定,在我的测试中大约为95%。WebKit很少崩溃,同样是真实的内核。
我建立了一个补丁,所以内核的漏洞只能在系统上运行一次。您仍然可以通过有效负载生成额外的补丁程序。
添加一个自定义的系统调用(# 11)在内核模式下执行任何rwx内存,这可以被用来执行的有效载荷,想做有趣的事情就像越狱和编译内核。
一个SDK这个版本不提供,但是一个准系统一开始可能会在晚些时候发布。
我已经发布了一个样品的重量,会使必要的补丁进入调试的系统菜单通过设置,越狱,逃避沙盒。
ps4光盘dump教程
https://www.bilibili.com/video/av16375168/ |
|
[复制链接]
川公网安备 51019002005286号
楼主
发表于 2017-12-30 23:48 · 广东
