Editing Exploit Chains

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 3: Line 3:
{| class="wikitable"
{| class="wikitable"
|+
|+
!System Software Version
!Firmware Version
!Hardware requirement
!Hypervisor Exploit
!Hypervisor Exploit
!Kernel Exploit
!Kernel Exploit
Line 11: Line 10:
!Capability
!Capability
|-
|-
|<=2.50
| <=2.50
|none
|Rumored [https://www.psxhax.com/threads/flat_z-confirms-ps5-hypervisor-exploitation-from-ps4-save-game.16063/]
|Rumored [https://www.psxhax.com/threads/flat_z-confirms-ps5-hypervisor-exploitation-from-ps4-save-game.16063/]
|No need for a kernel exploit
|Unknown
|any usermode exploit. Flatz uses a PS4 disc-based game save data exploit that hijacks the LUA interpreter.
|Rumored: PS4 Game Save
|Unreleased by [https://github.com/flatz Flatz]
|Unreleased by [https://github.com/flatz Flatz]
|Full Access to the system, Platform Secure Processor dump
|Full Access to the system
|-
|-
|<=4.03
|<=4.03
|USB storage media
|N/A
|N/A
|[[Vulnerabilities#FW%20%253C%3D%204.03%20-%20exFAT%20driver%20heap-based%20buffer%20overflow|exFAT Driver Heap Exploit]] There is no implementation because of the difficulty in writing the exploit without a real-time kernel dump or at least kASLR defeat. The proof of concept is a kernel panic when plugging in the drive and using the console for about a minute.
|[[Vulnerabilities#FW%20%253C%3D%204.03%20-%20exFAT%20driver%20heap-based%20buffer%20overflow|exFAT Driver Heap Exploit]] There is no implementation because of the difficulty in writing the exploit without a real-time kernel dump or at least kASLR defeat. The proof of concept is a kernel panic when plugging in the drive and using the console for about a minute.
Line 28: Line 25:
|-
|-
|3.00-4.51
|3.00-4.51
|none
|N/A
|N/A
|[[Vulnerabilities#FW 3.00-4.51 - IPV6 2292PKTOPTIONS UaF (yielding arbitrary kernel R/W) (CVE-2020-7457)|IPV6_2292PKTOPTIONS UaF (CVE-2020-7457)]]
|[[Vulnerabilities#FW 3.00-4.51 - IPV6 2292PKTOPTIONS UaF (yielding arbitrary kernel R/W) (CVE-2020-7457)|IPV6_2292PKTOPTIONS Use after free (CVE-2020-7457)]]
|WebKit [[Vulnerabilities#FW_%3C=_5.50_-_FrameLoader::loadInSameDocument()_UaF_(CVE-2022-22620)_leading_to_arbitrary_RW|loadInSameDocument]]
|WebKit [[Vulnerabilities#FW_%3C=_5.50_-_FrameLoader::loadInSameDocument()_UaF_(CVE-2022-22620)_leading_to_arbitrary_RW|loadInSameDocument]]
| need to mix [https://github.com/Cryptogenic/PS5-IPV6-Kernel-Exploit Cryptogenic's Implementation] and PsFree implementation by abc
| need to mix [https://github.com/Cryptogenic/PS5-IPV6-Kernel-Exploit Cryptogenic's Implementation] and PsFree implementation by abc
Line 36: Line 32:
|-
|-
|3.00-4.51
|3.00-4.51
|none
|N/A
|N/A
|[[Vulnerabilities#FW 3.00-4.51 - IPV6 2292PKTOPTIONS UaF (yielding arbitrary kernel R/W) (CVE-2020-7457)|IPV6_2292PKTOPTIONS UaF (CVE-2020-7457)]]
|[[Vulnerabilities#FW 3.00-4.51 - IPV6 2292PKTOPTIONS UaF (yielding arbitrary kernel R/W) (CVE-2020-7457)|IPV6_2292PKTOPTIONS Use after free (CVE-2020-7457)]]
|WebKit [[Vulnerabilities#FW_3.00-4.51_-_WebCore::CSSFontFaceSet_vulnerabilities_leading_to_usermode_ROP_code_execution|CSSFontFaceSet]]
|WebKit [[Vulnerabilities#FW_3.00-4.51_-_WebCore::CSSFontFaceSet_vulnerabilities_leading_to_usermode_ROP_code_execution|CSSFontFaceSet]]
|[https://github.com/Cryptogenic/PS5-IPV6-Kernel-Exploit Cryptogenic's Implementation]
|[https://github.com/Cryptogenic/PS5-IPV6-Kernel-Exploit Cryptogenic's Implementation]
Line 44: Line 39:
|-
|-
|3.00-4.51
|3.00-4.51
|BD reader for PS5 + BD writer + BD-RE
|N/A
|N/A
|[[Vulnerabilities#FW 3.00-4.51 - IPV6 2292PKTOPTIONS UaF (yielding arbitrary kernel R/W) (CVE-2020-7457)|IPV6_2292PKTOPTIONS UaF (CVE-2020-7457)]]
|[[Vulnerabilities#FW 3.00-4.51 - IPV6 2292PKTOPTIONS UaF (yielding arbitrary kernel R/W) (CVE-2020-7457)|IPV6_2292PKTOPTIONS Use after free (CVE-2020-7457)]]
|[[Vulnerabilities#FW_%3C=_4.51_-_BD-JB_-_Five_vulnerabilities_chained_by_TheFloW|BD-JB]]
|[https://github.com/TheOfficialFloW/bd-jb bd-jb by TheOfficialFlow]
|[https://github.com/john-tornblom/bdj-sdk/tree/master/samples/ps5-invoke-native ps5-invoke-native by john-tornblom], [https://github.com/TheOfficialFloW/bd-jb bd-jb by TheFloW]
|[https://github.com/john-tornblom/bdj-sdk/tree/master/samples/ps5-invoke-native ps5-invoke-native by john-tornblom]
|Native code execution within Blu-ray context
|Native code execution within Blu-ray context
[https://github.com/john-tornblom/bdj-sdk/tree/master/samples Here are some functions by john-tornblom]
[https://github.com/john-tornblom/bdj-sdk/tree/master/samples Here are some functions by john-tornblom]
|-
|1.00-5.50
|none
|N/A
|[[Vulnerabilities#FW_%3C=_7.61_-_umtx_UaF_(yielding_arbitrary_kernel_R/W)_(CVE-2024-43102)|umtx UaF]]
|WebKit [[Vulnerabilities#FW_%3C=_5.50_-_FrameLoader::loadInSameDocument()_UaF_(CVE-2022-22620)_leading_to_arbitrary_RW|loadInSameDocument]]
|N/A (PsFree must be ported based on ChendoChap's implementation of the 4.51 CSSFontFaceSet exploit)
|Elf Loader
|-
|6.00-7.61
|none
|N/A
|[[Vulnerabilities#FW_%3C=_7.61_-_umtx_UaF_(yielding_arbitrary_kernel_R/W)_(CVE-2024-43102)|umtx UaF]]
|WebKit [[Vulnerabilities#FW_6.00-8.60_-_JSC_DFG_Abstract_Intepreter_clobberWorld_Type_Confusion_(no_CVE)_leading_to_arbitrary_RW|clobberWorld]] or [[Vulnerabilities#FW_6.00-9.60_-_Unknown_heap_and_string_overflow_(no_CVE)_leading_to_crash|unknown heap and string overflow]]
|N/A (WebKit exploit only giving OOM as of now)
|Elf Loader
|-
|1.00-7.61
|BD reader for PS5 + BD writer + BD-RE
|N/A
|[[Vulnerabilities#FW_%3C=_7.61_-_umtx_UaF_(yielding_arbitrary_kernel_R/W)_(CVE-2024-43102)|umtx UaF]]
|[[Vulnerabilities#FW_%3C=_7.61_-_BD-JB2_-_Path_traversal_sandbox_escape_by_TheFloW|BD-JB2]]
|PoC by flatz
|Native code execution within Blu-ray context
|-
|1.00-7.61
|vulnerable game in disc or PS Store version + exploit game save data on the SSD
|N/A
|[[Vulnerabilities#FW_%3C=_7.61_-_umtx_UaF_(yielding_arbitrary_kernel_R/W)_(CVE-2024-43102)|umtx UaF]]
|PS4 disc-based game save data exploit that hijacks the LUA interpreter
|LUA PoC by flatz but the exploit game save data is missing
|Elf Loader
|}
|}
Please note that all contributions to PS5 Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PS5 Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)
Retrieved from "http://www.psdevwiki.com/ps5/Exploit_Chains"