Editing Exploit Chains

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
== Exploit Chains ==
This page presents a compilation of exploit chains that utilize various [[Vulnerabilities]] identified on the PS5. It outlines the current functionalities of different potential and complete exploit chains for specific firmware versions.
This page presents a compilation of exploit chains that utilize various [[Vulnerabilities]] identified on the PS5. It outlines the current functionalities of different potential and complete exploit chains for specific firmware versions.
{| class="wikitable"
{| class="wikitable"
|+
|+
!System Software Version
!Firmware Version
!Hardware requirement
!Hypervisor Exploit
!Hypervisor Exploit
!Kernel Exploit
!Kernel Exploit
!Usermode Exploit
!Userland Exploit
!Exploit Chain Implementation
!Chain
!Capability
!Capability
|-
|-
|<=2.70
|2.50
|none
|Rumored [https://www.psxhax.com/threads/flat_z-confirms-ps5-hypervisor-exploitation-from-ps4-save-game.16063/]
|
|Unknown
|[[Vulnerabilities#FW_%3C=_7.61_-_umtx_UaF_(yielding_arbitrary_kernel_R/W)_(CVE-2024-43102)|umtx UaF]]
|Rumored: PS4 Game Save
|any usermode exploit
|Unreleased by [https://github.com/flatz Flatz]
|Unreleased by [https://github.com/flatz Flatz]
|Full Access to the system, HEN, Platform Secure Processor dump
|Full Access to the system
|-
|-
|<=2.70
|1.00? - 4.03
|none
|
|[[Vulnerabilities#FW_%3C=_7.61_-_umtx_UaF_(yielding_arbitrary_kernel_R/W)_(CVE-2024-43102)|umtx UaF]]
|any usermode exploit: WebKit [[Vulnerabilities#FW_%3C=_5.50_-_FrameLoader::loadInSameDocument()_UaF_(CVE-2022-22620)_leading_to_arbitrary_RW|loadInSameDocument]] or BD-JB2 or LUA escape from PS4 disc-based game savedata
|[https://github.com/PS5Dev/Byepervisor Byepervisor by Specter]
|Full Access to the system, HEN
|-
|<=4.03
|USB storage media
|N/A
|N/A
|[[Vulnerabilities#FW%20%253C%3D%204.03%20-%20exFAT%20driver%20heap-based%20buffer%20overflow|exFAT Driver Heap Exploit]] There is no implementation because of the difficulty in writing the exploit without a real-time kernel dump or at least kASLR defeat. The proof of concept is a kernel panic when plugging in the drive and using the console for about a minute.
|[[Vulnerabilities#FW%20%253C%3D%204.03%20-%20exFAT%20driver%20heap-based%20buffer%20overflow|exFAT Driver Heap Exploit]] There is no implementation because of the difficulty in writing the exploit without a kernel dump. The proof of concept is a kernel panic when plugging in the drive and using the console for about a minute.
|any usermode exploit
|N/A (PS4 uses [[Vulnerabilities#FW 3.00-4.51 - IPV6 2292PKTOPTIONS UaF (yielding arbitrary kernel R/W) (CVE-2020-7457)|IPV6_2292PKTOPTIONS Use after free (CVE-2020-7457)]])
|N/A (PS4 uses [https://github.com/ChendoChap/pOOBs4 pOOBs4 by ChendoChap])
|N/A (PS4 uses [https://github.com/ChendoChap/pOOBs4 pOOBs4 by ChendoChap])
|N/A
|N/A
|-
|-
|3.00-4.51
|3.00 - 4.51
|none
|N/A
|[[Vulnerabilities#FW 3.00-4.51 - IPV6 2292PKTOPTIONS UaF (yielding arbitrary kernel R/W) (CVE-2020-7457)|IPV6_2292PKTOPTIONS UaF (CVE-2020-7457)]]
|WebKit [[Vulnerabilities#FW_%3C=_5.50_-_FrameLoader::loadInSameDocument()_UaF_(CVE-2022-22620)_leading_to_arbitrary_RW|loadInSameDocument]]
|need to mix [https://github.com/Cryptogenic/PS5-IPV6-Kernel-Exploit Cryptogenic's Implementation] and PsFree implementation by abc
|Elf Loader
|-
|3.00-4.51
|none
|N/A
|N/A
|[[Vulnerabilities#FW 3.00-4.51 - IPV6 2292PKTOPTIONS UaF (yielding arbitrary kernel R/W) (CVE-2020-7457)|IPV6_2292PKTOPTIONS UaF (CVE-2020-7457)]]
|[[Vulnerabilities#FW 3.00-4.51 - IPV6 2292PKTOPTIONS UaF (yielding arbitrary kernel R/W) (CVE-2020-7457)|IPV6_2292PKTOPTIONS Use after free (CVE-2020-7457)]]
|WebKit [[Vulnerabilities#FW_3.00-4.51_-_WebCore::CSSFontFaceSet_vulnerabilities_leading_to_usermode_ROP_code_execution|CSSFontFaceSet]]
|Webkit
|[https://github.com/Cryptogenic/PS5-IPV6-Kernel-Exploit Cryptogenic's Implementation]
|[https://github.com/Cryptogenic/PS5-IPV6-Kernel-Exploit Cryptogenic's Implementation]
|Elf Loader
|Elf Loader
|-
|-
|3.00-4.51
|1.00? - 4.51?
|BD reader for PS5 + BD writer + BD-RE
|N/A
|N/A
|[[Vulnerabilities#FW 3.00-4.51 - IPV6 2292PKTOPTIONS UaF (yielding arbitrary kernel R/W) (CVE-2020-7457)|IPV6_2292PKTOPTIONS UaF (CVE-2020-7457)]]
|[[Vulnerabilities#FW 3.00-4.51 - IPV6 2292PKTOPTIONS UaF (yielding arbitrary kernel R/W) (CVE-2020-7457)|IPV6_2292PKTOPTIONS Use after free (CVE-2020-7457)]]
|[[Vulnerabilities#FW_%3C=_4.51_-_BD-JB_-_Five_vulnerabilities_chained_by_TheFloW|BD-JB]]
|[https://github.com/TheOfficialFloW/bd-jb bd-jb by TheOfficialFlow]
|[https://github.com/john-tornblom/bdj-sdk/tree/master/samples/ps5-invoke-native ps5-invoke-native by john-tornblom], [https://github.com/TheOfficialFloW/bd-jb bd-jb by TheFloW]
|[https://github.com/john-tornblom/bdj-sdk/tree/master/samples/ps5-invoke-native ps5-invoke-native by john-tornblom]
|Native code execution within Blu-ray context
|Native code execution within Blu-ray context
[https://github.com/john-tornblom/bdj-sdk/tree/master/samples Here are some functions by john-tornblom]
[https://github.com/john-tornblom/bdj-sdk/tree/master/samples Here are some functions by john-tornblom]
|-
|1.00-5.50
|none
|N/A
|[[Vulnerabilities#FW_%3C=_7.61_-_umtx_UaF_(yielding_arbitrary_kernel_R/W)_(CVE-2024-43102)|umtx UaF]]
|WebKit [[Vulnerabilities#FW_%3C=_5.50_-_FrameLoader::loadInSameDocument()_UaF_(CVE-2022-22620)_leading_to_arbitrary_RW|loadInSameDocument]]
|[https://github.com/PS5Dev/PS5-UMTX-Jailbreak WebKit implementation for PS5 1.00-5.50 chained with PS Free by Specter]
|Elf Loader on 1.00-4.51, ROP on 5.00-5.51
|-
|6.00-7.61
|none
|N/A
|[[Vulnerabilities#FW_%3C=_7.61_-_umtx_UaF_(yielding_arbitrary_kernel_R/W)_(CVE-2024-43102)|umtx UaF]]
|WebKit [[Vulnerabilities#FW_6.00-8.60_-_JSC_DFG_Abstract_Intepreter_clobberWorld_Type_Confusion_(no_CVE)_leading_to_arbitrary_RW|clobberWorld]] or [[Vulnerabilities#FW_6.00-9.60_-_Unknown_heap_and_string_overflow_(no_CVE)_leading_to_crash|unknown heap and string overflow]]
|N/A (WebKit vulnerabilities only lead to OOM as of now)
|Elf Loader
|-
|1.00-7.61
|BD reader for PS5 + BD writer + BD-RE
|N/A
|[[Vulnerabilities#FW_%3C=_7.61_-_umtx_UaF_(yielding_arbitrary_kernel_R/W)_(CVE-2024-43102)|umtx UaF]]
|[[Vulnerabilities#FW_%3C=_7.61_-_BD-JB2_-_Path_traversal_sandbox_escape_by_TheFloW|BD-JB2]]
|[https://github.com/hammer-83/ps5-jar-loader] based on JAVA PoC by flatz
|Native code execution within Blu-ray context
|-
|1.00-7.61
|vulnerable game in disc or PS Store version + exploit game save data on the SSD
|N/A
|[[Vulnerabilities#FW_%3C=_7.61_-_umtx_UaF_(yielding_arbitrary_kernel_R/W)_(CVE-2024-43102)|umtx UaF]]
|PS4 disc-based game save data exploit that hijacks the LUA interpreter
|LUA PoC by flatz but the exploit game save data is missing
|Elf Loader
|}
|}
Please note that all contributions to PS5 Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PS5 Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)
Retrieved from "http://www.psdevwiki.com/ps5/Exploit_Chains"