Exploit Chains: Difference between revisions

From PS5 Developer wiki
Jump to navigation Jump to search
No edit summary
No edit summary
Line 26: Line 26:
|3.00-4.51
|3.00-4.51
|N/A
|N/A
|[[Vulnerabilities#FW 3.00-4.51 - IPV6 2292PKTOPTIONS UaF (yielding arbitrary kernel R/W) (CVE-2020-7457)|IPV6_2292PKTOPTIONS Use after free (CVE-2020-7457)]]
|[[Vulnerabilities#FW 3.00-4.51 - IPV6 2292PKTOPTIONS UaF (yielding arbitrary kernel R/W) (CVE-2020-7457)|IPV6_2292PKTOPTIONS UaF (CVE-2020-7457)]]
|WebKit [[Vulnerabilities#FW_%3C=_5.50_-_FrameLoader::loadInSameDocument()_UaF_(CVE-2022-22620)_leading_to_arbitrary_RW|loadInSameDocument]]
|WebKit [[Vulnerabilities#FW_%3C=_5.50_-_FrameLoader::loadInSameDocument()_UaF_(CVE-2022-22620)_leading_to_arbitrary_RW|loadInSameDocument]]
| need to mix [https://github.com/Cryptogenic/PS5-IPV6-Kernel-Exploit Cryptogenic's Implementation] and PsFree implementation by abc
| need to mix [https://github.com/Cryptogenic/PS5-IPV6-Kernel-Exploit Cryptogenic's Implementation] and PsFree implementation by abc
Line 33: Line 33:
|3.00-4.51
|3.00-4.51
|N/A
|N/A
|[[Vulnerabilities#FW 3.00-4.51 - IPV6 2292PKTOPTIONS UaF (yielding arbitrary kernel R/W) (CVE-2020-7457)|IPV6_2292PKTOPTIONS Use after free (CVE-2020-7457)]]
|[[Vulnerabilities#FW 3.00-4.51 - IPV6 2292PKTOPTIONS UaF (yielding arbitrary kernel R/W) (CVE-2020-7457)|IPV6_2292PKTOPTIONS UaF (CVE-2020-7457)]]
|WebKit [[Vulnerabilities#FW_3.00-4.51_-_WebCore::CSSFontFaceSet_vulnerabilities_leading_to_usermode_ROP_code_execution|CSSFontFaceSet]]
|WebKit [[Vulnerabilities#FW_3.00-4.51_-_WebCore::CSSFontFaceSet_vulnerabilities_leading_to_usermode_ROP_code_execution|CSSFontFaceSet]]
|[https://github.com/Cryptogenic/PS5-IPV6-Kernel-Exploit Cryptogenic's Implementation]
|[https://github.com/Cryptogenic/PS5-IPV6-Kernel-Exploit Cryptogenic's Implementation]
Line 40: Line 40:
|3.00-4.51
|3.00-4.51
|N/A
|N/A
|[[Vulnerabilities#FW 3.00-4.51 - IPV6 2292PKTOPTIONS UaF (yielding arbitrary kernel R/W) (CVE-2020-7457)|IPV6_2292PKTOPTIONS Use after free (CVE-2020-7457)]]
|[[Vulnerabilities#FW 3.00-4.51 - IPV6 2292PKTOPTIONS UaF (yielding arbitrary kernel R/W) (CVE-2020-7457)|IPV6_2292PKTOPTIONS UaF (CVE-2020-7457)]]
|[https://github.com/TheOfficialFloW/bd-jb bd-jb by TheOfficialFlow]
|[[Vulnerabilities#FW_%3C=_4.51_-_BD-JB_-_Five_vulnerabilities_chained_by_TheFloW|BD-JB]]
|[https://github.com/john-tornblom/bdj-sdk/tree/master/samples/ps5-invoke-native ps5-invoke-native by john-tornblom]
|[https://github.com/john-tornblom/bdj-sdk/tree/master/samples/ps5-invoke-native ps5-invoke-native by john-tornblom], [https://github.com/TheOfficialFloW/bd-jb bd-jb by TheFloW]
|Native code execution within Blu-ray context
|Native code execution within Blu-ray context
[https://github.com/john-tornblom/bdj-sdk/tree/master/samples Here are some functions by john-tornblom]
[https://github.com/john-tornblom/bdj-sdk/tree/master/samples Here are some functions by john-tornblom]
|-
|1.00-5.50
|N/A
|[[Vulnerabilities#FW_%3C=_7.61_-_umtx_UaF_(yielding_arbitrary_kernel_R/W)_(CVE-2024-43102)|umtx UaF]]
|WebKit [[Vulnerabilities#FW_%3C=_5.50_-_FrameLoader::loadInSameDocument()_UaF_(CVE-2022-22620)_leading_to_arbitrary_RW|loadInSameDocument]]
|N/A
|Elf Loader
|-
|6.00-7.61
|N/A
|[[Vulnerabilities#FW_%3C=_7.61_-_umtx_UaF_(yielding_arbitrary_kernel_R/W)_(CVE-2024-43102)|umtx UaF]]
|WebKit [[Vulnerabilities#FW_6.00-8.60_-_JSC_DFG_Abstract_Intepreter_clobberWorld_Type_Confusion_(no_CVE)_leading_to_arbitrary_RW|clobberWorld]] or [[Vulnerabilities#FW_6.00-9.60_-_Unknown_heap_and_string_overflow_(no_CVE)_leading_to_crash|unknown heap and string overflow]]
|N/A
|Elf Loader
|-
|1.00-7.61
|N/A
|[[Vulnerabilities#FW_%3C=_7.61_-_umtx_UaF_(yielding_arbitrary_kernel_R/W)_(CVE-2024-43102)|umtx UaF]]
|[[Vulnerabilities#FW_%3C=_7.61_-_BD-JB2_-_Path_traversal_sandbox_escape_by_TheFloW|BD-JB2]]
|N/A
|Native code execution within Blu-ray context
|}
|}

Revision as of 22:12, 13 September 2024

This page presents a compilation of exploit chains that utilize various Vulnerabilities identified on the PS5. It outlines the current functionalities of different potential and complete exploit chains for specific firmware versions.

Firmware Version Hypervisor Exploit Kernel Exploit Usermode Exploit Exploit Chain Implementation Capability
<=2.50 Rumored [1] Unknown Rumored: PS4 Game Save Unreleased by Flatz Full Access to the system
<=4.03 N/A exFAT Driver Heap Exploit There is no implementation because of the difficulty in writing the exploit without a real-time kernel dump or at least kASLR defeat. The proof of concept is a kernel panic when plugging in the drive and using the console for about a minute. any usermode exploit N/A (PS4 uses pOOBs4 by ChendoChap) N/A
3.00-4.51 N/A IPV6_2292PKTOPTIONS UaF (CVE-2020-7457) WebKit loadInSameDocument need to mix Cryptogenic's Implementation and PsFree implementation by abc Elf Loader
3.00-4.51 N/A IPV6_2292PKTOPTIONS UaF (CVE-2020-7457) WebKit CSSFontFaceSet Cryptogenic's Implementation Elf Loader
3.00-4.51 N/A IPV6_2292PKTOPTIONS UaF (CVE-2020-7457) BD-JB ps5-invoke-native by john-tornblom, bd-jb by TheFloW Native code execution within Blu-ray context

Here are some functions by john-tornblom

1.00-5.50 N/A umtx UaF WebKit loadInSameDocument N/A Elf Loader
6.00-7.61 N/A umtx UaF WebKit clobberWorld or unknown heap and string overflow N/A Elf Loader
1.00-7.61 N/A umtx UaF BD-JB2 N/A Native code execution within Blu-ray context