Exploit Chains: Difference between revisions
Jump to navigation
Jump to search
CelesteBlue (talk | contribs) No edit summary |
CelesteBlue (talk | contribs) No edit summary |
||
| (6 intermediate revisions by the same user not shown) | |||
| Line 3: | Line 3: | ||
{| class="wikitable" | {| class="wikitable" | ||
|+ | |+ | ||
! | !System Software Version | ||
!Hardware requirement | |||
!Hypervisor Exploit | !Hypervisor Exploit | ||
!Kernel Exploit | !Kernel Exploit | ||
| Line 10: | Line 11: | ||
!Capability | !Capability | ||
|- | |- | ||
| <=2. | |<=2.70 | ||
| | |none | ||
| | | | ||
|[[Vulnerabilities#FW_%3C=_7.61_-_umtx_UaF_(yielding_arbitrary_kernel_R/W)_(CVE-2024-43102)|umtx UaF]] | |||
|any usermode exploit | |||
|Unreleased by [https://github.com/flatz Flatz] | |Unreleased by [https://github.com/flatz Flatz] | ||
|Full Access to the system | |Full Access to the system, HEN, Platform Secure Processor dump | ||
|- | |||
|<=2.70 | |||
|none | |||
| | |||
|[[Vulnerabilities#FW_%3C=_7.61_-_umtx_UaF_(yielding_arbitrary_kernel_R/W)_(CVE-2024-43102)|umtx UaF]] | |||
|any usermode exploit: WebKit [[Vulnerabilities#FW_%3C=_5.50_-_FrameLoader::loadInSameDocument()_UaF_(CVE-2022-22620)_leading_to_arbitrary_RW|loadInSameDocument]] or BD-JB2 or LUA escape from PS4 disc-based game savedata | |||
|[https://github.com/PS5Dev/Byepervisor Byepervisor by Specter] | |||
|Full Access to the system, HEN | |||
|- | |- | ||
|<=4.03 | |<=4.03 | ||
|USB storage media | |||
|N/A | |N/A | ||
|[[Vulnerabilities#FW%20%253C%3D%204.03%20-%20exFAT%20driver%20heap-based%20buffer%20overflow|exFAT Driver Heap Exploit]] There is no implementation because of the difficulty in writing the exploit without a real-time kernel dump or at least kASLR defeat. The proof of concept is a kernel panic when plugging in the drive and using the console for about a minute. | |[[Vulnerabilities#FW%20%253C%3D%204.03%20-%20exFAT%20driver%20heap-based%20buffer%20overflow|exFAT Driver Heap Exploit]] There is no implementation because of the difficulty in writing the exploit without a real-time kernel dump or at least kASLR defeat. The proof of concept is a kernel panic when plugging in the drive and using the console for about a minute. | ||
| any usermode exploit | |any usermode exploit | ||
|N/A (PS4 uses [https://github.com/ChendoChap/pOOBs4 pOOBs4 by ChendoChap]) | |N/A (PS4 uses [https://github.com/ChendoChap/pOOBs4 pOOBs4 by ChendoChap]) | ||
|N/A | |N/A | ||
|- | |- | ||
|3.00-4.51 | |3.00-4.51 | ||
|none | |||
|N/A | |N/A | ||
|[[Vulnerabilities#FW 3.00-4.51 - IPV6 2292PKTOPTIONS UaF (yielding arbitrary kernel R/W) (CVE-2020-7457)|IPV6_2292PKTOPTIONS | |[[Vulnerabilities#FW 3.00-4.51 - IPV6 2292PKTOPTIONS UaF (yielding arbitrary kernel R/W) (CVE-2020-7457)|IPV6_2292PKTOPTIONS UaF (CVE-2020-7457)]] | ||
|WebKit [[Vulnerabilities#FW_%3C=_5.50_-_FrameLoader::loadInSameDocument()_UaF_(CVE-2022-22620)_leading_to_arbitrary_RW|loadInSameDocument]] | |WebKit [[Vulnerabilities#FW_%3C=_5.50_-_FrameLoader::loadInSameDocument()_UaF_(CVE-2022-22620)_leading_to_arbitrary_RW|loadInSameDocument]] | ||
| need to mix [https://github.com/Cryptogenic/PS5-IPV6-Kernel-Exploit Cryptogenic's Implementation] and PsFree implementation by abc | |need to mix [https://github.com/Cryptogenic/PS5-IPV6-Kernel-Exploit Cryptogenic's Implementation] and PsFree implementation by abc | ||
|Elf Loader | |Elf Loader | ||
|- | |- | ||
|3.00-4.51 | |3.00-4.51 | ||
|none | |||
|N/A | |N/A | ||
|[[Vulnerabilities#FW 3.00-4.51 - IPV6 2292PKTOPTIONS UaF (yielding arbitrary kernel R/W) (CVE-2020-7457)|IPV6_2292PKTOPTIONS | |[[Vulnerabilities#FW 3.00-4.51 - IPV6 2292PKTOPTIONS UaF (yielding arbitrary kernel R/W) (CVE-2020-7457)|IPV6_2292PKTOPTIONS UaF (CVE-2020-7457)]] | ||
|WebKit [[Vulnerabilities#FW_3.00-4.51_-_WebCore::CSSFontFaceSet_vulnerabilities_leading_to_usermode_ROP_code_execution|CSSFontFaceSet]] | |WebKit [[Vulnerabilities#FW_3.00-4.51_-_WebCore::CSSFontFaceSet_vulnerabilities_leading_to_usermode_ROP_code_execution|CSSFontFaceSet]] | ||
|[https://github.com/Cryptogenic/PS5-IPV6-Kernel-Exploit Cryptogenic's Implementation] | |[https://github.com/Cryptogenic/PS5-IPV6-Kernel-Exploit Cryptogenic's Implementation] | ||
| Line 39: | Line 52: | ||
|- | |- | ||
|3.00-4.51 | |3.00-4.51 | ||
|BD reader for PS5 + BD writer + BD-RE | |||
|N/A | |N/A | ||
|[[Vulnerabilities#FW 3.00-4.51 - IPV6 2292PKTOPTIONS UaF (yielding arbitrary kernel R/W) (CVE-2020-7457)|IPV6_2292PKTOPTIONS | |[[Vulnerabilities#FW 3.00-4.51 - IPV6 2292PKTOPTIONS UaF (yielding arbitrary kernel R/W) (CVE-2020-7457)|IPV6_2292PKTOPTIONS UaF (CVE-2020-7457)]] | ||
|[ | |[[Vulnerabilities#FW_%3C=_4.51_-_BD-JB_-_Five_vulnerabilities_chained_by_TheFloW|BD-JB]] | ||
|[https://github.com/john-tornblom/bdj-sdk/tree/master/samples/ps5-invoke-native ps5-invoke-native by john-tornblom] | |[https://github.com/john-tornblom/bdj-sdk/tree/master/samples/ps5-invoke-native ps5-invoke-native by john-tornblom], [https://github.com/TheOfficialFloW/bd-jb bd-jb by TheFloW] | ||
|Native code execution within Blu-ray context | |Native code execution within Blu-ray context | ||
[https://github.com/john-tornblom/bdj-sdk/tree/master/samples Here are some functions by john-tornblom] | [https://github.com/john-tornblom/bdj-sdk/tree/master/samples Here are some functions by john-tornblom] | ||
|- | |||
|1.00-5.50 | |||
|none | |||
|N/A | |||
|[[Vulnerabilities#FW_%3C=_7.61_-_umtx_UaF_(yielding_arbitrary_kernel_R/W)_(CVE-2024-43102)|umtx UaF]] | |||
|WebKit [[Vulnerabilities#FW_%3C=_5.50_-_FrameLoader::loadInSameDocument()_UaF_(CVE-2022-22620)_leading_to_arbitrary_RW|loadInSameDocument]] | |||
|[https://github.com/PS5Dev/PS5-UMTX-Jailbreak WebKit implementation for PS5 1.00-5.50 chained with PS Free by Specter] | |||
|Elf Loader on 1.00-4.51, ROP on 5.00-5.51 | |||
|- | |||
|6.00-7.61 | |||
|none | |||
|N/A | |||
|[[Vulnerabilities#FW_%3C=_7.61_-_umtx_UaF_(yielding_arbitrary_kernel_R/W)_(CVE-2024-43102)|umtx UaF]] | |||
|WebKit [[Vulnerabilities#FW_6.00-8.60_-_JSC_DFG_Abstract_Intepreter_clobberWorld_Type_Confusion_(no_CVE)_leading_to_arbitrary_RW|clobberWorld]] or [[Vulnerabilities#FW_6.00-9.60_-_Unknown_heap_and_string_overflow_(no_CVE)_leading_to_crash|unknown heap and string overflow]] | |||
|N/A (WebKit vulnerabilities only lead to OOM as of now) | |||
|Elf Loader | |||
|- | |||
|1.00-7.61 | |||
|BD reader for PS5 + BD writer + BD-RE | |||
|N/A | |||
|[[Vulnerabilities#FW_%3C=_7.61_-_umtx_UaF_(yielding_arbitrary_kernel_R/W)_(CVE-2024-43102)|umtx UaF]] | |||
|[[Vulnerabilities#FW_%3C=_7.61_-_BD-JB2_-_Path_traversal_sandbox_escape_by_TheFloW|BD-JB2]] | |||
|[https://github.com/hammer-83/ps5-jar-loader] based on JAVA PoC by flatz | |||
|Native code execution within Blu-ray context | |||
|- | |||
|1.00-7.61 | |||
|vulnerable game in disc or PS Store version + exploit game save data on the SSD | |||
|N/A | |||
|[[Vulnerabilities#FW_%3C=_7.61_-_umtx_UaF_(yielding_arbitrary_kernel_R/W)_(CVE-2024-43102)|umtx UaF]] | |||
|PS4 disc-based game save data exploit that hijacks the LUA interpreter | |||
|LUA PoC by flatz but the exploit game save data is missing | |||
|Elf Loader | |||
|} | |} | ||
Latest revision as of 04:28, 30 October 2024
This page presents a compilation of exploit chains that utilize various Vulnerabilities identified on the PS5. It outlines the current functionalities of different potential and complete exploit chains for specific firmware versions.
| System Software Version | Hardware requirement | Hypervisor Exploit | Kernel Exploit | Usermode Exploit | Exploit Chain Implementation | Capability |
|---|---|---|---|---|---|---|
| <=2.70 | none | umtx UaF | any usermode exploit | Unreleased by Flatz | Full Access to the system, HEN, Platform Secure Processor dump | |
| <=2.70 | none | umtx UaF | any usermode exploit: WebKit loadInSameDocument or BD-JB2 or LUA escape from PS4 disc-based game savedata | Byepervisor by Specter | Full Access to the system, HEN | |
| <=4.03 | USB storage media | N/A | exFAT Driver Heap Exploit There is no implementation because of the difficulty in writing the exploit without a real-time kernel dump or at least kASLR defeat. The proof of concept is a kernel panic when plugging in the drive and using the console for about a minute. | any usermode exploit | N/A (PS4 uses pOOBs4 by ChendoChap) | N/A |
| 3.00-4.51 | none | N/A | IPV6_2292PKTOPTIONS UaF (CVE-2020-7457) | WebKit loadInSameDocument | need to mix Cryptogenic's Implementation and PsFree implementation by abc | Elf Loader |
| 3.00-4.51 | none | N/A | IPV6_2292PKTOPTIONS UaF (CVE-2020-7457) | WebKit CSSFontFaceSet | Cryptogenic's Implementation | Elf Loader |
| 3.00-4.51 | BD reader for PS5 + BD writer + BD-RE | N/A | IPV6_2292PKTOPTIONS UaF (CVE-2020-7457) | BD-JB | ps5-invoke-native by john-tornblom, bd-jb by TheFloW | Native code execution within Blu-ray context |
| 1.00-5.50 | none | N/A | umtx UaF | WebKit loadInSameDocument | WebKit implementation for PS5 1.00-5.50 chained with PS Free by Specter | Elf Loader on 1.00-4.51, ROP on 5.00-5.51 |
| 6.00-7.61 | none | N/A | umtx UaF | WebKit clobberWorld or unknown heap and string overflow | N/A (WebKit vulnerabilities only lead to OOM as of now) | Elf Loader |
| 1.00-7.61 | BD reader for PS5 + BD writer + BD-RE | N/A | umtx UaF | BD-JB2 | [1] based on JAVA PoC by flatz | Native code execution within Blu-ray context |
| 1.00-7.61 | vulnerable game in disc or PS Store version + exploit game save data on the SSD | N/A | umtx UaF | PS4 disc-based game save data exploit that hijacks the LUA interpreter | LUA PoC by flatz but the exploit game save data is missing | Elf Loader |