Exploit Chains: Difference between revisions
Previous revision, edit summary: "I created this page to showcase exploit chain status, rather than individual exploits; for both personal and public documentation". Current revision by CelesteBlue (talk | contribs), no edit summary.
Changes in this revision (previous text → new text), starting at line 1 of the page:

- Table header: the blank fourth column header is now "Usermode Exploit"; "Chain" is now "Exploit Chain Implementation".
- Row "2.50" (hypervisor exploit rumored): Firmware Version "2.50" → "<=2.50".
- exFAT row: Firmware Version blank → "<=4.03"; in the Kernel Exploit cell, "without a kernel dump" → "without a real-time kernel dump or at least kASLR defeat"; Usermode Exploit blank → "any usermode exploit".
- IPV6_2292PKTOPTIONS row: Firmware Version "3.00 - 4.51" → "3.00-4.51". The single row (no usermode exploit listed, chain "Cryptogenic's Implementation", capability "Elf Loader") is split into two rows: one with Usermode Exploit "WebKit loadInSameDocument" and chain "need to mix Cryptogenic's Implementation and PsFree implementation by abc", and one with Usermode Exploit "WebKit CSSFontFaceSet" and chain "Cryptogenic's Implementation"; both keep "Elf Loader" as the capability.
- Last IPV6_2292PKTOPTIONS row: Firmware Version blank → "3.00-4.51".
Revision as of 21:23, 13 September 2024
This page presents a compilation of exploit chains that use the various Vulnerabilities identified on the PS5. It outlines the current capabilities of the potential and complete exploit chains for specific firmware versions.
Firmware Version | Hypervisor Exploit | Kernel Exploit | Usermode Exploit | Exploit Chain Implementation | Capability |
---|---|---|---|---|---|
<=2.50 | Rumored (https://www.psxhax.com/threads/flat_z-confirms-ps5-hypervisor-exploitation-from-ps4-save-game.16063/) | Unknown | Rumored: PS4 game save | Unreleased by Flatz | Full access to the system |
<=4.03 | N/A | exFAT driver heap-based buffer overflow. There is no implementation because of the difficulty of writing the exploit without a real-time kernel dump or at least a kASLR defeat; the proof of concept is a kernel panic after plugging in the drive and using the console for about a minute. | Any usermode exploit | N/A (PS4 uses pOOBs4 by ChendoChap: https://github.com/ChendoChap/pOOBs4) | N/A |
3.00-4.51 | N/A | IPV6_2292PKTOPTIONS use-after-free (CVE-2020-7457) | WebKit FrameLoader::loadInSameDocument() UaF (CVE-2022-22620) | Needs a mix of Cryptogenic's implementation (https://github.com/Cryptogenic/PS5-IPV6-Kernel-Exploit) and the PsFree implementation by abc | ELF loader |
3.00-4.51 | N/A | IPV6_2292PKTOPTIONS use-after-free (CVE-2020-7457) | WebKit CSSFontFaceSet | Cryptogenic's implementation (https://github.com/Cryptogenic/PS5-IPV6-Kernel-Exploit) | ELF loader |
3.00-4.51 | N/A | IPV6_2292PKTOPTIONS use-after-free (CVE-2020-7457) | bd-jb by TheOfficialFlow | ps5-invoke-native by john-tornblom | Native code execution within the Blu-ray context |