Exploit Chains: Difference between revisions
Jump to navigation
Jump to search
CelesteBlue (talk | contribs) No edit summary |
CelesteBlue (talk | contribs) No edit summary |
||
Line 13: | Line 13: | ||
|<=2.50 | |<=2.50 | ||
|none | |none | ||
| | | | ||
|[[Vulnerabilities#FW_%3C=_7.61_-_umtx_UaF_(yielding_arbitrary_kernel_R/W)_(CVE-2024-43102)|umtx UaF]] | |||
|any usermode exploit | |any usermode exploit | ||
|Unreleased by [https://github.com/flatz Flatz] | |Unreleased by [https://github.com/flatz Flatz] | ||
|Full Access to the system, Platform Secure Processor dump | |Full Access to the system, HEN, Platform Secure Processor dump | ||
|- | |||
|<=2.50 | |||
|none | |||
| | |||
|[[Vulnerabilities#FW_%3C=_7.61_-_umtx_UaF_(yielding_arbitrary_kernel_R/W)_(CVE-2024-43102)|umtx UaF]] | |||
|any usermode exploit: WebKit [[Vulnerabilities#FW_%3C=_5.50_-_FrameLoader::loadInSameDocument()_UaF_(CVE-2022-22620)_leading_to_arbitrary_RW|loadInSameDocument]] or BD-JB2 or LUA escape from PS4 disc-based game savedata | |||
|[https://github.com/PS5Dev/Byepervisor Byepervisor by Specter] | |||
|Full Access to the system, HEN | |||
|- | |- | ||
|<=4.03 | |<=4.03 | ||
Line 23: | Line 31: | ||
|N/A | |N/A | ||
|[[Vulnerabilities#FW%20%253C%3D%204.03%20-%20exFAT%20driver%20heap-based%20buffer%20overflow|exFAT Driver Heap Exploit]] There is no implementation because of the difficulty in writing the exploit without a real-time kernel dump or at least kASLR defeat. The proof of concept is a kernel panic when plugging in the drive and using the console for about a minute. | |[[Vulnerabilities#FW%20%253C%3D%204.03%20-%20exFAT%20driver%20heap-based%20buffer%20overflow|exFAT Driver Heap Exploit]] There is no implementation because of the difficulty in writing the exploit without a real-time kernel dump or at least kASLR defeat. The proof of concept is a kernel panic when plugging in the drive and using the console for about a minute. | ||
| any usermode exploit | |any usermode exploit | ||
|N/A (PS4 uses [https://github.com/ChendoChap/pOOBs4 pOOBs4 by ChendoChap]) | |N/A (PS4 uses [https://github.com/ChendoChap/pOOBs4 pOOBs4 by ChendoChap]) | ||
|N/A | |N/A | ||
Line 32: | Line 40: | ||
|[[Vulnerabilities#FW 3.00-4.51 - IPV6 2292PKTOPTIONS UaF (yielding arbitrary kernel R/W) (CVE-2020-7457)|IPV6_2292PKTOPTIONS UaF (CVE-2020-7457)]] | |[[Vulnerabilities#FW 3.00-4.51 - IPV6 2292PKTOPTIONS UaF (yielding arbitrary kernel R/W) (CVE-2020-7457)|IPV6_2292PKTOPTIONS UaF (CVE-2020-7457)]] | ||
|WebKit [[Vulnerabilities#FW_%3C=_5.50_-_FrameLoader::loadInSameDocument()_UaF_(CVE-2022-22620)_leading_to_arbitrary_RW|loadInSameDocument]] | |WebKit [[Vulnerabilities#FW_%3C=_5.50_-_FrameLoader::loadInSameDocument()_UaF_(CVE-2022-22620)_leading_to_arbitrary_RW|loadInSameDocument]] | ||
| need to mix [https://github.com/Cryptogenic/PS5-IPV6-Kernel-Exploit Cryptogenic's Implementation] and PsFree implementation by abc | |need to mix [https://github.com/Cryptogenic/PS5-IPV6-Kernel-Exploit Cryptogenic's Implementation] and PsFree implementation by abc | ||
|Elf Loader | |Elf Loader | ||
|- | |- | ||
Line 57: | Line 65: | ||
|[[Vulnerabilities#FW_%3C=_7.61_-_umtx_UaF_(yielding_arbitrary_kernel_R/W)_(CVE-2024-43102)|umtx UaF]] | |[[Vulnerabilities#FW_%3C=_7.61_-_umtx_UaF_(yielding_arbitrary_kernel_R/W)_(CVE-2024-43102)|umtx UaF]] | ||
|WebKit [[Vulnerabilities#FW_%3C=_5.50_-_FrameLoader::loadInSameDocument()_UaF_(CVE-2022-22620)_leading_to_arbitrary_RW|loadInSameDocument]] | |WebKit [[Vulnerabilities#FW_%3C=_5.50_-_FrameLoader::loadInSameDocument()_UaF_(CVE-2022-22620)_leading_to_arbitrary_RW|loadInSameDocument]] | ||
| [https://github.com/PS5Dev/PS5-UMTX-Jailbreak WebKit implementation for PS5 1.00- | |[https://github.com/PS5Dev/PS5-UMTX-Jailbreak WebKit implementation for PS5 1.00-5.50 chained with PS Free by Specter] | ||
|Elf Loader on 1.00-4.51, ROP on 5.00-5.51 | |Elf Loader on 1.00-4.51, ROP on 5.00-5.51 | ||
|- | |- | ||
Line 73: | Line 81: | ||
|[[Vulnerabilities#FW_%3C=_7.61_-_umtx_UaF_(yielding_arbitrary_kernel_R/W)_(CVE-2024-43102)|umtx UaF]] | |[[Vulnerabilities#FW_%3C=_7.61_-_umtx_UaF_(yielding_arbitrary_kernel_R/W)_(CVE-2024-43102)|umtx UaF]] | ||
|[[Vulnerabilities#FW_%3C=_7.61_-_BD-JB2_-_Path_traversal_sandbox_escape_by_TheFloW|BD-JB2]] | |[[Vulnerabilities#FW_%3C=_7.61_-_BD-JB2_-_Path_traversal_sandbox_escape_by_TheFloW|BD-JB2]] | ||
|JAVA PoC by flatz | |[https://github.com/hammer-83/ps5-jar-loader] based on JAVA PoC by flatz | ||
|Native code execution within Blu-ray context | |Native code execution within Blu-ray context | ||
|- | |- |
Revision as of 04:42, 26 October 2024
This page presents a compilation of exploit chains that utilize various Vulnerabilities identified on the PS5. It outlines the current functionalities of different potential and complete exploit chains for specific firmware versions.
System Software Version | Hardware requirement | Hypervisor Exploit | Kernel Exploit | Usermode Exploit | Exploit Chain Implementation | Capability |
---|---|---|---|---|---|---|
<=2.50 | none | umtx UaF | any usermode exploit | Unreleased by Flatz | Full Access to the system, HEN, Platform Secure Processor dump | |
<=2.50 | none | umtx UaF | any usermode exploit: WebKit loadInSameDocument or BD-JB2 or LUA escape from PS4 disc-based game savedata | Byepervisor by Specter | Full Access to the system, HEN | |
<=4.03 | USB storage media | N/A | exFAT Driver Heap Exploit There is no implementation because of the difficulty in writing the exploit without a real-time kernel dump or at least kASLR defeat. The proof of concept is a kernel panic when plugging in the drive and using the console for about a minute. | any usermode exploit | N/A (PS4 uses pOOBs4 by ChendoChap) | N/A |
3.00-4.51 | none | N/A | IPV6_2292PKTOPTIONS UaF (CVE-2020-7457) | WebKit loadInSameDocument | need to mix Cryptogenic's Implementation and PsFree implementation by abc | Elf Loader |
3.00-4.51 | none | N/A | IPV6_2292PKTOPTIONS UaF (CVE-2020-7457) | WebKit CSSFontFaceSet | Cryptogenic's Implementation | Elf Loader |
3.00-4.51 | BD reader for PS5 + BD writer + BD-RE | N/A | IPV6_2292PKTOPTIONS UaF (CVE-2020-7457) | BD-JB | ps5-invoke-native by john-tornblom, bd-jb by TheFloW | Native code execution within Blu-ray context |
1.00-5.50 | none | N/A | umtx UaF | WebKit loadInSameDocument | WebKit implementation for PS5 1.00-5.50 chained with PS Free by Specter | Elf Loader on 1.00-4.51, ROP on 5.00-5.51 |
6.00-7.61 | none | N/A | umtx UaF | WebKit clobberWorld or unknown heap and string overflow | N/A (WebKit vulnerabilities only lead to OOM as of now) | Elf Loader |
1.00-7.61 | BD reader for PS5 + BD writer + BD-RE | N/A | umtx UaF | BD-JB2 | [1] based on JAVA PoC by flatz | Native code execution within Blu-ray context |
1.00-7.61 | vulnerable game in disc or PS Store version + exploit game save data on the SSD | N/A | umtx UaF | PS4 disc-based game save data exploit that hijacks the LUA interpreter | LUA PoC by flatz but the exploit game save data is missing | Elf Loader |