Exploit Chains

From PS5 Developer wiki

This page compiles exploit chains that use the various vulnerabilities identified on the PS5. For each chain, complete or potential, it lists the current functionality on the specific System Software versions it covers. Chains are ordered from the most powerful and convenient to the least.

Each entry below is one row of the table, with the columns System Software Version, Hardware requirement, Hypervisor Exploit, Kernel Exploit, Usermode Exploit, Exploit Chain Implementation and Capability.

System Software Version: <=2.70
Hardware requirement: various
Hypervisor Exploit: flatz's
Kernel Exploit: umtx UaF
Usermode Exploit: any compatible usermode exploit: WebKit loadInSameDocument or BD-JB or Lua escape from PS4 disc-based game savedata or mast1c0re
Exploit Chain Implementation: Unreleased by Flatz
Capability:
- Platform Secure Processor dump
- Kernel .text write
- HEN

System Software Version: <=2.70
Hardware requirement: various
Hypervisor Exploit: Byepervisor
Kernel Exploit: AIO Double Free
Usermode Exploit: any compatible usermode exploit: WebKit loadInSameDocument or BD-JB or Lua escape from PS4 disc-based game savedata or mast1c0re
Exploit Chain Implementation: N/A
Capability:
- Kernel .text write
- HEN

System Software Version: <=2.70
Hardware requirement: various
Hypervisor Exploit: Byepervisor
Kernel Exploit: umtx UaF
Usermode Exploit: any compatible usermode exploit: WebKit loadInSameDocument or BD-JB or Lua escape from PS4 disc-based game savedata or mast1c0re
Exploit Chain Implementation: Byepervisor by Specter
Capability:
- Kernel .text write
- HEN

System Software Version: 1.00-5.50
Hardware requirement: HTTP server
Hypervisor Exploit: N/A
Kernel Exploit: AIO Double Free
Usermode Exploit: WebKit loadInSameDocument
Exploit Chain Implementation: PSFree 1.5rc1 by abc
Capability:
- kstuff
- usermode ELF loader on <=4.51
- usermode ROP

System Software Version: 1.00-5.50
Hardware requirement: HTTP server
Hypervisor Exploit: N/A
Kernel Exploit: umtx UaF
Usermode Exploit: WebKit loadInSameDocument
Exploit Chain Implementation: WebKit implementation for PS5 1.00-5.50 chained with PSFree by Specter
Capability:
- kstuff
- usermode ELF loader on <=4.51
- usermode ROP

System Software Version: 3.00-4.51
Hardware requirement: HTTP server
Hypervisor Exploit: N/A
Kernel Exploit: IPV6_2292PKTOPTIONS UaF (CVE-2020-7457)
Usermode Exploit: WebKit loadInSameDocument
Exploit Chain Implementation: needs to mix Cryptogenic's implementation and the PSFree implementation by abc
Capability:
- kstuff
- usermode ELF loader on <=4.51
- usermode ROP

System Software Version: 3.00-4.51
Hardware requirement: HTTP server
Hypervisor Exploit: N/A
Kernel Exploit: AIO Double Free
Usermode Exploit: WebKit CSSFontFaceSet
Exploit Chain Implementation: N/A
Capability:
- kstuff
- usermode ELF loader on <=4.51
- usermode ROP

System Software Version: 3.00-4.51
Hardware requirement: HTTP server
Hypervisor Exploit: N/A
Kernel Exploit: IPV6_2292PKTOPTIONS UaF (CVE-2020-7457)
Usermode Exploit: WebKit CSSFontFaceSet
Exploit Chain Implementation: Cryptogenic's implementation
Capability:
- kstuff
- usermode ELF loader on <=4.51
- usermode ROP

System Software Version: 3.00-4.51
Hardware requirement: HTTP server
Hypervisor Exploit: N/A
Kernel Exploit: umtx UaF
Usermode Exploit: WebKit CSSFontFaceSet
Exploit Chain Implementation: WebKit implementation for PS5 3.00-4.51 chained with CSSFontFaceSet by Specter
Capability:
- kstuff
- usermode ELF loader on <=4.51
- usermode ROP

System Software Version: 3.00-4.51
Hardware requirement: BD reader for PS5 + BD writer + BD-RE
Hypervisor Exploit: N/A
Kernel Exploit: IPV6_2292PKTOPTIONS UaF (CVE-2020-7457)
Usermode Exploit: BD-JB
Exploit Chain Implementation: ps5-invoke-native by john-tornblom, bd-jb by TheFloW
Capability:
- kstuff
- usermode ELF loader on <=4.51
- usermode ROP
- native code execution within Blu-ray context: Here are some functions by john-tornblom

System Software Version: 1.00-4.51
Hardware requirement: BD reader for PS5 + BD writer + BD-RE
Hypervisor Exploit: N/A
Kernel Exploit: AIO Double Free
Usermode Exploit: BD-JB
Exploit Chain Implementation: N/A
Capability:
- kstuff
- usermode ELF loader on <=4.51
- usermode ROP
- native code execution within Blu-ray context: Here are some functions by john-tornblom

System Software Version: 1.00-5.50
Hardware requirement: BD reader for PS5 + BD writer + BD-RE
Hypervisor Exploit: N/A
Kernel Exploit: AIO Double Free
Usermode Exploit: BD-JB2
Exploit Chain Implementation: N/A
Capability:
- kstuff
- usermode ELF loader on <=4.51
- usermode ROP
- native code execution within Blu-ray context: Here are some functions by john-tornblom

System Software Version: 1.00-4.51
Hardware requirement: BD reader for PS5 + BD writer + BD-RE
Hypervisor Exploit: N/A
Kernel Exploit: umtx UaF
Usermode Exploit: BD-JB
Exploit Chain Implementation: N/A
Capability:
- kstuff
- usermode ELF loader on <=4.51
- usermode ROP
- native code execution within Blu-ray context: Here are some functions by john-tornblom

System Software Version: 1.00-5.50
Hardware requirement: BD reader for PS5 + BD writer + BD-RE
Hypervisor Exploit: N/A
Kernel Exploit: umtx UaF
Usermode Exploit: BD-JB2
Exploit Chain Implementation: [1] based on Java PoC by flatz
Capability:
- kstuff
- usermode ELF loader on <=4.51
- usermode ROP
- native code execution within Blu-ray context: Here are some functions by john-tornblom

System Software Version: 6.00-7.61
Hardware requirement: BD reader for PS5 + BD writer + BD-RE
Hypervisor Exploit: N/A
Kernel Exploit: AIO Double Free + GPU DMA copy
Usermode Exploit: BD-JB2
Exploit Chain Implementation: N/A
Capability:
- kstuff
- usermode ELF loader on <=4.51
- usermode ROP
- native code execution within Blu-ray context: Here are some functions by john-tornblom

System Software Version: 6.00-7.61
Hardware requirement: BD reader for PS5 + BD writer + BD-RE
Hypervisor Exploit: N/A
Kernel Exploit: umtx UaF + GPU DMA copy
Usermode Exploit: BD-JB2
Exploit Chain Implementation: [2] based on Java PoC by flatz
Capability:
- kstuff
- usermode ELF loader on <=4.51
- usermode ROP
- native code execution within Blu-ray context: Here are some functions by john-tornblom

System Software Version: 1.00-5.50
Hardware requirement: vulnerable game in disc or PS Store version + exploit game save data on the SSD
Hypervisor Exploit: N/A
Kernel Exploit: AIO Double Free
Usermode Exploit: PS4 disc-based game save data exploit that hijacks the Lua interpreter, or mast1c0re
Exploit Chain Implementation: N/A
Capability:
- kstuff
- usermode ELF loader on <=4.51
- usermode ROP
- native code execution within Blu-ray context: Here are some functions by john-tornblom

System Software Version: 3.00-4.51
Hardware requirement: vulnerable game in disc or PS Store version + exploit game save data on the SSD
Hypervisor Exploit: N/A
Kernel Exploit: IPV6_2292PKTOPTIONS UaF (CVE-2020-7457)
Usermode Exploit: PS4 disc-based game save data exploit that hijacks the Lua interpreter, or mast1c0re
Exploit Chain Implementation: Lua usermode ROP working but not yet chained with the IPv6 UaF
Capability:
- kstuff
- usermode ELF loader on <=4.51
- usermode ROP
- native code execution within Blu-ray context: Here are some functions by john-tornblom

System Software Version: 1.00-5.50
Hardware requirement: vulnerable game in disc or PS Store version + exploit game save data on the SSD
Hypervisor Exploit: N/A
Kernel Exploit: umtx UaF
Usermode Exploit: PS4 disc-based game save data exploit that hijacks the Lua interpreter, or mast1c0re
Exploit Chain Implementation: [3]
Capability:
- kstuff
- usermode ELF loader on <=4.51
- usermode ROP

System Software Version: 6.00-10.01
Hardware requirement: vulnerable game in disc or PS Store version + exploit game save data on the SSD
Hypervisor Exploit: N/A
Kernel Exploit: AIO Double Free + GPU DMA copy
Usermode Exploit: PS4 disc-based game save data exploit that hijacks the Lua interpreter, or mast1c0re
Exploit Chain Implementation: N/A
Capability:
- kstuff
- usermode ELF loader on <=4.51
- usermode ROP

System Software Version: 6.00-7.61
Hardware requirement: vulnerable game in disc or PS Store version + exploit game save data on the SSD
Hypervisor Exploit: N/A
Kernel Exploit: umtx UaF + GPU DMA copy
Usermode Exploit: PS4 disc-based game save data exploit that hijacks the Lua interpreter, or mast1c0re
Exploit Chain Implementation: [4]
Capability:
- kstuff
- usermode ELF loader on <=4.51
- usermode ROP

System Software Version: <=4.03
Hardware requirement: USB storage media
Hypervisor Exploit: N/A
Kernel Exploit: exFAT Driver Heap Exploit. There is no implementation because of the difficulty of writing the exploit without a real-time kernel dump or at least a kASLR defeat. The proof of concept is a kernel panic when plugging in the USB drive and using the PS5 console for about one minute.
Usermode Exploit: any compatible usermode exploit
Exploit Chain Implementation: N/A (PS4 uses pOOBs4 by ChendoChap)
Capability:
- kernel panic