ps4-3.55-code-execution-poc's Issues
>> Could not start server -- is another program on udp:53?
Module Information is wrong
Edit: I forgot this issue was discussed in a previously opened issue :p point still stands that it should be reverted as it isn't functional anyway
After going back to some PS4 work, I noticed the newer changes to the PoC, particularly the module information printing. The merge from @Thunder07's branch broke module information printing completely as sys_dynlib_get_info only gives null bytes for every module at the offsets he's provided. The only way to get the base address is from sys_dynlib_get_info_ex, which was the system call used in the official PoC.
Because Sony stripped the system call, every piece of information returned by the PoC about a given module is wrong, as it just returns null.
$ python server.py
Modified arr length = 0x80000000
Modified arr length = 0x80000000
Found ArrayBufferView in memory!
Modified index is 51
Found modified ArrayBufferView!
Found modified ArrayBuffer!
vtable = 0x81ebf0d80
webkit_base_addr = 0x81c5f0000
buffer addr = 0x201fa1000
Starting ROP...
Printing module information...
Module name: libkernel.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceLibcInternal.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceSysmodule.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceNet.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceNetCtl.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceIpmi.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceMbus.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceRegMgr.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceRtc.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libScePad.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceVideoOut.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceOrbisCompat.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceWebKit2.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceSysCore.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceSystemService.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceSsl.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceVideoCoreServerInterface.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceWebBrowserInjectedBundle.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Latest commit d79db65 should be reverted.
Blank Screen
I've tried running this on my PS4 version 3.55 and it only gives me a blank white screen with no information on it or on the server, whereas when I type the IP into another PC it says it's unsupported. It doesn't look like it's working on version 3.55 at the moment.
CE-36329-3 THERE IS NOT ENOUGH FREE SYSTEM MEMORY
I have tried many times to run the exploit with both methods but the result is THERE IS NOT ENOUGH FREE SYSTEM MEMORY. X Enter (OK) O Back and then nothing happens.
Here is the log file (sorry for the English)
log.txt
It also says
Modified arr length = 0x80000000
Found ArrayBufferView in memory!
Modified index is 48
!! ERROR: Did not find ArrayBufferView in memory.
cannot load new modules
In ps4sploit.html, sceSysmoduleLoadModule(11, 0, 0, 0) is used for loading libSceAvSetting.sprx. However, I cannot find libSceAvSetting.sprx in the module list after "loading". Does Sony add more checks for the webkit process, or is it just misused?
When I get to libSceNetCtl.sprx IT GIVES ME THE SYSTEM MEMORY ERROR PLZ HELP
Executing Commands
How can I use this to execute commands on the PlayStation, such as ls or uname -a?
Log stops at libSceWebBrowserInjectedBundle.sprx every time and returns as not enough free memory on PS4.
Here is what is shown in the command line. The end is where it stops every time. I can't seem to get it working. What am I doing wrong?
Modified arr length = 0x80000000
Found ArrayBufferView in memory!
Modified index is 48
!! ERROR: Did not find ArrayBufferView in memory.
Modified arr length = 0x80000000
Found ArrayBufferView in memory!
Modified index is 50
Found modified ArrayBufferView!
Found modified ArrayBuffer!
vtable = 0x8043a8d80
webkit_base_addr = 0x801da8000
buffer addr = 0x201cbb000
Starting ROP...
Printing module information...
Module name: libkernel.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
Module name: libSceLibcInternal.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
Module name: libSceSysmodule.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
Module name: libSceNet.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
Module name: libSceNetCtl.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
Module name: libSceIpmi.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
Module name: libSceMbus.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
Module name: libSceRegMgr.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
Module name: libSceRtc.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
Module name: libScePad.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
Module name: libSceVideoOut.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
Module name: libSceOrbisCompat.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
Module name: libSceWebKit2.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
Module name: libSceSysCore.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
Module name: libSceSystemService.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
Module name: libSceSsl.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
Module name: libSceVideoCoreServerInterface.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
Module name: libSceWebBrowserInjectedBundle.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
ReferenceError: Can't find variable: dcodeIO
This issue may just be specific to my console, it's never been online and I'm currently running it through the User Guide using a DNS proxy.
I've never been able to get this PoC to run on my 3.55 PS4 up until now, no matter what it always produced the following issue:
Modified arr length = 0x80000000
Found ArrayBufferView in memory!
Modified index is 50
Found modified ArrayBufferView!
!! ERROR: ReferenceError: Can't find variable: dcodeIO
stack: global code@http://manuals.playstation.net/document/gb/ps4/index.html:109:39
I've now found that for whatever reason any globals defined in the first <script> tag will not be available in the global context/window object until the following browser tick. If I move jQuery to first <script> tag it will say $ is undefined, etc.
If I simply create a scripts/dummy.js with an empty global define and include that as the first <script> tag the example will run perfectly fine.
ps4sploit.html
+ <script src="/scripts/dummy.js"></script>
<script src="/scripts/long.js"></script>
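Review bot: the added /scripts/dummy.js include ahead of /scripts/long.js has nothing in ps4sploit.html explaining why an empty script must load first, so it reads as dead code and is likely to be dropped in a later cleanup. Add an HTML comment on that line stating that the include exists only to occupy the first script tag, and put the same one-line explanation at the top of scripts/dummy.js.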
scripts/dummy.js
function dummy() {}
Result:
Modified arr length = 0x80000000
Found ArrayBufferView in memory!
Modified index is 50
Found modified ArrayBufferView!
Found modified ArrayBuffer!
vtable = 0x83a1c8d80
webkit_base_addr = 0x837bc8000
buffer addr = 0x201996000
Starting ROP...
Printing module information...
Module name: libkernel.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceLibcInternal.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceSysmodule.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceNet.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceNetCtl.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceIpmi.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceMbus.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceRegMgr.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceRtc.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libScePad.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceVideoOut.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceOrbisCompat.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceWebKit2.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceSysCore.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceSystemService.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceSsl.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceVideoCoreServerInterface.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceWebBrowserInjectedBundle.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============