A WebKit exploit using CVE-2018-4441 to obtain RCE on PS4 6.20.
This repo contains a proof-of-concept (PoC) RCE exploit targeting the PlayStation 4 on firmware 6.20 leveraging CVE-2018-4441. The exploit first establishes an arbitrary read/write primitive as well as an arbitrary object address leak in
wkexploit.js. It will then setup a framework to run ROP chains in
index.htmland by default will provide two hyperlinks to run test ROP chains - one for running the
sys_getpid()syscall, and the other for running the
sys_getuid()syscall to get the PID and user ID of the process respectively.
Each file contains a comment at the top giving a brief explanation of what the file contains and how the exploit works. Credit for the bug discovery is to lokihardt from Google Project Zero (p0). The bug report can be found here.
Note: It's been patched in the 6.50 firmware update.
Files in order by name alphabetically;
index.html- Contains post-exploit code, going from arb. R/W -> code execution.
rop.js- Contains a framework for ROP chains.
syscalls.js- Contains an (incomplete) list of system calls to use for post-exploit stuff.
wkexploit.js- Contains the heart of the WebKit exploit.
p.launchchain()method for code execution may need to be swapped out.
syscalls.jscontains only a small number of system calls.
Setup a web-server hosting these files on localhost using xampp or any other program of your choosing. Additionally, you could host it on a server. You can access it on the PS4 by either;
1) Fake DNS spoofing to redirect the manual page to the exploit page, or
2) Using the web browser to navigate to the exploit page (not always possible).
I wrote the exploit however I did not find the vulnerability, as mentioned above the bug (CVE-2018-4441) was found by lokihardt from Google Project Zero (p0) and was disclosed via the Chromium public bug tracker.
Chromium Bug Report - The vulnerability.
lokihardt - The vulnerability
st4rk - Help with the exploit
qwertyoruiop - WebKit School
saelo - Phrack paper