
Exploiting PS4 Video Apps

by
m0rph3us1987
Agenda
● Intro
● Analysis
● 1.76 Webkit exploit details
● Memory dumping
● What's next?
● The master plan:
○ Spraying
○ Identify objects
○ Trigger ROP execution / ROP chain
● Conclusion
Intro
• @m0rph3us1987
• Software developer (ERP area)
• Fetish for reverse engineering and for low-level programming languages
• PS4 was intended as a present for me (early 2015)
• Looking for a console with FW 1.76 (bundle)
• Amazon dealer
• FW 3.15 • ☎
Analysis
[Diagram: PS4 video apps (IGN, Youtube, Vevo, Netflix, Prime Video) with their traffic captured by tcpdump]
Analysis
• Some video apps (IGN, Vevo, etc.) use AppleWebKit/531.3 and no SSL
• Theoretically, the 1.76 WebKit exploit should still work in these video apps
Analysis
[Diagram: IGN app on the PS4 → DNS → 1.76 Webkit exploit]
Analysis
• Exploit attempt...
• u32 size: 0x1cdda9a0
• u32base = 0x21cdda980
• verify base = 0x81480ff8
• WebKit2 base address = 0x80adfe60
• u32base is always at the same address. No ASLR???


1.76 Webkit exploit details (credits NAS and proxima)
• Uses a bug in the array.sort() function
• Overwrites the pointer and the length of an array
• Enables the attacker to read / write arbitrary memory addresses via a u32 array
• u32base -> address of the array
• setBase(0x8000000);
• var value = u32[0];
• u32[0] = 0xdeadbeef;
Memory dumping
[Diagram: IGN app on the PS4 → DNS → Ajax dumper + 1.76 Webkit exploit]
Memory dumping
• Access to the memory of the app
• Wrong offsets mean a crash of the app or the console
• Read small chunks (4096 bytes gave the best results)
• Code starts at 0x400000, like on FreeBSD (with exceptions)
• Heap started at 0x200000000
• Modules are always 16KB apart (OrbisOS PAGE_SIZE)
• Very very long time...
Memory dumping
What's next?
• How can I handle the program flow with an arbitrary read / write?
What's next?
• vtable
vtable
[Diagram: object instance in the RW area pointing to its vtable in the RX area]
• Applies to every method in a class
• getter / setter for object properties
• vtable is in the RX area, the object instance in the RW area
vtable vs fake vtable
• vtable pointers are on the heap
• Heap is controlled by us
• Replace the vtable pointer with a fake vtable pointer
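The slide above rests on one layout fact: the vtable itself sits in read-only code, but the pointer to it sits inside the instance on the writable heap. The C program below is an added example, not code from the talk, that models exactly that layout and shows the defender's answer to it: a heap object whose first word is its vtable pointer, a legitimate vtable in read-only data, a plain virtual call that trusts the pointer, and a checked dispatcher that refuses any vtable pointer outside the known vtable region (the idea behind compiler vtable verification and forward-edge CFI). The struct name Textarea, the two method names, the 0xBAD return value and the single-vtable "region" are constructed for the demo.

```c
#include <stdint.h>
#include <stdlib.h>

/* Added example (not code from the talk): a C model of a C++ object whose first
 * word is its vtable pointer. The legitimate vtable sits in read-only data (the
 * RX side of the slide), the instance sits on the writable heap (the RW side). */

typedef struct Textarea Textarea;
typedef long (*method_t)(Textarea *self);

struct Textarea {
    const method_t *vtable;   /* first word of the instance: the vtable pointer */
    long rows;
};

static long real_get_rows(Textarea *self) { return self->rows; }
static long real_set_selection_start(Textarea *self) { (void)self; return 0; }

/* Legitimate vtable in .rodata: a heap write cannot change its entries,
 * but it can change the pointer *to* it inside the instance. */
static const method_t textarea_vtable[] = { real_get_rows, real_set_selection_start };
#define NSLOTS (sizeof textarea_vtable / sizeof textarea_vtable[0])

/* Defender-side check: only dispatch through a vtable pointer that lies inside
 * the known vtable region. Compilers implement this idea as vtable verification
 * or forward-edge CFI; here the region is just textarea_vtable (an assumption). */
static int vtable_is_valid(const Textarea *obj) {
    uintptr_t lo = (uintptr_t)textarea_vtable;
    uintptr_t hi = lo + sizeof textarea_vtable;
    uintptr_t vp = (uintptr_t)obj->vtable;
    return vp >= lo && vp < hi;
}

/* Plain virtual call: trusts whatever pointer is in the heap object. */
long call_slot_unchecked(Textarea *obj, unsigned slot) {
    return obj->vtable[slot](obj);
}

/* Checked virtual call: returns -1 instead of following an unknown vtable. */
long call_slot_checked(Textarea *obj, unsigned slot) {
    if (slot >= NSLOTS || !vtable_is_valid(obj)) return -1;
    return obj->vtable[slot](obj);
}

/* Stand-in for whatever a heap-resident fake vtable entry would point at. */
static long attacker_method(Textarea *self) { (void)self; return 0xBAD; }

/* Untampered object: the checked dispatcher behaves like a normal call. */
long call_legit(unsigned slot) {
    Textarea el = { textarea_vtable, 0xDEADC0DE };
    return call_slot_checked(&el, slot);
}

/* Same object after its vtable pointer has been redirected to a heap buffer,
 * the "fake vtable" situation the slide describes. checked=1 uses the
 * validating dispatcher, checked=0 the plain one. */
long call_hijacked(int checked) {
    Textarea *el = malloc(sizeof *el);
    method_t *fake = malloc(NSLOTS * sizeof *fake);   /* heap-resident fake vtable */
    if (!el || !fake) abort();
    el->vtable = textarea_vtable;
    el->rows = 0xDEADC0DE;
    for (unsigned i = 0; i < NSLOTS; i++) fake[i] = attacker_method;
    el->vtable = fake;                                /* the swapped pointer */
    long r = checked ? call_slot_checked(el, 1) : call_slot_unchecked(el, 1);
    free(fake);
    free(el);
    return r;
}
```

The unchecked path lands in attacker_method because nothing in a plain virtual call distinguishes a pointer into .rodata from a pointer into the heap; the checked path rejects the redirected object before any call happens. A range check against one vtable is the toy form; real mitigations check against the set of vtables valid for the static type.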
The master plan
• Spray objects (in my case textareas)
• Find an object instance on the heap
○ Memory address + object index in the array
• Find the vtable of the object
• Swap the vtable with a fake vtable
• Trigger ROP execution
Object spraying...
• Protect the textareas from garbage collection
• Number of objects = 0x1000
• textarea.rows serves for identification (el.rows = 0xDEADC0DE)
Identify object instance
• If the value 0xDEADC0DE was found, it is replaced with 0xDEADBEEF
• Address of the object instance: el_adr = HeapBase + (i * 4) - 0xC8
• Check which element in the array has changed
• Change the value to 0xC0EDBABE to be 100% sure (and maybe because it's fun!)
Find vtable
• Analyze the memory area around the instance
• Look for a pointer into a code area that could be a vtable
• Determining the vtable is easy!
Find vtable
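As an added example, not the talk's code, covering both the "Identify object instance" marker search and the "Find vtable" pointer heuristic above, the C program below runs the two searches over a constructed 1 KiB dump held in memory: it finds the 0xDEADC0DE marker as a u32 index, applies the talk's formula el_adr = HeapBase + (i * 4) - 0xC8 to get the instance address, and then scans the instance for an 8-byte word that falls inside the code region. The heap base 0x200000000 and code start 0x400000 are the talk's figures; the code upper bound 0x800000, the sample vtable address 0x4A5B60, the dump layout, and reading 0xC8 as the offset of `rows` inside the instance are assumptions of the sample.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not the talk's code: an offline model of the two search steps
 * from the slides, run over a constructed heap dump.
 *  1. Scan the dump as u32 words for the marker written into textarea.rows and
 *     turn the hit index into the instance address with the talk's formula
 *     el_adr = HeapBase + (i * 4) - 0xC8.
 *  2. Inside the instance, look for a 64-bit word that points into the code
 *     region: that is the talk's heuristic for spotting the vtable pointer. */

#define MARKER      0xDEADC0DEu
#define ROWS_OFFSET 0xC8ull        /* byte offset of `rows` in the instance (the talk's 0xC8) */

/* Constructed sample layout. Heap base and code start are the talk's figures;
 * the rest are made-up values for the sample. */
#define HEAP_BASE   0x200000000ull
#define CODE_LO     0x400000ull
#define CODE_HI     0x800000ull    /* assumed upper bound of the code region */
#define DUMP_WORDS  256            /* 1 KiB dump */
#define INST_WORD   16             /* instance begins at byte 64 of the dump */
#define SAMPLE_VTBL 0x4A5B60ull    /* constructed vtable address inside CODE_LO..CODE_HI */

/* Step 1a: index of the first marker word, or -1 if absent. */
long find_marker(const uint32_t *dump, size_t nwords, uint32_t marker) {
    for (size_t i = 0; i < nwords; i++)
        if (dump[i] == marker) return (long)i;
    return -1;
}

/* Step 1b: the talk's formula, marker index -> instance address. */
uint64_t instance_address(uint64_t heap_base, long marker_index) {
    return heap_base + (uint64_t)marker_index * 4 - ROWS_OFFSET;
}

/* Step 2: byte offset within the instance of the first 8-byte (little-endian)
 * word that lies in [CODE_LO, CODE_HI), scanning at most max_bytes; -1 if none. */
long find_vtable_candidate(const uint32_t *dump, size_t nwords, uint64_t heap_base,
                           uint64_t el_adr, size_t max_bytes) {
    size_t start = (size_t)((el_adr - heap_base) / 4);
    for (size_t w = 0; (w + 1) * 4 < max_bytes && start + w + 1 < nwords; w += 2) {
        uint64_t p = ((uint64_t)dump[start + w + 1] << 32) | dump[start + w];
        if (p >= CODE_LO && p < CODE_HI) return (long)(w * 4);
    }
    return -1;
}

/* Build the constructed dump: zeros, one instance at INST_WORD whose first
 * 8 bytes are the vtable pointer and whose `rows` word holds the marker. */
void build_sample(uint32_t dump[DUMP_WORDS]) {
    memset(dump, 0, DUMP_WORDS * sizeof dump[0]);
    dump[INST_WORD]     = (uint32_t)(SAMPLE_VTBL & 0xFFFFFFFFu);
    dump[INST_WORD + 1] = (uint32_t)(SAMPLE_VTBL >> 32);
    dump[INST_WORD + ROWS_OFFSET / 4] = MARKER;
}

/* Wrappers that run the whole search on the sample dump. */
long sample_marker_index(void) {
    uint32_t dump[DUMP_WORDS];
    build_sample(dump);
    return find_marker(dump, DUMP_WORDS, MARKER);   /* 66 for this layout */
}

uint64_t sample_instance_address(void) {
    return instance_address(HEAP_BASE, sample_marker_index());
}

long sample_vtable_offset(void) {
    uint32_t dump[DUMP_WORDS];
    build_sample(dump);
    return find_vtable_candidate(dump, DUMP_WORDS, HEAP_BASE,
                                 sample_instance_address(), 0x100);
}
```

With the marker at byte 264 of the dump the formula yields HeapBase + 0x40, i.e. the instance starts 0xC8 bytes before its `rows` field, and the first 8-byte word there is the only value in the instance that falls inside the code range, which is why the talk calls the vtable easy to spot.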
Triggering ROP execution
• The fake vtable allows us to run a gadget
• So there must be a gadget that puts RSP under our control (stack pivot gadget)
• Only useful gadget: push rax; pop rsp; ret
• This means the ROP chain must be placed where RAX points!
• How do I determine the value of RAX?
Triggering ROP execution
GDB and PC-BSD
• PC-BSD 9 VM, with an old Midori browser
• RAX = memory address of the vtable / fake vtable
• vtable entry 30 = textarea.setselectionstart
• The stack pivot gadget needs to get to this point
• The ROP chain must be at the beginning of the fake vtable because RSP will point there when the stack pivot gadget is executed
Triggering ROP execution
The ROP chain
• Small number of possible gadgets due to the vtable size
• So we only use the first 2 or 3 entries to move RSP somewhere with room for a bigger chain
• The real chain is somewhere on the heap
The ROP chain
ROP chain trigger
ROP chain
Conclusion
• Video apps need PSN access
• No JIT access (from FW 3.15 onwards)
• Video apps do not support threading
• Sandbox
• Can be easily fixed
• Totally OK to trigger a kernel exploit :D
Thank you for your attention
