Exploiting PS4 Video Apps
by
m0rph3us1987
Agenda
● Intro
● Analysis
● 1.76 Webkit exploit details
● Memory dumping
● What's next?
● The master plan:
○ Spraying
○ Identify objects
○ Trigger ROP execution / ROP Chain
● Conclusion
Intro
• @m0rph3us1987
• Software developer (ERP area)
• Fetish for reverse engineering and for low-level programming languages
• PS4 was intended as a present for me (early 2015)
• Looking for a console with FW 1.76 (bundle)
• Amazon dealer
• FW 3.15 • ☎
Analysis
[Slide graphic: a PS4 running the video apps IGN, YouTube, Vevo, Netflix and Prime Video, with their network traffic captured by tcpdump]
Analysis
• Some video apps (IGN, Vevo, etc.) use AppleWebKit/531.3 and no SSL
• Theoretically, the 1.76 WebKit exploit should therefore still work inside these video apps
Analysis
[Slide diagram: first panel shows the PS4, a DNS server and IGN; second panel shows the same PS4, DNS server and IGN together with a "Dumper" host and the 1.76 WebKit exploit]
Memory dumping
• Gives access to the memory of the app
• Wrong offsets mean a crash of the app or of the whole console
• Read in small chunks (4096 bytes gave the best results)
• Code starts at 0x400000, as on FreeBSD (with exceptions)
• The heap started at 0x200000000
• Modules are always 16 KB apart (the OrbisOS PAGE_SIZE)
• Takes a very, very long time ....
What's next?
• How can I take control of the program flow with only an arbitrary read / write?
• vtable
vtable
[Slide figure: an object living in RW memory whose vtable pointer refers into RX memory]
● Change the value to 0xC0EDBABE to be 100% sure (and maybe because it's fun!)
The Master Plan
• Spray objects (in my case textareas)
• Find an object instance on the heap
○ Memory address + object index in the array
• Find the vtable of the object
• Swap the vtable with a fake vtable
• Trigger ROP execution
Find vtable
• Analyze the memory area around the instance
• So we only use the first two or three entries to move RSP somewhere where we have room for a bigger chain