Following his previous PS4 7.02 Kernel Exploit (KEX), the PS4 7.02 / 7.51 / 7.55 WebKit Exploit, PS4 7.02 Full Stack and PS4JB 7.02 Jailbreak, today developer theflow0 publicly disclosed, via the bug bounty site, a PS4 vulnerability he reported this past July that, when properly chained with a WebKit Exploit, allows for dumping and running PS4 game backups!

Download: 7.55&8.00-Payloads.7z (33.97 KB) via Al Azif / Patches755-Loader.cpp / Patches755-Kernel.cpp / ps4punch.7.55.rar (725.65 KB) / 4.00-8.00-Payloads.7z (34.68 KB) / ipv6-df-2.c - FreeBSD 9 PoC of kernel code execution using the new TheFlow vulnerability / Linux Loader 7.55 / PS4JB Payloads

Current 7.55 / 8.00 PS4 Payloads Include:

It's important to note that PS4 Scene developers recommend NOT updating your PlayStation 4 Firmware at this time!

From theflow0, to quote: SOCK_RAW sockets reachable from Webkit process allows triggering double free in IP6_EXTHDR_CHECK

Memory corruption can be achieved by sending fragmented IPv6 packets to loopback interface due to poor and inconsistent use of IP6_EXTHDR_CHECK. The macro IP6_EXTHDR_CHECK can free the mbuf if the packet is sent to loopback interface. This fact is not considered in dest6_input(), frag6_input() and more. For example in dest6_input(), the double pointer is not updated:

    dest6_input(struct mbuf **mp, int *offp, int proto)
    {
        IP6_EXTHDR_CHECK(m, off, sizeof(*dstopts), return IPPROTO_DONE);
    }

Hence, when parsing next headers, the mbuf can be freed once again, leading to a double free which behaves like a use-after-free when we allocate mbufs again. Normally, this path would not be triggerable, because sending to loopback interface requires SOCK_RAW root privileges. However, for some reason on the PS4 SOCK_RAW sockets can be opened in Webkit process!

Attached is poc.c which must run with root privileges on a FreeBSD 9 machine. It demonstrates being able to escalate privileges to kernel. Attached is also ps4.c which is slightly adjusted to work on the PS4 (you'd need to add includes etc. to be able to compile it with your official ***, I compiled it with a custom framework). The reliability of poc.c is very high, around 80%, whereas ps4.c is not very high, I guess around 20%. In conjunction with a WebKit exploit, a fully chained remote attack can be achieved. It is possible to steal/manipulate user data.

And from sirdarckcat comes the PoC source code, as follows: XNU: Multiple IP6_EXTHDR_CHECK Use-After-Free/Double Free Vulnerabilities.
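To make the "double pointer is not updated" problem from theflow0's description concrete, below is an added userland model written for this page. It is not theflow0's poc.c or ps4.c, not sirdarckcat's PoC, and not FreeBSD source: it has a toy mbuf, a model of m_pullup() that replaces the head mbuf and frees the old one on the loopback path, a simplified IP6_EXTHDR_CHECK with the same "only the local variable m is updated" shape, and a dest6_input() in both the reported shape and a shape that writes the new head back through *mp. The option-header length, the mbuf sizes and the head_free_count() driver are assumptions made for the demonstration; the real macro, m_pullup() and the ip6_input() next-header loop carry more branches than are modelled here.

```c
#include <stdio.h>
#include <stdlib.h>

/* Protocol numbers match FreeBSD; everything else here is a toy model. */
#define IPPROTO_NONE    59
#define IPPROTO_DSTOPTS 60
#define IPPROTO_DONE    257
#define M_LOOP          0x01  /* packet was sent over the loopback interface */
#define DSTOPTS_LEN     8     /* assumed stand-in for sizeof(*dstopts) */

/* Toy mbuf. free_calls counts frees; memory is never really released, so a
 * stale pointer stays inspectable instead of being undefined behaviour. */
struct mbuf {
    struct mbuf *m_next;
    int m_len, m_flags, free_calls;
};

static struct mbuf *m_alloc(int len, int flags)
{
    struct mbuf *m = calloc(1, sizeof *m);
    if (m == NULL) abort();
    m->m_len = len; m->m_flags = flags;
    return m;
}

/* As in FreeBSD: m_free() releases one mbuf and returns its successor,
 * m_freem() releases a whole chain. */
static struct mbuf *m_free(struct mbuf *m) { m->free_calls++; return m->m_next; }
static void m_freem(struct mbuf *m) { while (m != NULL) m = m_free(m); }

/* Model of m_pullup(): if the head lacks len contiguous bytes, a new head is
 * allocated and filled from the chain, and every mbuf that runs empty (the
 * old head included) is freed. A too-short chain is freed entirely and NULL
 * returned. Both outcomes leave the caller's original pointer dangling. */
static struct mbuf *m_pullup(struct mbuf *n, int len)
{
    struct mbuf *m, *p;
    int total = 0, count;

    if (n->m_len >= len) return n;      /* already contiguous: same head */
    for (p = n; p != NULL; p = p->m_next) total += p->m_len;
    if (total < len) { m_freem(n); return NULL; }
    m = m_alloc(0, n->m_flags);
    while (len > 0) {
        count = n->m_len < len ? n->m_len : len;
        m->m_len += count; n->m_len -= count; len -= count;
        if (n->m_len == 0) n = m_free(n);  /* the old head is freed here */
    }
    m->m_next = n;
    return m;
}

/* Simplified shape of FreeBSD 9's IP6_EXTHDR_CHECK: on the loopback path it
 * pulls the header up, so the local variable m may afterwards name a
 * different (or freed) mbuf; the caller's copy is never touched. */
#define IP6_EXTHDR_CHECK(m, off, hlen, ret)                              \
do {                                                                     \
    if ((m)->m_len < (off) + (hlen)) {                                   \
        if (!((m)->m_flags & M_LOOP)) { m_freem(m); ret; }               \
        if (((m) = m_pullup((m), (off) + (hlen))) == NULL) { ret; }      \
    }                                                                    \
} while (0)

/* The pattern the report describes: *mp is never written back. */
static int dest6_input_buggy(struct mbuf **mp, int *offp, int proto)
{
    struct mbuf *m = *mp;
    int off = *offp;
    (void)proto;
    IP6_EXTHDR_CHECK(m, off, DSTOPTS_LEN, return IPPROTO_DONE);
    *offp = off + DSTOPTS_LEN;
    return IPPROTO_NONE;   /* pretend the option header says "no next header" */
}

/* One correct shape: hand the possibly-new head back before returning. */
static int dest6_input_fixed(struct mbuf **mp, int *offp, int proto)
{
    struct mbuf *m = *mp;
    int off = *offp;
    (void)proto;
    IP6_EXTHDR_CHECK(m, off, DSTOPTS_LEN, return IPPROTO_DONE);
    *mp = m;
    *offp = off + DSTOPTS_LEN;
    return IPPROTO_NONE;
}

/* Drives a handler the way ip6_input()'s next-header loop does, then frees
 * the packet as the following handler would. Returns how many times the
 * ORIGINAL head mbuf was freed: 1 is correct, 2 is the double free. */
static int head_free_count(int (*handler)(struct mbuf **, int *, int))
{
    struct mbuf *head = m_alloc(4, M_LOOP);  /* 4 bytes: shorter than DSTOPTS_LEN */
    struct mbuf *m = head;
    int off = 0;

    head->m_next = m_alloc(64, M_LOOP);      /* rest of the fragment (constructed) */
    if (handler(&m, &off, IPPROTO_DSTOPTS) != IPPROTO_DONE)
        m_freem(m);                          /* next handler releases the packet */
    return head->free_calls;
}

int main(void)
{
    printf("buggy dest6_input: original head freed %d times\n",
           head_free_count(dest6_input_buggy));
    printf("fixed dest6_input: original head freed %d times\n",
           head_free_count(dest6_input_fixed));
    return 0;
}
```

Compile with any C compiler and run. The buggy handler leaves the caller's pointer on the head that m_pullup() already freed, so the release by the next-header handler frees it a second time; with the write-back the original head is freed exactly once and the caller continues on the new head. Whether IP6_EXTHDR_CHECK can replace or free the mbuf at all depends on the M_LOOP path, which is why the report ties the trigger to loopback traffic and SOCK_RAW access.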