PS4 6.70 - 6.72 Kernel Exploit

Summary

In this project you will find a full implementation of the "ipv6 uaf" kernel exploit for the PlayStation 4 on 6.70 - 6.72. It will allow you to run arbitrary code as kernel, to allow jailbreaking and kernel-level modifications to the system. will launch the usual payload launcher (on port 9020).

This bug was originally discovered by Fire30, and subsequently found by Andy Nguyen

Patches Included

The following patches are applied to the kernel:

Allow RWX (read-write-execute) memory mapping (mmap / mprotect)
Syscall instruction allowed anywhere
Dynamic Resolving (sys_dynlib_dlsym) allowed from any process
Custom system call #11 (kexec()) to execute arbitrary code in kernel mode
Allow unprivileged users to call setuid(0) successfully. Works as a status check, doubles as a privilege escalation.

Notes

The page will crash on successful kernel exploitation, this is normal
There are a few races involved with this exploit, losing one of them and attempting the exploit again might not immediately crash the system but stability will take a hit.

Contributors

Specter - advice + 5.05 webkit and (6.20) rop execution method
kiwidog - advice
Fire30 - bad_hoist
Andy Nguyen - disclosed exploit code
SocraticBliss - Shakespeare dev & crash test dummy