This repo contains an experimental WebKit ROP implementation of a PS5 kernel exploit based on TheFlow's IPV6 Use-After-Free (UAF), which was reported on HackerOne. The exploit strategy is for the most part based on TheFlow's BSD/PS4 PoC with some changes to accommodate the annoying PS5 memory layout (for more see Research Notes section). It establishes an arbitrary read / (semi-arbitrary) write primitive. This exploit and its capabilities have a lot of limitations, and as such, it's mostly intended for developers to play with to reverse engineer some parts of the system.
With latest stability improvements, reliability is at about 80%. This document will contain research info about the PS5, and this exploit will undergo continued development and improvements as time goes on.
Those interested in contributing to PS5 research/dev can join a discord I have setup here.
Exploit should now support the following firmwares:
dns.conf to point manuals.playstation.net to your PCs IP addresspython fakedns.py -c dns.confpython host.py0.0.0.0To use the ELF loader, run the exploit until completion. Upon completion it'll run a server on port :9020. Connect and send your ELF to the PS5 over that port and it'll run it. Assuming the ELF doesn't crash the browser, it can continue to run ELFs forever.
This exploit works in 5 stages, and for the most part follows the same exploit strategy as theflow's poc.
1) Trigger the initial UAF on ip6_pktopts and get two sockets to point to the same pktopts / overlap (master socket <-> overlap spray socket)
2) Free the pktopts on the master socket and fake it with an ip6_rthdr spray containing a tagged tclass overlap.
3) Infoleak step. Use pktopts/rthdr overlap to leak a kqueue from the 0x200 slab and pktopts from the 0x100 slab.
4) Arbitrary read/write step. Fake pktopts again and find the overlap socket to use IPV6_RTHDR as a read/write primitive.
4) Cleanup + patch step. Increase refcount on corrupted sockets for successful browser exit + patch data to enable debug menu and patch ucreds for uid0.
4) Run ELF loader server that will accept and load/run ELFs. Currently WIP, does not support relocations at the moment.
Stability for this exploit is at about ~~30%~~ 80-90%, and has two potential points of failure. In order of observed descending liklihood: 1) Stage 1 fails to reclaim the UAF, causing immediate crash or latent corruption that causes crash. 2) Stage 4 fails to find a victim socket
After further research, the page size is indeed still 0x4000, however due to some insane allocator changes, different slabs can be allocated in the same virtual page.
It also seems on PS5 that adjacent pages rarely belong to the same slab, as you'll get vastly different data in adjacent pages. Memory layout seems more scattered.
$ claude mcp add PS5-IPV6-Kernel-Exploit \
-- python -m otcore.mcp_server <graph>