/Exploit-Writeups

A collection where my current and future writeups for exploits/CTF will go

Do What The F*ck You Want To Public LicenseWTFPL

Exploit Writeups

Welcome to my collection of exploit writeups. This repo is where my current and future writeups for public exploits, vulnerability research, and CTF challenge solves will go. Below is a directory of the current writeups that I've published.

FreeBSD / PS4 Kernel

PS4 4.05 Kernel Exploit Overview

An overview of the PS4 kernel exploit codenamed "namedobj", which targets a type confusion vulnerability in the sys_namedobj_* Sony system calls. This overview covers the basic exploit strategy required to leverage the type confusion bug into a fully fledged exploit.

PS4 4.05 Kernel Exploit Writeup

A full writeup on how the "namedobj" type confusion vulnerability can be leveraged to achieve arbitrary code execution in kernel mode, via a targetted use-after-free (UAF).

PS4 4.55 / FreeBSD BPF Kernel Exploit Writeup

A writeup containing the technical details behind a kernel exploit targetting the Berkely Packet Filter (BPF) system shipped on standard FreeBSD systems, but specifically targetting the Playstation 4 on 4.55FW. The bug is a race condition leading to a stack out-of-bounds (OOB) write. The writeup shows how this can easily be leveraged to escalate privileges to execute arbitrary code in kernel mode.

PS4 5.05 / FreeBSD BPF 2nd Kernel Exploit Writeup

A writeup targetting another BPF vulnerability - another, very similar race condition, but a different approach. Rather than targetting the use-after-free(), this exploit targets a double free() in order to obtain heap corruption on a target object. Again, the writeup shows that this can be leveraged to obtain code execution in kernel mode, however it also contains details on bypassing an SMAP-like implementation developed by Sony.

WebKit

Breaking Down Qwerty's PS4 4.0x WebKit Exploit

This writeup contains a technical analysis on qwertyoruiopz's WebKit exploit targetting the PS4 on 4.0x firmwares. The writeup details how a stack uninitialized read can be leveraged to obtain arbitrary R/W, and eventually code execution.

setAttributeNodeNS Use-After-Free WebKit Exploit

A writeup detailing the setAttributeNodeNS() use-after-free (UAF) vulnerability discovered by lokihardt from Google's Project Zer0 (p0). It contains technical details about how an attacker can combine it with an information disclosure (infoleak) to misalign JSValues to establish an arbitrary R/W primitive, which again will eventually lead to code execution.