Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

PS5 4.xx Kernel Exploit - 965

Cryptogenic, posted 3 years ago
  • The PS5 has a version of WebKit that is vulnerable to a use-after-free (UAF) bug in the IPv6 stack. The GitHub repo is an implementation of the exploit that gains a read/write primitive.
  • The PS5 has an interesting binary protection called eXecute Only Memory (XOM). Kernel code is allowed to execute, but it can never be read out. This stifles ROP because we don't know which gadgets to execute; we simply don't know where we are jumping!
  • Besides XOM, the PS5 kernel has fine-grained CFI and SMAP/SMEP, and the hypervisor prevents patching the kernel as well. The PS5 is a masterpiece of defense-in-depth protections that make the life of exploit developers much harder.
  • The exploit details in the GitHub repo are not very thorough. At a high level, a UAF is triggered to overlap an ip6_rthdr object, which is then used to get an info leak. From there, a fake pktopts option is used to gain an arbitrary read/write primitive. Of course, some cleanup is required afterwards. Overall, it is interesting to read about the complexity of the PS5 kernel!