/output.txt
Created Mar 20, 2016
ps4 poc with libps4/ps4link/ps4sh dlclose root Privilege escalation achieved
| debug.sh | |
| [PS4][INFO]: ready to have a lot of fun... | |
| [PS4][DEBUG]: [PS4LINK] Server payload thread UID: 0x80659740 | |
| [PS4][DEBUG]: [PS4LINK] Server request thread UID: 0x80607500 | |
| [PS4][DEBUG]: [PS4LINK] Server command thread UID: 0x806549E0 | |
| [PS4][DEBUG]: executing kernel_exec | |
| [PS4][DEBUG]: [PS4LINK] Created ps4link_requests_sock: 160 | |
| [PS4][DEBUG]: [PS4LINK] bind to ps4link_requests_sock done | |
| [PS4][DEBUG]: [PS4LINK] Ready for connection 1 | |
| [PS4][DEBUG]: [PS4LINK] Waiting for connection | |
| [PS4][DEBUG]: [PS4LINK] Command Thread Started. | |
| [PS4][DEBUG]: [PS4LINK] Created ps4link_commands_sock: 205 | |
| [PS4][DEBUG]: [PS4LINK] Command listener waiting for commands... | |
| [PS4][DEBUG]: socket opened is now equeals fd 3840 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F01 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F02 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F03 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F04 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F05 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F06 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F07 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F08 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F09 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F0A | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F0B | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F0C | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F0D | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F0E | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F0F | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F10 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F11 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F12 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F13 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F14 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F15 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F16 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F17 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F18 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F19 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F1A | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F1B | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F1C | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F1D | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F1E | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F1F | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F20 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F21 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F22 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F23 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F24 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F25 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F26 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F27 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F28 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F29 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F2A | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F2B | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F2C | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F2D | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F2E | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F2F | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F30 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F31 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F32 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F33 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F34 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F35 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F36 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F37 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F38 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F39 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F3A | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F3B | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F3C | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F3D | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F3E | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F3F | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F40 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F41 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F42 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F43 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F44 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F45 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F46 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F47 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F48 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F49 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F4A | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F4B | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F4C | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F4D | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F4E | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F4F | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F50 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F51 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F52 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F53 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F54 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F55 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F56 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F57 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F58 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F59 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F5A | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F5B | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F5C | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F5D | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F5E | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F5F | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F60 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F61 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F62 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F63 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F64 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F65 | |
| [PS4][DEBUG]: m event queue created 0x00000F65 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F66 | |
| [PS4][DEBUG]: m2 event queue created 0x00000F66 | |
| [PS4][DEBUG]: sceKernelDeleteEqueue return: 0x00000000 | |
| [PS4][DEBUG]: mapping pointer 200a04000 | |
| [PS4][DEBUG]: [+] UID: 1, GID: 1 | |
| [PS4][DEBUG]: before SYS_dynlib_prepare_dlclose | |
| [PS4][DEBUG]: SYS_dynlib_prepare_dlclose: -1 | |
| [PS4][DEBUG]: before sceKernelDeleteEqueue | |
| [+] Entered critical payload | |
| [+] cred | |
| [+] cred->cr_uid cred->cr_ruid cred->cr_rgid set to 0 | |
| [+] set group0 to 0 | |
| [+] output critical payload | |
| now payload executed and ps4link running on ps4 | |
| ./ps4sh | |
| ps4sh version 1.0 | |
| /Users/bigboss/.ps4shrc: No such file or directory | |
| Connecting to fio ps4link ip 192.168.1.17 | |
| log: [HOST][INFO]: [PS4SH] Ready | |
| log: [PS4][DEBUG]: [PS4LINK] Client connected from 192.168.1.3 port: 7638 | |
| log: [PS4][DEBUG]: [PS4LINK] sock ps4link_fileio set 200 connected 1 | |
| log: [PS4][DEBUG]: [PS4LINK] Waiting for connection | |
| log: [PS4][DEBUG]: [PS4LINK] Initialized and connected from pc/mac ready to receive commands | |
| ps4sh> execsprx | |
| log: [HOST][DEBUG]: [PS4SH] [PS4SH] argc=0 argv=��������� | |
| log: [PS4][DEBUG]: [PS4LINK] commands listener received packet size (266) | |
| log: [PS4][DEBUG]: [PS4LINK] Received command whoami argc=0 argv= | |
| log: [PS4][DEBUG]: [+] UID: 0, GID: 0 | |
| log: [PS4][DEBUG]: [PS4LINK] commands listener waiting for next command | |
| ps4sh>ps4sh> status | |
| log: [HOST][INFO]: [PS4SH] TCP srv fd = 3 | |
| log: [HOST][INFO]: [PS4SH] UDP log fd = 5 | |
| log: [HOST][INFO]: [PS4SH] PS4SH cmd fd = 6 | |
| log: [HOST][INFO]: [PS4SH] Logging to stdout | |
| log: [HOST][INFO]: [PS4SH] Verbose mode is off | |
| log: [HOST][INFO]: [PS4SH] Debug is on | |
| ps4sh> exitps4 | |
| log: [HOST][DEBUG]: [PS4SH] argc=0 argv= | |
| ps4sh> | |
| Next will be Jailbreak and sandbox :) | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment