Created
March 20, 2016 23:44
-
-
Save psxdev/5e912b25de6ee72d2456 to your computer and use it in GitHub Desktop.
ps4 poc with libps4/ps4link/ps4sh dlclose root Privilege escalation achieved
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| debug.sh | |
| [PS4][INFO]: ready to have a lot of fun... | |
| [PS4][DEBUG]: [PS4LINK] Server payload thread UID: 0x80659740 | |
| [PS4][DEBUG]: [PS4LINK] Server request thread UID: 0x80607500 | |
| [PS4][DEBUG]: [PS4LINK] Server command thread UID: 0x806549E0 | |
| [PS4][DEBUG]: executing kernel_exec | |
| [PS4][DEBUG]: [PS4LINK] Created ps4link_requests_sock: 160 | |
| [PS4][DEBUG]: [PS4LINK] bind to ps4link_requests_sock done | |
| [PS4][DEBUG]: [PS4LINK] Ready for connection 1 | |
| [PS4][DEBUG]: [PS4LINK] Waiting for connection | |
| [PS4][DEBUG]: [PS4LINK] Command Thread Started. | |
| [PS4][DEBUG]: [PS4LINK] Created ps4link_commands_sock: 205 | |
| [PS4][DEBUG]: [PS4LINK] Command listener waiting for commands... | |
| [PS4][DEBUG]: socket opened is now equeals fd 3840 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F01 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F02 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F03 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F04 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F05 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F06 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F07 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F08 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F09 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F0A | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F0B | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F0C | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F0D | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F0E | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F0F | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F10 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F11 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F12 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F13 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F14 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F15 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F16 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F17 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F18 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F19 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F1A | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F1B | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F1C | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F1D | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F1E | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F1F | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F20 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F21 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F22 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F23 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F24 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F25 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F26 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F27 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F28 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F29 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F2A | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F2B | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F2C | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F2D | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F2E | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F2F | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F30 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F31 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F32 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F33 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F34 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F35 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F36 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F37 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F38 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F39 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F3A | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F3B | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F3C | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F3D | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F3E | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F3F | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F40 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F41 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F42 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F43 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F44 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F45 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F46 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F47 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F48 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F49 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F4A | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F4B | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F4C | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F4D | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F4E | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F4F | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F50 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F51 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F52 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F53 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F54 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F55 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F56 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F57 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F58 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F59 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F5A | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F5B | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F5C | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F5D | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F5E | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F5F | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F60 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F61 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F62 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F63 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F64 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F65 | |
| [PS4][DEBUG]: m event queue created 0x00000F65 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F66 | |
| [PS4][DEBUG]: m2 event queue created 0x00000F66 | |
| [PS4][DEBUG]: sceKernelDeleteEqueue return: 0x00000000 | |
| [PS4][DEBUG]: mapping pointer 200a04000 | |
| [PS4][DEBUG]: [+] UID: 1, GID: 1 | |
| [PS4][DEBUG]: before SYS_dynlib_prepare_dlclose | |
| [PS4][DEBUG]: SYS_dynlib_prepare_dlclose: -1 | |
| [PS4][DEBUG]: before sceKernelDeleteEqueue | |
| [+] Entered critical payload | |
| [+] cred | |
| [+] cred->cr_uid cred->cr_ruid cred->cr_rgid set to 0 | |
| [+] set group0 to 0 | |
| [+] output critical payload | |
| now payload executed and ps4link running on ps4 | |
| ./ps4sh | |
| ps4sh version 1.0 | |
| /Users/bigboss/.ps4shrc: No such file or directory | |
| Connecting to fio ps4link ip 192.168.1.17 | |
| log: [HOST][INFO]: [PS4SH] Ready | |
| log: [PS4][DEBUG]: [PS4LINK] Client connected from 192.168.1.3 port: 7638 | |
| log: [PS4][DEBUG]: [PS4LINK] sock ps4link_fileio set 200 connected 1 | |
| log: [PS4][DEBUG]: [PS4LINK] Waiting for connection | |
| log: [PS4][DEBUG]: [PS4LINK] Initialized and connected from pc/mac ready to receive commands | |
| ps4sh> execsprx | |
| log: [HOST][DEBUG]: [PS4SH] [PS4SH] argc=0 argv=��������� | |
| log: [PS4][DEBUG]: [PS4LINK] commands listener received packet size (266) | |
| log: [PS4][DEBUG]: [PS4LINK] Received command whoami argc=0 argv= | |
| log: [PS4][DEBUG]: [+] UID: 0, GID: 0 | |
| log: [PS4][DEBUG]: [PS4LINK] commands listener waiting for next command | |
| ps4sh>ps4sh> status | |
| log: [HOST][INFO]: [PS4SH] TCP srv fd = 3 | |
| log: [HOST][INFO]: [PS4SH] UDP log fd = 5 | |
| log: [HOST][INFO]: [PS4SH] PS4SH cmd fd = 6 | |
| log: [HOST][INFO]: [PS4SH] Logging to stdout | |
| log: [HOST][INFO]: [PS4SH] Verbose mode is off | |
| log: [HOST][INFO]: [PS4SH] Debug is on | |
| ps4sh> exitps4 | |
| log: [HOST][DEBUG]: [PS4SH] argc=0 argv= | |
| ps4sh> | |
| Next will be Jailbreak and sandbox :) | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment