Last active
March 21, 2016 21:00
-
-
Save psxdev/bf86fe3555a3f4dbc498 to your computer and use it in GitHub Desktop.
ps4 poc with libps4/ps4link/ps4sh dlclose root Privilege escalation+ prison break+sandbox break
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| debug.sh | |
| [PS4][INFO]: debugnet initialized | |
| [PS4][INFO]: Copyright (C) 2010,2016 Antonio Jose Ramos Marquez aka bigboss @psxdev | |
| [PS4][INFO]: ready to have a lot of fun... | |
| [PS4][DEBUG]: executing kernel_exec | |
| [PS4][DEBUG]: [PS4LINK] Server payload thread UID: 0x802E5860 | |
| [PS4][DEBUG]: [PS4LINK] Server request thread UID: 0x802F83A0 | |
| [PS4][DEBUG]: [PS4LINK] Server command thread UID: 0x802ADF20 | |
| [PS4][DEBUG]: [PS4LINK] Created ps4link_requests_sock: 114 | |
| [PS4][DEBUG]: [PS4LINK] bind to ps4link_requests_sock done | |
| [PS4][DEBUG]: [PS4LINK] Ready for connection 1 | |
| [PS4][DEBUG]: [PS4LINK] Waiting for connection | |
| [PS4][DEBUG]: [PS4LINK] Command Thread Started. | |
| [PS4][DEBUG]: [PS4LINK] Created ps4link_commands_sock: 153 | |
| [PS4][DEBUG]: [PS4LINK] Command listener waiting for commands... | |
| [PS4][DEBUG]: socket opened is now equeals fd 3840 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F01 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F02 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F03 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F04 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F05 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F06 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F07 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F08 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F09 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F0A | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F0B | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F0C | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F0D | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F0E | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F0F | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F10 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F11 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F12 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F13 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F14 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F15 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F16 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F17 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F18 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F19 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F1A | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F1B | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F1C | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F1D | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F1E | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F1F | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F20 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F21 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F22 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F23 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F24 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F25 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F26 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F27 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F28 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F29 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F2A | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F2B | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F2C | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F2D | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F2E | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F2F | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F30 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F31 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F32 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F33 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F34 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F35 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F36 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F37 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F38 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F39 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F3A | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F3B | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F3C | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F3D | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F3E | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F3F | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F40 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F41 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F42 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F43 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F44 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F45 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F46 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F47 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F48 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F49 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F4A | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F4B | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F4C | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F4D | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F4E | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F4F | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F50 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F51 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F52 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F53 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F54 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F55 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F56 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F57 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F58 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F59 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F5A | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F5B | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F5C | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F5D | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F5E | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F5F | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F60 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F61 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F62 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F63 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F64 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F65 | |
| [PS4][DEBUG]: m event queue created 0x00000F65 | |
| [PS4][DEBUG]: Created event queue 0x0000000000000F66 | |
| [PS4][DEBUG]: m2 event queue created 0x00000F66 | |
| [PS4][DEBUG]: sceKernelDeleteEqueue return: 0x00000000 | |
| [PS4][DEBUG]: mapping pointer 20146c000 | |
| [PS4][DEBUG]: [+] UID: 1, GID: 1 | |
| [PS4][DEBUG]: before SYS_dynlib_prepare_dlclose | |
| [PS4][DEBUG]: SYS_dynlib_prepare_dlclose: -1 | |
| [PS4][DEBUG]: before sceKernelDeleteEqueue | |
| [+] Entered critical payload | |
| [+] cred | |
| [+] cred->cr_uid cred->cr_ruid cred->cr_rgid set to 0 | |
| [+] set group0 to 0 | |
| [+] get prison0 | |
| [+] set prison0 | |
| [+] get td_fdp_fd_rdir | |
| [+] get td_fdp_fd_jdir | |
| [+] get rootnode | |
| [+] set rootnode to td_fdp_fd_rdir | |
| [+] set rootnode to td_fdp_fd_jdir | |
| now we have uploaded our payload and ps4link loaded :) do you wanna ha fun? | |
| ./ps4sh | |
| ps4sh version 1.0 | |
| /Users/bigboss/.ps4shrc: No such file or directory | |
| Connecting to fio ps4link ip 192.168.1.17 | |
| log: [HOST][INFO]: [PS4SH] Ready | |
| log: [PS4][DEBUG]: [PS4LINK] Client connected from 192.168.1.3 port: 26817 | |
| log: [PS4][DEBUG]: [PS4LINK] sock ps4link_fileio set 148 connected 1 | |
| log: [PS4][DEBUG]: [PS4LINK] Waiting for connection | |
| log: [PS4][DEBUG]: [PS4LINK] Initialized and connected from pc/mac ready to receive commands | |
| ps4sh> execsprx | |
| log: [HOST][DEBUG]: [PS4SH] [PS4SH] argc=0 argv=��������� | |
| log: [PS4][DEBUG]: [PS4LINK] commands listener received packet size (266) | |
| log: [PS4][DEBUG]: [PS4LINK] Received command whoami argc=0 argv= | |
| log: [PS4][DEBUG]: [+] UID: 0, GID: 0 | |
| log: [PS4][DEBUG]: [DIR]: . | |
| log: [PS4][DEBUG]: [DIR]: .. | |
| log: [PS4][DEBUG]: [DIR]: adm | |
| log: [PS4][DEBUG]: [DIR]: app_tmp | |
| log: [PS4][DEBUG]: [DIR]: data | |
| log: [PS4][DEBUG]: [DIR]: dev | |
| log: [PS4][DEBUG]: [DIR]: eap_user | |
| log: [PS4][DEBUG]: [DIR]: eap_vsh | |
| log: [PS4][DEBUG]: [DIR]: hdd | |
| log: [PS4][DEBUG]: [DIR]: host | |
| log: [PS4][DEBUG]: [DIR]: hostapp | |
| log: [PS4][DEBUG]: [FILE]: mini-syscore.elf | |
| log: [PS4][DEBUG]: [DIR]: mnt | |
| log: [PS4][DEBUG]: [DIR]: preinst | |
| log: [PS4][DEBUG]: [DIR]: preinst2 | |
| log: [PS4][DEBUG]: [FILE]: safemode.elf | |
| log: [PS4][DEBUG]: [FILE]: SceBootSplash.elf | |
| log: [PS4][DEBUG]: [FILE]: SceSysAvControl.elf | |
| log: [PS4][DEBUG]: [DIR]: system | |
| log: [PS4][DEBUG]: [DIR]: system_data | |
| log: [PS4][DEBUG]: [DIR]: system_ex | |
| log: [PS4][DEBUG]: [DIR]: system_tmp | |
| log: [PS4][DEBUG]: [DIR]: update | |
| log: [PS4][DEBUG]: [DIR]: usb | |
| log: [PS4][DEBUG]: [DIR]: user | |
| ps4sh> | |
| :) achieved on March 21th a few months late but doesn't matter because i am going to have a lot of fun now |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment