This is for the Pwners: Exploiting a WebKit 0-day in PlayStation 4

Following their Initial Announcement and the recent PS4 WebKit 7.00-7.02 Exploit Talos WebSocket Vulnerability Probe, today abu_y0ussef and 0xdagger via Synacktiv shared at Black Hat Europe 2020 a Webkit exploit that gives arbitrary R/W (Read / Write) permission on 6.XX PS4 Firmware for PS4 Scene developers to further examine. :geek:

Download: / GIT

This comes proceeding the PS4 6.XX JSC_ConcatMemcpy WebKit Exploit PoC, PS4 6.20 WebKit Code Execution Exploit PoC, PS4 Webkit Bad_Hoist Exploit for PlayStation 4 Firmware 6.XX and PS4 Kernel Exploit (KEX) for 7.02 Firmware with developer sleirsgoevy sharing this This Link via Twitter that Jailbroken PS4 5.05 Console owners can visit to aid in collecting statistics for use in porting the BHEU exploit to 7.02 System Software. 🔥

Below is a concluding summary of the This is for the Pwners: Exploiting a WebKit 0-day in PlayStation 4 presentation from, to quote:

Code execution

PS4 browser doesn’t allow allocating RWX memory pages. But with an arbitrary R/W, we can control RIP register. For example, we can overwrite the vtable pointer of one of our previously sprayed HTMLTextAreaElement making it points to data that we control. Calling a JavaScript method on HTMLTextAreaElement will result in a call to an address under our control. From there, we can do code re-use (like ROP or JOP) to implement the next stage.

The exploit is available at Synacktiv’s Github repository.

Porting the exploit on 7.xx firmware

We managed to successfully exploit our bug on 6.xx firmware due to a weakness on ASLR implementation that allowed us to predict the address of HTML objects. The predictable address is hardcoded in the exploit and has been identified thanks to the bad-hoist exploit. However, without a prior knowledge on memory mapping, the only way to determine the address of our sprayed HTMLElement objects is to brute force this address.

Brute forcing on the PS4 is tedious as the browser requires a user interaction in order to restart. Our idea is to plug a Raspberry Pi that acts as a keyboard on the PS4. Its main goal is to hit enter at periodical time (5s) to restart the browser after the crash. The brute forced address is updated at each attempt and stored in a cookie.

Unfortunately, we didn’t get any result so far. We probably haven’t run the brute force for a long enough period of time to cover the entire address space.


// code from the black hat repository

function sprayHTMLTextArea() {
    textarea_div_elem = document.createElement("div");
    document.body.appendChild(textarea_div_elem); = "div1";
    var element = document.createElement("textarea");

    /* Add a style to avoid textarea display */ = 'display:block-inline;height:1px;width:1px;visibility:hidden;';

     * This spray is not perfect, "element.cloneNode" will trigger a fastMalloc
     * allocation of the node attributes and an IsoHeap allocation of the
     * Element. The virtual page layout will look something like that:
     * [IsoHeap] [fastMalloc] [IsoHeap] [fastMalloc] [IsoHeap] [...]
    for (let i = 0; i < 0x6000; i++)

// end copy-paste


var pr_buf = '';
function buf_print(s, last)
    pr_buf += s + '\n';

function dumpAddresses()
    for(var i = 0; i < textarea_div_elem.childNodes.length; i++)
        var addr1 = addrof(textarea_div_elem.childNodes[i]);
        var addr2 = read_ptr_at(addr1 + 0x18);
        buf_print(i+" 0x"+(new Number(addr1)).toString(16)+" 0x"+(new Number(addr2)).toString(16), i == textarea_div_elem.childNodes.length - 1);



This is for the Pwners Exploiting a WebKit 0-day in PlayStation 4.png