PS4-3.55-Code-Execution-PoC

ReferenceError: Can't find variable: dcodeIO

Open mgoodings opened this issue 9 years ago • 0 comments

This issue may just be specific to my console; it's never been online and I'm currently running it through the User Guide using a DNS proxy.

I've never been able to get this PoC to run on my 3.55 PS4 up until now; no matter what, it always produced the following issue:

Modified arr length = 0x80000000
Found ArrayBufferView in memory!
Modified index is 50
Found modified ArrayBufferView!
!! ERROR: ReferenceError: Can't find variable: dcodeIO
stack: global code@http://manuals.playstation.net/document/gb/ps4/index.html:109:39

I've now found that, for whatever reason, any globals defined in the first <script> tag will not be available in the global context/window object until the following browser tick. If I move jQuery to the first <script> tag, it will say $ is undefined, etc.

If I simply create a scripts/dummy.js with an empty global define and include that as the first <script> tag, the example will run perfectly fine.

ps4sploit.html

+ <script src="/scripts/dummy.js"></script>
<script src="/scripts/long.js"></script>
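
Review bot: the added /scripts/dummy.js line in ps4sploit.html depends on staying ahead of /scripts/long.js, and nothing in the markup records that. Add an HTML comment above it saying that it must remain the first script tag and that it is a placeholder for the first script's globals not being visible yet, so a later reorder or cleanup does not drop it and bring back the ReferenceError.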

scripts/dummy.js

function dummy() {}

Result:

Modified arr length = 0x80000000
Found ArrayBufferView in memory!
Modified index is 50
Found modified ArrayBufferView!
Found modified ArrayBuffer!
vtable = 0x83a1c8d80
webkit_base_addr = 0x837bc8000
buffer addr = 0x201996000
Starting ROP...
Printing module information...
Module name: libkernel.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceLibcInternal.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceSysmodule.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceNet.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceNetCtl.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceIpmi.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceMbus.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceRegMgr.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceRtc.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libScePad.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceVideoOut.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceOrbisCompat.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceWebKit2.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceSysCore.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceSystemService.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceSsl.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceVideoCoreServerInterface.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceWebBrowserInjectedBundle.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============

mgoodings, Oct 09 '16 04:10