Welcome to my collection of exploit writeups. This repo is where my current and future writeups for public exploits, vulnerability research, and CTF challenge solves will go. Below is a directory of the current writeups that I've published.
An overview of the PS4 kernel exploit codenamed "namedobj", which targets a type confusion vulnerability in the
sys_namedobj_* Sony system calls. This overview covers the basic exploit strategy required to leverage the type confusion bug into a fully fledged exploit.
A full writeup on how the "namedobj" type confusion vulnerability can be leveraged to achieve arbitrary code execution in kernel mode, via a targetted use-after-free (UAF).
A writeup containing the technical details behind a kernel exploit targetting the Berkely Packet Filter (BPF) system shipped on standard FreeBSD systems, but specifically targetting the Playstation 4 on 4.55FW. The bug is a race condition leading to a stack out-of-bounds (OOB) write. The writeup shows how this can easily be leveraged to escalate privileges to execute arbitrary code in kernel mode.
A writeup targetting another BPF vulnerability - another, very similar race condition, but a different approach. Rather than targetting the use-after-free(), this exploit targets a double free() in order to obtain heap corruption on a target object. Again, the writeup shows that this can be leveraged to obtain code execution in kernel mode, however it also contains details on bypassing an SMAP-like implementation developed by Sony.
This writeup contains a technical analysis on qwertyoruiopz's WebKit exploit targetting the PS4 on 4.0x firmwares. The writeup details how a stack uninitialized read can be leveraged to obtain arbitrary R/W, and eventually code execution.
A writeup detailing the setAttributeNodeNS() use-after-free (UAF) vulnerability discovered by lokihardt from Google's Project Zer0 (p0). It contains technical details about how an attacker can combine it with an information disclosure (infoleak) to misalign JSValues to establish an arbitrary R/W primitive, which again will eventually lead to code execution.