PS4/PS5 Mast1c0re hack: McCaulay publishes Part 2 – Arbitrary PS2 code execution

by Ethan Marley

Following his first blog post two days ago, security researcher McCaulay Hudson has now shared the second article of an expected four, in which he describes how he achieves unsigned PS2 code execution, having demonstrated how to modify the PS2 save file in Part 1.

What is Mast1c0re for PS5 and PS4?

Mast1c0re is an unpatched exploit for PS4 and PS5 which leverages a vulnerability in the PS2 emulation layer of Sony's newer consoles. The vulnerability was disclosed, and described in great detail, by PlayStation hacker CTurt in September 2022, but no complete "user friendly" implementation has been released yet.

Back then, CTurt stated that Sony had no plan to fix the vulnerability, which seems to be confirmed by recent videos showing that it is still present in the latest PS5 firmware, 6.50 (and, it is safe to assume, in PS4 10.01 as well), as of January 2023.

The recently released beta firmwares PS5 7.00 and PS4 10.50 still need to be confirmed, but there is good reason to believe they are vulnerable as well.

Mast1c0re Exploit – what's new, and what's next

Hudson keeps digging into CTurt's exploit and guides us through all the steps required to eventually load PS2 ISOs from within the exploit, on a PS4 or a PS5.

In today's post we learn that the exploited game, Okage: Shadow King, performs an integrity check on the save data (a CRC), which means that if you modify e.g. the player's name to trigger a buffer overflow, the integrity check fails and the save won't be loaded. Hudson (and, presumably, CTurt before him) therefore had to reverse engineer the game's CRC routine to figure out how to modify the save data and still pass the integrity check. This is what he explains in the first third of today's post.

The rest of the article is strongly reminiscent of my personal experience with PSP buffer overflows: back in that era there was little to no protection of the execution pointer, and a simple buffer overflow typically meant usermode access granted. This is what the hacker demonstrates in the second part of his post. The shellcode to execute is also embedded in the save file, which has already been loaded into memory, so it is "fairly" easy to redirect the execution pointer to it. I appreciate that Hudson goes into great detail at every step, even for a "simple" buffer overflow, something most experienced hackers don't typically do because that kind of thing may appear trivial to them.
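
To make the two steps above concrete, here is a small Python model, written for this article and not taken from Hudson's or CTurt's posts: a save whose CRC covers the name field, a naive name patch that the integrity check rejects, the same patch with the CRC recomputed so it passes, and an over-long name whose tail is the address of shellcode already sitting in the loaded save. The save layout, the CRC variant (zlib CRC-32), every offset, the load address and the shellcode bytes are all constructed for illustration and are not Okage: Shadow King's real format.

```python
"""Constructed model of patching a CRC-protected save for a name-field overflow.

Nothing here is the game's real format: layout, CRC variant, offsets and
addresses are hypothetical, chosen only to show the technique end to end.
"""
import struct
import zlib

# Hypothetical save layout:
#   0x00  4 bytes   magic "SAVE"
#   0x04  4 bytes   little-endian CRC-32 over everything from 0x08 to the end
#   0x08  16 bytes  player name, NUL padded
#   0x18  rest      game state (our shellcode is parked at the end of it)
MAGIC = b"SAVE"
CRC_OFF = 0x04
NAME_OFF = 0x08
NAME_LEN = 0x10
STATE_OFF = NAME_OFF + NAME_LEN


def compute_crc(save: bytes) -> int:
    """CRC the game is modelled to compute over the protected region."""
    return zlib.crc32(save[NAME_OFF:]) & 0xFFFFFFFF


def stored_crc(save: bytes) -> int:
    return struct.unpack_from("<I", save, CRC_OFF)[0]


def verify(save: bytes) -> bool:
    """The load-time integrity check, as modelled here."""
    return save[:4] == MAGIC and stored_crc(save) == compute_crc(save)


def build_save(name: bytes, state: bytes) -> bytes:
    """Produce a legitimate save the way the game itself would."""
    if len(name) > NAME_LEN:
        raise ValueError("name does not fit the field")
    body = name.ljust(NAME_LEN, b"\0") + state
    return MAGIC + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF) + body


def locate_crc_range(save: bytes, target: int):
    """Black-box helper: find which byte range a stored CRC-32 covers.

    The post describes reversing the game's CRC routine; when only a
    known-good save is at hand, scanning candidate ranges (and, in a real
    case, several CRC variants) is a quick first check before opening a
    disassembler. Returns the first matching (start, end) pair, or None.
    """
    for start in range(len(save)):
        for end in range(start + 1, len(save) + 1):
            if zlib.crc32(save[start:end]) & 0xFFFFFFFF == target:
                return (start, end)
    return None


def build_overflow_name(pad_len: int, save_load_addr: int, shellcode_off: int) -> bytes:
    """Over-long name: filler up to the saved return address, then the address
    of the shellcode inside the save buffer that is already in memory.

    pad_len and save_load_addr are hypothetical; real values come from
    debugging the emulated game. Packed little-endian (PS2 is MIPS LE).
    Caveat: if the game copies the name with a NUL-terminated string routine,
    the NUL bytes in the address truncate the payload; this model assumes a
    fixed-length copy of the field.
    """
    return b"A" * pad_len + struct.pack("<I", save_load_addr + shellcode_off)


def patch_name_naive(save: bytes, new_name: bytes) -> bytes:
    """Overwrite the name field (past its end if needed), leaving the CRC alone.
    This is what fails: the save is rejected before the overflow ever runs."""
    if NAME_OFF + len(new_name) > len(save):
        raise ValueError("payload runs past the end of the save")
    return save[:NAME_OFF] + new_name + save[NAME_OFF + len(new_name):]


def patch_name_resealed(save: bytes, new_name: bytes) -> bytes:
    """Same overwrite, then recompute the CRC so the integrity check passes."""
    patched = bytearray(patch_name_naive(save, new_name))
    struct.pack_into("<I", patched, CRC_OFF, compute_crc(bytes(patched)))
    return bytes(patched)


def demo() -> dict:
    shellcode = b"\x00\x00\x00\x00" * 4          # placeholder, not real MIPS code
    state = b"\x11" * 16 + shellcode             # constructed game state
    shellcode_off = STATE_OFF + 16               # shellcode sits after the overflow
    good = build_save(b"Ari", state)
    payload = build_overflow_name(pad_len=20, save_load_addr=0x01000000,
                                  shellcode_off=shellcode_off)
    return {
        "original_ok": verify(good),
        "naive_ok": verify(patch_name_naive(good, payload)),
        "resealed_ok": verify(patch_name_resealed(good, payload)),
        "crc_range": locate_crc_range(good, stored_crc(good)),
        "save_len": len(good),
    }


if __name__ == "__main__":
    print(demo())
```

The order of operations is the point: the CRC is recomputed after the oversized name has been written, over exactly the region the game checks, so the overflow bytes themselves are what gets sealed. On a real target the covered range and algorithm come from the reversed routine, not from guessing.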

So far he has demonstrated how to run arbitrary PS2 code within the PS2 emulation layer on the PS4/PS5. The upcoming blog post promises to be more interesting, as it should give us a PS4/PS5 usermode exploit.

Source: McCaulay Hudson (thanks to @mikeyknight84 for the tip!)
