Introduction
The following multi-part blog series will cover how I (McCaulay Hudson) developed the mast1c0re exploit on both the PlayStation 4 and PlayStation 5. The initial research on the vulnerabilities used within this blog series was conducted by CTurtE with assistance from flatz, balika011, theflow0, and chicken(s). The blog post “mast1c0re: Hacking the PS4 / PS5 through the PS2 Emulator – Part 1 – Escape”, published by CTurtE on September 14th, 2022, covers the vulnerabilities needed to gain userland code execution on the PlayStation 4 and PlayStation 5 and contains the fundamental knowledge required for me to produce this blog series.
For this research, I used Windows 11 for running a PlayStation 2 emulator, a Debian Linux distribution for tooling development in Python, C and C++, a PlayStation 4 (firmware v5.05) for importing save files, testing and debugging purposes, and a PlayStation 5 for testing the vulnerability.
Part 1 – Modifying PS2 game save files
The initial step in developing the mast1c0re exploit is to create a PlayStation 2 game save file for the Okage: Shadow King game and extract the data file containing the profile name. This blog post covers creating the save file, extracting the .psu file from the .ps2 file, then developing a tool to extract files from the .psu file.
Jump directly to part 1 here.
Part 2 – Arbitrary PS2 code execution
The next step is to edit the game save name to exploit a traditional stack-based buffer overflow within the Okage: Shadow King game. This requires constructing two stager shellcode payloads to execute a memory card file that contains a compiled PlayStation 2 ELF executable file.
Jump directly to part 2 here.
Part 3 – Escaping the emulator
The final step in gaining userland code execution on the PlayStation 4 and PlayStation 5 involves exploiting an out-of-bounds write vulnerability within the emulator. This allows us to overwrite a read function pointer and leak .text and stack addresses. Next, we can overwrite a write function pointer to execute existing .text instructions with an argument passed in the RSI register.
Jump directly to part 3 here.
The Result
By executing PlayStation 4 and PlayStation 5 code we can download a PS2 .ISO file from the remote network, mount it in the filesystem using the existing eboot.bin functionality, then load the game using the PS2 function LoadExecPS2, as shown on Twitter:
We are not limited to loading PlayStation 2 games, however, as we can execute anything in userland.
Continue to mast1c0re: Part 1 – Modifying PS2 game save files…