HENkaku: more steps of the exploit reverse engineered
Developers KoriTama and “H” have taken up Yifanlu’s challenge to reverse engineer the HENkaku exploit. After H’s explanation of the first stage of the exploit a few days ago, more has been pouring in today.
KoriTama first posted an explanation of the exploit’s second stage, followed quickly by H. If I’m following correctly, H refers to this step as “stage 3, ROP payload 2”, but both pastebins cover the same stage of the exploit. Both hackers explain that this step’s role is to leak kernel pointers and create a kernel thread, i.e. to perform privilege escalation. This seems to confirm, for those who still doubted it, that HENkaku indeed ships with a kernel exploit. The kernel vulnerability apparently lies in some APIs of the Vita’s network library (SceNet).
If you want to look into this and try to understand what’s going on, it’s recommended that you read these explanations while attempting the reverse engineering yourself (the files can be found on Yifanlu’s github here).
The second ROP payload prepares the stage for a kernel attack. After it’s done, another ROP chain should be starting on the kernel side. This chain relies on kernel pointers that were leaked during the second payload’s execution and is built beforehand. The data portion of the chain is additionally obfuscated/encrypted with kernel-only functions.
To further reverse the exploit, one must dump the target kernel modules, rebuild the kernel ROP and deobfuscate/decrypt the data region.
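To make the idea of a chain that is "built beforehand" yet "relies on kernel pointers that were leaked" concrete, here is an added illustration in C. It is not HENkaku code and not from either write-up: the chain template, the gadget offsets, the leaked base addresses and the XOR keystream used as a stand-in for the unspecified "kernel-only" data obfuscation are all made up for the example. What it shows is the general pattern: the pre-built chain stores gadgets as offsets from a module base and data references as offsets into a data region, and the final absolute addresses are only filled in once the earlier payload has leaked those bases.

```c
/* Hypothetical ROP-chain template relocated against leaked bases.
 * Not HENkaku code: offsets, keys and layout here are invented for
 * illustration. 32-bit words, since the target in the article is ARMv7. */
#include <assert.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    ENT_CONST,   /* literal value, copied as-is */
    ENT_GADGET,  /* offset from the leaked code base of the target module */
    ENT_DATA     /* offset into the chain's data region */
} entry_kind;

typedef struct {
    entry_kind kind;
    uint32_t   value;
} chain_entry;

/* Hypothetical template: gadget, pointer into data, gadget, constant. */
static const chain_entry k_template[] = {
    { ENT_GADGET, 0x1234 },  /* e.g. a "pop {r0, pc}" gadget (assumed) */
    { ENT_DATA,   0x0000 },  /* r0 = &data[0] */
    { ENT_GADGET, 0x5678 },  /* e.g. a function consuming r0 (assumed) */
    { ENT_CONST,  0x0001 },
};
#define TEMPLATE_LEN (sizeof k_template / sizeof k_template[0])

/* Fill `out` with absolute addresses given the leaked bases. Returns the
 * number of words written, or 0 if the buffer is too small or the template
 * holds an unknown entry kind. */
size_t build_chain(const chain_entry *tpl, size_t n,
                   uint32_t code_base, uint32_t data_base,
                   uint32_t *out, size_t out_len)
{
    if (n > out_len) return 0;
    for (size_t i = 0; i < n; i++) {
        switch (tpl[i].kind) {
        case ENT_CONST:  out[i] = tpl[i].value;             break;
        case ENT_GADGET: out[i] = code_base + tpl[i].value; break;
        case ENT_DATA:   out[i] = data_base + tpl[i].value; break;
        default:         return 0;
        }
    }
    return n;
}

/* Toy stand-in for the data-region obfuscation: a byte-wise XOR keystream
 * from a 32-bit seed. Symmetric, so the same call decodes. The real scheme
 * is only described as "kernel-only functions"; this is an assumption. */
void xor_region(uint8_t *buf, size_t len, uint32_t key)
{
    uint32_t state = key;
    for (size_t i = 0; i < len; i++) {
        state = state * 1103515245u + 12345u;  /* LCG keystream, toy only */
        buf[i] ^= (uint8_t)(state >> 24);
    }
}

/* Encode, confirm the bytes changed, decode, confirm they are restored. */
int roundtrip_ok(uint32_t key)
{
    uint8_t plain[8] = { 'k', 'e', 'r', 'n', 'e', 'l', 0, 1 };  /* constructed */
    uint8_t work[8];
    memcpy(work, plain, sizeof work);
    xor_region(work, sizeof work, key);
    int changed = memcmp(work, plain, sizeof work) != 0;
    xor_region(work, sizeof work, key);
    return changed && memcmp(work, plain, sizeof work) == 0;
}

int main(void)
{
    uint32_t chain[TEMPLATE_LEN];
    /* Hypothetical leaked values; in the article they come from the
     * second userland ROP payload. */
    uint32_t leaked_code = 0x81000000u, leaked_data = 0x82100000u;
    size_t n = build_chain(k_template, TEMPLATE_LEN, leaked_code, leaked_data,
                           chain, TEMPLATE_LEN);
    for (size_t i = 0; i < n; i++)
        printf("chain[%zu] = 0x%08x\n", i, chain[i]);
    printf("data obfuscation round-trip: %s\n",
           roundtrip_ok(0xdeadbeefu) ? "ok" : "FAIL");
    return 0;
}
```

Reversing a real chain of this shape follows the same split the article describes: recover the bases (by dumping the target kernel modules), resolve each relocated slot back to a gadget, and undo whatever transform protects the data region before the values in it make sense.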