PS Vita kernel exploit: Xyz explains the Henkaku kernel exploit
Developer Xyz of team molecule posted a new article on his recently-created blog, to explain how the kernel exploit (used in HENkaku for the PS Vita hack) works.
This follows the release of more of the HENkaku source code by Yifanlu, after several hackers (in particular St4rk and hexkyz) proved they had been able to reverse engineer most of the exploit.
On a side note, hexkyz stated in one of his writeups that he was able to leak kernel memory, a.k.a. a new kernel exploit: “Luckily for me, I already found a way to leak kernel memory while playing with the SceNet syscalls, so, stage 3 is on its way.”
Back to the HENkaku kernel exploit: the vulnerability is in SceNetIoctl and is a “use after free”. For those of you not familiar with the term, it is a pointer that the code keeps using after the memory it points to has been freed. The general idea here is that two threads hold a pointer to the same data; one thread frees that data and then writes whatever it wants into the freed memory while the other thread is on hold. By the time the second thread comes back and dereferences its pointer, the pointer refers to completely attacker-chosen data (“malicious” code) instead of the original object.
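To make the mechanism above concrete, here is an added example in C that is not Xyz’s code and not part of HENkaku. It models the two-thread race sequentially on a tiny hand-rolled slab allocator, so the outcome is deterministic: the vulnerable path frees an object while a stale pointer is still held, the next allocation reuses the same slot, and the stale pointer now reads the replacement’s contents. The hardened path reference-counts the object so it cannot be freed while another user still holds it, which is the usual kernel-side fix. The `sock_ctx` layout, the slot size and the field names are hypothetical and bear no relation to the Vita’s real SceNet structures.

```c
#include <stdio.h>
#include <string.h>

/* A per-socket context object, standing in for whatever the kernel keeps
 * per descriptor. Hypothetical layout, not the Vita's real structure. */
struct sock_ctx {
    int  refs;        /* reference count, used only by the hardened path */
    int  privileged;  /* a field a later consumer will trust */
    char name[20];
};

/* Toy slab: a fixed pool of equal-sized slots with a LIFO free list.
 * Like a real kernel allocator, the slot freed most recently is the first
 * one handed out again, which is what turns a stale pointer into a window
 * onto somebody else's data. */
#define NSLOTS 4
union slot { struct sock_ctx obj; unsigned char raw[32]; };
static union slot pool[NSLOTS];
static int free_stack[NSLOTS];
static int free_top;

static void pool_init(void) {
    memset(pool, 0, sizeof pool);
    free_top = 0;
    for (int i = NSLOTS - 1; i >= 0; i--)   /* slot 0 is handed out first */
        free_stack[free_top++] = i;
}

static struct sock_ctx *pool_alloc(void) {
    if (free_top == 0) return NULL;
    return &pool[free_stack[--free_top]].obj;
}

static void pool_free(struct sock_ctx *p) {
    int idx = (int)((union slot *)(void *)p - pool);
    free_stack[free_top++] = idx;           /* slot goes straight back on top */
}

/* Vulnerable interleaving, run sequentially so the result is deterministic:
 * thread 1 holds ctx, thread 2 frees it and allocates a replacement,
 * thread 1 resumes and dereferences its dangling pointer. */
static int vulnerable_sequence(void) {
    pool_init();
    struct sock_ctx *ctx = pool_alloc();       /* thread 1 obtains the object */
    ctx->privileged = 0;
    strcpy(ctx->name, "guest");

    pool_free(ctx);                            /* thread 2 releases it; ctx still points at the slot */
    struct sock_ctx *other = pool_alloc();     /* thread 2's new object reuses that slot */
    other->privileged = 1;
    strcpy(other->name, "replacement");

    return ctx->privileged;                    /* thread 1 reads the replacement: 1, not 0 */
}

/* Hardened: the object is reference counted, so a release by one user
 * cannot free memory another user is still working with. */
static struct sock_ctx *ctx_get(struct sock_ctx *c) { c->refs++; return c; }
static void ctx_put(struct sock_ctx *c) { if (--c->refs == 0) pool_free(c); }

static int hardened_sequence(void) {
    pool_init();
    struct sock_ctx *ctx = pool_alloc();
    ctx->refs = 1;                             /* creator's reference */
    ctx->privileged = 0;
    strcpy(ctx->name, "guest");

    ctx_get(ctx);                              /* thread 1 pins the object before using it */
    ctx_put(ctx);                              /* thread 2 drops its reference: 2 -> 1, no free */
    struct sock_ctx *other = pool_alloc();     /* lands in a different slot */
    other->privileged = 1;
    if (other == ctx) return -1;               /* would mean the slot was reused under us */

    int seen = ctx->privileged;                /* still the original value: 0 */
    ctx_put(ctx);                              /* thread 1 done: 1 -> 0, only now is it freed */
    return seen;
}

int main(void) {
    printf("vulnerable: thread 1 sees privileged=%d\n", vulnerable_sequence());
    printf("hardened:   thread 1 sees privileged=%d\n", hardened_sequence());
    return 0;
}
```

The point of the contrast is that nulling a single copy of the pointer after free would not have helped here, because the other thread has its own copy; the object has to stay alive until every holder is done with it, which is exactly what the reference count enforces.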
Of course, I make it sound easier than it is. Team molecule had to make this happen under the constraints of the exploited functions, and had to defeat ASLR and NX as well. As always, I strongly recommend you read the whole thing while looking at the source code, at the source below.