
PSVita Buffer Overflow...?

Re: PSVita Buffer Overflow...?

Postby thecobra » Fri Jun 29, 2012 12:54 am

n00neimp0rtant wrote:thecobra, why not try playing with format strings? Even though you can't actually see the vita's console/syslog, that doesn't mean you can't try tossing in some %n or %hhn format specifiers to potentially jenk around with the instructions. The past 2 iOS jailbreak untethers (sigcheck patches applied at boot time) use format string vulnerabilities =P


I tried that first, but it seems that the system doesn't patch/convert those special strings into anything; it just reads them like normal characters. But it does interpret the ASCII char for /n
Tools

PSP Hack Device
PSVita 1.80 eCFW <Thank to wololo Community>
PSVita 1.67 vHBL Dead :(
PSP FAT 6.60 - CFW pro
thecobra
HBL Collaborator
 
Posts: 167
Joined: Thu Feb 24, 2011 7:50 pm

Re: PSVita Buffer Overflow...?

Postby Davee » Fri Jun 29, 2012 1:18 am

thecobra wrote:
n00neimp0rtant wrote:thecobra, why not try playing with format strings? Even though you can't actually see the vita's console/syslog, that doesn't mean you can't try tossing in some %n or %hhn format specifiers to potentially jenk around with the instructions. The past 2 iOS jailbreak untethers (sigcheck patches applied at boot time) use format string vulnerabilities =P


I tried that first, but it seems that the system doesn't patch/convert those special strings into anything; it just reads them like normal characters. But it does interpret the ASCII char for /n


"/n", do you mean "\n" ?
Follow me on twitter: @DaveeFTW
Davee
Guru
 
Posts: 299
Joined: Mon Jan 10, 2011 1:24 am

Re: PSVita Buffer Overflow...?

Postby thecobra » Fri Jun 29, 2012 12:27 pm

Davee wrote:
thecobra wrote:
n00neimp0rtant wrote:thecobra, why not try playing with format strings? Even though you can't actually see the vita's console/syslog, that doesn't mean you can't try tossing in some %n or %hhn format specifiers to potentially jenk around with the instructions. The past 2 iOS jailbreak untethers (sigcheck patches applied at boot time) use format string vulnerabilities =P


I tried that first, but it seems that the system doesn't patch/convert those special strings into anything; it just reads them like normal characters. But it does interpret the ASCII char for /n


"/n", do you mean "\n" ?


Oops, yeah, I meant "\n". In ASCII, that is hex 0A. It reads this fine and makes a new line when printing it out.
Tools

PSP Hack Device
PSVita 1.80 eCFW <Thank to wololo Community>
PSVita 1.67 vHBL Dead :(
PSP FAT 6.60 - CFW pro
thecobra
HBL Collaborator
 
Posts: 167
Joined: Thu Feb 24, 2011 7:50 pm

Re: PSVita Buffer Overflow...?

Postby Lomy » Fri Jun 29, 2012 6:25 pm

try other format tokens, any you can think of. ;)
http://en.wikipedia.org/wiki/Format_string_attack

-psp3k, cfw:660PRO-C
-psv_wifi, ofw:1.61-VHBLed
Lomy
 
Posts: 5
Joined: Sun Mar 04, 2012 9:42 am

Re: PSVita Buffer Overflow...?

Postby thecobra » Mon Jul 02, 2012 10:10 pm

Lomy wrote:try other format tokens, any you can think of. ;)
http://en.wikipedia.org/wiki/Format_string_attack


OK, I can say that none of the printf special commands (e.g. "%s, %x, ...etc.") work with these strings.
Second, n00neimp0rtant brought to my attention that it may not be a char[] buffer but pointers to string buffers. This is only a possibility of what it may be instead of what I originally thought it to be. This is not saying I am wrong, but it is saying that I may not be right.

Third, I found out that the PSVita seems to treat hex "C2" as a special character that prints out a special symbol based on the next character on the line. I am searching to see if there is any documentation of this online or if this is just something special for the PSVita (which I doubt).

I noticed that if I put C2 in front of 00, the string is returned empty. I'm trying to see if there is any crash I can cause using this ;)

C1 seems to act the same way as 00 in the sense that the string is read to that point; C2-C7 seem to act about the same.
Tools

PSP Hack Device
PSVita 1.80 eCFW <Thank to wololo Community>
PSVita 1.67 vHBL Dead :(
PSP FAT 6.60 - CFW pro
thecobra
HBL Collaborator
 
Posts: 167
Joined: Thu Feb 24, 2011 7:50 pm
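The bytes thecobra is poking at are UTF-8 lead bytes: 0xC2-0xDF start a two-byte sequence, 0xC0/0xC1 are never valid, and a lead byte followed by 0x00 is a truncated sequence that a strict decoder rejects (a consumer that stops at the first rejection would show an empty string). The decoder below is an added illustration written for this thread, not Vita firmware code or anything posted by the thread's participants; the function names are my own.

```c
#include <stddef.h>
#include <stdint.h>

/* Strictly decode one UTF-8 sequence starting at s (NUL-terminated input).
 * Returns the number of bytes consumed (1..4) and stores the code point,
 * or returns 0 for an invalid lead byte, overlong form, surrogate, or a
 * sequence cut short by a NUL or non-continuation byte. */
size_t utf8_decode_one(const unsigned char *s, uint32_t *cp) {
    unsigned char b = s[0];
    size_t need;
    uint32_t min;
    if (b < 0x80) { *cp = b; return 1; }                     /* plain ASCII, e.g. 0x0A "\n" */
    else if (b >= 0xC2 && b <= 0xDF) { need = 1; *cp = b & 0x1F; min = 0x80; }
    else if (b >= 0xE0 && b <= 0xEF) { need = 2; *cp = b & 0x0F; min = 0x800; }
    else if (b >= 0xF0 && b <= 0xF4) { need = 3; *cp = b & 0x07; min = 0x10000; }
    else return 0;  /* 0x80-0xC1 and 0xF5-0xFF can never start a sequence (0xC1 is rejected here) */
    for (size_t i = 1; i <= need; i++) {
        unsigned char c = s[i];
        if ((c & 0xC0) != 0x80) return 0;  /* NUL or other non-continuation byte: truncated */
        *cp = (*cp << 6) | (c & 0x3F);
    }
    if (*cp < min || *cp > 0x10FFFF || (*cp >= 0xD800 && *cp <= 0xDFFF)) return 0;
    return need + 1;
}

/* Validate a whole string. Returns the number of code points, or -1 at the
 * first invalid sequence with *bad_off set to its byte offset. Input such as
 * "\xC2" followed by NUL fails at offset 0, matching the "C2 before 00 gives
 * an empty string" observation above. */
long utf8_count(const char *str, size_t *bad_off) {
    const unsigned char *s = (const unsigned char *)str;
    long n = 0;
    size_t i = 0;
    while (s[i] != 0) {
        uint32_t cp;
        size_t k = utf8_decode_one(s + i, &cp);
        if (k == 0) { if (bad_off) *bad_off = i; return -1; }
        i += k;
        n++;
    }
    return n;
}
```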

Re: PSVita Buffer Overflow...?

Postby Davee » Mon Jul 02, 2012 11:20 pm

see utf-8.
Follow me on twitter: @DaveeFTW
Davee
Guru
 
Posts: 299
Joined: Mon Jan 10, 2011 1:24 am

Re: PSVita Buffer Overflow...?

Postby Lomy » Tue Jul 03, 2012 5:43 pm

Maybe the string can contain some special markers. :roll:
e.g. {0}, {1}... can be replaced with additional params.
I don't think it only parses "\n".

-psp3k, cfw:660PRO-C
-psv_wifi, ofw:1.61-VHBLed
Lomy
 
Posts: 5
Joined: Sun Mar 04, 2012 9:42 am

Re: PSVita Buffer Overflow...?

Postby Suslik » Mon Oct 08, 2012 3:39 pm

Just a quick question. The Vita's earlier (<1.80) OFW versions were known to freeze a lot when communicating with poorly configured wifi access points. How about the idea of finding a vulnerability by connecting to a custom-configured wifi router? I am pretty sure that IEEE 802.11 protocols do have some security failsafes, but since earlier OFW versions did freeze, it seems like Sony has overlooked something on their side and it may be potentially exploitable. Any thoughts?
Suslik
 
Posts: 24
Joined: Mon Oct 08, 2012 2:12 am

Re: PSVita Buffer Overflow...?

Postby sonofskywalker3 » Mon Oct 08, 2012 4:16 pm

sonofskywalker3
 
Posts: 22
Joined: Wed Oct 03, 2012 2:02 pm

Re: PSVita Buffer Overflow...?

Postby joeyj34 » Mon Oct 08, 2012 6:10 pm

I have got corrupt saves to transfer to the Vita and freeze the CM but not crash it; I'm trying to find exploits too,
but when I tried to load the save it just says it was corrupt and won't let me load it to cause a crash.
I'm going to try something else with PSPLink; don't know if it's possible to use PSPLink with the Vita,
but it's worth a shot. I think seplugins work on TN, not sure, but I'm going to keep experimenting.
I'm good at finding stuff. I remember a long time ago I found out how to use Shang Tsung in Mortal Kombat on the SNES;
it was a glitch, but it worked, so I will keep looking.
joeyj34
 
Posts: 101
Joined: Thu Aug 30, 2012 8:39 am
