
vitasploit - Exploitation Framework

Open discussions on programming specifically for the PS Vita.
Hykem
Guru
Posts: 75
Joined: Sat Jan 15, 2011 8:11 pm

Re: vitasploit - Exploitation Framework

Post by Hykem » Sun Dec 14, 2014 9:05 pm

Just pushed a couple more changes to vitasploit.

Thanks to Netrix, one critical issue was addressed this time: running out of memory using the standard JSoS modus operandi. Instead of defining all functions and variables immediately, additional scripts are now delayed from execution and run after the exploit has access to the full user memory space provided by the Vita.

A lot of new function wrappers were added and the batch test system was changed. In terms of design, it's now looking closer to a pseudo JavaScript-based SDK.

You can find the sceMotion functions and the motion test as well, which became popular due to Brian's video demonstrating the Vita's gyroscope. The test simply prints the xyz coordinates of the gyroscope, but using the sceNet functions it's possible to send them back to the computer and write a simple application to read them (like the one showcased in the referenced video).

The errors related to module loading should now be fixed as well.

addddd
Posts: 9
Joined: Fri Jun 28, 2013 4:14 am

Re: vitasploit - Exploitation Framework

Post by addddd » Mon Dec 15, 2014 11:30 pm

I don't have the ScePaf and SceCommonDialogMain modules on 3.01. Is it OK?

[spoiler]


Starting server on 192.168.58.131:8888
[+] DBG:  Initialization
[+] DBG:  Spraying ArrayBuffers...
[+] DBG:  Done spraying
[+] DBG:  Searching for ArrayBuffer signature...
[+] DBG:  ...
[+] DBG:  Found ArrayBuffer signature at u32[0xf24] -> 0x82d80008
[+] DBG:  Spraying Elements...
[+] DBG:  Done spraying
[+] DBG:  Searching for Element signature...
[+] DBG:  ...
[+] DBG:  Found Element signature at u32[0x7268]
[+] DBG:  Changing size of Element object: 0x66656463 -> 0x55555555
[+] DBG:  Looking for modified Element object...
[+] DBG:  Found modified Element object at esprays[0x81]
[+] DBG:  Changing size of object: 0xabc0 -> 0xdeadbabe
[+] DBG:  Looking for modified object...
[+] DBG:  Found modified object at sprays[0x5]
[+] DBG:  Address of u32: 0x82d0cd00
[+] DBG:  Base of u32: 0x82d0c8d0
[+] DBG:  Vtab of u32: 0x82234444
[+] DBG:  Leaked ptr: 0x81dd73a9
[+] DBG:  Element vtable pointer at: 0x82d29208
[+] DBG:  Element vtable at: 0x822b22f0
[+] DBG:  Fake vtable at: 0x8290c8d0
[+] DBG:  Copying vtable...

[+] DBG:  Module UIDs: 
0x829128D0: 6F010140 69010140 59010140 4D010140              o..@i..@Y..@M..@
0x829128E0: 47010140 31010140 2D010140 25010140              G..@1..@-..@%..@
0x829128F0: 23000140 21000140 1F000140 1D000140              #..@!..@...@...@
0x82912900: 1B000140 19000140 17000140 15000140              ...@...@...@...@
0x82912910: 13000140 11000140 0F000140 0D000140              ...@...@...@...@
0x82912920: 0B000140 01000140                                ...@...@

[+] DBG:  Found module: SceWebKit
[+] DBG:  Module segment info: #0
[+] DBG:  Module segment vaddr: 0x81a00000
[+] DBG:  Module segment memsz: 0x8ea860
[+] DBG:  Module segment info: #1
[+] DBG:  Module segment vaddr: 0x81188000
[+] DBG:  Module segment memsz: 0xc7cc
[+] DBG:  Found module: SceHafnium
[+] DBG:  Module segment info: #0
[+] DBG:  Module segment vaddr: 0x81880000
[+] DBG:  Module segment memsz: 0x56668
[+] DBG:  Module segment info: #1
[+] DBG:  Module segment vaddr: 0x8103e000
[+] DBG:  Module segment memsz: 0x54
[+] DBG:  Found module: ScePsp2Compat
[+] DBG:  Module segment info: #0
[+] DBG:  Module segment vaddr: 0x81200000
[+] DBG:  Module segment memsz: 0x3b0a70
[+] DBG:  Module segment info: #1
[+] DBG:  Module segment vaddr: 0x81168000
[+] DBG:  Module segment memsz: 0xb944
[+] DBG:  Found module: SceWebFiltering
[+] DBG:  Module segment info: #0
[+] DBG:  Module segment vaddr: 0x81158000
[+] DBG:  Module segment memsz: 0x5920
[+] DBG:  Module segment info: #1
[+] DBG:  Module segment vaddr: 0x81160000
[+] DBG:  Module segment memsz: 0x4d64
[+] DBG:  Found module: SceLibVitaJSExtObj
[+] DBG:  Module segment info: #0
[+] DBG:  Module segment vaddr: 0x810cc000
[+] DBG:  Module segment memsz: 0x4d3c
[+] DBG:  Module segment info: #1
[+] DBG:  Module segment vaddr: 0x8103d000
[+] DBG:  Module segment memsz: 0x78
[+] DBG:  Found module: SceLibHttp
[+] DBG:  Module segment info: #0
[+] DBG:  Module segment vaddr: 0xe05e4000
[+] DBG:  Module segment memsz: 0x1c440
[+] DBG:  Module segment info: #1
[+] DBG:  Module segment vaddr: 0xe0057000
[+] DBG:  Module segment memsz: 0x630
[+] DBG:  Found module: SceLibNetCtl
[+] DBG:  Module segment info: #0
[+] DBG:  Module segment vaddr: 0xe0189000
[+] DBG:  Module segment memsz: 0x7aae
[+] DBG:  Module segment info: #1
[+] DBG:  Module segment vaddr: 0xe0042000
[+] DBG:  Module segment memsz: 0x1400
[+] DBG:  Found module: SceNet
[+] DBG:  Module segment info: #0
[+] DBG:  Module segment vaddr: 0xe0511000
[+] DBG:  Module segment memsz: 0xbdf0
[+] DBG:  Module segment info: #1
[+] DBG:  Module segment vaddr: 0xe0039000
[+] DBG:  Module segment memsz: 0xc90
[+] DBG:  Found module: SceAppUtil
[+] DBG:  Module segment info: #0
[+] DBG:  Module segment vaddr: 0x81090000
[+] DBG:  Module segment memsz: 0x96a4
[+] DBG:  Module segment info: #1
[+] DBG:  Module segment vaddr: 0x81039000
[+] DBG:  Module segment memsz: 0x70
[+] DBG:  Found module: SceLibPvf
[+] DBG:  Module segment info: #0
[+] DBG:  Module segment vaddr: 0xe009c000
[+] DBG:  Module segment memsz: 0xcf24
[+] DBG:  Module segment info: #1
[+] DBG:  Module segment vaddr: 0xe0017000
[+] DBG:  Module segment memsz: 0x8
[+] DBG:  Found module: SceLibft2
[+] DBG:  Module segment info: #0
[+] DBG:  Module segment vaddr: 0xe00c4000
[+] DBG:  Module segment memsz: 0x4db54
[+] DBG:  Module segment info: #1
[+] DBG:  Module segment vaddr: 0xe0016000
[+] DBG:  Module segment memsz: 0x2f4
[+] DBG:  Found module: SceLibDbg
[+] DBG:  Module segment info: #0
[+] DBG:  Module segment vaddr: 0xe0044000
[+] DBG:  Module segment memsz: 0x5d4
[+] DBG:  Module segment info: #1
[+] DBG:  Module segment vaddr: 0xe0013000
[+] DBG:  Module segment memsz: 0x8c
[+] DBG:  Found module: SceCommonDialog
[+] DBG:  Module segment info: #0
[+] DBG:  Module segment vaddr: 0xe01a4000
[+] DBG:  Module segment memsz: 0x11108
[+] DBG:  Module segment info: #1
[+] DBG:  Module segment vaddr: 0xe0026000
[+] DBG:  Module segment memsz: 0x289
[+] DBG:  Found module: SceShellSvc
[+] DBG:  Module segment info: #0
[+] DBG:  Module segment vaddr: 0xe016c000
[+] DBG:  Module segment memsz: 0x12000
[+] DBG:  Module segment info: #1
[+] DBG:  Module segment vaddr: 0xe0025000
[+] DBG:  Module segment memsz: 0x8e9
[+] DBG:  Found module: SceLibc
[+] DBG:  Module segment info: #0
[+] DBG:  Module segment vaddr: 0x81100000
[+] DBG:  Module segment memsz: 0x4d3bc
[+] DBG:  Module segment info: #1
[+] DBG:  Module segment vaddr: 0x8103a000
[+] DBG:  Module segment memsz: 0x26f0
[+] DBG:  Found module: SceLibFios2
[+] DBG:  Module segment info: #0
[+] DBG:  Module segment vaddr: 0x810a0000
[+] DBG:  Module segment memsz: 0x2b12c
[+] DBG:  Module segment info: #1
[+] DBG:  Module segment vaddr: 0x81084000
[+] DBG:  Module segment memsz: 0x523d
[+] DBG:  Found module: SceGxm
[+] DBG:  Module segment info: #0
[+] DBG:  Module segment vaddr: 0xe006c000
[+] DBG:  Module segment memsz: 0x1fe44
[+] DBG:  Module segment info: #1
[+] DBG:  Module segment vaddr: 0xe0014000
[+] DBG:  Module segment memsz: 0x72c
[+] DBG:  Found module: SceGpuEs4User
[+] DBG:  Module segment info: #0
[+] DBG:  Module segment vaddr: 0xe003d000
[+] DBG:  Module segment memsz: 0x2844
[+] DBG:  Module segment info: #1
[+] DBG:  Module segment vaddr: 0xe0012000
[+] DBG:  Module segment memsz: 0x3c
[+] DBG:  Found module: SceAvcodecUser
[+] DBG:  Module segment info: #0
[+] DBG:  Module segment vaddr: 0xe0036000
[+] DBG:  Module segment memsz: 0x2340
[+] DBG:  Found module: SceDriverUser
[+] DBG:  Module segment info: #0
[+] DBG:  Module segment vaddr: 0xe0018000
[+] DBG:  Module segment memsz: 0xc334
[+] DBG:  Module segment info: #1
[+] DBG:  Module segment vaddr: 0xe0028000
[+] DBG:  Module segment memsz: 0x8f50
[+] DBG:  Found module: SceLibKernel
[+] DBG:  Module segment info: #0
[+] DBG:  Module segment vaddr: 0xe0002000
[+] DBG:  Module segment memsz: 0xdb58
[+] DBG:  Module segment info: #1
[+] DBG:  Module segment vaddr: 0xe0011000
[+] DBG:  Module segment memsz: 0x50
[+] DBG:  Found module: SceWebKitProcess
[+] DBG:  Module segment info: #0
[+] DBG:  Module segment vaddr: 0x81000000
[+] DBG:  Module segment memsz: 0x151c0
[+] DBG:  Module segment info: #1
[+] DBG:  Module segment vaddr: 0x81016000
[+] DBG:  Module segment memsz: 0x215cc
[+] DBG:  sceSysmoduleLoadModuleWithArgs(0x80000012): 0x80000012
[+] DBG:  sceSysmoduleLoadModuleWithArgs(0x8000000f): 0x8000000f
[+] DBG:  sceSysmoduleLoadModuleWithArgs(0x80000008): 0x80000008
[+] DBG:  Module UIDs: 
0x829134CC: 6F010140 69010140 59010140 4D010140              o..@i..@Y..@M..@
0x829134DC: 47010140 31010140 2D010140 25010140              G..@1..@-..@%..@
0x829134EC: 23000140 21000140 1F000140 1D000140              #..@!..@...@...@
0x829134FC: 1B000140 19000140 17000140 15000140              ...@...@...@...@
0x8291350C: 13000140 11000140 0F000140 0D000140              ...@...@...@...@
0x8291351C: 0B000140 01000140                                ...@...@

[+] DBG:  Found module: SceWebKit
[+] DBG:  Module segment info: #0
[+] DBG:  Module segment vaddr: 0x81a00000
[+] DBG:  Module segment memsz: 0x8ea860
[+] DBG:  Module segment info: #1
[+] DBG:  Module segment vaddr: 0x81188000
[+] DBG:  Module segment memsz: 0xc7cc
[+] DBG:  Found module: SceHafnium
[+] DBG:  Module segment info: #0
[+] DBG:  Module segment vaddr: 0x81880000
[+] DBG:  Module segment memsz: 0x56668
[+] DBG:  Module segment info: #1
[+] DBG:  Module segment vaddr: 0x8103e000
[+] DBG:  Module segment memsz: 0x54
[+] DBG:  Found module: ScePsp2Compat
[+] DBG:  Module segment info: #0
[+] DBG:  Module segment vaddr: 0x81200000
[+] DBG:  Module segment memsz: 0x3b0a70
[+] DBG:  Module segment info: #1
[+] DBG:  Module segment vaddr: 0x81168000
[+] DBG:  Module segment memsz: 0xb944
[+] DBG:  Found module: SceWebFiltering
[+] DBG:  Module segment info: #0
[+] DBG:  Module segment vaddr: 0x81158000
[+] DBG:  Module segment memsz: 0x5920
[+] DBG:  Module segment info: #1
[+] DBG:  Module segment vaddr: 0x81160000
[+] DBG:  Module segment memsz: 0x4d64
[+] DBG:  Found module: SceLibVitaJSExtObj
[+] DBG:  Module segment info: #0
[+] DBG:  Module segment vaddr: 0x810cc000
[+] DBG:  Module segment memsz: 0x4d3c
[+] DBG:  Module segment info: #1
[+] DBG:  Module segment vaddr: 0x8103d000
[+] DBG:  Module segment memsz: 0x78
[+] DBG:  Found module: SceLibHttp
[+] DBG:  Module segment info: #0
[+] DBG:  Module segment vaddr: 0xe05e4000
[+] DBG:  Module segment memsz: 0x1c440
[+] DBG:  Module segment info: #1
[+] DBG:  Module segment vaddr: 0xe0057000
[+] DBG:  Module segment memsz: 0x630
[+] DBG:  Found module: SceLibNetCtl
[+] DBG:  Module segment info: #0
[+] DBG:  Module segment vaddr: 0xe0189000
[+] DBG:  Module segment memsz: 0x7aae
[+] DBG:  Module segment info: #1
[+] DBG:  Module segment vaddr: 0xe0042000
[+] DBG:  Module segment memsz: 0x1400
[+] DBG:  Found module: SceNet
[+] DBG:  Module segment info: #0
[+] DBG:  Module segment vaddr: 0xe0511000
[+] DBG:  Module segment memsz: 0xbdf0
[+] DBG:  Module segment info: #1
[+] DBG:  Module segment vaddr: 0xe0039000
[+] DBG:  Module segment memsz: 0xc90
[+] DBG:  Found module: SceAppUtil
[+] DBG:  Module segment info: #0
[+] DBG:  Module segment vaddr: 0x81090000
[+] DBG:  Module segment memsz: 0x96a4
[+] DBG:  Module segment info: #1
[+] DBG:  Module segment vaddr: 0x81039000
[+] DBG:  Module segment memsz: 0x70
[+] DBG:  Found module: SceLibPvf
[+] DBG:  Module segment info: #0
[+] DBG:  Module segment vaddr: 0xe009c000
[+] DBG:  Module segment memsz: 0xcf24
[+] DBG:  Module segment info: #1
[+] DBG:  Module segment vaddr: 0xe0017000
[+] DBG:  Module segment memsz: 0x8
[+] DBG:  Found module: SceLibft2
[+] DBG:  Module segment info: #0
[+] DBG:  Module segment vaddr: 0xe00c4000
[+] DBG:  Module segment memsz: 0x4db54
[+] DBG:  Module segment info: #1
[+] DBG:  Module segment vaddr: 0xe0016000
[+] DBG:  Module segment memsz: 0x2f4
[+] DBG:  Found module: SceLibDbg
[+] DBG:  Module segment info: #0
[+] DBG:  Module segment vaddr: 0xe0044000
[+] DBG:  Module segment memsz: 0x5d4
[+] DBG:  Module segment info: #1
[+] DBG:  Module segment vaddr: 0xe0013000
[+] DBG:  Module segment memsz: 0x8c
[+] DBG:  Found module: SceCommonDialog
[+] DBG:  Module segment info: #0
[+] DBG:  Module segment vaddr: 0xe01a4000
[+] DBG:  Module segment memsz: 0x11108
[+] DBG:  Module segment info: #1
[+] DBG:  Module segment vaddr: 0xe0026000
[+] DBG:  Module segment memsz: 0x289
[+] DBG:  Found module: SceShellSvc
[+] DBG:  Module segment info: #0
[+] DBG:  Module segment vaddr: 0xe016c000
[+] DBG:  Module segment memsz: 0x12000
[+] DBG:  Module segment info: #1
[+] DBG:  Module segment vaddr: 0xe0025000
[+] DBG:  Module segment memsz: 0x8e9
[+] DBG:  Found module: SceLibc
[+] DBG:  Module segment info: #0
[+] DBG:  Module segment vaddr: 0x81100000
[+] DBG:  Module segment memsz: 0x4d3bc
[+] DBG:  Module segment info: #1
[+] DBG:  Module segment vaddr: 0x8103a000
[+] DBG:  Module segment memsz: 0x26f0
[+] DBG:  Found module: SceLibFios2
[+] DBG:  Module segment info: #0
[+] DBG:  Module segment vaddr: 0x810a0000
[+] DBG:  Module segment memsz: 0x2b12c
[+] DBG:  Module segment info: #1
[+] DBG:  Module segment vaddr: 0x81084000
[+] DBG:  Module segment memsz: 0x523d
[+] DBG:  Found module: SceGxm
[+] DBG:  Module segment info: #0
[+] DBG:  Module segment vaddr: 0xe006c000
[+] DBG:  Module segment memsz: 0x1fe44
[+] DBG:  Module segment info: #1
[+] DBG:  Module segment vaddr: 0xe0014000
[+] DBG:  Module segment memsz: 0x72c
[+] DBG:  Found module: SceGpuEs4User
[+] DBG:  Module segment info: #0
[+] DBG:  Module segment vaddr: 0xe003d000
[+] DBG:  Module segment memsz: 0x2844
[+] DBG:  Module segment info: #1
[+] DBG:  Module segment vaddr: 0xe0012000
[+] DBG:  Module segment memsz: 0x3c
[+] DBG:  Found module: SceAvcodecUser
[+] DBG:  Module segment info: #0
[+] DBG:  Module segment vaddr: 0xe0036000
[+] DBG:  Module segment memsz: 0x2340
[+] DBG:  Found module: SceDriverUser
[+] DBG:  Module segment info: #0
[+] DBG:  Module segment vaddr: 0xe0018000
[+] DBG:  Module segment memsz: 0xc334
[+] DBG:  Module segment info: #1
[+] DBG:  Module segment vaddr: 0xe0028000
[+] DBG:  Module segment memsz: 0x8f50
[+] DBG:  Found module: SceLibKernel
[+] DBG:  Module segment info: #0
[+] DBG:  Module segment vaddr: 0xe0002000
[+] DBG:  Module segment memsz: 0xdb58
[+] DBG:  Module segment info: #1
[+] DBG:  Module segment vaddr: 0xe0011000
[+] DBG:  Module segment memsz: 0x50
[+] DBG:  Found module: SceWebKitProcess
[+] DBG:  Module segment info: #0
[+] DBG:  Module segment vaddr: 0x81000000
[+] DBG:  Module segment memsz: 0x151c0
[+] DBG:  Module segment info: #1
[+] DBG:  Module segment vaddr: 0x81016000
[+] DBG:  Module segment memsz: 0x215cc
[+] DBG:  -------------------------------------------------
[+] DBG:  SceWebKit base: 0x81a00000
[+] DBG:  SceLibc base: 0x81100000
[+] DBG:  SceNet base: 0xe0511000
[+] DBG:  SceLibKernel base: 0xe0002000
[+] DBG:  SceWebKitProcess base: 0x81000000
[+] DBG:  SceCommonDialog base: 0xe01a4000
[+] DBG:  SceAppUtil base: 0x81090000
[+] DBG:  SceDriverUser base: 0xe0018000
[+] DBG:  SceGxm base: 0xe006c000
[+] DBG:  Error: 6 TypeError: 'undefined' is not an object
[/spoiler]
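An added example (the editor's, not vitasploit's own code) that works over a constructed excerpt of the log posted above. It turns the "Found module" / "Module segment" lines into a module map, resolves the leaked pointers to module+offset (the leaked pointer and the Element vtable both land inside SceWebKit's first segment, while the fake vtable sits outside every listed module, as a heap object should), decodes the "Module UIDs" hexdump as little-endian 32-bit words, and reports which expected module names are absent from the run. In the full log above the UID dump holds 22 words and the module walk prints 22 modules; ScePaf and SceCommonDialogMain, the two the post asks about, are not among them. Names such as SAMPLE_LOG, parseLog, resolve and missingModules are my own.

```javascript
// Added example (editor's illustration, not vitasploit code): parse vitasploit
// debug output, map addresses to module segments, decode the UID hexdump and
// list missing modules. SAMPLE_LOG is a constructed excerpt of the posted log.

const SAMPLE_LOG = `
[+] DBG:  Leaked ptr: 0x81dd73a9
[+] DBG:  Element vtable at: 0x822b22f0
[+] DBG:  Fake vtable at: 0x8290c8d0
[+] DBG:  Module UIDs: 
0x829128D0: 6F010140 69010140 59010140 4D010140              o..@i..@Y..@M..@
0x82912920: 0B000140 01000140                                ...@...@
[+] DBG:  Found module: SceWebKit
[+] DBG:  Module segment info: #0
[+] DBG:  Module segment vaddr: 0x81a00000
[+] DBG:  Module segment memsz: 0x8ea860
[+] DBG:  Module segment info: #1
[+] DBG:  Module segment vaddr: 0x81188000
[+] DBG:  Module segment memsz: 0xc7cc
[+] DBG:  Found module: SceLibc
[+] DBG:  Module segment info: #0
[+] DBG:  Module segment vaddr: 0x81100000
[+] DBG:  Module segment memsz: 0x4d3bc
[+] DBG:  Found module: SceLibKernel
[+] DBG:  Module segment info: #0
[+] DBG:  Module segment vaddr: 0xe0002000
[+] DBG:  Module segment memsz: 0xdb58
`;

function parseLog(log) {
  const modules = {};   // name -> { name, segments: [{ index, vaddr, memsz }] }
  const uids = [];      // SceUIDs decoded from the "Module UIDs" hexdump
  const ptrs = {};      // label -> address for "<label>: 0x..." lines
  let cur = null, seg = null;
  for (const raw of log.split('\n')) {
    const line = raw.replace(/^\[\+\] DBG:\s*/, '').trim();
    let m;
    if ((m = /^Found module: (\S+)$/.exec(line))) {
      cur = { name: m[1], segments: [] };
      seg = null;
      modules[cur.name] = cur;
    } else if ((m = /^Module segment info: #(\d+)$/.exec(line)) && cur) {
      seg = { index: Number(m[1]), vaddr: 0, memsz: 0 };
      cur.segments.push(seg);
    } else if ((m = /^Module segment vaddr: (0x[0-9a-f]+)$/i.exec(line)) && seg) {
      seg.vaddr = parseInt(m[1], 16);
    } else if ((m = /^Module segment memsz: (0x[0-9a-f]+)$/i.exec(line)) && seg) {
      seg.memsz = parseInt(m[1], 16);
    } else if ((m = /^0x[0-9a-f]+:\s+(.*)$/i.exec(line))) {
      // Hexdump row "<addr>: <word> <word> ...   <ascii>". Each printed word is
      // 4 bytes in memory order; the Vita's ARM core is little-endian, so the
      // value is the byte-reversed word (6F010140 -> 0x4001016f).
      for (const tok of m[1].split(/\s+/)) {
        if (!/^[0-9a-f]{8}$/i.test(tok)) break;   // reached the ASCII column
        uids.push(parseInt(tok.match(/../g).reverse().join(''), 16));
      }
    } else if ((m = /^([A-Za-z][\w ]*?): (0x[0-9a-f]+)$/i.exec(line))) {
      ptrs[m[1]] = parseInt(m[2], 16);
    }
  }
  return { modules, uids, ptrs };
}

// Which listed segment contains addr? Returns null for heap/stack/unlisted code.
function resolve(modules, addr) {
  for (const mod of Object.values(modules)) {
    for (const seg of mod.segments) {
      if (addr >= seg.vaddr && addr < seg.vaddr + seg.memsz) {
        return { module: mod.name, segment: seg.index, offset: addr - seg.vaddr };
      }
    }
  }
  return null;
}

function describe(modules, addr) {
  const hit = resolve(modules, addr);
  const hex = '0x' + addr.toString(16);
  if (!hit) return hex + ' (not inside any listed module segment)';
  return hex + ' = ' + hit.module + ' seg' + hit.segment + ' + 0x' + hit.offset.toString(16);
}

// Names the caller expects (e.g. ScePaf) that the module walk never printed.
function missingModules(modules, required) {
  return required.filter(name => !Object.prototype.hasOwnProperty.call(modules, name));
}

const parsed = parseLog(SAMPLE_LOG);
for (const label of ['Leaked ptr', 'Element vtable at', 'Fake vtable at']) {
  console.log(label + ': ' + describe(parsed.modules, parsed.ptrs[label]));
}
console.log('UIDs: ' + parsed.uids.map(u => '0x' + u.toString(16)).join(' '));
console.log('missing: ' + missingModules(parsed.modules, ['ScePaf', 'SceCommonDialogMain', 'SceLibc']).join(', '));
```

Run it with Node after pasting a full log into SAMPLE_LOG; the module+offset form is what you want when comparing runs across firmwares, since the segment bases move but offsets within a module do not.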

mr.gas
Guru
Posts: 163
Joined: Sat Apr 05, 2014 6:35 pm
Location: YEMEN

Re: vitasploit - Exploitation Framework

Post by mr.gas » Tue Dec 16, 2014 8:47 am

I get the same error... FW 3.01.

Hykem
Guru
Posts: 75
Joined: Sat Jan 15, 2011 8:11 pm

Re: vitasploit - Exploitation Framework

Post by Hykem » Sun Dec 21, 2014 9:14 pm

I've just pushed a ton of changes to vitasploit. The 3.01 bug should now be fixed and ScePaf and the other modules should now load.
With the precious help of blue78, Sparky and heleius I've ported vitasploit to firmwares 2.02 and 2.12. Both firmwares use an entirely different ROP chain.
I've also added a new test that allows dumping full directories from the Vita, instead of doing it file by file.
The delayed script loading mechanism has also been improved thanks to Netrix.

Only the ScePaf functions are missing from firmware 2.02, since I'm still investigating them further.

Enjoy! :)

barnabe42
Posts: 4
Joined: Sun Feb 02, 2014 5:30 pm

Re: vitasploit - Exploitation Framework

Post by barnabe42 » Mon Feb 09, 2015 7:55 pm

Hello,

I have played a bit with the framework and was able to create a minimal Pong version using the Test_Motion example.
[Image: Pong.jpg]
If you feel that it could be useful for others, I could upload the code to the source control.
This just uses already existing features, so nothing fancy...

I will try to explore the framework more; it is really interesting.
Last edited by barnabe42 on Tue Feb 17, 2015 11:42 am, edited 2 times in total.

yifanlu
Guru
Posts: 760
Joined: Sun Mar 11, 2012 6:42 am
Contact:

Re: vitasploit - Exploitation Framework

Post by yifanlu » Mon Feb 09, 2015 11:55 pm

You should ask wololo for your $20 http://wololo.net/2014/12/18/vita-nativ ... itasploit/

barnabe42
Posts: 4
Joined: Sun Feb 02, 2014 5:30 pm

Re: vitasploit - Exploitation Framework

Post by barnabe42 » Tue Feb 10, 2015 5:47 am

yifanlu wrote:You should ask wololo for your $20 http://wololo.net/2014/12/18/vita-nativ ... itasploit/
OK, thanks. I am surprised nobody claimed that beforehand.
I will send him a PM.

n00b81
HBL Collaborator
Posts: 31
Joined: Sat Oct 09, 2010 6:39 pm

Re: vitasploit - Exploitation Framework

Post by n00b81 » Fri Feb 13, 2015 12:58 pm

Not sure if it works, since I don't have the right Vita version, but I threw the Pong files up on my web space for people who aren't interested in muckin' round with Python. Lemme know if it works - http://vitapong.gq

EDIT: Just realized that this won't let you grab the gyro feedback data, of course. But whatever... still good for playing Pong lol.

Gezine
Posts: 51
Joined: Fri Dec 13, 2013 4:32 pm

Re: vitasploit - Exploitation Framework

Post by Gezine » Fri Feb 13, 2015 1:22 pm

n00b81 wrote:Not sure if it works, since I don't have the right Vita version, but I threw the Pong files up on my web space for people who aren't interested in muckin' round with Python. Lemme know if it works - http://vitapong.gq

EDIT: Just realized that this won't let you grab the gyro feedback data, of course. But whatever... still good for playing Pong lol.
PCH-2005 3.18 Worked :D

n00b81
HBL Collaborator
Posts: 31
Joined: Sat Oct 09, 2010 6:39 pm

Re: vitasploit - Exploitation Framework

Post by n00b81 » Fri Feb 13, 2015 1:41 pm

Gezine wrote:
n00b81 wrote: [...]
PCH-2005 3.18 Worked :D
Awesome - thanks for the feedback.
