vitasploit - Exploitation Framework

Hykem
Guru
Posts: 75
Joined: Sat Jan 15, 2011 8:11 pm

Re: vitasploit - Exploitation Framework

Post by Hykem » Sat Jun 13, 2015 11:10 am

Sethpaien wrote:Hi, thank you all for your work and for sharing it.

I'm trying to find offsets for 3.35. (I should update to 3.36, but it will be less... interesting :D )
I have found the SceWebKit module and got the module import info from it.
So I get two offsets: scewkbase_off and scelibcentry_off,
but no success finding the SceLibc module with scanm, so the scelibcbase_off offset is missing.
Is there any way to get an address closer to the SceLibc module (and others)? In which range of addresses should I find it?
The exploit often crashes and I'm not sure I'm following the right way ;) .
Hi Sethpaien!
I'm very interested in porting the exploit to the missing 3.30 and 3.35 firmware versions (for the sake of completeness).
You can get a close address for SceLibc by looking at its first import used in SceWebKit. Just send me a PM and I'll be happy to help you port the exploit. :)

InnocentSam
Posts: 124
Joined: Mon Apr 30, 2012 3:16 pm

Re: vitasploit - Exploitation Framework

Post by InnocentSam » Tue Jun 16, 2015 6:04 pm

Hey guys, my PSTV gets caught in a loop; I force exploit.js to think 3.20 is 3.18, and it gets to:

libraries = init_ggts(bases, caller, version);
logdbg("Loaded libraries...\n");

// List all modules visible by the WebKit process
ex_mod_list = list_modules("All", false);

"Loaded libraries" is the last thing printed into the console before the PSTV reloads the web page, forcing it to restart. I'm using the latest version from GitHub; any ideas?
“You never understood games. Maybe that's why the world was such a mystery to you.”
Daniel Suarez, Daemon

Hykem
Guru
Posts: 75
Joined: Sat Jan 15, 2011 8:11 pm

Re: vitasploit - Exploitation Framework

Post by Hykem » Fri Jun 19, 2015 2:09 pm

Thanks to Sethpaien the offsets for firmware 3.35 have been added to vitasploit. Just need to push some minor changes to lib.js and rop.js and it's fully supported.

Only firmware 3.30 support is missing for which HarmfulMushroom is already giving a hand, but 3.30 is significantly different from 3.35 and 3.36, so that may take a while.
InnocentSam wrote:Hey guys, my PSTV gets caught in a loop; I force exploit.js to think 3.20 is 3.18, and it gets to:

libraries = init_ggts(bases, caller, version);
logdbg("Loaded libraries...\n");

// List all modules visible by the WebKit process
ex_mod_list = list_modules("All", false);

"Loaded libraries" is the last thing printed into the console before the PSTV reloads the web page, forcing it to restart. I'm using the latest version from GitHub; any ideas?
Hmm... Up until now I've been guessing that 3.20 would be nearly identical to 3.18, but I never found anyone who could test this.
Forcing 3.20 to be recognized as 3.18 would use its ROP chain and libraries' offsets, but if that's not working then the 3.20 binaries are different enough to break this.
Could you please contact me via PM so we can sort out the implementation for 3.20? Thanks! :)

Sethpaien
Posts: 10
Joined: Fri Jun 12, 2015 10:52 am

Re: vitasploit - Exploitation Framework

Post by Sethpaien » Fri Jul 17, 2015 5:57 am

Hi,

I'm trying to get MichelMichel's syscall fuzzer working on 3.35,
but it always crashes at the very first try; at the beginning I just thought I was out of luck.
But I noticed a weird thing: Math.random() always gives the same sequence of random numbers at each web browser restart!?
I have taken a look at whether JavaScript's random is seedable, but without luck.

Is it me, or is Sony on bad terms with random numbers? (cf. PS3 hacking :lol: )

I should add another random number generator, but does anyone else get the same result?
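The repeating Math.random() sequence Sethpaien describes is the symptom of a generator that is reseeded with a constant at every start, which is a cryptographic weakness quite apart from making a fuzzer run the same path every time. Below is an added example, not code from this thread or from vitasploit, showing how to detect such behaviour and what to use instead: a fingerprint of the first draws is compared against the one saved by the previous start, and a CSPRNG-backed generator built on crypto.getRandomValues replaces Math.random() where the platform offers it. The seeded LCG and the in-memory storage object are constructed stand-ins for illustration; the console's real WebKit generator is not known from the post.

```javascript
// Added example, not from the thread or from vitasploit: detecting a PRNG that
// replays the same sequence on every start, and a CSPRNG-backed alternative.

// Constructed stand-in for a generator reseeded with a constant at every
// start (a small LCG). The console's real WebKit generator is not known here.
function makeSeededRng(seed) {
  let state = seed >>> 0;
  return function () {
    // LCG step with the Numerical Recipes constants, kept in 32 bits
    state = (Math.imul(state, 1664525) + 1013904223) >>> 0;
    return state / 4294967296; // scale to [0, 1) like Math.random()
  };
}

// Draw n values; the array identifies where the generator is in its sequence.
function fingerprint(rng, n) {
  const out = [];
  for (let i = 0; i < n; i++) out.push(rng());
  return out;
}

// Two fingerprints taken at two different starts should never match for a
// properly seeded generator; identical arrays mean the sequence is replayed.
function replaysSequence(fpPrev, fpNow) {
  return fpPrev.length === fpNow.length && fpPrev.every((v, i) => v === fpNow[i]);
}

// Compare this start's fingerprint with the one saved by the previous start.
// `storage` is anything with getItem/setItem, e.g. window.localStorage in a
// browser so the check survives a page reload. Returns 'first-run' (nothing
// saved yet), 'replayed' or 'fresh'.
function checkAcrossRestarts(storage, key, rng, n) {
  const now = fingerprint(rng, n);
  const saved = storage.getItem(key);
  storage.setItem(key, JSON.stringify(now)); // JSON round-trips doubles exactly
  if (saved === null) return 'first-run';
  return replaysSequence(JSON.parse(saved), now) ? 'replayed' : 'fresh';
}

// Minimal in-memory storage with the localStorage getItem/setItem shape,
// constructed so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}

// Uniform value in [0, 1) from the platform CSPRNG instead of Math.random().
function secureRandom() {
  const buf = new Uint32Array(1);
  if (globalThis.crypto && typeof globalThis.crypto.getRandomValues === 'function') {
    globalThis.crypto.getRandomValues(buf); // browsers and recent Node.js
  } else if (typeof require === 'function') {
    require('crypto').randomFillSync(buf); // older Node.js without the global
  } else {
    throw new Error('no CSPRNG available on this platform');
  }
  return buf[0] / 4294967296;
}

// Stand-alone demonstration
const demoStore = memoryStorage();
console.log(checkAcrossRestarts(demoStore, 'rng-fp', makeSeededRng(1234), 8)); // first-run
console.log(checkAcrossRestarts(demoStore, 'rng-fp', makeSeededRng(1234), 8)); // replayed
console.log(checkAcrossRestarts(demoStore, 'rng-fp', Math.random, 8));         // fresh
try { console.log(secureRandom()); } catch (e) { console.log(e.message); }
```

In a browser the same check works across real restarts by passing window.localStorage as the storage object; a 'replayed' result on the second load is the condition described in the post, and any code that needs unpredictable values (nonces, keys, session tokens) should then be taking them from secureRandom() rather than Math.random().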

Zecoxao
Posts: 281
Joined: Mon Sep 27, 2010 7:27 pm

Re: vitasploit - Exploitation Framework

Post by Zecoxao » Sat Aug 15, 2015 6:30 pm

Hi, I get this:

[+] DBG:  Initialization
[+] DBG:  Spraying Elements...
[+] DBG:  Done spraying
[+] DBG:  Searching for Element signature...
[+] DBG:  Changing textarea.rows at addr 0x8530e080
[+] DBG:  Searching for corrupted Element...
[+] DBG:  Found corrupted textarea at index #0
[+] DBG:  Textarea vptr: 0x824abafc
[+] DBG:  WebCore::HTMLBodyElement::setScrollLeft is at 0x81e06e19
[+] DBG:  Fake vtable at: 0x839e01b0
[+] DBG:  Copying vtable...
[+] DBG:  Error: 22 TypeError: 'undefined' is not an object (evaluating 'aspace[addr + i].toString')
[+] DBG:  Initialization failed!
Can you help me out? Thanks.
My sig is original :D

Sethpaien
Posts: 10
Joined: Fri Jun 12, 2015 10:52 am

Re: vitasploit - Exploitation Framework

Post by Sethpaien » Thu Aug 20, 2015 6:09 pm

Hi, what's your FW version?
If I remember well, that was what I got when calling libraries.SceLibc.functions.time(0) when the offsets weren't defined
(I have added it for 3.35, and the time function was already there for 3.36; thanks again to Xyzz for the exploit for 3.3x).
Try to comment out:

var t = libraries.SceLibc.functions.time(0);
logdbg("Time: " + t);

at lines 130 & 131 of exploit.js and you should reach the shell.
If your FW isn't supported yet you won't be able to do many things, but I may help you if you want to port it.

And maybe you should answer my previous post ;)

Hykem
Guru
Posts: 75
Joined: Sat Jan 15, 2011 8:11 pm

Re: vitasploit - Exploitation Framework

Post by Hykem » Tue Sep 29, 2015 3:28 pm

Thanks to Proxima, vitasploit has finally been ported to firmware version 3.20.
The syscall fuzzer now also supports firmwares 2.05 and 3.20.

Enjoy! :)

TheFloW
Guru
Posts: 57
Joined: Sun Jun 28, 2015 11:13 am

Re: vitasploit - Exploitation Framework

Post by TheFloW » Sat Nov 28, 2015 8:35 pm

I just want to share with you something I've found with your Vitasploit.

ScePsp2Compat_v336 =
{
sceKernelSyncVMDomain : 0x002becdc,
sceKernelOpenVMDomain : 0x002becfc,
sceKernelGetMemBlockBase : 0x002bed3c,
sceKernelAllocMemBlock : 0x002bed4c,
sceKernelCloseVMDomain : 0x002bed5c,
sceKernelAllocMemBlockForVM : 0x002bed6c
}

In FW 3.30-3.36 you've got these functions imported in this module. However, the VM open/close functions return 0x80024B08 (SCE_KERNEL_ERROR_PROCESS_CANNOT_REMAP_MEMBLOCK) and the allocate function returns 0x80010058 (SCE_ERROR_ERRNO_ENOSYS).
But as they are actually used, I wonder whether there's a trigger or something to make them work.
If we manage to get these functions working we can have rejuvenate running from webkit :D

TheFloW

yifanlu
Guru
Posts: 760
Joined: Sun Mar 11, 2012 6:42 am

Re: vitasploit - Exploitation Framework

Post by yifanlu » Sat Nov 28, 2015 9:11 pm

Yup, I think if you reverse how those calls are used, you can find out. However, the main reason rejuvenate isn't ported is because cleanup will be very difficult. It seems that WebKit doesn't own the rendering process so you can't use gxm or anything unless you manage to hijack the scewebprocess and get it to release the graphics context.

Hykem
Guru
Posts: 75
Joined: Sat Jan 15, 2011 8:11 pm

Re: vitasploit - Exploitation Framework

Post by Hykem » Sun Nov 29, 2015 3:50 pm

yifanlu wrote:Yup, I think if you reverse how those calls are used, you can find out. However, the main reason rejuvenate isn't ported is because cleanup will be very difficult. It seems that WebKit doesn't own the rendering process so you can't use gxm or anything unless you manage to hijack the scewebprocess and get it to release the graphics context.
As I've told TheFloW via PM, Proxima and I already investigated these some time ago (with the help of Sethpaien who dumped the ScePsp2Compat module).
WebKit itself is not capable of mapping these new memory blocks (ManxMemblockRX). Some other process probably does this beforehand (possibly SceWebKitProcess) and locks out any chance of creating new ones.
The problem would be exactly the same as with acquiring the graphics context, we must hijack a different module to be able to access those calls.
From what we reverse-engineered, if this could be done then yes, Rejuvenate could be ported to take advantage of code execution from WebKit.
