
vitasploit - Exploitation Framework

Open discussions on programming specifically for the PS Vita.
Forum rules
Forum rule Nº 15 is strictly enforced in this subforum.
yifanlu
Guru
Posts: 760
Joined: Sun Mar 11, 2012 6:42 am

Re: vitasploit - Exploitation Framework

Post by yifanlu » Sun Nov 29, 2015 7:11 pm

So there is no code seen from WebKit that uses these functions?

TheFloW
Guru
Posts: 57
Joined: Sun Jun 28, 2015 11:13 am

Re: vitasploit - Exploitation Framework

Post by TheFloW » Sun Nov 29, 2015 7:40 pm

yifanlu wrote: So there is no code seen from WebKit that uses these functions?
It seems like none of these exports are used in any webkit module:
ScePsp2Compat_77003AF2 which calls sceKernelSyncVMDomain
ScePsp2Compat_51C41E3E which calls sceKernelOpenVMDomain and sceKernelCloseVMDomain

Only:
ScePsp2Compat_925BD038 calls either sceKernelAllocMemBlock or sceKernelAllocMemBlockForVM, dependent on the passed argument.

Vladimir2016
Posts: 1
Joined: Tue Dec 29, 2015 11:10 pm

Re: vitasploit - Exploitation Framework

Post by Vladimir2016 » Tue Dec 29, 2015 11:13 pm

Maybe this can lead to anything?

http://www.scei.co.jp/psvita-license/libpng.html 1.2.46

http://www.libpng.org/pub/png/libpng.html
Vulnerability Warning
Virtually all old-branch libpng versions through 1.5.25, 1.4.18, 1.2.55, and 1.0.65, respectively, have a potential out-of-bounds read in png_check_keyword()

Vulnerability Warning
Virtually all libpng versions through 1.6.19, 1.5.24, 1.4.17, 1.2.54, and 1.0.64, respectively, have a potential pointer overflow/underflow in png_handle_sPLT()/png_handle_pCAL() (and in png_handle_iTXt()/png_handle_zTXt() in the pre-1.6 branches), and all such versions likewise have a bug in their png_set_PLTE() implementations that left it open to the out-of-bounds write

windmark
Posts: 12
Joined: Fri Mar 27, 2015 8:32 pm

Re: vitasploit - Exploitation Framework

Post by windmark » Sun Jan 03, 2016 2:28 am

Vladimir2016 wrote: Maybe this can lead to anything?

http://www.scei.co.jp/psvita-license/libpng.html 1.2.46

http://www.libpng.org/pub/png/libpng.html
Vulnerability Warning
Virtually all old-branch libpng versions through 1.5.25, 1.4.18, 1.2.55, and 1.0.65, respectively, have a potential out-of-bounds read in png_check_keyword()

Vulnerability Warning
Virtually all libpng versions through 1.6.19, 1.5.24, 1.4.17, 1.2.54, and 1.0.64, respectively, have a potential pointer overflow/underflow in png_handle_sPLT()/png_handle_pCAL() (and in png_handle_iTXt()/png_handle_zTXt() in the pre-1.6 branches), and all such versions likewise have a bug in their png_set_PLTE() implementations that left it open to the out-of-bounds write
Good catch, I think there's something interesting here...

EDIT: After some investigation, I'm afraid there's nothing we can do to take advantage of these bugs as attack vectors on the vita.

Zafotheninja
Posts: 101
Joined: Wed Apr 18, 2012 10:40 pm
Location: Beyond the furthest ring.

Re: vitasploit - Exploitation Framework

Post by Zafotheninja » Tue Jan 12, 2016 12:33 am

For anyone who is interested, I found a bug in vitasploit on 3.18 vita.

Python outputs "[+] DBG: sceIoDopen() failed" or just reloads the exploit (in most cases both) when a large number of "list_dir" commands are issued (sporadic, but averages 54 calls before crash).

This is bad if, for example, you are trying to brute force the accessible dirs from the webkit :roll: , the exploit will crash without parsing the entire list.

Hopefully someone developing it will see this.

Have a nice day.
If I come off as an ***, I'm sorry, I don't mean to 87.6% of the time.

Hykem
Guru
Posts: 75
Joined: Sat Jan 15, 2011 8:11 pm

Re: vitasploit - Exploitation Framework

Post by Hykem » Mon Jan 18, 2016 3:39 pm

Zafotheninja wrote: For anyone who is interested, I found a bug in vitasploit on 3.18 vita.

Python outputs "[+] DBG: sceIoDopen() failed" or just reloads the exploit (in most cases both) when a large number of "list_dir" commands are issued (sporadic, but averages 54 calls before crash).

This is bad if, for example, you are trying to brute force the accessible dirs from the webkit :roll: , the exploit will crash without parsing the entire list.

Hopefully someone developing it will see this.

Have a nice day.
Unfortunately, that's not a problem in vitasploit. The Vita itself eventually discards the file descriptor of some temporary paths (virtual vs0 paths for example). I believe it's a security measure.

asuka
Posts: 3
Joined: Mon Feb 01, 2016 7:10 am

Re: vitasploit - Exploitation Framework

Post by asuka » Mon Feb 01, 2016 7:12 am

windmark wrote:
Vladimir2016 wrote: Maybe this can lead to anything?

http://www.scei.co.jp/psvita-license/libpng.html 1.2.46

http://www.libpng.org/pub/png/libpng.html
Vulnerability Warning
Virtually all old-branch libpng versions through 1.5.25, 1.4.18, 1.2.55, and 1.0.65, respectively, have a potential out-of-bounds read in png_check_keyword()

Vulnerability Warning
Virtually all libpng versions through 1.6.19, 1.5.24, 1.4.17, 1.2.54, and 1.0.64, respectively, have a potential pointer overflow/underflow in png_handle_sPLT()/png_handle_pCAL() (and in png_handle_iTXt()/png_handle_zTXt() in the pre-1.6 branches), and all such versions likewise have a bug in their png_set_PLTE() implementations that left it open to the out-of-bounds write
Good catch, I think there's something interesting here...

EDIT: After some investigation, I'm afraid there's nothing we can do to take advantage of these bugs as attack vectors on the vita.
Why did you say that?

And by the way, there are a lot of open source libraries that the PSV uses:
http://doc.dl.playstation.net/doc/psvita-oss/
Is it possible to find some points in these libraries that we can attach?

xXDarkCodeXx
Posts: 40
Joined: Fri Mar 27, 2015 9:53 pm

Re: vitasploit - Exploitation Framework

Post by xXDarkCodeXx » Tue Jul 12, 2016 7:01 pm

What about this?
I'm sorry for my bad English, but I'm Italian and my keyboard sux.
