vitasploit - Exploitation Framework

Post by **yifanlu** » Sun Nov 29, 2015 7:11 pm

So there is no code seen from WebKit that uses these functions?

Advertising

Post by **TheFloW** » Sun Nov 29, 2015 7:40 pm

yifanlu wrote:So there is no code seen from WebKit that uses these functions?

It seems like none of these exports are used in any webkit module:
ScePsp2Compat_77003AF2 which calls sceKernelSyncVMDomain
ScePsp2Compat_51C41E3E which calls sceKernelOpenVMDomain and sceKernelCloseVMDomain

Only:
ScePsp2Compat_925BD038 calls either sceKernelAllocMemBlock or sceKernelAllocMemBlockForVM dependant on the passed argument.

Advertising

Vladimir2016 · Post by **Vladimir2016** » Tue Dec 29, 2015 11:13 pm

Maybe this can lead to anything?

http://www.scei.co.jp/psvita-license/libpng.html 1.2.46

http://www.libpng.org/pub/png/libpng.html
Vulnerability Warning
Virtually all old-branch libpng versions through 1.5.25, 1.4.18, 1.2.55, and 1.0.65, respectively, have a potential out-of-bounds read in png_check_keyword()

Vulnerability Warning
Virtually all libpng versions through 1.6.19, 1.5.24, 1.4.17, 1.2.54, and 1.0.64, respectively, have a potential pointer overflow/underflow in png_handle_sPLT()/png_handle_pCAL() (and in png_handle_iTXt()/png_handle_zTXt() in the pre-1.6 branches), and all such versions likewise have a bug in their png_set_PLTE() implementations that left it open to the out-of-bounds write

windmark · Post by **windmark** » Sun Jan 03, 2016 2:28 am

Vladimir2016 wrote:Maybe this can lead to anything?

http://www.scei.co.jp/psvita-license/libpng.html 1.2.46

http://www.libpng.org/pub/png/libpng.html
Vulnerability Warning
Virtually all old-branch libpng versions through 1.5.25, 1.4.18, 1.2.55, and 1.0.65, respectively, have a potential out-of-bounds read in png_check_keyword()

Vulnerability Warning
Virtually all libpng versions through 1.6.19, 1.5.24, 1.4.17, 1.2.54, and 1.0.64, respectively, have a potential pointer overflow/underflow in png_handle_sPLT()/png_handle_pCAL() (and in png_handle_iTXt()/png_handle_zTXt() in the pre-1.6 branches), and all such versions likewise have a bug in their png_set_PLTE() implementations that left it open to the out-of-bounds write

Good catch, I think there's something interesting here...

EDIT: After some investigation, I'm afraid there's nothing we can do to take advantage of this bugs as attack vectors on the vita

Zafotheninja · Post by **Zafotheninja** » Tue Jan 12, 2016 12:33 am

For anyone who is interested, I found a bug in vitasploit on 3.18 vita.

Python outputs "[+] DBG: sceIoDopen() failed" or just reloads the exploit (Most cases both) when a large amount of "list_dir" commands are issued (sporadic, but averages 54 calls before crash)

This is bad for example, if you are trying to brute force the accessible dirs from the webkit

, the exploit will crash without parsing the entire list.

Hopefully someone developing it will see this.

Have a nice day.

Post by **Hykem** » Mon Jan 18, 2016 3:39 pm

Zafotheninja wrote:For anyone who is interested, I found a bug in vitasploit on 3.18 vita.

Python outputs "[+] DBG: sceIoDopen() failed" or just reloads the exploit (Most cases both) when a large amount of "list_dir" commands are issued (sporadic, but averages 54 calls before crash)

This is bad for example, if you are trying to brute force the accessible dirs from the webkit , the exploit will crash without parsing the entire list.

Hopefully someone developing it will see this.

Have a nice day.

Unfortunately, that's not a problem in vitasploit. The Vita itself eventually discards the file descriptor of some temporary paths (virtual vs0 paths for example). I believe it's a security measure.

asuka · Post by **asuka** » Mon Feb 01, 2016 7:12 am

windmark wrote:
Vladimir2016 wrote:Maybe this can lead to anything?

http://www.scei.co.jp/psvita-license/libpng.html 1.2.46

http://www.libpng.org/pub/png/libpng.html
Vulnerability Warning
Virtually all old-branch libpng versions through 1.5.25, 1.4.18, 1.2.55, and 1.0.65, respectively, have a potential out-of-bounds read in png_check_keyword()

Vulnerability Warning
Virtually all libpng versions through 1.6.19, 1.5.24, 1.4.17, 1.2.54, and 1.0.64, respectively, have a potential pointer overflow/underflow in png_handle_sPLT()/png_handle_pCAL() (and in png_handle_iTXt()/png_handle_zTXt() in the pre-1.6 branches), and all such versions likewise have a bug in their png_set_PLTE() implementations that left it open to the out-of-bounds write
Good catch, I think there's something interesting here...

EDIT: After some investigation, I'm afraid there's nothing we can do to take advantage of this bugs as attack vectors on the vita

Why did you say that?

And by the way, there are lot of open source libraries that psv use:
http://doc.dl.playstation.net/doc/psvita-oss/
Is it possible to find some points in these libraries that we can attach?

xXDarkCodeXx · Post by **xXDarkCodeXx** » Tue Jul 12, 2016 7:01 pm

What about this?

wololo.net/talk

vitasploit - Exploitation Framework

Re: vitasploit - Exploitation Framework

Re: vitasploit - Exploitation Framework

Re: vitasploit - Exploitation Framework

Re: vitasploit - Exploitation Framework

Re: vitasploit - Exploitation Framework

Re: vitasploit - Exploitation Framework

Re: vitasploit - Exploitation Framework

Re: vitasploit - Exploitation Framework