Re: vitasploit - Exploitation Framework
Posted: Sun Dec 14, 2014 9:05 pm
by Hykem
Just pushed a couple more changes to vitasploit.
Thanks to Netrix one critical issue was addressed this time, which was the problem of running out of memory using the standard JSoS modus operandi. Instead of defining all functions and variables immediately, additional scripts are now delayed from execution and run after the exploit has access to the full user memory space provided by the Vita.
A lot of new function wrappers were added and the batch test system was changed. In terms of design, it's now looking closer to a pseudo JavaScript-based SDK.
You can find the sceMotion functions and the motion test as well, which became popular due to Brian's video demonstrating the Vita's gyroscope. The test simply prints the xyz coordinates of the gyroscope, but using the sceNet functions it's possible to send them back to the computer and write a simple application to read them (like the one showcased in the referred video).
The errors related to module loading should now be fixed as well.
Re: vitasploit - Exploitation Framework
Posted: Mon Dec 15, 2014 11:30 pm
by addddd
I don't have ScePaf and SceCommonDialogMain modules on 3.01. Is it ok?
[spoiler]
Starting server on 192.168.58.131:8888
[+] DBG: Initialization
[+] DBG: Spraying ArrayBuffers...
[+] DBG: Done spraying
[+] DBG: Searching for ArrayBuffer signature...
[+] DBG: ...
[+] DBG: Found ArrayBuffer signature at u32[0xf24] -> 0x82d80008
[+] DBG: Spraying Elements...
[+] DBG: Done spraying
[+] DBG: Searching for Element signature...
[+] DBG: ...
[+] DBG: Found Element signature at u32[0x7268]
[+] DBG: Changing size of Element object: 0x66656463 -> 0x55555555
[+] DBG: Looking for modified Element object...
[+] DBG: Found modified Element object at esprays[0x81]
[+] DBG: Changing size of object: 0xabc0 -> 0xdeadbabe
[+] DBG: Looking for modified object...
[+] DBG: Found modified object at sprays[0x5]
[+] DBG: Address of u32: 0x82d0cd00
[+] DBG: Base of u32: 0x82d0c8d0
[+] DBG: Vtab of u32: 0x82234444
[+] DBG: Leaked ptr: 0x81dd73a9
[+] DBG: Element vtable pointer at: 0x82d29208
[+] DBG: Element vtable at: 0x822b22f0
[+] DBG: Fake vtable at: 0x8290c8d0
[+] DBG: Copying vtable...
[+] DBG: Module UIDs:
0x829128D0: 6F010140 69010140 59010140 4D010140 o..@i..@Y..@M..@
0x829128E0: 47010140 31010140 2D010140 25010140 G..@1..@-..@%..@
0x829128F0: 23000140 21000140 1F000140 1D000140 #..@!..@...@...@
0x82912900: 1B000140 19000140 17000140 15000140 ...@...@...@...@
0x82912910: 13000140 11000140 0F000140 0D000140 ...@...@...@...@
0x82912920: 0B000140 01000140 ...@...@
[+] DBG: Found module: SceWebKit
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0x81a00000
[+] DBG: Module segment memsz: 0x8ea860
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0x81188000
[+] DBG: Module segment memsz: 0xc7cc
[+] DBG: Found module: SceHafnium
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0x81880000
[+] DBG: Module segment memsz: 0x56668
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0x8103e000
[+] DBG: Module segment memsz: 0x54
[+] DBG: Found module: ScePsp2Compat
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0x81200000
[+] DBG: Module segment memsz: 0x3b0a70
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0x81168000
[+] DBG: Module segment memsz: 0xb944
[+] DBG: Found module: SceWebFiltering
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0x81158000
[+] DBG: Module segment memsz: 0x5920
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0x81160000
[+] DBG: Module segment memsz: 0x4d64
[+] DBG: Found module: SceLibVitaJSExtObj
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0x810cc000
[+] DBG: Module segment memsz: 0x4d3c
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0x8103d000
[+] DBG: Module segment memsz: 0x78
[+] DBG: Found module: SceLibHttp
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0xe05e4000
[+] DBG: Module segment memsz: 0x1c440
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0xe0057000
[+] DBG: Module segment memsz: 0x630
[+] DBG: Found module: SceLibNetCtl
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0xe0189000
[+] DBG: Module segment memsz: 0x7aae
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0xe0042000
[+] DBG: Module segment memsz: 0x1400
[+] DBG: Found module: SceNet
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0xe0511000
[+] DBG: Module segment memsz: 0xbdf0
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0xe0039000
[+] DBG: Module segment memsz: 0xc90
[+] DBG: Found module: SceAppUtil
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0x81090000
[+] DBG: Module segment memsz: 0x96a4
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0x81039000
[+] DBG: Module segment memsz: 0x70
[+] DBG: Found module: SceLibPvf
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0xe009c000
[+] DBG: Module segment memsz: 0xcf24
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0xe0017000
[+] DBG: Module segment memsz: 0x8
[+] DBG: Found module: SceLibft2
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0xe00c4000
[+] DBG: Module segment memsz: 0x4db54
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0xe0016000
[+] DBG: Module segment memsz: 0x2f4
[+] DBG: Found module: SceLibDbg
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0xe0044000
[+] DBG: Module segment memsz: 0x5d4
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0xe0013000
[+] DBG: Module segment memsz: 0x8c
[+] DBG: Found module: SceCommonDialog
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0xe01a4000
[+] DBG: Module segment memsz: 0x11108
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0xe0026000
[+] DBG: Module segment memsz: 0x289
[+] DBG: Found module: SceShellSvc
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0xe016c000
[+] DBG: Module segment memsz: 0x12000
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0xe0025000
[+] DBG: Module segment memsz: 0x8e9
[+] DBG: Found module: SceLibc
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0x81100000
[+] DBG: Module segment memsz: 0x4d3bc
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0x8103a000
[+] DBG: Module segment memsz: 0x26f0
[+] DBG: Found module: SceLibFios2
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0x810a0000
[+] DBG: Module segment memsz: 0x2b12c
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0x81084000
[+] DBG: Module segment memsz: 0x523d
[+] DBG: Found module: SceGxm
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0xe006c000
[+] DBG: Module segment memsz: 0x1fe44
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0xe0014000
[+] DBG: Module segment memsz: 0x72c
[+] DBG: Found module: SceGpuEs4User
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0xe003d000
[+] DBG: Module segment memsz: 0x2844
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0xe0012000
[+] DBG: Module segment memsz: 0x3c
[+] DBG: Found module: SceAvcodecUser
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0xe0036000
[+] DBG: Module segment memsz: 0x2340
[+] DBG: Found module: SceDriverUser
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0xe0018000
[+] DBG: Module segment memsz: 0xc334
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0xe0028000
[+] DBG: Module segment memsz: 0x8f50
[+] DBG: Found module: SceLibKernel
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0xe0002000
[+] DBG: Module segment memsz: 0xdb58
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0xe0011000
[+] DBG: Module segment memsz: 0x50
[+] DBG: Found module: SceWebKitProcess
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0x81000000
[+] DBG: Module segment memsz: 0x151c0
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0x81016000
[+] DBG: Module segment memsz: 0x215cc
[+] DBG: sceSysmoduleLoadModuleWithArgs(0x80000012): 0x80000012
[+] DBG: sceSysmoduleLoadModuleWithArgs(0x8000000f): 0x8000000f
[+] DBG: sceSysmoduleLoadModuleWithArgs(0x80000008): 0x80000008
[+] DBG: Module UIDs:
0x829134CC: 6F010140 69010140 59010140 4D010140 o..@i..@Y..@M..@
0x829134DC: 47010140 31010140 2D010140 25010140 G..@1..@-..@%..@
0x829134EC: 23000140 21000140 1F000140 1D000140 #..@!..@...@...@
0x829134FC: 1B000140 19000140 17000140 15000140 ...@...@...@...@
0x8291350C: 13000140 11000140 0F000140 0D000140 ...@...@...@...@
0x8291351C: 0B000140 01000140 ...@...@
[+] DBG: Found module: SceWebKit
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0x81a00000
[+] DBG: Module segment memsz: 0x8ea860
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0x81188000
[+] DBG: Module segment memsz: 0xc7cc
[+] DBG: Found module: SceHafnium
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0x81880000
[+] DBG: Module segment memsz: 0x56668
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0x8103e000
[+] DBG: Module segment memsz: 0x54
[+] DBG: Found module: ScePsp2Compat
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0x81200000
[+] DBG: Module segment memsz: 0x3b0a70
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0x81168000
[+] DBG: Module segment memsz: 0xb944
[+] DBG: Found module: SceWebFiltering
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0x81158000
[+] DBG: Module segment memsz: 0x5920
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0x81160000
[+] DBG: Module segment memsz: 0x4d64
[+] DBG: Found module: SceLibVitaJSExtObj
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0x810cc000
[+] DBG: Module segment memsz: 0x4d3c
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0x8103d000
[+] DBG: Module segment memsz: 0x78
[+] DBG: Found module: SceLibHttp
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0xe05e4000
[+] DBG: Module segment memsz: 0x1c440
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0xe0057000
[+] DBG: Module segment memsz: 0x630
[+] DBG: Found module: SceLibNetCtl
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0xe0189000
[+] DBG: Module segment memsz: 0x7aae
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0xe0042000
[+] DBG: Module segment memsz: 0x1400
[+] DBG: Found module: SceNet
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0xe0511000
[+] DBG: Module segment memsz: 0xbdf0
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0xe0039000
[+] DBG: Module segment memsz: 0xc90
[+] DBG: Found module: SceAppUtil
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0x81090000
[+] DBG: Module segment memsz: 0x96a4
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0x81039000
[+] DBG: Module segment memsz: 0x70
[+] DBG: Found module: SceLibPvf
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0xe009c000
[+] DBG: Module segment memsz: 0xcf24
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0xe0017000
[+] DBG: Module segment memsz: 0x8
[+] DBG: Found module: SceLibft2
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0xe00c4000
[+] DBG: Module segment memsz: 0x4db54
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0xe0016000
[+] DBG: Module segment memsz: 0x2f4
[+] DBG: Found module: SceLibDbg
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0xe0044000
[+] DBG: Module segment memsz: 0x5d4
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0xe0013000
[+] DBG: Module segment memsz: 0x8c
[+] DBG: Found module: SceCommonDialog
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0xe01a4000
[+] DBG: Module segment memsz: 0x11108
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0xe0026000
[+] DBG: Module segment memsz: 0x289
[+] DBG: Found module: SceShellSvc
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0xe016c000
[+] DBG: Module segment memsz: 0x12000
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0xe0025000
[+] DBG: Module segment memsz: 0x8e9
[+] DBG: Found module: SceLibc
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0x81100000
[+] DBG: Module segment memsz: 0x4d3bc
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0x8103a000
[+] DBG: Module segment memsz: 0x26f0
[+] DBG: Found module: SceLibFios2
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0x810a0000
[+] DBG: Module segment memsz: 0x2b12c
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0x81084000
[+] DBG: Module segment memsz: 0x523d
[+] DBG: Found module: SceGxm
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0xe006c000
[+] DBG: Module segment memsz: 0x1fe44
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0xe0014000
[+] DBG: Module segment memsz: 0x72c
[+] DBG: Found module: SceGpuEs4User
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0xe003d000
[+] DBG: Module segment memsz: 0x2844
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0xe0012000
[+] DBG: Module segment memsz: 0x3c
[+] DBG: Found module: SceAvcodecUser
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0xe0036000
[+] DBG: Module segment memsz: 0x2340
[+] DBG: Found module: SceDriverUser
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0xe0018000
[+] DBG: Module segment memsz: 0xc334
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0xe0028000
[+] DBG: Module segment memsz: 0x8f50
[+] DBG: Found module: SceLibKernel
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0xe0002000
[+] DBG: Module segment memsz: 0xdb58
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0xe0011000
[+] DBG: Module segment memsz: 0x50
[+] DBG: Found module: SceWebKitProcess
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0x81000000
[+] DBG: Module segment memsz: 0x151c0
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0x81016000
[+] DBG: Module segment memsz: 0x215cc
[+] DBG: -------------------------------------------------
[+] DBG: SceWebKit base: 0x81a00000
[+] DBG: SceLibc base: 0x81100000
[+] DBG: SceNet base: 0xe0511000
[+] DBG: SceLibKernel base: 0xe0002000
[+] DBG: SceWebKitProcess base: 0x81000000
[+] DBG: SceCommonDialog base: 0xe01a4000
[+] DBG: SceAppUtil base: 0x81090000
[+] DBG: SceDriverUser base: 0xe0018000
[+] DBG: SceGxm base: 0xe006c000
[+] DBG: Error: 6 TypeError: 'undefined' is not an object
[/spoiler]
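An added example, not part of this thread or of vitasploit itself: a small Python parser for the "[+] DBG:" output above. It turns the module/segment listing into a table, reports which expected modules never appeared in a "Found module:" line (the question asked in this post), checks that the summary "X base:" lines agree with the parsed segment #0 addresses, and collects any "Error:" lines. The sample log embedded in it is a constructed, cut-down copy of the listing above (same address values, only two modules kept); the names parse_log, Report, missing_modules and base_mismatches are mine.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the format of vitasploit's debug output: addresses are
# taken from the log in the thread, the module list is cut down to two entries.
SAMPLE_LOG = """\
Starting server on 192.168.58.131:8888
[+] DBG: Initialization
[+] DBG: Module UIDs:
0x829128D0: 6F010140 69010140 59010140 4D010140 o..@i..@Y..@M..@
[+] DBG: Found module: SceWebKit
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0x81a00000
[+] DBG: Module segment memsz: 0x8ea860
[+] DBG: Module segment info: #1
[+] DBG: Module segment vaddr: 0x81188000
[+] DBG: Module segment memsz: 0xc7cc
[+] DBG: Found module: SceLibKernel
[+] DBG: Module segment info: #0
[+] DBG: Module segment vaddr: 0xe0002000
[+] DBG: Module segment memsz: 0xdb58
[+] DBG: sceSysmoduleLoadModuleWithArgs(0x80000012): 0x80000012
[+] DBG: -------------------------------------------------
[+] DBG: SceWebKit base: 0x81a00000
[+] DBG: Error: 6 TypeError: 'undefined' is not an object
"""

HEX = r"(0x[0-9a-fA-F]+)"
DBG = re.compile(r"^\[\+\] DBG: (.*)$")
FOUND = re.compile(r"^Found module: (\S+)$")
SEG = re.compile(r"^Module segment info: #(\d+)$")
VADDR = re.compile(r"^Module segment vaddr: " + HEX + "$")
MEMSZ = re.compile(r"^Module segment memsz: " + HEX + "$")
LOADCALL = re.compile(r"^sceSysmoduleLoadModuleWithArgs\(" + HEX + r"\): " + HEX + "$")
BASE = re.compile(r"^(\S+) base: " + HEX + "$")
ERROR = re.compile(r"^Error: (.*)$")


@dataclass
class Segment:
    index: int
    vaddr: int = 0
    memsz: int = 0


@dataclass
class Module:
    name: str
    segments: list = field(default_factory=list)


@dataclass
class Report:
    modules: dict = field(default_factory=dict)   # name -> Module
    load_calls: list = field(default_factory=list)  # (argument, return value)
    bases: dict = field(default_factory=dict)     # name -> summary base address
    errors: list = field(default_factory=list)


def parse_log(text: str) -> Report:
    """Walk the log line by line; hexdump rows and non-DBG lines are ignored."""
    report = Report()
    current = None
    for raw in text.splitlines():
        m = DBG.match(raw.rstrip())
        if not m:
            continue
        msg = m.group(1)
        if found := FOUND.match(msg):
            # The log prints the module list twice (before and after loading
            # extra modules); a repeated name replaces its earlier entry.
            current = Module(found.group(1))
            report.modules[current.name] = current
        elif (seg := SEG.match(msg)) and current is not None:
            current.segments.append(Segment(int(seg.group(1))))
        elif (va := VADDR.match(msg)) and current is not None and current.segments:
            current.segments[-1].vaddr = int(va.group(1), 16)
        elif (ms := MEMSZ.match(msg)) and current is not None and current.segments:
            current.segments[-1].memsz = int(ms.group(1), 16)
        elif call := LOADCALL.match(msg):
            report.load_calls.append((int(call.group(1), 16), int(call.group(2), 16)))
        elif base := BASE.match(msg):
            report.bases[base.group(1)] = int(base.group(2), 16)
        elif err := ERROR.match(msg):
            report.errors.append(err.group(1))
    return report


def missing_modules(report: Report, expected) -> list:
    """Names from `expected` that never appeared in a 'Found module:' line."""
    return [name for name in expected if name not in report.modules]


def base_mismatches(report: Report) -> list:
    """Summary 'X base:' lines whose value differs from X's segment #0 vaddr."""
    out = []
    for name, base in report.bases.items():
        mod = report.modules.get(name)
        if mod is None or not mod.segments or mod.segments[0].vaddr != base:
            out.append(name)
    return out


if __name__ == "__main__":
    rep = parse_log(SAMPLE_LOG)
    for name, mod in rep.modules.items():
        segs = ", ".join(f"#{s.index} {s.vaddr:#x}+{s.memsz:#x}" for s in mod.segments)
        print(f"{name}: {segs}")
    print("missing:", missing_modules(rep, ["ScePaf", "SceCommonDialogMain"]))
    print("base mismatches:", base_mismatches(rep))
    print("errors:", rep.errors)
```

Run it against a full log pasted into SAMPLE_LOG (or read from a file) to get the module table plus the three checks at the end; for the log in this post the interesting outputs are the two missing module names and the trailing TypeError.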
Re: vitasploit - Exploitation Framework
Posted: Tue Dec 16, 2014 8:47 am
by mr.gas
I get the same error .. fw 3.01
Re: vitasploit - Exploitation Framework
Posted: Sun Dec 21, 2014 9:14 pm
by Hykem
I've just pushed a ton of changes to vitasploit. The 3.01 bug should now be fixed and ScePaf and the other modules should now load.
With the precious help of blue78, Sparky and heleius I've ported vitasploit to firmwares 2.02 and 2.12. Both firmwares use an entirely different ROP chain.
I've also added a new test that allows dumping full directories from the Vita, instead of doing it file by file.
The delayed script loading mechanism has also been improved thanks to Netrix.
Only ScePaf functions are missing from firmware 2.02, since I'm still investigating them better.
Enjoy!

Re: vitasploit - Exploitation Framework
Posted: Mon Feb 09, 2015 7:55 pm
by barnabe42
Hello,
I have played a bit with the framework and was able to create minimal pong version using the Test_Motion example.
[attachment: Pong.jpg]
If you feel that it could be useful for others I could upload the code on the source control.
This is just using already existing features so nothing fancy ...
I will try to explore more the framework it is really interesting.
Re: vitasploit - Exploitation Framework
Posted: Mon Feb 09, 2015 11:55 pm
by yifanlu
Re: vitasploit - Exploitation Framework
Posted: Tue Feb 10, 2015 5:47 am
by barnabe42
OK thanks, I am surprised nobody claimed that beforehand.
I will send him a PM.
Re: vitasploit - Exploitation Framework
Posted: Fri Feb 13, 2015 12:58 pm
by n00b81
Not sure if it works.. since I don't have the right vita version... but I threw the Pong files out my web space for people who aren't interested in muckin' round with python. Lemme know if it works -
http://vitapong.gq
EDIT: Just realized that this won't let you grab the gyro feedback data of course. But whatever... still good for playing pong lol.
Re: vitasploit - Exploitation Framework
Posted: Fri Feb 13, 2015 1:22 pm
by Gezine
n00b81 wrote:
Not sure if it works.. since I don't have the right vita version... but I threw the Pong files out my web space for people who aren't interested in muckin' round with python. Lemme know if it works -
http://vitapong.gq
EDIT: Just realized that this won't let you grab the gyro feedback data of course. But whatever... still good for playing pong lol.
PCH-2005 3.18 Worked

Re: vitasploit - Exploitation Framework
Posted: Fri Feb 13, 2015 1:41 pm
by n00b81
Gezine wrote:
n00b81 wrote:
Not sure if it works.. since I don't have the right vita version... but I threw the Pong files out my web space for people who aren't interested in muckin' round with python. Lemme know if it works -
http://vitapong.gq
EDIT: Just realized that this won't let you grab the gyro feedback data of course. But whatever... still good for playing pong lol.
PCH-2005 3.18 Worked

Awesome - thanks for the feedback.