vitasploit - Exploitation Framework

[Hykem]

Hi, Thank you all for your work and sharing it.

I'm trying to find offsets for 3.35. (I should update to 3.36 but it will be less... interesting )
I have found SceWebKit module and get modules import infos from it.
So I get two offsets : scewkbase_off and scelibcentry_off,
But no success finding Scelibc module with scanm so scelibcbase_off offset is missing.
Is there any way to get an address closer from Scelibc module (and others) ? in which range of address should I found it ?
Exploit often crash and I'm not sure to follow the right way .

Hi Sethpaien!
I'm very interested on porting the exploit for the missing 3.30 and 3.35 firmware versions (for the sake of completeness).
You can get a close address for SceLibc by looking at it's first import used in SceWebKit. Just send me a PM and I'll be happy to help you port the exploit.

Advertising

[InnocentSam]

Hey guys, my PSTV gets caught in a loop; I force exploit.js to think 3.20 is 3.18, and it gets to:

Code: Select all

			libraries = init_ggts(bases, caller, version);
			logdbg("Loaded libraries...\n");
			
			// List all modules visible by the WebKit process
			ex_mod_list = list_modules("All", false);

"Loaded libraries" is the last thing printed into the console before the PSTV reloads the web page, forcing it to restart. I'm using the latest version from Github, any ideas?

Advertising

[Hykem]

Thanks to Sethpaien the offsets for firmware 3.35 have been added to vitasploit. Just need to push some minor changes to lib.js and rop.js and it's fully supported.

Only firmware 3.30 support is missing for which HarmfulMushroom is already giving a hand, but 3.30 is significantly different from 3.35 and 3.36, so that may take a while.

Hey guys, my PSTV gets caught in a loop; I force exploit.js to think 3.20 is 3.18, and it gets to:

Code: Select all

			libraries = init_ggts(bases, caller, version);
			logdbg("Loaded libraries...\n");
			
			// List all modules visible by the WebKit process
			ex_mod_list = list_modules("All", false);

"Loaded libraries" is the last thing printed into the console before the PSTV reloads the web page, forcing it to restart. I'm using the latest version from Github, any ideas?

Hmm... Up until now I've been guessing that 3.20 would be nearly identical to 3.18, but I never found anyone who could test this.
Forcing 3.20 to be recognized as 3.18 would use it's ROP chain and libraries' offsets, but if that's not working than 3.20 binaries are different enough to break this.
Could you please contact me via PM so we can sort out the implementation for 3.20? Thanks!

[Sethpaien]

Hi,

I'm trying to get MichelMichel syscall fuzzer working on 3.35,
But it always crash at the very first try ; At the begining I just think to be out of luck.
But I notice a weird things : Math.random() always give the same sequence of random numbers at each webbrowser restart !?
I have take a look if javascript random is seedable but without luck.

It's me or Sony is in bad terms with random numbers ? (cf. PS3 Hacking )

I should add another random number generator but does anyone else get same result ?

[Zecoxao]

hi, i get this:

Code: Select all

[+] DBG:  Initialization
[+] DBG:  Spraying Elements...
[+] DBG:  Done spraying
[+] DBG:  Searching for Element signature...
[+] DBG:  Changing textarea.rows at addr 0x8530e080
[+] DBG:  Searching for corrupted Element...
[+] DBG:  Found corrupted textarea at index #0
[+] DBG:  Textarea vptr: 0x824abafc
[+] DBG:  WebCore::HTMLBodyElement::setScrollLeft is at 0x81e06e19
[+] DBG:  Fake vtable at: 0x839e01b0
[+] DBG:  Copying vtable...
[+] DBG:  Error: 22 TypeError: 'undefined' is not an object (evaluating 'aspace[addr + i].toString')
[+] DBG:  Initialization failed!

can you help me out? thanks.

[Sethpaien]

Hi, what's your FW version ?
If I remember well that was what I get when calling libraries.SceLibc.functions.time(0) when offsets weren't defined
(I have add it for 3.35 and time function was already there for 3.36 thanks again to Xyzz for the exploit for 3.3x).
Try to comment out :

var t = libraries.SceLibc.functions.time(0);
logdbg("Time: " + t);

at line 130 & 131 of exploit.js and you should reach the shell.
If your FW isn't supported yet you won't be able to do much things, but I may help you if you want to port it.

And maybe you should answer my previous post

[Hykem]

Thanks to Proxima, vitasploit has finally been ported to firmware version 3.20.
The syscall fuzzer now also supports firmwares 2.05 and 3.20.

Enjoy!

[TheFloW]

I just want to share this with you that I've found with your Vitasploit.

ScePsp2Compat_v336 =
{
sceKernelSyncVMDomain : 0x002becdc,
sceKernelOpenVMDomain : 0x002becfc,
sceKernelGetMemBlockBase : 0x002bed3c,
sceKernelAllocMemBlock : 0x002bed4c,
sceKernelCloseVMDomain : 0x002bed5c,
sceKernelAllocMemBlockForVM : 0x002bed6c
}

In FW 3.30-3.36 you've got these functions imported in this module. However the VM open/close functions result with 0x80024B08 (SCE_KERNEL_ERROR_PROCESS_CANNOT_REMAP_MEMBLOCK) and the allocate funtion results with 0x80010058 (SCE_ERROR_ERRNO_ENOSYS).
But as they are actually used I wonder whether there's a trigger or something to make them working.
If we manage to get these functions working we can have rejuvenate running from webkit

TheFloW

[yifanlu]

Yup, I think if you reverse how those calls are used, you can find out. However, the main reason rejuvenate isn't ported is because cleanup will be very difficult. It seems that WebKit doesn't own the rendering process so you can't use gxm or anything unless you manage to hijack the scewebprocess and get it to release the graphics context.

[Hykem]

Yup, I think if you reverse how those calls are used, you can find out. However, the main reason rejuvenate isn't ported is because cleanup will be very difficult. It seems that WebKit doesn't own the rendering process so you can't use gxm or anything unless you manage to hijack the scewebprocess and get it to release the graphics context.

As I've told TheFloW via PM, Proxima and I already investigated these some time ago (with the help of Sethpaien who dumped the ScePsp2Compat module).
WebKit itself is not capable of mapping these new memory blocks (ManxMemblockRX). Some other process probably does this before hand (possibly SceWebKitProcess) and locks out any chance of creating new ones.
The problem would be exactly the same as with acquiring the graphics context, we must hijack a different module to be able to access those calls.
From what we reverse-engineered, if this could be done then yes, Rejuvenate could be ported to take advantage of code execution from WebKit.