
sceVideocodecStop() kxploit

Open discussions on programming specifically for the PS Vita.
GBOT
Developer

sceVideocodecStop() kxploit

Post by GBOT » Fri Feb 27, 2015 6:34 pm

So I escaped from my studies for a while and decided to get back to reversing and trying to show people a little of Sony's flaws. Ugly C reverse included!

The kermit function that breaks the kernel is sceMeWrapper_driver_4D78330C, but we have to access it using sceVideocodecStop().
sceVideocodecStop() requires the values passed as argument0 to be valid, so it calls sub_00000C38() to make sure they don't stomp on any kernel address.
You might wonder how we get past that value check in sub_00000C38(). Well, this is possible because of race conditions.
Basically we feed that sub with valid values, and when it succeeds (returns 0) we change the values using another thread that is being executed in parallel.
After that, sceMeWrapper_driver_4D78330C is called and it NOPs 8 contiguous bytes at any address.
There are some conditions on the values you have to use that you might want to check by reading the C code I wrote.

C reverse fully commented

You can also see the reversed code assembly sceVideocodecStop.s, sceMeWrapper_driver_4D78330C.s

This is a try-and-fail case; that is why we have to swap between the valid and the exploited values a lot of times until it succeeds and our kernel code is executed.

Also, if you missed it you can check out the sceSdGetLastIndex() kxploit reverse and explanation

Enjoy
Last edited by GBOT on Tue Apr 07, 2015 5:31 am, edited 1 time in total.

TakeHomeTheCup

Re: sceVideocodecStop() kxploit

Post by TakeHomeTheCup » Sat Feb 28, 2015 12:47 am

If you don't mind me asking, you guys can get stuff from the Vita/PSP and turn it into C?
qwikrazor87
Guru

Re: sceVideocodecStop() kxploit

Post by qwikrazor87 » Sat Feb 28, 2015 1:34 am

TakeHomeTheCup wrote:If you don't mind me asking, you guys can get stuff from the Vita/PSP and turn it into C?
Yeah, just need to learn C and MIPS, once you get a good hang of them it'll be pretty easy to reverse MIPS to C and vice versa.
GBOT
Developer

Re: sceVideocodecStop() kxploit

Post by GBOT » Sat Feb 28, 2015 2:55 am

You could also get to qwik's level, where you disassemble binary in real time and turn any random offset you like into an exploit

TakeHomeTheCup

Re: sceVideocodecStop() kxploit

Post by TakeHomeTheCup » Sat Feb 28, 2015 3:23 am

qwikrazor87 wrote:Yeah, just need to learn C and MIPS, once you get a good hang of them it'll be pretty easy to reverse MIPS to C and vice versa.
GBOT wrote:You could also get to qwik's level, where you disassemble binary in real time and turn any random offset you like into an exploit
Thanks for the information.

qwikrazor87
Guru

Re: sceVideocodecStop() kxploit

Post by qwikrazor87 » Sat Feb 28, 2015 5:08 am

GBOT wrote:You could also get to qwik's level, where you disassemble binary in real time and turn any random offset you like into an exploit
:lol:
Acid_Snake
Retired Mod

Re: sceVideocodecStop() kxploit

Post by Acid_Snake » Sun Mar 01, 2015 12:27 pm

qwikrazor87 wrote:
GBOT wrote:You could also get to qwik's level, where you disassemble binary in real time and turn any random offset you like into an exploit
:lol:
What's even funnier is that TakeHomeTheCup seems to not see this was a joke.

Joel16

Re: sceVideocodecStop() kxploit

Post by Joel16 » Sun Mar 01, 2015 2:55 pm

Acid_Snake wrote:
qwikrazor87 wrote:
GBOT wrote:You could also get to qwik's level, where you disassemble binary in real time and turn any random offset you like into an exploit
:lol:
What's even funnier is that TakeHomeTheCup seems to not see this was a joke.
:mrgreen:
Omega2058
Developer

Re: sceVideocodecStop() kxploit

Post by Omega2058 » Mon Mar 02, 2015 10:08 am

This was interesting to read, thanks for the information. I never knew what a race-condition was, but now that I see how to do it I can finally do something with the modules tests I have. Kudos.

DS_Marine
Developer

Re: sceVideocodecStop() kxploit

Post by DS_Marine » Wed Mar 04, 2015 9:36 pm

Good to see you in the front page mate :D