jigsaw wrote: Davee wrote:
jigsaw wrote:@Z tiff, gta, etc. are just user level exploits.
I think he means the associated kernel level exploits.
basically though, from what I've seen:
- kernel flagged ELF - 1.00
- swaptrick/kxploit - 1.50
- Reused index.dat key - 2.00/2.01
- loadexec buffer overflow - 2.50/2.60 (2.71?)
- Registry error store 2.80 + ?
- service mode - 3.52+
- psheet - 5.03
- ifhandle - 5.70
- utility/power - 6.10/6.20
- http storage - 6.39
- ifhandle - 6.60
Thats a basic list off the top of my head of public exploits. There are a bunch that are patched, such as the GEN/M33 contested wlan exploit which exists upto 5.50 and such. I've been working on compiling a list of the previous exploits as a learning resource so if you need to know any details on an exploit, feel free to ask.
That would be GREAT. AFAICT, kexploits from 503 and later have already been explained in depth by Freddy, Davee and some1.
But I can't find src code or explanation to the older ones. (older than 503).
I know about the loadexec buffer overflow, since the fix in loadexec is "evident", just a quick explanation:
There was one subroutine that took a path as an argument, it looked for the character ":" in that path, and calculated the lenght of the drive name from that (e.g. "ms0:"), it then copied the drive name onto the stack with strncpy, using the calculated lenght, you can guess how it was exploited, can't you?
In later firmwares, loadexec checks if the drive name is longer than 0x1F bytes, if it is, it gives an error.
Look at sub_21E0 (taken from 6.60 loadexec_01g) and you'll see
Service mode exploit was explained by SilverSpring here
I don't know about the others, except for the swap/kxploit that involved either swapping memory stick after loading a valid ELF with one that contained an unsigned one (I believe) or using the path hack.