Hykem wrote:
    Ruben_Wolfe wrote:
        yifanlu wrote: You know it's entirely possible to make games with just JS/HTML? The main reason for "native" hacks is to take advantage of the full processing power of the Vita which you don't get with webkit hacks (it's even less powerful than PSM, which supports JIT).
        Yes. I am fully aware of it.
        This is just for fun; to gain some knowledge about how things are done here on both HTML and the Vita.
        My main motive for using the webkit exploit isn't to make games. I ache to learn and help the scene, therefore my question.
        Sure, I could make a text-based adventure using PSM, but what would be the point? What will I learn that I haven't already?
    Well if that's the case, then yes, it's possible. I'm afraid you won't learn much though.
    Like yifanlu and josh_axey already stated, HTML+JS or the PSM alone are much better alternatives for what you want.
    Since all you want is to learn about the native side of the Vita, then you need to look into the functions that handle dialogs. I can add them and a small test to showcase it to Vitasploit if you wish.
I will appreciate it if you do, thanks.
vitasploit - Exploitation Framework
Forum rules
Forum rule Nº 15 is strictly enforced in this subforum.
- Ruben_Wolfe
- Posts: 158
- Joined: Sat Aug 09, 2014 9:33 pm
Re: vitasploit - Exploitation Framework
MichelMichel
- Posts: 12
- Joined: Wed Mar 11, 2015 10:12 pm
Re: vitasploit - Exploitation Framework
Hello,
I have just written the beginning of a syscall fuzzer using this incredible/amazing framework!
If you want to have a system crash with a report at restart,
call the syscall @0x5D8C with 4 null arguments.
The offset in SceLibKernel.seg0 is @0x5D8C (for 3.18 VITA).
Here is the request... (I really don't care about this VITA :p )
Code:
GET /download/crepo/VITA/NPXS19998/config.xml?log=826252a06d711513182196bcdaf8976df5c3ecbd6a034a5a529813d9ffcf581094dd6f2dba5a8ce77bf13bb66230237e890648a6e88b4474f6dc395a3f919c76749d7bb4b8a85c4ee14cd6de36cd9a5fda8eadcaf762bc70ea7ae62ce38ead33 HTTP/1.1
Host: crepo.ww.dl.playstation.net
User-Agent: CorefileUploader/1.00 libhttp/1.00 libhttp/3.18 (PS Vita)
Connection: Keep-Alive
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
404, NPXS19998 sony does not give config.xml for the WebKit process, *** !... let's try with NPXS19999 ...
Seems OK, the file is in base64!
Code:
AABGQUNFQ1MCAAAAAAAAAAMAAAAAAAAAAQAAAAAAAADAAAAAAAAAACAAAAAAAAAAAAAAAAAAAADA
AAAAAAAAACAAAAAAAAAAAQAAAAAAAAAEAAAAAAAAAGssKGf37CFcNbUdUHOk0msAAAAAAAAAAAAA
AAAAAAAAzku+QzPIOsgT+AxTbQIUH6p2KkPV8NUbc9uI94V89m0AAAAAAAAAAORx6W3PUbGgVUTj
gDTo7ojVCeK7SYulC6Jq0FD/6q1T7wdZj3sdabfQ9VOhfqK2SB1BCxPkrhbXWys2XZYn54Q=
EDIT: This file does not work for the WebKit process... Maybe this file could be used for another bug.
Last edited by MichelMichel on Fri Mar 20, 2015 1:54 pm, edited 5 times in total.
MichelMichel
- Posts: 12
- Joined: Wed Mar 11, 2015 10:12 pm
Re: vitasploit - Exploitation Framework
Hi,
I'm now able to fuzz some unexported syscalls... I mean unexported when the syscall is unreachable from sceLibKernel.
At this point in time, no crash in unexported syscalls, but some syscalls seem to be really interesting!
Example:
Code:
[+] DBG: @951 CALL 318 ( 0x852b7451, 0x11b6f477, 0xbc54756f, 0x86cdcf5e )
[+] DBG: res 0
[+] DBG: @952 CALL 318 ( 0x90909cac, 0x3541f1e3, 0x5d7e8746, 0xacc26d78 )
[+] DBG: res 0x80022005
Example 2:
Code:
[+] DBG: @596 CALL 30d ( 0x9020c62c, 0xf8b8d109, 0xed8d4072, 0x2bee4c4d )
[+] DBG: res 0x80022005
[+] DBG: @597 CALL 30d ( 0x86b494ea, 0x9f6ba, 0xe9c4fa57, 0xe61b0d8f )
[+] DBG: res 0x0
I will now work on a better fuzzing technique and on syscall blacklisting to avoid webkit restarts.
Re: vitasploit - Exploitation Framework
Glad to see you got it working. I'm really interested in the method you're using for the fuzzing.
Please feel free to share the code when you're satisfied with it. This can be easily added to the vitasploit framework.
Thanks!
Re: vitasploit - Exploitation Framework
Glad this is active and someone is still working on WebKit.
MichelMichel
- Posts: 12
- Joined: Wed Mar 11, 2015 10:12 pm
Re: vitasploit - Exploitation Framework
Hykem wrote: Please feel free to share the code when you're satisfied with it.
Sure, I will do it with pleasure as soon as I've optimized the research process of mapped syscalls.
Re: vitasploit - Exploitation Framework
Wolfmade wrote: Glad this is active and someone is still working on WebKit.
The project is still active. I have a few interesting things to push (audio via ScePaf, graphics, etc.) which I'll probably add soon.
Developments on this are a bit stalled due to another Vita related side project I'm working on (open source SDK and crude ARMv7 emulator). Expect to hear more on that in a few weeks.
MichelMichel wrote:
    Hykem wrote: Please feel free to share the code when you're satisfied with it.
    Sure, I will do it with pleasure as soon as I've optimized the research process of mapped syscalls.
Thanks, much appreciated!
MichelMichel
- Posts: 12
- Joined: Wed Mar 11, 2015 10:12 pm
Re: vitasploit - Exploitation Framework
Not sure about what I am going to say, but the result of some tests:
* Syscalls aren't filtered but only exported or not per process
* sceLibKernel is built at process startup and is different per process
* "Non-existing" syscalls are all redirected to exit() acting as a "trap"
Good news, some "unexported" syscalls are crashing:
Code:
[+] DBG: @61 CALL 555 ( 0xe07f9b2e, 0xb1230a59, 0xa9e1fad5, 0xffffffff )
[+] DBG: res 0x80022005
[+] DBG: @62 CALL 555 ( 0xa56587bc, 0xdd183b6a, 0x22e85b86, 0x887cd405 )
[+] DBG: res 0x80022005
[+] DBG: @63 CALL 555 ( 0x2f90d98c, 0x186ecad8, 0xe0484d88, 0xe40a7 )
[+] DBG: res 0x80022005
[+] DBG: @64 CALL 555 ( 0x86b0d977, 0xffffffff, 0xffffffff, 0xa3 )
[+] DBG: res 0x80800001
[+] DBG: @65 CALL 555 ( 0x0, 0xffffffff, 0x0, 0x0 )
<<CRASH HAPPEN>>
I am still looking for a way to fast-scan 4096 syscall numbers without being trapped by exit() causing a Webkit restart...
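The "[+] DBG:" logs in the posts above are the raw material for the syscall blacklist MichelMichel wants to build. The following is an added Python example, not vitasploit's code and not MichelMichel's: it parses that log format, builds a per-syscall histogram of result codes, and records which argument sets crashed the process. It assumes the conventions visible in the logs (decimal "@N" iteration, hex syscall number, hex or "0" result) and treats any CALL with no following "res" line, such as the one before <<CRASH HAPPEN>>, as a crash; the sample log is constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the "[+] DBG:" format of the posts above (not a real capture).
SAMPLE_LOG = """\
[+] DBG: @951 CALL 318 ( 0x852b7451, 0x11b6f477, 0xbc54756f, 0x86cdcf5e )
[+] DBG: res 0
[+] DBG: @952 CALL 318 ( 0x90909cac, 0x3541f1e3, 0x5d7e8746, 0xacc26d78 )
[+] DBG: res 0x80022005
[+] DBG: @64 CALL 555 ( 0x86b0d977, 0xffffffff, 0xffffffff, 0xa3 )
[+] DBG: res 0x80800001
[+] DBG: @65 CALL 555 ( 0x0, 0xffffffff, 0x0, 0x0 )
<<CRASH HAPPEN>>
"""
# Assumed conventions: "@N" is a decimal iteration, the syscall number is hex, res is hex or "0".
CALL_RE = re.compile(r"@(\d+) CALL ([0-9a-fA-F]+) \( (.*?) \)")
RES_RE = re.compile(r"\bres (0x[0-9a-fA-F]+|\d+)")

def parse_log(text):
    """Yield (iteration, syscall, args, result). result is None when no 'res' line
    follows the CALL, i.e. the process died before it could log one."""
    pending = None
    for line in text.splitlines():
        m = CALL_RE.search(line)
        if m:
            if pending is not None:          # previous call never reported back
                yield pending + (None,)
            args = [int(a, 16) for a in m.group(3).split(", ")]
            pending = (int(m.group(1)), int(m.group(2), 16), args)
            continue
        m = RES_RE.search(line)
        if m and pending is not None:
            yield pending + (int(m.group(1), 0),)
            pending = None
    if pending is not None:                  # log ended mid-call: a crash
        yield pending + (None,)

def triage(text):
    """Per syscall number: histogram of result codes plus the argument sets that crashed it."""
    summary = defaultdict(lambda: {"results": defaultdict(int), "crashes": []})
    for _iteration, num, args, res in parse_log(text):
        if res is None:
            summary[num]["crashes"].append(args)
        else:
            summary[num]["results"][res] += 1
    return summary

def blacklist(text):
    """Syscall numbers to skip on the next run: the ones that took the process down."""
    return sorted(num for num, entry in triage(text).items() if entry["crashes"])
```

Feeding the blacklist back into the next run is what keeps a single bad call from restarting WebKit and wiping the session every time.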
Re: vitasploit - Exploitation Framework
MichelMichel wrote:
    Not sure about what I am going to say, but the result of some tests:
    * Syscalls aren't filtered but only exported or not per process
    * sceLibKernel is built at process startup and is different per process
    * "Non-existing" syscalls are all redirected to exit() acting as a "trap"
    Good news, some "unexported" syscalls are crashing:
    Code:
    [+] DBG: @61 CALL 555 ( 0xe07f9b2e, 0xb1230a59, 0xa9e1fad5, 0xffffffff )
    [+] DBG: res 0x80022005
    [+] DBG: @62 CALL 555 ( 0xa56587bc, 0xdd183b6a, 0x22e85b86, 0x887cd405 )
    [+] DBG: res 0x80022005
    [+] DBG: @63 CALL 555 ( 0x2f90d98c, 0x186ecad8, 0xe0484d88, 0xe40a7 )
    [+] DBG: res 0x80022005
    [+] DBG: @64 CALL 555 ( 0x86b0d977, 0xffffffff, 0xffffffff, 0xa3 )
    [+] DBG: res 0x80800001
    [+] DBG: @65 CALL 555 ( 0x0, 0xffffffff, 0x0, 0x0 )
    <<CRASH HAPPEN>>
    I am still looking for a way to fast-scan 4096 syscall numbers without being trapped by exit() causing a Webkit restart...
I think it's not really calling "exit()", but rather causing an exception within the Webkit process, resulting in it restarting. Though I don't know what code you are running in particular, so it's just a guess.
MichelMichel
- Posts: 12
- Joined: Wed Mar 11, 2015 10:12 pm
Re: vitasploit - Exploitation Framework
@Netrix, Thanks for the information.
@Hykem, I found a way to have (almost? 823) all syscall numbers, even unexported ones, without scanning, without webkit restart... My code is ready to merge!
I can now fuzz a particular syscall even if the Vita restarted!
Edit: I MITMed my Vita during the crash report... the Vita POSTs the core dump over HTTPS to zeke.scea.com...
Edit2: @Hykem, I forked the project because I'm going to do really dirty things on it... and only 3.18 support.
https://github.com/JumpCallPop/vitasploit