Two supposed lv2 exploits unveiled
Published: 24 Sep 2012, 11:40
In recent days, reports have surfaced of two supposed exploits in the PS3's lv2.
First was the developer naehrwert, who said he had a possible lv2_kernel exploit.
In the last few hours, another developer by the name of KDSBest appears to have found another one.
Sources:
naehrwert
KDSBest
First was the developer naehrwert, who said he had a possible lv2_kernel exploit.
A long while ago KaKaRoTo pointed me to a stack overflow he found while reversing lv2_kernel. But there are two problems:
The vulnerability is in a protected syscall (the SELF calling it got to have the 0x40… control flags set). So you'd first need to find a suitable usermode exploit (don't ask us), that gives you code execution with the right privileges.
The payload data is copied to lv2 heap first and the function will do a free call on it before the payload has any chance to get executed. This might not sound like a problem but it looks like lv2's heap implementation will overwrite the freed space with 0xABADCAFE and thus destroy the payload.
Here is my sample implementation for 3.41 lv2_kernel (although the vulnerability should be present in all versions of lv2 up to the latest firmware), maybe one of you will find a way to overcome problem (2.) and can get something nice out of it because right now it's only good to crash lv2.
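Added example (not code from either developer or from lv2 itself): a hypothetical C allocator that poisons freed blocks with 0xABADCAFE, the heap behaviour naehrwert describes, showing why data copied into a heap block and released before use cannot survive. The arena, function names and sample bytes are all constructed for this illustration.

```c
#include <stdint.h>
#include <string.h>

/* Pattern the quoted note says lv2's heap writes over freed blocks. */
#define FREE_POISON 0xABADCAFEu

/* Hypothetical bump allocator over a static arena (stands in for the lv2 heap). */
static uint8_t arena[4096];
static size_t arena_top;

static void *poison_alloc(size_t n) {
    n = (n + 3) & ~(size_t)3;              /* word-align so poisoning covers the block */
    if (arena_top + n > sizeof arena) return NULL;
    void *p = arena + arena_top;
    arena_top += n;
    return p;
}

/* Free = overwrite the block with 0xABADCAFE words, which is exactly what
   destroys data that was copied into a block released before it is used. */
static void poison_free(void *p, size_t n) {
    uint32_t word = FREE_POISON;
    uint8_t *b = p;
    for (size_t i = 0; i + sizeof word <= n; i += sizeof word)
        memcpy(b + i, &word, sizeof word);
}

/* 1 if every full word in the block holds the poison pattern, else 0. */
int block_is_poisoned(const void *p, size_t n) {
    uint32_t word;
    const uint8_t *b = p;
    for (size_t i = 0; i + sizeof word <= n; i += sizeof word) {
        memcpy(&word, b + i, sizeof word);
        if (word != FREE_POISON) return 0;
    }
    return 1;
}

/* The sequence from the note: copy src into a heap block, free it, then test
   whether the copy survived. Returns 1 (intact), 0 (destroyed), -1 (no memory);
   *out receives the block so the caller can inspect it. */
int copy_then_free_intact(const uint8_t *src, size_t n, void **out) {
    void *blk = poison_alloc(n);
    if (!blk) return -1;
    memcpy(blk, src, n);
    poison_free(blk, n);                   /* released before the copy is ever used */
    *out = blk;
    return memcmp(blk, src, n) == 0;
}

/* Constructed stand-in for the copied bytes (exactly 16 bytes, no terminator). */
static const uint8_t sample_data[16] = "constructed data";
```

Running copy_then_free_intact on sample_data returns 0 and block_is_poisoned on the returned block returns 1, which is the failure mode the note calls problem (2.).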
In the last few hours, another developer by the name of KDSBest appears to have found another one.
Since @naehrwert posted an lv2 exploit I will do so too. The stack pointer points to lv2 and if we do a syscall, the syscall saves registers to the stack HAHA. Btw. It just crashes the console for now, since I totally overwrite dump the lv2 or some memory addresses I don't know. Feel free to try around, adjust the address of the stackpointer and so on. If you managed to get the panic payload executed, tell me!!! ^^