WebKit ROP Chain Tutorials [Creation/Editing/Debugging] - PS3 Development

Discussion in 'Ps3Xploit [Official Forum]' started by esc0rtd3w, Dec 18, 2017.

  1. aldostools (Developer)
    Did you try doing poke 0x38600001 at lv2 memory address 0x800000000000A334 before calling syscall 389 (sys_sm_set_fan_policy)?
    https://github.com/aldostools/webMAN-MOD/blob/master/include/fancontrol.h#L70

    Note: that poke is 32-bit - it requires peeking the next 4 bytes.
     
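The 32-bit poke from the post above, as an added example in JavaScript (not code from this thread, from the exploit files, or from webMAN-MOD). It assumes hypothetical `peek64`/`poke64` primitives that move exactly 8 bytes big-endian, backed by a constructed in-memory window standing in for lv2 memory, and it encodes `li r3, 1` (standard PowerPC `addi rD, r0, SIMM`, primary opcode 14) to confirm the 0x38600001 value. Because 0x800000000000A334 is 4-byte but not 8-byte aligned, a 64-bit write at that address would also overwrite the first half of the next doubleword; reading the aligned doubleword first and replacing only the half that holds the target is what keeps the neighbouring 4 bytes intact.

```javascript
// Added example: a 32-bit poke layered on 8-byte peek/poke primitives.
// The memory window and its contents are constructed for this example; the
// only real address here is the one quoted in the post.
const TARGET = 0x800000000000A334n;            // from the post
const LV2_BASE = TARGET & ~7n;                 // 0x800000000000A330: aligned doubleword
const mem = new DataView(new ArrayBuffer(64)); // simulated window of lv2 memory

// Fill the window with distinct 32-bit words (0x60000000 is the PPC `nop`
// encoding; the low bits carry the offset so any clobbering is visible).
function fillMemory() {
  for (let off = 0; off < mem.byteLength; off += 4) {
    mem.setUint32(off, 0x60000000 + off, false); // false = big-endian, as on the PPU
  }
}

// Hypothetical stand-ins for the kernel read/write primitives: 8 bytes, big-endian.
function peek64(addr) {
  return mem.getBigUint64(Number(addr - LV2_BASE), false);
}
function poke64(addr, value) {
  mem.setBigUint64(Number(addr - LV2_BASE), BigInt.asUintN(64, value), false);
}

// Encode PowerPC `li rD, SIMM`, i.e. `addi rD, r0, SIMM`: primary opcode 14 in
// bits 0-5, rD in bits 6-10, rA = 0 in bits 11-15, 16-bit signed immediate.
function encodeLi(rD, simm) {
  return ((14 << 26) | ((rD & 0x1f) << 21) | (simm & 0xffff)) >>> 0;
}

// Read the 32-bit word at a 4-byte-aligned address out of its doubleword.
function peek32(addr) {
  const dw = peek64(addr & ~7n);
  return Number((addr & 4n) ? (dw & 0xffffffffn) : (dw >> 32n));
}

// Write a 32-bit word without disturbing the other half of the doubleword:
// peek the aligned 8 bytes, splice the new value into the right half, poke back.
// Returns the doubleword as it was before the write.
function poke32(addr, value32) {
  if (addr % 4n !== 0n) throw new Error("poke32: address must be 4-byte aligned");
  const aligned = addr & ~7n;
  const before = peek64(aligned);
  const v = BigInt(value32 >>> 0);
  const after = (addr & 4n)
    ? (before & 0xffffffff00000000n) | v          // target is the low half
    : (before & 0x00000000ffffffffn) | (v << 32n); // target is the high half
  poke64(aligned, after);
  return before;
}

// What goes wrong without the peek: a plain 64-bit poke at the 32-bit address
// writes the value plus 4 bytes of zeros and clobbers the word at addr + 4.
function naivePoke(addr, value32) {
  poke64(addr, BigInt(value32 >>> 0) << 32n);
}

fillMemory();
const LI_R3_1 = encodeLi(3, 1);                 // 0x38600001, the value from the post
poke32(TARGET, LI_R3_1);
console.log(peek32(TARGET).toString(16), peek32(TARGET + 4n).toString(16)); // 38600001 60000008
```

On the console the same splice has to be done with whatever read primitive the chain actually has; the point is only that the 8-byte write must carry the untouched half along with the new instruction.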
  2. esc0rtd3w (Developer)
    I don't think we can poke without elevated privs?? Or I should say... I do not know how yet :-p

    But I am all ears :D

    I can try it out!
     
  3. bguerville (Moderator, Developer)
    No lv2 peek/poke on 4.8x ofw as long as the kernel protection is not defeated first.
     
  4. Apostol (New Member)
    When will the new tutorial files be posted?
     
  5. esc0rtd3w (Developer)
    Any day now, I will post them.
     
  6. aldostools (Developer)
    Hello! It's awesome what the team has achieved!!

    I don't have any experience with ROP, so I have a question:
    - I understand that the exploit lets you call any function from any library already loaded in memory.
    - Is it possible to execute code stored in a data area? Specifically: if I download a binary file or load an HTML page that shows a hand-crafted image containing a valid image header and PS3 code and functions, traces of the downloaded file or of the "corrupted" image probably remain loaded/stored in some memory area that I suppose the exploit could access if somehow we find its address in memory... is it possible to call these functions, or is this idea not feasible?
     
  7. esc0rtd3w (Developer)
    @aldostools Hmmm... not really. Anything like that would be put in userland and not be executable.

    We set registers in userland with unescaped hex, and use instructions already in exec areas to jump around and navigate.
     
  8. bguerville (Moderator, Developer)
    Unfortunately you cannot do that because only text segments of loaded self/prx are marked executable by the kernel/NX bit.
    The kernel totally controls which areas get executable permissions & which areas don't. From userland, the permissions cannot be modified without defeating lv2 protection because all provisions to directly create an executable area or make an existing area executable have been removed by s#ny from syscalls & other accessible functions.
     
    Last edited: Jan 27, 2018
  9. k9mo (Member)
    @esc0rtd3w Thanks for the new test files, but I think there is a bug in the rename syscall: if the file size is bigger than 70 kb it won't rename it. Can you check? I tried a few times and it didn't work with files bigger than 70 kb, though it worked for files smaller than that.
     
  10. esc0rtd3w (Developer)
    You have to be more specific than that. The rename chain does not care about file size, and the read/write chain is hard-coded to 320 bytes for testing. This can be manually changed to the exact size of your input file, for now.

    The loader.js now also double-checks whether the converted unescape string for the source path had a 00 added to it; if so, the destination path offset automatically sets itself ahead by 0x1 byte to compensate. This has worked well during my testing.
     
    Last edited: Jan 29, 2018
  11. k9mo (Member)
    You say that the default is 340 bytes, but in syscall.js the size is set to 0x00000140. Doesn't that mean it's 140 bytes?
     
  12. bguerville (Moderator, Developer)
    You need to get familiar with hexadecimal,
    0x140 is NOT 140 in decimal!
    0x means hex notation.
    0x140 = 320 in decimal.
     
  13. k9mo (Member)
    Thanks bro, I'll search more about hexadecimal.
     
  14. bguerville (Moderator, Developer)
    Understanding hexadecimal is an essential requirement for ROP, debugging, RE, etc. I suggest getting yourself a good base converter/calculator to help you at the beginning.
     
  15. k9mo (Member)
    Found one online: 65kb = 0x10400, according to the converter.
     
    Last edited: Jan 29, 2018
  16. Apostol (New Member)
    64.3kb = 65936b = 0x00010190 haha it's working
     
  17. bguerville (Moderator, Developer)
    You didn't account for the fact that 65kb is probably referring to hexadecimal. Although technically it should be decimal, the kb & kib notation that lets you be sure of the base isn't always used, & the old kb still usually means hexadecimal.

    For ref.
    0x10 = 16 bytes
    0x10 * 0x10 = 0x100 = 16 * 16 = 256 bytes
    0x4 * 0x100 = 0x400 = 4 * 256 = 1024 bytes
    So in the same way, 65 (= 0x41) x 0x400 = 0x10400 bytes.
    64kb would have been 0x10000 bytes, a round hex number, always a multiple of 16.
     
  18. lord3490 (Member)
    Finally something I understand in this thread (hex) :D

    How many people can read hex if only you and DEAD people can read hex?
    DEAE
     
  19. ErikPshat (New Member)
    Yes! LIC.EDAT = 0x10190. It's working - together with any backups on 4.8x OFW!!!
     
  20. esc0rtd3w (Developer)
    Update: Added File Size Edit To GUI
     
