

Vulnerabilities

2,351 bytes added, 12 October
[https://github.com/TheOfficialFloW/h-encore/blob/master/WRITE-UP.md#buffer-overflow h-encore writeup by TheFloW]
 
=== Youtube sp control exploit ===
 
There was a vulnerability in the YouTube application that could be used to manipulate sp (the stack pointer).
 
However, Sony has already stopped delivering applications.
 
Also, it is not DRM-free, so it cannot be exploited.
=== PSP Emulator escape ===
==== sceKernelGetMutexInfo_089 can write into kernel memory ====
 
SceThreadmgr_69B78A12 should have been exported as a kernel function, but Sony mistakenly exported it as a user function.
 
The sceKernelGetMutexInfo_089 vulnerability is a restricted kernel write from userland.
No PoC available.
 
<source lang="C">
 
// user export
//
// Userland-reachable wrapper around ksceKernelGetMutexInfo(). Translates the
// caller's mutex UID to a kernel UID, lets the kernel routine fill *info, then
// patches the result in place.
//
// mutexid: user-side mutex UID
// info:    output buffer. The caller's pointer is handed to the kernel routine
//          and written through as-is; nothing here checks that it points to
//          user memory (the example below passes a kernel address).
//
// Returns 0xC0028141 when the UID cannot be translated, otherwise the status
// of the last kernel call made.
int SceThreadmgr_69B78A12(SceUID mutexid, SceKernelMutexInfo *info)
{
int res;
SceUID kernel_mutexid;
void *soma_ptr;
 
// User UID -> kernel UID; a negative result means the UID is not usable here.
kernel_mutexid = ksceKernelKernelUidForUserUid(0, mutexid);
if (kernel_mutexid < 0)
return 0xC0028141;
 
// Fills *info; that copy is bounded by info->size and clamped to 0x40 bytes.
res = ksceKernelGetMutexInfo(kernel_mutexid, info);
if (res < 0)
return res;
 
// Report the caller's UID rather than the kernel one.
info->mutexId = mutexid;
// Looks up a pointer associated with the user UID; beyond the flag word read
// below, what it points to is not shown here.
res = SceSysmemForKernel_86E83C0D(0, mutexid, &soma_ptr);
if (res < 0)
return res;
 
// Decompiler artifacts: a4 is a register temporary (presumably ARM r3),
// FLAGS/N the condition flags. Shifting left by 12 moves bit 19 of the flag
// word into bit 31, so N == 0 means that bit is clear and the OR is skipped.
a4 = *(uint32_t *)(soma_ptr) << 0xC;
FLAGS = a4;
if (N == 0) // shifted value non-negative, i.e. bit 19 of *soma_ptr is clear
goto loc_8102D744;
 
// Sets bit 19 of the word at info+0x28. Unlike the memcpy inside
// ksceKernelGetMutexInfo, this write is not bounded by info->size.
*(uint32_t *)((int)info + 0x28) |= 0x80000;
 
loc_8102D744:
return res;
}
 
// kernel export
//
// Copies the state of mutex `mutexid` into *info. The only validation is that
// `info` is non-NULL and that info->size is at most 0x40; the pointer itself
// is not checked, so callers decide where the copy lands.
//
// mutexid: kernel mutex UID
// info:    output buffer; info->size selects how much is copied (<= 0x40)
//
// Returns 0x80020006 for a NULL info, 0x8002000B for an oversize request,
// the error of a failing helper call, otherwise the status of the last
// helper called.
int ksceKernelGetMutexInfo(SceUID mutexid, SceKernelMutexInfo *info)
{
int state;
int res;
void *some_ptr;
SceKernelMutexInfo mutex_info; // kernel-side copy, filled by sub_8100D344
 
ENTER_SYSCALL(state); // balanced by EXIT_SYSCALL at the single exit label
 
if (info == NULL){
res = 0x80020006;
goto loc_8100E862;
}
 
// First read of the caller-supplied size.
if ((uint32_t)(info->size) > 0x40){
res = 0x8002000B;
goto loc_8100E862;
}
 
res = sub_8100D344(mutexid, &mutex_info);
if (res < 0)
goto loc_8100E862;
 
// Reads CP15 c13/c0/3 (TPIDRURO, the user read-only thread ID register) into
// r3, which the decompiler shows as a4. Shifting left by 15 moves bit 16 of
// that value into bit 31, so N == 0 means bit 16 is clear and the owner ID is
// copied untranslated. What that bit denotes is not shown here.
asm("mrc p15, #0, r3, c13, c0, #3\n");
a4 = a4 << 0xF;
FLAGS = a4;
if (N == 0) // bit 16 of the thread register is clear
goto loc_8100E852;
 
if (mutex_info.currentOwnerId != 0) {
 
// Replace the owner UID with the word at offset 0xC0 of whatever the mutex
// object's first word points to (double dereference below).
res = ksceKernelGUIDGetObject(mutexid, &some_ptr);
if (res < 0)
goto loc_8100E862;
 
mutex_info.currentOwnerId = *(uint32_t *)(*(uint32_t *)(some_ptr) + 0xC0);
}
 
loc_8100E852:
// Second read of info->size. It is clamped to 0x40 here as well, so the copy
// cannot exceed 0x40 bytes even if the size changed since the check above.
memcpy(info, &mutex_info, ((uint32_t)(info->size) >= 0x40) ? 0x40 : info->size);
 
loc_8100E862:
EXIT_SYSCALL(state);
return res;
}
 
</source>
 
Example:
 
<source lang="C">
 
kernel memory
0x018E2540 : 25 00 00 00 00 FF 00 00 01 00 00 00 05 00 01 00
0x018E2550 : FF FF FF FF 2D 91 07 00 55 55 00 00 3B 57 A2 00
0x018E2560 : 00 00 02 00 78 56 34 12 00 09 00 00 FF FF FF FE
 
// The first word at 0x18E2540 is "25 00 00 00", i.e. info->size == 0x25, so
// the kernel routine's memcpy writes 0x25 bytes of mutex info over this
// kernel address, reached through the user-exported wrapper.
SceThreadmgr_69B78A12(0x40010173, (SceKernelMutexInfo *)0x18E2540);
 
</source>
 
In this case, only 0x25 bytes starting at 0x18E2540 will be overwritten by the mutex info.
=== SceNgs design flaws (h-encore) ===
