|
|
| Line 51: |
Line 51: |
| | | 3.60 || 0x21F4428D | | | 3.60 || 0x21F4428D |
| | |} | | |} |
| − | === sceNetRecvFromForDriver === | + | === sceNetRecvfromForDriver === |
| | {| class="wikitable" | | {| class="wikitable" |
| | |- | | |- |
| Line 58: |
Line 58: |
| | | 3.60 || 0x49B1669C | | | 3.60 || 0x49B1669C |
| | |} | | |} |
| | + | |
| | === sceNetSetsockoptForDriver === | | === sceNetSetsockoptForDriver === |
| | {| class="wikitable" | | {| class="wikitable" |
Revision as of 23:38, 18 December 2018
Module
Known NIDs
| Version |
Name |
World |
Privilege |
NID
|
| 1.69 |
SceNetPs |
Non-secure |
Kernel |
0x32573904
|
| 3.60 |
SceNetPs |
Non-secure |
Kernel |
0x5A7BCCDA
|
Libraries
Known NIDs
SceNetPsForDriver
sceNetListenForDriver
| Version |
NID
|
| 3.60 |
0x080C7992
|
sceNetConnectForDriver
| Version |
NID
|
| 3.60 |
0x13491DA1
|
sceNetCloseForDriver
| Version |
NID
|
| 3.60 |
0x21F4428D
|
sceNetRecvfromForDriver
| Version |
NID
|
| 3.60 |
0x49B1669C
|
sceNetSetsockoptForDriver
| Version |
NID
|
| 3.60 |
0x4BF5FAB4
|
sceNetBindForDriver
| Version |
NID
|
| 3.60 |
0x84AB650F
|
sceNetAcceptForDriver
| Version |
NID
|
| 3.60 |
0x880A5423
|
sceNetGetsocknameForDriver
| Version |
NID
|
| 3.60 |
0x8F1BB0E7
|
sceNetGetsockoptForDriver
| Version |
NID
|
| 3.60 |
0x92EE24A6
|
sceNetSendtoForDriver
| Version |
NID
|
| 3.60 |
0xAB746734
|
sceNetGetPeerNameForDriver
| Version |
NID
|
| 3.60 |
0xB949AFD5
|
sceNetSocketForDriver
| Version |
NID
|
| 3.60 |
0xEB95B024
|
sceNetShutdownForDriver
| Version |
NID
|
| 3.60 |
0xEEB19FB6
|
SceNetPsForSyscalls
sceNetSyscallSetsockopt
| Version |
NID
|
| 1.69 |
0x10DE34EA
|
sceNetSyscallRecvfrom
| Version |
NID
|
| 1.69 |
0x144C9758
|
sceNetSyscallConnect
| Version |
NID
|
| 1.69 |
0x14A4DE52
|
sceNetSyscallClose
| Version |
NID
|
| 1.69 |
0x1EBC2E28
|
sceNetSyscallDumpClose
| Version |
NID
|
| 1.69 |
0x263E52FD
|
sceNetSyscallBind
| Version |
NID
|
| 1.69 |
0x267F1EF9
|
sceNetSyscallIoctl
| Version |
NID
|
| 1.69 |
0x310F0725
|
sceNetSyscallRecvmsg
| Version |
NID
|
| 1.69 |
0x32C1AE45
|
sceNetSyscallSendto
| Version |
NID
|
| 1.69 |
0x39796C01
|
sceNetSyscallDumpRead
| Version |
NID
|
| 1.69 |
0x3CBE7071
|
sceNetSyscallSysctl
| Version |
NID
|
| 1.69 |
0x3D7495B0
|
sceNetSyscallDumpCreate
| Version |
NID
|
| 1.69 |
0x3FC34171
|
sceNetSyscallAccept
| Version |
NID
|
| 1.69 |
0x45EAAD89
|
sceNetSyscallDumpAbort
| Version |
NID
|
| 1.69 |
0x5CD20B54
|
sceNetSyscallGetsockname
| Version |
NID
|
| 1.69 |
0x6AA945D9
|
sceNetSyscallEpollClose
| Version |
NID
|
| 1.69 |
0x75E82300
|
sceNetSyscallSocket
| Version |
NID
|
| 1.69 |
0x81A120BE
|
sceNetSyscallDescriptorClose
| Version |
NID
|
| 1.69 |
0x854AFB6F
|
sceNetSyscallGetIfList
| Version |
NID
|
| 1.69 |
0x878274CE
|
sceNetSyscallIcmConnect
| Version |
NID
|
| 1.69 |
0x8C3FBC87
|
sceNetSyscallEpollAbort
| Version |
NID
|
| 1.69 |
0x94C3AE47
|
sceNetSyscallShutdown
| Version |
NID
|
| 1.69 |
0xA4014519
|
sceNetSyscallDescriptorCtl
| Version |
NID
|
| 1.69 |
0xA7064C2C
|
sceNetSyscallEpollCreate
| Version |
NID
|
| 1.69 |
0xA98AEF04
|
sceNetSyscallSendmsg
| Version |
NID
|
| 1.69 |
0xAEC6BE5D
|
sceNetSyscallListen
| Version |
NID
|
| 1.69 |
0xAEEB7CA0
|
sceNetSyscallDescriptorCreate
| Version |
NID
|
| 1.69 |
0xB518A2DE
|
sceNetSyscallGetsockopt
| Version |
NID
|
| 1.69 |
0xBC472DC5
|
sceNetSyscallGetpeername
| Version |
NID
|
| 1.69 |
0xBD7B0213
|
sceNetSyscallEpollCtl
| Version |
NID
|
| 1.69 |
0xDF30BE68
|
sceNetSyscallControl
| Version |
NID
|
| 1.69 |
0xEA0C1B71
|
sceNetSyscallGetSockinfo
| Version |
NID
|
| 1.69 |
0xF7748E56
|
sceNetSyscallSocketAbort
| Version |
NID
|
| 1.69 |
0xF9203B48
|
sceNetSyscallEpollWait
| Version |
NID
|
| 1.69 |
0xF933D6FC
|
Custom malloc()/free() implementation
This module contains a custom malloc() and free() implementation. In 3.35 void *malloc(int size, char flags, int align) is located at offset 0x57b8 and void free(void *ptr) at 0x5a40. Another way to find them is search for immediate value 0x4D61416B, one will be in a data segment and referenced by malloc, another is an immediate value used from free.
Here's an illustration of how allocated/free chunks work:
The primary problem with exploiting heap overflows are the red "heap cookies": BuSy, MaAk, FrEe. When a chunk is allocated and the freelist is iterated it checks for the presence of "FrEe" on every iterated chunk. When a chunk is freed, it checks for "BuSy" and "MaAk". If cookies don't match, the code does an *(int*)0 = 0 which crashes the system.
Note that "MaAk" is appended right after the user provided "size" bytes, so it might not be aligned.
