|
|
Line 267: |
Line 267: |
| == Custom malloc()/free() implementation == | | == Custom malloc()/free() implementation == |
|
| |
|
| This library contains a custom malloc() and free() implementation. In 3.35 <code>void *malloc(int size, char flags, int align)</code> is located at offset 0x57b8 and <code>void free(void *ptr)</code> at 0x5a40. Another way to find them is search for immediate value 0x4D61416B, one will be in a data segment and referenced by malloc, another is an immediate value used from free. | | This module contains a custom malloc() and free() implementation. In 3.35 <code>void *malloc(int size, char flags, int align)</code> is located at offset 0x57b8 and <code>void free(void *ptr)</code> at 0x5a40. Another way to find them is search for immediate value 0x4D61416B, one will be in a data segment and referenced by malloc, another is an immediate value used from free. |
|
| |
|
| Here's an illustration of how allocated/free chunks work: | | Here's an illustration of how allocated/free chunks work: |
Revision as of 04:09, 9 November 2016
Module
Known NIDs
Version |
Name |
World |
Privilege |
NID
|
1.69 |
SceNetPs |
Non-secure |
Kernel |
0x32573904
|
Libraries
Known NIDs
SceNetPsForDriver
SceNetPsForSyscalls
sceNetSyscallSetsockopt
Version |
NID
|
1.69 |
0x10DE34EA
|
sceNetSyscallRecvfrom
Version |
NID
|
1.69 |
0x144C9758
|
sceNetSyscallConnect
Version |
NID
|
1.69 |
0x14A4DE52
|
sceNetSyscallClose
Version |
NID
|
1.69 |
0x1EBC2E28
|
sceNetSyscallDumpClose
Version |
NID
|
1.69 |
0x263E52FD
|
sceNetSyscallBind
Version |
NID
|
1.69 |
0x267F1EF9
|
sceNetSyscallIoctl
Version |
NID
|
1.69 |
0x310F0725
|
sceNetSyscallRecvmsg
Version |
NID
|
1.69 |
0x32C1AE45
|
sceNetSyscallSendto
Version |
NID
|
1.69 |
0x39796C01
|
sceNetSyscallDumpRead
Version |
NID
|
1.69 |
0x3CBE7071
|
sceNetSyscallSysctl
Version |
NID
|
1.69 |
0x3D7495B0
|
sceNetSyscallDumpCreate
Version |
NID
|
1.69 |
0x3FC34171
|
sceNetSyscallAccept
Version |
NID
|
1.69 |
0x45EAAD89
|
sceNetSyscallDumpAbort
Version |
NID
|
1.69 |
0x5CD20B54
|
sceNetSyscallGetsockname
Version |
NID
|
1.69 |
0x6AA945D9
|
sceNetSyscallEpollClose
Version |
NID
|
1.69 |
0x75E82300
|
sceNetSyscallSocket
Version |
NID
|
1.69 |
0x81A120BE
|
sceNetSyscallDescriptorClose
Version |
NID
|
1.69 |
0x854AFB6F
|
sceNetSyscallGetIfList
Version |
NID
|
1.69 |
0x878274CE
|
sceNetSyscallIcmConnect
Version |
NID
|
1.69 |
0x8C3FBC87
|
sceNetSyscallEpollAbort
Version |
NID
|
1.69 |
0x94C3AE47
|
sceNetSyscallShutdown
Version |
NID
|
1.69 |
0xA4014519
|
sceNetSyscallDescriptorCtl
Version |
NID
|
1.69 |
0xA7064C2C
|
sceNetSyscallEpollCreate
Version |
NID
|
1.69 |
0xA98AEF04
|
sceNetSyscallSendmsg
Version |
NID
|
1.69 |
0xAEC6BE5D
|
sceNetSyscallListen
Version |
NID
|
1.69 |
0xAEEB7CA0
|
sceNetSyscallDescriptorCreate
Version |
NID
|
1.69 |
0xB518A2DE
|
sceNetSyscallGetsockopt
Version |
NID
|
1.69 |
0xBC472DC5
|
sceNetSyscallGetpeername
Version |
NID
|
1.69 |
0xBD7B0213
|
sceNetSyscallEpollCtl
Version |
NID
|
1.69 |
0xDF30BE68
|
sceNetSyscallControl
Version |
NID
|
1.69 |
0xEA0C1B71
|
sceNetSyscallGetSockinfo
Version |
NID
|
1.69 |
0xF7748E56
|
sceNetSyscallSocketAbort
Version |
NID
|
1.69 |
0xF9203B48
|
sceNetSyscallEpollWait
Version |
NID
|
1.69 |
0xF933D6FC
|
Custom malloc()/free() implementation
This module contains a custom malloc() and free() implementation. In 3.35 void *malloc(int size, char flags, int align)
is located at offset 0x57b8 and void free(void *ptr)
at 0x5a40. Another way to find them is search for immediate value 0x4D61416B, one will be in a data segment and referenced by malloc, another is an immediate value used from free.
Here's an illustration of how allocated/free chunks work:
The primary problem with exploiting heap overflows are the red "heap cookies": BuSy
, MaAk
, FrEe
. When a chunk is allocated and the freelist is iterated it checks for the presence of "FrEe" on every iterated chunk. When a chunk is freed, it checks for "BuSy" and "MaAk". If cookies don't match, the code does an *(int*)0 = 0
which crashes the system.
Note that "MaAk" is appended right after the user provided "size" bytes, so it might not be aligned.