jimparis
Joined: 10 Jun 2005 Posts: 1179 Location: Boston
Posted: Thu Jun 23, 2005 1:21 pm Post subject: Format string vulnerability on 1.51 and 1.52
Split from the "psp-dev have released their exploit for ver. 1.5" thread.
It appears that the reason the single-card KXploit works on 1.5 is twofold:
- Treating the filename as a format string causes the HELLO% folder name to be translated to HELLO when being passed to the bootstrap code
- The 1.50 bootstrap executes a bare ELF if it's been passed one
Of course, the bare ELF execution was fixed on 1.51 and 1.52, so it no longer works there, failing after boot with 80020148 ("file type unsupported"). But this would only work if the format string vulnerability were still there. Experimentation verifies this:
When danj tried using %p etc, the error changes to 80010002, which would be because HELLO%p changed to e.g. HELLO12345678, and 80010002 is ENOENT.
When Nick Fury tried %c, the error is 8001000D, which is EACCESS and could be caused by %c generating an invalid character in the filename.
When danj tried using %n, it crashes his PSP, because %n causes writes to memory. That's the vulnerability.
I convinced a friend to upgrade 1.51 -> 1.52 and verified that this bug does still exist on 1.52. Writing an exploit is non-trivial, partially because we can't see the result of the format string expansion, and partially because MIPS exploits could be annoying (need to flush dcache)... but it's definitely got potential.
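Added example in C (my own code, not from this thread or any PSP firmware): the bug class the post describes, a name from the memory stick used as the format argument, beside the hardened call and a check a loader can run on an untrusted name before formatting it. It assumes only what the post infers, that the path is built with a printf-style routine; the function names are hypothetical. It also shows why a name ending in %%n behaves differently from one ending in %n: one expansion turns %% into a literal %, so the result is the plain filename HELLO%n and no write happens in that pass.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* The compiler's warning about the deliberately unsafe call below is correct;
 * in real code that warning points straight at the fix. Silenced for the demo. */
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"

/* Constructed illustration of the bug class, not the PSP firmware's code: the
 * folder name from the memory stick becomes the FORMAT argument, so "%%"
 * collapses to "%" and "%p"/"%c"/"%n" are interpreted instead of copied. */
static int build_path_unsafe(char *out, size_t n, const char *folder)
{
    return snprintf(out, n, folder); /* folder controls the format string */
}

/* Hardened form: the name is data behind a fixed format, copied byte for byte. */
static int build_path_safe(char *out, size_t n, const char *folder)
{
    return snprintf(out, n, "%s", folder);
}

/* Defensive check: does an untrusted name hold anything a printf-style routine
 * would interpret?  "%%" is a literal percent; a lone '%' or '%' followed by
 * anything else is a conversion, so such a name must be rejected. */
static bool contains_conversion(const char *name)
{
    for (const char *p = name; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') { p++; continue; } /* "%%" -> literal '%' */
        return true; /* "%p", "%c", "%n", or a trailing lone '%' */
    }
    return false;
}

int main(void)
{
    char unsafe[64], safe[64];
    const char *names[] = { "HELLO", "HELLO%%", "HELLO%%n", "HELLO%n", "HELLO%" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (contains_conversion(names[i])) { /* would trigger the bug: skip */
            printf("%-9s rejected: conversion specifier\n", names[i]);
            continue;
        }
        build_path_unsafe(unsafe, sizeof unsafe, names[i]);
        build_path_safe(safe, sizeof safe, names[i]);
        printf("%-9s unsafe -> %-8s safe -> %s\n", names[i], unsafe, safe);
    }
    return 0;
}
```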
Nick Fury
Joined: 22 Jun 2005 Posts: 45
Posted: Thu Jun 23, 2005 11:16 pm
Is there an emulator that exists that would allow us to determine the output maybe?
FrostAie
Joined: 14 May 2005 Posts: 18
Posted: Fri Jun 24, 2005 2:08 pm Post subject: ALSO
I extracted all the files from the 1.52 update and used the icon, the param and the .psar, but replaced the .psp with the Hello PSP one. It seems it tries to execute it and gets a different error.
DrKickflip13
Joined: 25 Jun 2005 Posts: 14
Posted: Sat Jun 25, 2005 5:22 am
Just to let you know: the update HAS to be run from the folder UPDATE, not UPDATE% or anything else like that.
You probably know that, but most morons at the other forums kept making folders like TEST and wondered why it didn't work.
Last edited by DrKickflip13 on Sat Jun 25, 2005 5:30 am; edited 1 time in total
Nick Fury
Joined: 22 Jun 2005 Posts: 45
Posted: Sat Jun 25, 2005 5:25 am
Thank you, Dr Obvious.
HaredX
Joined: 03 Apr 2005 Posts: 35
Posted: Sat Jun 25, 2005 5:27 am
I tried to add the = sign to the end of my second folder and I got 80020130.
Nick Fury
Joined: 22 Jun 2005 Posts: 45
Posted: Sat Jun 25, 2005 5:30 am
According to errno.h, 0130 is:
EPROCLIM
Not sure what that means... Perhaps someone else can enlighten us.
EDIT: Unless my sources are wrong, that means you have too many processes. This seems like a strange error.
Last edited by Nick Fury on Sat Jun 25, 2005 5:43 am; edited 1 time in total
DrKickflip13
Joined: 25 Jun 2005 Posts: 14
Posted: Sat Jun 25, 2005 5:31 am
Nick Fury, the reason I was telling them about the UPDATE folder was this:
You probably know that, but most morons at the other forums kept making folders like TEST and wondered why it didn't work...
mrbrown
Joined: 17 Jan 2004 Posts: 1536
Posted: Sat Jun 25, 2005 6:14 am
Nick Fury wrote:
> According to errno.h, 0130 is:
> EPROCLIM
> Not sure what that means... Perhaps someone else can enlighten us.

Only error codes that begin with 8001xxxx refer to standard error codes. Error codes that begin with 8002xxxx or any other error codes are PSP-specific.
Nick Fury
Joined: 22 Jun 2005 Posts: 45
Posted: Sat Jun 25, 2005 6:16 am
mrbrown wrote:
> Only error codes that begin with 8001xxxx refer to standard error codes. Error codes that begin with 8002xxxx or any other error codes are PSP-specific.

That's good information to know.
Roscco
Joined: 07 Jun 2005 Posts: 7 Location: Edinburgh, Scotland
Posted: Sat Jun 25, 2005 8:43 am
Nick Fury wrote:
> Is there an emulator that exists that would allow us to determine the output maybe?

Does PSPE not allow for instances such as this?
mvpo.geo
Joined: 25 Jun 2005 Posts: 20
Posted: Sat Jun 25, 2005 3:40 pm
A %%n after the folder's name will allow the PSP to boot to the white PSP screen / splash screen. Then it will freeze there and eventually crash... Hope this helps.
HaredX
Joined: 03 Apr 2005 Posts: 35
Posted: Sat Jun 25, 2005 3:55 pm
It does that with a single %n; it is explained in the original post...
mvpo.geo
Joined: 25 Jun 2005 Posts: 20
Posted: Sat Jun 25, 2005 3:58 pm
No, it doesn't. How about you try it? %n just crashes it right there.
%%n will boot to the white screen with PSP, then crash, thus making progress...
HaredX
Joined: 03 Apr 2005 Posts: 35
Posted: Sat Jun 25, 2005 5:07 pm
No, not really, because whatever you put before %n, it will still be telling the PSP to write to memory, which will crash it no matter what, so there's no way we will be running homebrew with anything%n attached to the end of the folder name.
mvpo.geo
Joined: 25 Jun 2005 Posts: 20
Posted: Sat Jun 25, 2005 5:27 pm
You, my friend, are an idiot... Did I say it would make us run homebrew?
I just said that the %%n is progress from the %n and that the two aren't the same.
F9zDark
Joined: 02 Apr 2005 Posts: 127
Posted: Sat Jun 25, 2005 10:39 pm
Actually, it doesn't matter. When the PSP is given an EBOOT file, it will show the white PSP screen, read the memstick and then give an error message. So no, it really is not progress. The PSP boot animation is given to any EBOOT.PBP when its boot is initiated.
After that, whether it crashes or gives an error isn't really progress. It runs the app in both cases; it's just that in the former its memory is filled with garble, and in the latter it refuses to continue since there is no key or signature.
mvpo.geo
Joined: 25 Jun 2005 Posts: 20
Posted: Sat Jun 25, 2005 11:18 pm
Once again, how about you guys try the codes before trying to say something. Running %n will automatically freeze the PSP and crash it. The %%n will run to the white PSP screen, then it will crash.
HaredX
Joined: 03 Apr 2005 Posts: 35
Posted: Sun Jun 26, 2005 2:41 am
I tried it; you didn't make any progress. Like I said, putting anything %n on a folder will cause your PSP to crash because it is telling it to write to the memory stick. Progress would be getting the PSP NOT to crash.
F9zDark
Joined: 02 Apr 2005 Posts: 127
Posted: Sun Jun 26, 2005 3:51 am
mvpo.geo wrote:
> Once again, how about you guys try the codes before trying to say something. Running %n will automatically freeze the PSP and crash it. The %%n will run to the white PSP screen, then it will crash.

So put another % in there and perhaps you'll get further along...
HAH, yeah right.
All this tells us is that the first % is written to memory; maybe it causes a brief system lag (I don't know what % does to the PSP. In C++, using math functions, it's modulus). Perhaps the PSP is writing whatever the % does to memory, which might take time, so that white screen loads, then it gets to the %n and just craps out.
I have a 1.50 PSP, so trying this will not work on mine (since homebrew can already run on it).
I do suppose I could try it with just the homebrew app placed on the memstick (no swaploit or kxploit) and see what the outcome is.