Exploit natif vitasploit par Hykem

Soumis par Attila le ven, 14/11/2014 - 16:51

Voici une implémentation de l'exploit Webkit de la PS Vita (Firmware 3.18 maximum) par Hykem permettant de faire plusieurs opérations avec la mémoire ou l'OS de la Vita, exécuter du code ROP.

Il s'agit d'un outil pour développeur. Si vous n'êtes pas développeur/hackeur, ça ne servira à rien de l'essayer ...

Avec vitasploit vous pourrez explorer un peu votre PS Vita.

Instructions

Quote:
Start up the server by running the server.py script. Using your Vita browse to the address printed by the script (http://:8888).

Memory reading/writing mode:

In the main html file (index.html) set initMemoryHole(false);
With this setting the script will launch an interactive shell for memory reading/writing;
Commands:
read -> Read "len" bytes from "addr" (the output is printed to the shell)
disasm -> Disassemble "len" bytes at "addr" with "mode" (mode can be "arm" or "thumb)
dump -> Dump "len" bytes from "addr" to "outfile" (dumped files are saved under "dumps" folder)
ss -> Search for string "pattern" from "beginaddr" to "endaddr"
scanm -> Scan for modules starting at "beginaddr"
dispx -> Display module exports starting at "beginaddr"
dispim -> Display module imports starting at "beginaddr"
dispminf -> Display module info starting at "beginaddr"
scanback -> Scan back memory until it crashes starting at "beginaddr" using "step"
reload -> Reload the interactive shell
help -> Print the available commands and their syntax
exit -> Terminate the interactive shell

ROP mode:

In the main html file (index.html) set initMemoryHole(true);
With this setting the script will launch a pre-programmed, firmware dependent, ROP chain;
You can use the functions availabe at include/samples.js to interact in a SDK-like fashion with the Vita;
The functions are called from the include/exploit.js file. Simply uncomment them and modify as you wish;
The following tests are currently implemented for firmwares 3.00, 3.15 and 3.18:
Module dumping test -> Based on CodeLion/BrianBTB/BBalling1's module dumping code and complemented by nas's sysmodule loading code. Forces all user modules to be loaded into memory and dumps them to "dumps" folder
Memory test -> A simple memory alloc/free test using the SceLibKernel syscalls
Socket connection test -> Original (akai) socket test to send messages to/from the Vita
Directory listing test -> Original (akai) test to list directories inside the Vita
File retrieval test -> Original (akai) test to find and dump user files from the Vita

https://github.com/Hykem/vitasploitSite officiel : https://github.com/Hykem/vitasploit

Tags: 
Exploit
natif
hykem


Identifiez vous pour télécharger les fichiers.

Contenu similaire