
Module Information is wrong

Open Cryptogenic opened this issue 8 years ago • 0 comments

Edit: I forgot this issue was discussed in a previously opened issue :p. The point still stands that it should be reverted, as it isn't functional anyway.

After going back to some PS4 work, I noticed the newer changes to the PoC, particularly the module information printing. The merge from @Thunder07's branch broke module information printing completely as sys_dynlib_get_info only gives null bytes for every module at the offsets he's provided. The only way to get the base address is from sys_dynlib_get_info_ex, which was the system call used in the official PoC.

Because Sony stripped the system call, every piece of information returned by the PoC about a given module is wrong, as it just returns null.

$ python server.py
Modified arr length = 0x80000000
Modified arr length = 0x80000000
Found ArrayBufferView in memory!
Modified index is 51
Found modified ArrayBufferView!
Found modified ArrayBuffer!
vtable = 0x81ebf0d80
webkit_base_addr = 0x81c5f0000
buffer addr = 0x201fa1000
Starting ROP...
Printing module information...
Module name: libkernel.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceLibcInternal.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceSysmodule.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceNet.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceNetCtl.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceIpmi.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceMbus.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceRegMgr.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceRtc.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libScePad.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceVideoOut.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceOrbisCompat.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceWebKit2.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceSysCore.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceSystemService.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceSsl.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceVideoCoreServerInterface.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceWebBrowserInjectedBundle.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============

Latest commit d79db657b5e54d25f1d7217133a259fe96d8a55a should be reverted.

Cryptogenic avatar Mar 14 '17 04:03 Cryptogenic
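The output above shows the failure mode the issue describes: every module record prints with base and size fields of 0x0, so the PoC is reporting information it never actually obtained. The following is an added example (not code from Cryptogenic, from the PoC repository, or from any of its branches) that parses the "Module name: ... / ===============" records the server prints and flags any module whose fields are all zero, which is the check a reader would want before trusting a printed module base. The sample log is constructed: the first record is copied from the issue output, the second is a hypothetical healthy record with made-up addresses.

```python
"""Sanity-check the module information records printed by the PoC's server.py.

Added example, not part of the original issue or the PoC repository. A record in
which every numeric field is zero means the underlying query returned nothing
useful (the symptom this issue reports), so it should be flagged rather than
printed as if it were a real base address.
"""
import re
from dataclasses import dataclass, field

# Constructed sample log. The libkernel.sprx record is copied from the issue's
# output; the libSceWebKit2.sprx record is hypothetical, with made-up values,
# to show what a healthy record looks like to the parser.
SAMPLE_LOG = """\
Starting ROP...
Printing module information...
Module name: libkernel.sprx
Module Base: 0x0
Module size: 0x0
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x0
Module Data size: 0x0
===============
Module name: libSceWebKit2.sprx
Module Base: 0x810000000
Module size: 0x100000
Module Unknown Data Base: 0x0
Module Unknown Data size: 0x0
Module Data Base: 0x811000000
Module Data size: 0x20000
===============
"""

# Matches "Module <field>: 0x<hex>" lines; the field name is everything between
# "Module " and the colon (e.g. "Base", "Unknown Data size").
FIELD_RE = re.compile(r"^Module (?P<key>[A-Za-z ]+?): (?P<val>0x[0-9a-fA-F]+)$")


@dataclass
class ModuleInfo:
    name: str
    fields: dict = field(default_factory=dict)

    def is_null(self) -> bool:
        """True when every numeric field is zero, i.e. no data was returned."""
        return bool(self.fields) and all(v == 0 for v in self.fields.values())


def parse_module_info(log: str) -> list[ModuleInfo]:
    """Split the printed output into one ModuleInfo per 'Module name:' record."""
    modules: list[ModuleInfo] = []
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("Module name: "):
            current = ModuleInfo(name=line[len("Module name: "):])
            modules.append(current)
            continue
        if current is None:
            continue
        if line.startswith("==="):
            current = None  # record separator
            continue
        m = FIELD_RE.match(line)
        if m:
            current.fields[m.group("key")] = int(m.group("val"), 16)
    return modules


def find_null_modules(log: str) -> list[str]:
    """Names of modules whose printed information is entirely zero."""
    return [m.name for m in parse_module_info(log) if m.is_null()]


if __name__ == "__main__":
    bad = find_null_modules(SAMPLE_LOG)
    if bad:
        print("module info is null for:", ", ".join(bad))
    else:
        print("all module records contain data")
```

Run against the full output pasted in this issue, `find_null_modules` returns all eighteen module names, which is the quickest way to confirm that the printing code is not producing usable information rather than eyeballing each record.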