Developer Naehrwert Explains Possible lv2_kernel Exploit

Published on 09-20-2012 01:09 PM

17 Comments

Roughly ninteen hours ago I got a Tweet from developer naehrwert regarding exploiting LV2 of the PlayStation 3. Unfortunately life takes it's toll and I was unable to get this information to you quicker. With that said he also stated in a previous Tweet, "sadly this is not as nice as it looks like". So don't get too excited yet. In a recent blog post by the developer he highlights a stack overflow vulnerability in the PS3's lv2_kernel. But the kernel exploit has it's challenges and he invokes other developers who might be up to the challenge. Here is a quote from the developer.

About lv2_kernel exploit:

A long while ago KaKaRoTo pointed me to a stack overflow he found while reversing lv2_kernel. But there are two problems:

The vulnerability is in a protected syscall (the SELF calling it got to have the 0×40… control flags set). So you’d first need to find a suitable usermode exploit (don’t ask us), that gives you code execution with the right privileges.
The payload data is copied to lv2 heap first and the function will do a free call on it before the payload has any chance to get executed. This might not sound like a problem but it looks like lv2′s heap implementation will overwrite the free’ed space with 0xABADCAFE and thus destroy the payload.

Here is my sample implementation for 3.41 lv2_kernel (although the vulnerability should be present in all versions of lv2 up to the latest firmware), maybe someone of you will find a way to overcome problem (2.) and can get something nice out of it because right now it’s only good to crash lv2.

Source: @naehrwert via nwert.wordpress

PSX-SCENE: The Pinnacle Scene Xenocracy

● Latest News ● Report News ● Search Forums ● Hall of Fame ●
● Facebook.com/PSXScene ● RSS ● Twitter.com/psx_scene ●

Share
- Share this post on
- Digg
- Del.icio.us
- Technorati
- Twitter

nullptr likes this.

Categories:

_{Tags :

naehrwert,

ps3,

ps3 custom firmware,

ps3 exploit,

ps3 hacking}

17 Comments

JOshISPoser - 09-20-2012, 01:56 PM
- Reply
anyone care to explain this in laymen terms? I thought we already have done something with lv2...

Mathematician - 09-20-2012, 03:00 PM
- Reply
Is there anyway to modify the free call to write the payload instead of 0xABADCAFE?

I guess if that was possible, it would be possible to write the free call elsewhere where it wouldn't interfere with the payload or just have it modified to not write anything at all.

Is there anyway to protect the memory addresses to prevent the freecall to have write access in the payload regions. Maybe before lv2 functions, be able to escalate protections in the payload region to only read instead of write after the payload is written? (which brings up a good question, when does the payload get written there)

Does the freecall function eventually time out if it cannot write the free space?

Witchfinder - 09-20-2012, 03:21 PM
- Reply
Originally Posted by Mathematician

Is there anyway to modify the free call to write the payload instead of 0xABADCAFE?

I guess if that was possible, it would be possible to write the free call elsewhere where it wouldn't interfere with the payload or just have it modified to not write anything at all.

Is there anyway to protect the memory addresses to prevent the freecall to have write access in the payload regions. Maybe before lv2 functions, be able to escalate protections in the payload region to only read instead of write after the payload is written? (which brings up a good question, when does the payload get written there)

Does the freecall function eventually time out if it cannot write the free space?

How about 1xAGOODCAFE ?

SlayeD - 09-20-2012, 03:50 PM
- Reply
Just pls say! this is a Big step for a new 3.60+ CFW.

JOshISPoser - 09-20-2012, 03:53 PM
- Reply
we need an encrypt key for that.

cloud17 - 09-20-2012, 08:58 PM
- Reply
Originally Posted by Witchfinder

How about 1xAGOODCAFE ?

LMAO you made my day sir xD

Gradius - 09-20-2012, 09:57 PM
- Reply
This ain't for new "CFW 3.60".

This is for CFW 4.25 !

Ramosxtreme1976 - 09-20-2012, 10:06 PM
- Reply
i hope a cfw does come out that would the shit

JOshISPoser - 09-20-2012, 10:13 PM
- Reply
so, i guess i was kinda wrong. i don't understand this too much at all.

Ziken - 09-20-2012, 10:56 PM
- Reply
Originally Posted by Gradius

This ain't for new "CFW 3.60".

This is for CFW 4.25 !

So, basically, what this article is telling us is that, if LV2 is possible, then it mean that CFW 4.25 is possible?

crossx - 09-21-2012, 03:44 AM
- Reply
life takes it's toll

the kernel exploit has it's challenges

please fix this

romaan - 09-21-2012, 05:20 AM
- Reply
did not understand one: why so many nop (empty cycle) need?

CS67700 - 09-21-2012, 06:15 AM
- Reply
Bragging about things that will "presumably work" isn't gonna do it.

If those guys really knew what they were doing, they wouldn't wait for someone else to do it, but would actually do it.

We had our share of brag and drama with 13 yo devs like matthieul, enough of it.

Some results, please.

C4 eva never brags about anything, takes time for him to release stuff, but he always gets the job done properly.

vronz - 09-21-2012, 06:48 AM
- Reply
Originally Posted by Witchfinder

How about 1xAGOODCAFE ?

there are no "G" and "O" in hexadecimal numbers, that's why it's 0xABADCAFE, because hexadecimal numbers include the letters A, B, C, D, E, F and the digits from 0 to 9, as well "0x" is used in C-language notation to denote that hexadecimal number follows and thus no "1x" either. so, you're out of luck with "1xAGOODCAFE".

Mathematician - 09-21-2012, 11:15 AM
- Reply
Replace G = 6 O = 0
1xA600DCAFE

(It's not the same, we need to make base 17 numbers to include G). Not to mention, mathematically the symmetricness of base 17 would be quite chaotic.

preciousRoy - 09-21-2012, 01:55 PM
- Reply
Originally Posted by romaan

did not understand one: why so many nop (empty cycle) need?

It's a nop sled. It's a common method in exploits to get your payload code to the correct offset of a page of memory. Basically you're using the empty cycles as padding to overwrite a chunk of code in RAM.