Exploiting (?) lv2

A long while ago KaKaRoTo pointed me to a stack overflow he found while reversing lv2_kernel. But there are two problems:

  1. The vulnerability is in a protected syscall (the SELF calling it has to have the 0x40… control flags set). So you’d first need to find a suitable usermode exploit (don’t ask us) that gives you code execution with the right privileges.
  2. The payload data is copied to the lv2 heap first, and the function does a free call on it before the payload has any chance to get executed. This might not sound like a problem, but it looks like lv2’s heap implementation overwrites the freed space with 0xABADCAFE and thus destroys the payload.

Here is my sample implementation for the 3.41 lv2_kernel (although the vulnerability should be present in all versions of lv2 up to the latest firmware). Maybe one of you will find a way to overcome problem (2.) and get something nice out of it, because right now it’s only good for crashing lv2.
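To make problem (2.) concrete, here is an added example (not code from the original post and not lv2’s real allocator) of a toy heap whose free routine poisons the released block with the 0xABADCAFE pattern the post mentions. It stages a constructed marker string in a block, frees it with and without poisoning, and checks whether the staged bytes survive. The bump-allocator layout, 4-byte rounding and word-wise fill order are assumptions made for this demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Poison pattern taken from the post; the allocator around it is a toy
 * built for this example (assumption), not lv2's heap. */
#define POISON_WORD 0xABADCAFEu
#define HEAP_BYTES  256u

/* Static arena declared as uint32_t so every block is 4-byte aligned. */
static uint32_t heap_arena[HEAP_BYTES / sizeof(uint32_t)];
static size_t heap_top = 0;

static size_t round4(size_t n) { return (n + 3u) & ~(size_t)3u; }

/* Bump allocator: hands out consecutive 4-byte-rounded blocks. */
static void *toy_alloc(size_t n) {
    size_t rounded = round4(n);
    if (heap_top + rounded > HEAP_BYTES) return NULL;
    void *p = (uint8_t *)heap_arena + heap_top;
    heap_top += rounded;
    return p;
}

/* Non-poisoning free: block contents are left intact, so whatever was
 * copied there stays readable until the allocator reuses the space. */
static void toy_free_plain(void *p, size_t n) {
    (void)p; (void)n; /* nothing to do in this toy: contents survive */
}

/* Poisoning free: overwrite the block one 32-bit word at a time with
 * 0xABADCAFE, destroying anything staged there before it can be used. */
static void toy_free_poison(void *p, size_t n) {
    uint32_t *w = (uint32_t *)p;
    for (size_t i = 0; i < round4(n) / sizeof(uint32_t); i++) w[i] = POISON_WORD;
}

/* Check: returns 1 if every word of the block carries the poison pattern,
 * i.e. nothing staged there survived the free. */
static int block_is_poisoned(const void *p, size_t n) {
    const uint32_t *w = (const uint32_t *)p;
    for (size_t i = 0; i < round4(n) / sizeof(uint32_t); i++)
        if (w[i] != POISON_WORD) return 0;
    return 1;
}

/* Constructed sample data standing in for "something copied to the heap". */
static const char marker[] = "STAGED-DATA-0123";

/* Stage the marker, free the block with free_fn, and report whether the
 * marker is still intact afterwards (1 = survived, 0 = destroyed). */
static int marker_survives(void (*free_fn)(void *, size_t)) {
    size_t n = sizeof marker;
    char *blk = (char *)toy_alloc(n);
    if (!blk) return -1;
    memcpy(blk, marker, n);
    free_fn(blk, n);
    return memcmp(blk, marker, n) == 0;
}

/* Same experiment, but answered from the allocator's side: is the block
 * fully poisoned after free_fn ran? */
static int freed_block_poisoned(void (*free_fn)(void *, size_t)) {
    size_t n = sizeof marker;
    char *blk = (char *)toy_alloc(n);
    if (!blk) return -1;
    memcpy(blk, marker, n);
    free_fn(blk, n);
    return block_is_poisoned(blk, n);
}

int main(void) {
    printf("plain free : marker survives=%d poisoned=%d\n",
           marker_survives(toy_free_plain), freed_block_poisoned(toy_free_plain));
    printf("poison free: marker survives=%d poisoned=%d\n",
           marker_survives(toy_free_poison), freed_block_poisoned(toy_free_poison));
    return 0;
}
```

The point for a defender is that poison-on-free is cheap to check for (block_is_poisoned) and turns a "data survives until reuse" window into nothing at all, which is exactly why the post’s payload is gone by the time anything could reach it.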

9 thoughts on “Exploiting (?) lv2”

  1. M$ CRT overwrites freed heap buffers only when the application is compiled in DEBUG mode. No idea about Linux and the PS3 especially, but such heap cleanups are a huge performance impact, especially if you are going to free a large buffer.

  2. Might be obvious but:
    Can’t you use mprotect() on these memory pages before they’re freed and write a signal handler (because trying to write to them will trigger a SEGV)?

  3. Pingback: [Rumour] Naehrwert’s Exploiting lv2?!: | Console Gamers

  4. First things first.
    What is the system trying to do at the time of the stack overflow?
    Is it called over and over or does it just occur once at a certain time?

    Some background info like this would be a good place for the rest of us to start.

  5. Pingback: [NEWS] A method to exploit the lv2_kernel released?
