Webkit is pretty buggy, we know that. My PSVita is on 1.80 and thus, some wonder how I’ve been doing things with my vita. How about a history lesson?
It all started in early 2012 with a bunch of people looking into webkit. After a bit of time, a really smart dude called @cmwdotme shows us string dumps and a table of a few memory locations for the vita, and tells us that they were obtained using webkit. He tells us that he couldn’t share the bug used to dump but that ROP can be achieved using CVE-2010-1807. Then we didn’t hear much from him afterwards. No interest perhaps, but regardless I had work to do. Motivation was dwindling as my knowledge about the system and software was poor; i’d never hacked anything other than the PSP which is honestly a joke of security. A read bug was required for us to get any details out of the system. Performing ROP blindly is extremely difficult.
Then a small breakthrough for us after searching hours and hours through CVE records we found this: CVE-2010-4577. This allows an attack to perform a remote read, which is perfect for us. We need to read some memory to do make ROP feasible. So I started work on getting ROP. It didn’t take long, things fell like dominos and I soon had very tediously written ROP. So, my 1.61 vita was running “code”, this was a good day for me.
So now you know the story, here is the program used to convert ROPTool payloads to exploitable html files: HTMLIt
Currently only supports 1.50, 1 .691 and 1.80 / 1.81 but should be trivial to extend.
Embarrassingly, my vita was (unintentionally) updated to firmware 1.80 before this tool or roptool was complete.
As always, the credits:
Proxima – Webkit stuff and 1.50 support
Bubbletune – floating point crap