This project is yet another Vita exploitation solution for the recent WebKit vulnerability that allows exploring the native part of the Vita's software.
The vitasploit project is merely a continuation of the amazing work of Amat Cama, johntheropper and freebot, who presented a complete solution for memory reading/writing and code execution using ROP on the Vita.
Python2: https://www.python.org/downloads/
Capstone: http://www.capstone-engine.org/download.html
Start up the server by running the server.py script. Using your Vita, browse to the address printed by the script (http://<ipaddr>:8888).
Memory reading/writing mode:
- In the main html file (index.html) set `var doROP = false;`
- With this setting the script will launch an interactive shell for memory reading/writing;
- Commands:
  - `read <addr> <len>` -> Read "len" bytes from "addr" (the output is printed to the shell)
  - `run <script>` -> Run a "script" function from the shell (e.g.: "run load_sysmodules()")
  - `disasm <addr> <len> <mode>` -> Disassemble "len" bytes at "addr" with "mode" (mode can be "arm" or "thumb")
  - `dump <addr> <len> <outfile>` -> Dump "len" bytes from "addr" to "outfile" (dumped files are saved under the "dumps" folder)
  - `ss <beginaddr> <endaddr> <pattern>` -> Search for string "pattern" from "beginaddr" to "endaddr"
  - `sh <beginaddr> <endaddr> <hexpattern>` -> Search for a hexadecimal "hexpattern" from "beginaddr" to "endaddr"
  - `scanm <beginaddr>` -> Scan for modules starting at "beginaddr"
  - `dispx <beginaddr> <n>` -> Display module exports starting at "beginaddr"
  - `dispim <beginaddr> <n>` -> Display module imports starting at "beginaddr"
  - `dispminf <beginaddr>` -> Display module info starting at "beginaddr"
  - `scanback <beginaddr> <step>` -> Scan back memory until it crashes, starting at "beginaddr" using "step"
  - `reload` -> Reload the interactive shell
  - `help` -> Print the available commands and their syntax
  - `exit` -> Terminate the interactive shell
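The following is an added example, not code from vitasploit's server.py: a Python 3 sketch of how a shell like the one above can tokenize, validate and dispatch the `read`, `ss`, `sh` and `help` commands. It assumes numeric arguments are hexadecimal with an optional `0x` prefix, runs against a constructed in-memory buffer mapped at a made-up base address instead of the Vita, and leaves out the Capstone-backed `disasm`, the file-writing `dump`, and the module commands. The point it shows is that every address range is bounds-checked against the mapped region before any byte is touched, so a typo in an address yields a shell error rather than a crash.

```python
import re
import shlex

# Constructed sample memory image standing in for the Vita's address space.
# Assumption: this is NOT Vita memory, just bytes mapped at a made-up base.
BASE = 0x81000000
MEMORY = (
    b"\x00" * 16                       # offset 0x00: padding
    + b"SceLibKernel\x00"              # offset 0x10: an ASCII string
    + b"\x01\x02\x03\x04" * 4          # offset 0x1d: a repeated byte pattern
    + b"\x00" * 8                      # offset 0x2d: padding
    + b"sceSysmoduleLoadModule\x00"    # offset 0x35: another string
)


class ShellError(ValueError):
    """Raised for malformed commands so the shell can report and keep running."""


def parse_number(token):
    """Parse a numeric argument. Assumption: arguments are hex, '0x' optional."""
    if not re.fullmatch(r"(0[xX])?[0-9a-fA-F]+", token):
        raise ShellError("not a hex number: %r" % token)
    return int(token, 16)


def window(begin, end):
    """Translate the address range [begin, end) into offsets into MEMORY,
    rejecting any range that is empty or leaves the mapped region."""
    lo, hi = BASE, BASE + len(MEMORY)
    if not (lo <= begin < end <= hi):
        raise ShellError("range %#x-%#x outside mapped %#x-%#x" % (begin, end, lo, hi))
    return begin - BASE, end - BASE


def cmd_read(addr, length):
    """read <addr> <len>: return 'len' bytes starting at 'addr'."""
    start, stop = window(addr, addr + length)
    return MEMORY[start:stop]


def _search(begin, end, needle):
    """Return every address in [begin, end) where 'needle' fully fits."""
    start, stop = window(begin, end)
    hits, pos = [], MEMORY.find(needle, start, stop)
    while pos != -1:
        hits.append(BASE + pos)
        pos = MEMORY.find(needle, pos + 1, stop)
    return hits


def cmd_ss(begin, end, pattern):
    """ss <beginaddr> <endaddr> <pattern>: search for an ASCII string."""
    return _search(begin, end, pattern.encode("ascii"))


def cmd_sh(begin, end, hexpattern):
    """sh <beginaddr> <endaddr> <hexpattern>: search for a byte sequence given in hex."""
    try:
        needle = bytes.fromhex(hexpattern)
    except ValueError:
        raise ShellError("bad hex pattern: %r" % hexpattern) from None
    return _search(begin, end, needle)


# Command table: name -> (handler, one parser per positional argument).
COMMANDS = {
    "read": (cmd_read, (parse_number, parse_number)),
    "ss":   (cmd_ss,   (parse_number, parse_number, str)),
    "sh":   (cmd_sh,   (parse_number, parse_number, str)),
}


def run_command(line):
    """Tokenize one shell line, check the argument count, convert each
    argument with its parser and dispatch. Returns the handler's result."""
    parts = shlex.split(line)
    if not parts:
        raise ShellError("empty command")
    name, args = parts[0], parts[1:]
    if name == "help":
        return sorted(COMMANDS)
    if name not in COMMANDS:
        raise ShellError("unknown command: %r" % name)
    handler, parsers = COMMANDS[name]
    if len(args) != len(parsers):
        raise ShellError("%s expects %d argument(s), got %d" % (name, len(parsers), len(args)))
    return handler(*(parse(arg) for parse, arg in zip(parsers, args)))


if __name__ == "__main__":
    # Minimal interactive loop over the constructed buffer.
    while True:
        try:
            line = input("> ")
            if line.strip() == "exit":
                break
            print(run_command(line))
        except ShellError as err:
            print("error:", err)
```

Hit lists come back as absolute addresses (base plus offset), matching the shell's own convention of printing addresses rather than buffer offsets; the argument parsers live in the command table so adding a command means adding one row and one handler.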
ROP mode:
- In the main html file (index.html) set `var doROP = true;`
- With this setting the script will launch a pre-programmed, firmware dependent, ROP chain;
- You can use the functions available at include/functions.js and include/functions_ex.js to interact in a SDK-like fashion with the Vita;
- Several batch tests are available at include/tests.js. Simply uncomment them under Run_Tests() and the tests will run after the exploit is ready;
- The following tests are currently implemented for firmwares 2.02, 2.12, 3.00, 3.01, 3.15 and 3.18:
  - `testStructs()` -> MrNetrix's test for custom structure allocation
  - `Test_Modules()` -> Based on CodeLion/BrianBTB/BBalling1's module dumping code and complemented by nas's sysmodule loading code. Forces all user modules to be loaded into memory and dumps them to the "dumps" folder
  - `Test_Memblock()` -> A simple memory alloc/free test using the SceLibKernel syscalls
  - `Test_Malloc()` -> An exhaustive malloc test that tries to allocate as much memory as possible
  - `Test_Motion()` -> A simple test to track and print the gyroscope's coordinates
  - `Test_SupportURI()` -> A small test that allows sending URI commands (e.g.: "psgm:", "settings_dlg:") to the Vita
  - `Test_Socket()` -> Original (akai) socket test to send messages to/from the Vita
  - `Test_ListDir()` -> Original (akai) test to list directories inside the Vita
  - `Test_GetFile()` -> Original (akai) test to find and dump user files from the Vita
  - `Test_GetDir()` -> Dump entire directories from the Vita
  - `Test_WriteFile()` -> Test file creation by mounting a temporary path and writing a dummy file to it
  - `Test_Photos()` -> Mount and list the contents of photo0
  - `Test_Control()` -> Track and print the left and right analog buttons' coordinates
  - `Test_Touch()` -> Print the coordinates of the last screen area that was touched
  - `Test_Gxm()` -> Test the GXM memory by mapping some of its components
- Amat Cama, johntheropper and freebot: Original Vita exploit toolkit/SDK code (https://github.com/acama/webkitties);
- CodeLion/BrianBTB/BBalling1: Original PoC, module dumping code and other utilities (https://github.com/BrianBTB/memtools_vita and https://github.com/BrianBTB/JSoS-Module-Dump-Release);
- nas: sceSysmoduleLoadModule finding (http://pastie.org/private/ugchhaqctvmw5rrg5w37ka);
- Davee, Josh_Axey and Archaemic: Individual PoC code to showcase this vulnerability;
- Yifan Lu: UVLoader source code and extensive documentation on the Vita (http://yifan.lu/);
- mr.gas, tomtomdu80 and YANOX: Several findings and reverse-engineering work on the Vita;
- BlackDaemon: Testing.