Well, this was not going to be released till tomorrow,
but I thought I would release it a little early.
First, a little background on my idea.
The XMB is the place to exploit, as no one yet knows how the Linux stuff is integrated into running unsigned code. My idea is that if we exploit the XMB, then we can run code, as game loading is already granted. So we need to run code in an unsigned way, and the best way to do this is to hit a shared memory space.
I've no idea where this space is.
PDX have told us to look in the SPEs; I'm going to look into creating buffer overflows in the browser. The integrated browser is built into the XMB, and anyone who knows a small amount about security (I've been a
for a few years) will also know that every browser is exploitable.
Now, the nice thing about $0ny is that they have attempted to hide the browser in the PS3: they have it falsely reporting as Mozilla/5.0 (PLAYSTATION 3; 1.00), but the PlayStation 3 uses a version of the NetFront browser by Access Co. as its internal web browser. It is the same browser used in the PSP (Sony-branded NetFront 2.81), with the same interface, menus and virtual keyboard. Its user agent string is cloaked.
Ummm, so why the cloaking? Let's hope it's because they know it to be exploitable.
The NetFront browser is for mobile devices and not PC; it can be grabbed for Linux.
I then grabbed some source code and compiled a nice little package for my Windows Mobile 5 device and decided to see if it ran. Yep, it did. Next I put together some exploits (looking for memory exhaustion and buffer overflows).
I ran them on the NetFront browser and whooo-hooo, I get nice errors (due to memory crashes; however, the browser does try to fix itself if it detects an error).
I know that the PS3 has loads more memory than my WinMobile device, but it's a start. I'm currently working away from home and will be back tomorrow, when I will test to see if I can crash the XMB and hopefully expose it. I'm also going to look for exploits which can carry a payload ;-) ;-)
Also, I know $0ny won't have fixed these bugs, as I was using the latest beta unreleased NetFront developer code. It just depends on the mods the guys at $0ny have done to the core browser code; let's hope they have been lazy or are just bad at programming.
Anyway, that's all for now, more tomorrow.