The libungif vulnerability cannot be used to create a working exploit.
It allows writing any number of bytes with any data you want, which has to pass two limitations (mask and maximum uint size), to specific offsets between 0x08a7xxxx and 0x09FFFFFF on 2.0 - 2.5 FW PSPs. This proved not to be sufficient.
The code injection worked in theory, but fails as the libungif vuln. is writing into memory using two buffers (Suffix, Prefix in the list).

Code:
Offsetlist:
Struct Offset: 0x08a7c0e0
Suffix Offset: 0x08a7d223
Prefix Offset: 0x08a7e224

BPP:  VUL  Suffix Off  Prefix Off  Mask        ClearCode
0x0c: OOB  0x08a7e225  0x08a8222c  0x00000001  0x00001000
0x0d: OOB  0x08a7f225  0x08a8622c  0x00000010  0x00002000
0x0e: OOB  0x08a81225  0x08a8e22c  0x00000002  0x00004000
0x0f: OOB  0x08a85225  0x08a9e22c  0x00000040  0x00008000
0x10: OOB  0x08a8d225  0x08abe22c  0x00000003  0x00010000
0x11: OOB  0x08a9d225  0x08afe22c  0x00000080  0x00020000
0x12: OOB  0x08abd225  0x08b7e22c  0x00000004  0x00040000
0x13: OOB  0x08afd225  0x08c7e22c  0x00000020  0x00080000
0x14: OOB  0x08b7d225  0x08e7e22c  0x0000001b  0x00100000
0x15: OOB  0x08c7d225  0x0927e22c  0x00002000  0x00200000
0x16: OOB  0x08e7d225  0x09a7e22c  0x0000001a  0x00400000
0x17: OOB  0x0927d225  0x0aa7e22c  0x00004000  0x00800000
0x18: OOB  0x09a7d225  0x0ca7e22c  0x0000001c  0x01000000
0x19: OOB  0x0aa7d225  0x10a7e22c  0x00001000  0x02000000
0x1a: OOB  0x0ca7d225  0x18a7e22c  0x0000001d  0x04000000
0x1b: OOB  0x10a7d225  0x28a7e22c  0x00008000  0x08000000
0x1c: OOB  0x18a7d225  0x48a7e22c  0x0000001e  0x10000000
... (other values cycle through the same offsets with a different mask)
Unfortunately, picking an offset (by picking a BPP value, like 0x18) for the first buffer which would overwrite code to be executed results in the other buffer attempting to write off-memory, thus causing an immediate crash, which makes this unusable.
Please note that you should not post any "proposals", as I can guarantee almost 90% of what can be done has been attempted by experts in the past weeks and fails due to the exotic and highly complex nature of this vulnerability.
Also note that we have understood the inner workings of the vulnerability by 100% and created appropriate tools to allow generation of any kind of crafted GIF files to work with this vulnerability.
Some people are looking into the research at the moment however it is not likely that it will have success.
Thanks go out to all those who helped in the research, you know who you are, thanks a LOT. :)
The research material and tools can be freely requested by PM if you have a serious idea how to use it.
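The post's table shows the root cause from the decoder's side: the BPP byte (the GIF "LZW minimum code size") is used unchecked, so ClearCode = 1 << BPP lands at 0x1000 and beyond for BPP 0x0c..0x1c, past the 4096-entry Prefix/Suffix tables. The following is an added example, not code from the post, from libungif or from the PSP firmware, showing the defensive setup a GIF LZW decoder should perform: reject out-of-spec header values before they size the clear code, and bounds-check every table write. All names (lzw_state, lzw_setup_checked, lzw_add_entry) are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>

/* GIF89a limits: the LZW minimum code size is 2..8 bits and codes never grow
   past 12 bits, so the prefix/suffix tables need exactly 4096 entries. */
#define LZW_MAX_CODE_BITS    12
#define LZW_TABLE_SIZE       (1 << LZW_MAX_CODE_BITS)  /* 4096 */
#define LZW_MIN_CODE_BITS_LO 2
#define LZW_MIN_CODE_BITS_HI 8

/* Hypothetical decoder state; the two fixed-size tables correspond to the
   Suffix and Prefix buffers named in the post. */
typedef struct {
    uint16_t prefix[LZW_TABLE_SIZE];
    uint8_t  suffix[LZW_TABLE_SIZE];
    int      bits_per_pixel;   /* LZW minimum code size from the image descriptor */
    int      clear_code;       /* 1 << bits_per_pixel */
    int      eof_code;         /* clear_code + 1 */
    int      running_code;     /* next free table slot */
    int      running_bits;     /* current code width in bits */
    int      max_code_plus_1;  /* 1 << running_bits */
} lzw_state;

/* Validate the header byte and initialise the decoder state.
   Returns false and leaves *st untouched when the value is out of spec.
   Without this check a value such as 0x0c..0x1c gives clear_code = 0x1000
   and above, i.e. an index past the 4096-entry tables, which is the
   out-of-bounds write the post's table lists per BPP value. */
bool lzw_setup_checked(lzw_state *st, int bits_per_pixel)
{
    if (bits_per_pixel < LZW_MIN_CODE_BITS_LO || bits_per_pixel > LZW_MIN_CODE_BITS_HI)
        return false;
    st->bits_per_pixel  = bits_per_pixel;
    st->clear_code      = 1 << bits_per_pixel;
    st->eof_code        = st->clear_code + 1;
    st->running_code    = st->eof_code + 1;
    st->running_bits    = bits_per_pixel + 1;
    st->max_code_plus_1 = 1 << st->running_bits;
    /* Belt and braces: the first free slot must itself lie inside the tables. */
    return st->running_code < LZW_TABLE_SIZE;
}

/* Append a (prefix, suffix) pair to the tables. Refuses instead of writing
   past the end when the table is full; a conforming stream must then emit
   a clear code before adding further entries. */
bool lzw_add_entry(lzw_state *st, int prefix, uint8_t suffix)
{
    if (st->running_code >= LZW_TABLE_SIZE || prefix < 0 || prefix >= LZW_TABLE_SIZE)
        return false;
    st->prefix[st->running_code] = (uint16_t)prefix;
    st->suffix[st->running_code] = suffix;
    st->running_code++;
    /* Widen the code size when the next code no longer fits, capped at 12 bits. */
    if (st->running_code >= st->max_code_plus_1 && st->running_bits < LZW_MAX_CODE_BITS) {
        st->running_bits++;
        st->max_code_plus_1 = 1 << st->running_bits;
    }
    return true;
}
```

The two checks are independent on purpose: the header check stops the ClearCode itself from being computed outside the tables, and the per-write check keeps a stream that is valid up front from walking the running code past the last entry without an intervening clear code.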