So the psp needs to crash for an exploit right?
It's not always that simple, but if a crash occurs it has like an 85% chance of being exploitable
Not even close to that percent. More like maybe 5-10%
But when it crashes, doesn't it turn off? So how could something run after it crashes?
You need a buffer overflow similar to the one on 2.0 that allows arbitrary code to be run.
TO the chip came today. If the etching finishes I'll make it tonight.
So do you have any idea how on 2.71?
Awesome, thanks a lot.
So how much will this chip influence the PSP world? Is it meant for everyone or just for devs?
I don't know, but if it works there are gonna be a lot of PSPs unbricked!
If you could unbrick a PSP... couldn't you just as well flash another firmware to it?
This site was posted earlier:
http://www.frsirt.com/english/advisories/2006/2585
I found more info on it :)
libpng would overflow if a chunk_name of the PNG was copied to an insufficiently sized buffer.
This problem was fixed by changing one line in pngrutil.c of libpng :)
from char umsg[50];
to char umsg[52];
to increase the buffer of course :)
Can anyone find out more about this??
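The bug class described above (a chunk name formatted into a fixed-size message buffer that is two bytes too small) as an added example; this is not libpng code, and the format string is an assumption standing in for whatever message libpng builds around the chunk name. It also shows the hardened form: terminate a private copy of the raw 4-byte chunk type and write with a bounded snprintf.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not libpng code. The format string is an assumption chosen
 * to resemble the kind of error message libpng builds around a chunk name. */
#define CHUNK_ERR_FMT "Buffer error in compressed datastream in %s chunk"
#define PNG_CHUNK_NAME_LEN 4   /* PNG chunk type codes are exactly 4 bytes */
#define UMSG_OLD 50            /* buffer size before the fix, as quoted in the thread */
#define UMSG_NEW 52            /* buffer size after the fix, as quoted in the thread */

/* Bytes needed for the formatted message, including the terminating NUL.
 * name must be a NUL-terminated chunk name. */
size_t chunk_msg_needed(const char *fmt, const char *name)
{
    int n = snprintf(NULL, 0, fmt, name);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Returns 1 if sprintf(buf, fmt, name) into a bufsz-byte buffer would
 * write past its end: the check an unbounded sprintf never performs. */
int chunk_msg_overflows(size_t bufsz, const char *fmt, const char *name)
{
    return chunk_msg_needed(fmt, name) > bufsz;
}

/* Hardened formatter. The chunk type as read from the file is not
 * NUL-terminated, so a private copy is terminated first; the message is
 * then written with a bounded snprintf so dst can never be overrun.
 * Returns 1 if the whole message fit, 0 if it was truncated to dstsz. */
int format_chunk_error(char *dst, size_t dstsz, const char *fmt,
                       const unsigned char raw_name[PNG_CHUNK_NAME_LEN])
{
    char name[PNG_CHUNK_NAME_LEN + 1];
    memcpy(name, raw_name, PNG_CHUNK_NAME_LEN);
    name[PNG_CHUNK_NAME_LEN] = '\0';
    int n = snprintf(dst, dstsz, fmt, name);
    return n >= 0 && (size_t)n < dstsz;
}

int main(void)
{
    /* Constructed chunk type bytes as they appear in a PNG file: "IDAT". */
    const unsigned char raw[PNG_CHUNK_NAME_LEN] = { 'I', 'D', 'A', 'T' };
    char old_buf[UMSG_OLD], new_buf[UMSG_NEW];
    printf("needed=%zu, overflows 50-byte buffer=%d\n",
           chunk_msg_needed(CHUNK_ERR_FMT, "IDAT"),
           chunk_msg_overflows(UMSG_OLD, CHUNK_ERR_FMT, "IDAT"));
    printf("fits in 50: %d, fits in 52: %d\n",
           format_chunk_error(old_buf, sizeof old_buf, CHUNK_ERR_FMT, raw),
           format_chunk_error(new_buf, sizeof new_buf, CHUNK_ERR_FMT, raw));
    return 0;
}
```

With this format string a 4-byte chunk name needs exactly 52 bytes, so the 50-byte buffer is overrun by two bytes and the enlarged one is not; the bounded version reports truncation instead of corrupting memory.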
So the most likely exploit would be this one: CVE-2006-0481
Quote:
Quote from TeamOverload
http://rhn.redhat.com/errata/RHSA-2006-0205.html
http://secunia.com/advisories/18654/
A heap based buffer overflow bug was found in the way libpng strips alpha
channels from a PNG image. An attacker could create a carefully crafted PNG
image file in such a way that it could cause an application linked with
libpng to crash or execute arbitrary code when the file is opened by a
victim. The Common Vulnerabilities and Exposures project has assigned the
name CVE-2006-0481 to this issue.
Am I right? Should we continue looking into this one, or is this out of the question?
Those with answers, please respond....
Well, finding more would be just like the description says:
"chunk_name of the png was copied to a insufficiently sized buffer"
But it shouldn't be so easy to find out how to exploit this buffer overflow.
If you feel brave read http://en.wikipedia.org/wiki/Buffer_overflow
Go to your C editor and come back with the POC :D
Oh, it comes from frsirt, old name was k-otik.com, a French security team =)
Did you read up...
clean post
http://forums.qj.net/psp-speculation/60426-libpng-zlib-possible-exploits-2-71-firmware.html
Damn, I didn't notice that with our new ugly law 'LCEN' they stopped sharing sources of POC.
Quote:
Quote from tenshu
Well, France is getting a strange way these days...
Fusion, that would likely be the ideal one to look into.
Did anyone notice this .PRX called/loaded from vshmain.prx:
usbstorboot.prx
Some sort of recovery mode via USB???
Just some more info that's likely been posted: http://www.kb.cert.org/vuls/id/388984
Is no one in here a C coder? Because it seems like that's all we need now. We know the file that lets you run the buffer overflow and we know that the libpng version is flawed, so what's holding us back? That one alpha whatever file is what needs to be exploited to run the overflow, so please, what's going on?
I think Chaotic Ghost knows some C coding, not sure.
I do, but nothing that can help this. I only know minimal; I use VB more, only just got started on C sadly :(
Quote:
Quote from SasukeXIII
Oh well, there should be others in this forum that should know C coding, right?
Yeh, and if not I s'pose we could also look elsewhere for someone willing to help.
Quote:
Quote from SasukeXIII
Get me a POC of that libpng overflow and I'll see what I can compile.
Does anyone else think that we are going around in circles?
If we could somehow keep a note on what everyone is up to on a fresh board without spamming it (i.e. write rules for it and we keep to them), we could maybe track what has failed and what is currently being worked on, and if someone could post every file type the PSP can read and we try each one... one at a time, I'm sure we will finally get something which will work.
That's my 2 cents... don't know if this makes sense, or if it's a waste of time?
As I understand, atm no one has tried that "libpng exploit" yet? Might this really work?
Anyway, so far no one has tried it, is it because of what freeplay posted?
Yay, I'm finally back :) I was thinking... if we are looking for an image exploit, we should call the person who made the previous one... MPH made the last one? What's in the way of him making another breakthrough? He knows what to do...
Actually a team called toc2rta created it.
So could anyone contact that team to see if they are on to doing a new one or if they could help us?
Makes sense I guess. Hopefully they can give us insight as to what we are missing.
All we need is their email address.
Quote:
Quote from X omega v5
Sonyxteam.com doesn't work
Anyone tried going on their irc?
Server: irc.toc2rta.com
No one's on...
Maybe they'll be on later 'cause of different timezones.
People are always on irc.toc2rta.com #noobz
I'll try
I shot an e-mail to the guy that made the POC for libpng 1.2.5. We'll see what he comes up with.
You did tell him we need something for libpng 1.2.6 right?