Format string vulnerability on 1.51 and 1.52

[jimparis]

Split from the psp-dev have released their exploit for ver. 1.5 thread.

It appears that the reason the single-card KXploit works on 1.5 is twofold:

1. Treating the filename as a format string causes the HELLO% folder name to be translated to HELLO when being passed to the bootstrap code
2. The 1.50 bootstrap executes a bare ELF if it's been passed one

Of course, the bare ELF execution was fixed on 1.51 and 1.52, so it no longer works there, failing after boot with 80020148 ("file type unsupported"). But this would only work if the format string vulnerability were still there. Experimentation verifies this:

When danj tried using %p etc, the error changes to 80010002, which would be because HELLO%p changed to e.g. HELLO12345678, and 80010002 is ENOENT.

When Nick Fury tried %c, the error is 8001000D, which is EACCESS and could be caused by %c generating an invalid character in the filename.

When danj tried using %n, it crashes his PSP, because %n causes writes to memory. That's the vulnerability.

I convinced a friend to upgrade 1.51 -> 1.52 and verified that this bug does still exist on 1.52. Writing an exploit is non-trivial, partially because we can't see the result of the format string expansion, and partially because MIPS exploits could be annoying (need to flush dcache)... but it's definitely got potential.

[Nick Fury]

Is there an emulator that exists that would allow us to determine the output maybe?

[FrostAie]

i extracted all the files from the update to 1.52 and used the icon the param and the .psar but replaced the .psp to the hello psp one it seems it trys to execute it and get a different error

[DrKickflip13]

Just to let you know..
the update HAS to be run from the folder UPDATE, not UPDATE% or any other thing like that
You probably know that but most morons at the other forums kept making folders like TEST and wondered why it didn't work

[Nick Fury]

Thank you Dr Obvious.

[HaredX]

I tried to add the = sign to the end of my second folder and I got
80020130

[Nick Fury]

According to errno.h 0130 is:

EPROCLIM

Not sure what that means.. Perhaps someone else can enlighten us.

EDIT: Unless my sources are wrong that means you have too many processes. This seems like a strange error.

[DrKickflip13]

Nick Fury the reason I was telling them about the UPDATE folder was because ->
You probably know that but most morons at the other forums kept making folders like TEST and wondered why it didn't work...

[mrbrown]

According to errno.h 0130 is:

EPROCLIM

Not sure what that means.. Perhaps someone else can enlighten us.

Only error codes that begin 8001xxxx refer to standard error codes. Error codes that begin with 8002xxxx or any other error codes are PSP-specific.

[Nick Fury]

Only error codes that begin 8001xxxx refer to standard error codes. Error codes that begin with 8002xxxx or any other error codes are PSP-specific.

That's good information to know.

[Roscco]

Is there an emulator that exists that would allow us to determine the output maybe?

Does PSPE not allow for instances such as this ?

[mvpo.geo]

a %%n after the folders name will allow the PSP to boot to the White PSP Screen/ Splash Screen. Then it will freeze there and eventually crash..... hope this helps

[HaredX]

it does that with a single %n it is explained in the original post....

[mvpo.geo]

no it doesn't how bout you try it. %n just crashes it right there

%%n will boot to the white screen with PSP then crash thus making progress....

[HaredX]

no not really cause whatever you put before %n, it will still be telling the psp to write to memory which will crash it no matter what, so theres no way we will be running homebrew with anything%n attached to the end of the folder name

[mvpo.geo]

you my friend are an idiot.......did I say it would make us run homebrew?
I just said that the %%n is progress from the %n and that the two aren't the same.

[F9zDark]

Actually, it doesn't matter. When the PSP is given an EBOOT file, it will show the white PSP screen, read memstick and then give an error message. So no, it really is not progress. The PSP boot animation is given to any EBOOT.PBP when its boot is initiated.

After that, whether it crashes or gives an error, isn't really progress. It runs app in both cases, just the former its memory is filled with garble and the latter it refuses to continue since there is no key or signature.

[mvpo.geo]

once again, how bout guys try the codes before trying to say something. Running %n will automatically freeze the PSP and crash it. the %%n will run to the White PSP Screen then it will crash.

[HaredX]

I tried it, you didn't make any progress, like I said putting anything %n on a folder will cause your psp to crash because it is telling it to write to the memory stick progress would be getting the psp NOT to crash

[F9zDark]

once again, how bout guys try the codes before trying to say something. Running %n will automatically freeze the PSP and crash it. the %%n will run to the White PSP Screen then it will crash.

So put another % in there and perhaps you'll get further along...

HAH yeah right.

All this tells us is that the first % is written to memory, maybe it causes a brief system lag(I dont know what % does to the PSP. In C++, using math functions, its modulus). Perhaps the PSP is writing whatever the % does to memory, which might take time, so that white screen loads, then it gets to the %n and just craps out.

I have a 1.50 PSP, so trying this will not work on mine(since homebrew can already run on it.)

I do suppose I could try it with just the homebrew app placed on the memstick(no swaploit or kxploit) and see what the outcome is.