[PS3] Hypervisor Exploit

Well then, someone has finally done it!!!

All thanks to GeoHot, already known for the iPhone jailbreak, who pulled it off after working on it for a little over five weeks.

PlayStation 3 Exploit

To run this exploit, written in what I would call very advanced C (judging by how it is written and by the way it uses memory...), you need Linux installed on the PlayStation; in any case, you can follow the documentation here.

The exploit has been released and can be freely downloaded. In the package you will find the C source code to compile, the makefile and the script that runs it.

Want to know how it works? Here it is:

geohot: well actually it’s pretty simple
geohot: i allocate a piece of memory
geohot: using map_htab and write_htab, you can figure out the real address of the memory
geohot: which is a big win, and something the hv shouldn’t allow
geohot: i fill the htab with tons of entries pointing to that piece of memory
geohot: and since i allocated it, i can map it read/write
geohot: then, i deallocate the memory
geohot: all those entries are set to invalid
geohot: well while it’s setting entries invalid, i glitch the memory control bus
geohot: the cache writeback misses the memory 🙂
geohot: and i have entries allowing r/w to a piece of memory the hypervisor thinks is deallocated
geohot: then i create a virtual segment with the htab overlapping that piece of memory i have
geohot: write an entry into the virtual segment htab allowing r/w to the main segment htab
geohot: switch to virtual segment
geohot: write to main segment htab a r/w mapping of itself
geohot: switch back
geohot: PWNED
geohot: and would work if memory were encrypted or had ECC
geohot: the way i actually glitch the memory bus is really funny
geohot: i have a button on my FPGA board
geohot: that pulses low for 40ns
geohot: i set up the htab with the tons of entries
geohot: and spam press the button
geohot: right after i send the deallocate call

With great power comes great responsibility…

Sources:

– Punto Informatico
– GeoHot's blog
– PlayStation Developer Wiki

[ref -> albertopasca.it]


Alberto Pasca

Software engineer @ Pirelli & C. S.p.A. with a strong passion for mobile development, security, and connected things.