Editing Vulnerabilities
Latest revision | Your text | ||
Line 159: | Line 159: | ||
|Carol Vorderman's Sudoku | |Carol Vorderman's Sudoku | ||
|Stack Buffer Overflow via unchecked string length | |Stack Buffer Overflow via unchecked string length | ||
|The | |The savefile stores plaintext profile & highscore names. There are no checks regarding the size-length of the profile & highscore names. Once can use a very large string to overwrite and gain control of the stack and jump to unsigned code. | ||
This vulnerability | This vulnerability was ported over to the PSP version of the game. See [https://github.com/ChampionLeake/SudokuSTACK here] | ||
|N/A | |N/A | ||
|December 2021 | |December 2021 | ||
|ChampionLeake | |ChampionLeake | ||
|- | |- | ||
|Star Wars Racer Revenge | |Star Wars Racer Revenge | ||
|Stack-Smash via unchecked "Record Name" length | |Stack-Smash via unchecked "Record Name" length | ||
|The game allows players | |The game allows players record their names when breaking lap records on a course. However, the size of the name is not checked. Using a very large name can overwrite addresses on the stack and gain control of the $ra, which can be used to jump to unsigned code. | ||
|N/A | |N/A | ||
|August 2023 | |August 2023 | ||
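Review bot: two grammar slips in the new table descriptions: in the Carol Vorderman's Sudoku row, "Once can use a very large string" should read "One can use a very large string", and in the Star Wars Racer Revenge row "allows players record their names" is missing "to" ("allows players to record their names"). "size-length of the profile & highscore names" would also read more plainly as "length of the profile and highscore names".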
Line 198: | Line 198: | ||
===== Bug Description ===== | ===== Bug Description ===== | ||
Okage Shadow King has a typical stack buffer overflow if you extend the player or town name in a savedata. | Okage Shadow King has a typical stack buffer overflow if you extend the player or town name in a savedata. | ||
===== Exploit Implementation ===== | ===== Exploit Implementation ===== | ||
Line 206: | Line 205: | ||
===== Save data format ===== | ===== Save data format ===== | ||
* The save data has no digest | * The save data has no digest. Strings can be modified and extended without making any crash. | ||
* The records pages data are stored as follows: for each record, signed int (4 bytes) for the time/most KO's | * The records pages data are stored as follows: for each record, signed int (4 bytes) for the time/most KO's, followed by ?22?-byte string. | ||
===== Bug description ===== | ===== Bug description ===== | ||
* To trigger the exploit, in the main menu, go to Options then Hall of Fame. The Hall of Fame will trigger the exploit when you go to the page where the player name was extended in save data to more than 256 characters as the code copies from save data the best players' names without checking length. | * To trigger the exploit, in the main menu, go to Options then Hall of Fame. The Hall of Fame will trigger the exploit when you go to the page where the player name was extended in save data to more than 256 characters as the code copies from save data the best players' names without checking length. | ||
* Player name max length allowed when breaking a record: 10 characters as the keyboard gets disabled | * Player name max length allowed when breaking a record: 10 characters as the keyboard gets disabled | ||
** Player name is registered in save data the first time that you make a new record but it seems not used at all. | ** Player name is registered in save data the first time that you make a new record but it seems not used at all. | ||
* Player name max length displayed in the record page: 21 characters as it is done a sort of "memcpy(src, dst, 21)" in a 22-byte | * Player name max length displayed in the record page: 21 characters as it is done a sort of "memcpy(src, dst, 21)" in a 22-byte buffer | ||
** 9 player names are displayed on each Hall of Fame page, stored temporarily in memory respectively at addresses: 0xF98B20, 0xFADB60, 0xFB29D0, 0xFB4E00, 0xFB7210, 0xFB9640, 0xFBBA50, 0xFBDE80, 0xCCE320 | ** 9 player names are displayed on each Hall of Fame page, stored temporarily in memory respectively at addresses: 0xF98B20, 0xFADB60, 0xFB29D0, 0xFB4E00, 0xFB7210, 0xFB9640, 0xFBBA50, 0xFBDE80, 0xCCE320 | ||
* buffer size: expected to be 256 bytes from tests (nothing happens when length is 256 characters followed by a zero byte) | * buffer size: expected to be 256 bytes from tests (nothing happens when length is 256 characters followed by a zero byte) | ||
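Review bot: the pseudo-call "memcpy(src, dst, 21)" in the player-name line has its arguments in the opposite order from the real signature, memcpy(dst, src, n); write it as memcpy(dst, src, 21) so the note does not mislead anyone comparing it against the binary. The record-layout line still carries the "?22?-byte string" placeholder while the later line states "a 22-byte buffer" without qualification; either confirm the 22 and drop the question marks, or mark both as unverified so the two lines agree. Minor wording: "without making any crash" reads better as "without causing a crash".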
Line 223: | Line 221: | ||
* $ra -> 5857565554535251 (bottom), 0000000000005A59 (top) | * $ra -> 5857565554535251 (bottom), 0000000000005A59 (top) | ||
* $s0 -> 4847005A59585756 (bottom), 504F4E4D4C4B4A49 (top) | * $s0 -> 4847005A59585756 (bottom), 504F4E4D4C4B4A49 (top) | ||
* savedata string address: 0x61b76c in pcsx2 but maybe depends on PS2 BIOS | * savedata string address: 0x61b76c in pcsx2 but maybe depends on PS2 BIOS | ||
===== Official cheat codes ===== | ===== Official cheat codes ===== | ||
* It might be useful to unlock more tracks in order to have more possibilities to trigger the buffer overflow in the records menu. | * It might be useful to unlock more tracks in order to have more possibilities to trigger the buffer overflow in the records menu. | ||
* To enable cheat codes, it is often forgotten in guides that you have to make a new record, then type "NO TIME" as player name. This has to be done only once as it is stored in save data. Then at the main menu, hold R1, R2, L1 and L2 while you press | * To enable cheat codes, it is often forgotten in guides that you have to make a new record, then type "NO TIME" as player name. This has to be done only once as it is stored in save data. Then at the main menu, hold R1, R2, L1 and L2 while you press succesively the following cheat combos. The cheats remain in save data but some can be disabled at wish. The following cheat codes were found by looking at the debug strings of the binary files: | ||
** No Player Damage Cheat ON/OFF: uuddlrlrscsc ON/OFF -> up, up, down, down, left, right, left, right, square, circle, square, circle | ** No Player Damage Cheat ON/OFF: uuddlrlrscsc ON/OFF -> up, up, down, down, left, right, left, right, square, circle, square, circle | ||
** (NOT CONFIRMED) No Player Overheat Cheat ON/OFF: balrefsc -> ?ba?, left, right, ?ef?, square, circle. | ** (NOT CONFIRMED) No Player Overheat Cheat ON/OFF: balrefsc -> ?ba?, left, right, ?ef?, square, circle. | ||
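Review bot: typo in the cheat-code paragraph: "succesively" should be "successively", and "disabled at wish" should be "disabled at will". The "(NOT CONFIRMED)" combo leaves "?ba?" and "?ef?" as bare question marks; since the paragraph says the codes were taken from the binary's debug strings, it would be clearer to state that those two letter pairs have not yet been mapped to buttons rather than leaving the reader to guess what the markers mean.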
Line 256: | Line 253: | ||
https://gamefaqs.gamespot.com/boards/915821-playstation-2/79857492?page=3 | https://gamefaqs.gamespot.com/boards/915821-playstation-2/79857492?page=3 | ||
==== Viewtiful Joe 2 demo on the NTSC U/C region 2004 Holiday Demo Disc ==== | ==== Viewtiful Joe 2 demo on the NTSC U/C region 2004 Holiday Demo Disc ==== | ||
Line 267: | Line 261: | ||
=== Possible vulnerable games === | === Possible vulnerable games === | ||
==== World War Zero Iron Storm ==== | ==== World War Zero Iron Storm ==== | ||
Line 301: | Line 277: | ||
==== All FIFA games ==== | ==== All FIFA games ==== | ||
FIFA06, FIFA08, FIFA Street 2 are vulnerable on Nintendo DS. See [https://github.com/CTurt/Dara|DARA by CTurt]. | Possibly vulnerable FIFA06, FIFA08, FIFA Street 2 are vulnerable on Nintendo DS. See [https://github.com/CTurt/Dara|DARA by CTurt]. | ||
==== List of other games ==== | ==== List of other games ==== | ||
See [https://github.com/libretro/LRPS2/blob/main/resources/GameIndex.yaml a list of almost all PS2 games]. Some may be vulnerable. | See [https://github.com/libretro/LRPS2/blob/main/resources/GameIndex.yaml a list of almost all PS2 games]. Some may be vulnerable. |
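Review bot: the revised FIFA sentence now contradicts itself: "Possibly vulnerable FIFA06, FIFA08, FIFA Street 2 are vulnerable on Nintendo DS" says both "possibly vulnerable" and "are vulnerable" about the same games. Since the section is "Possible vulnerable games", separate the two claims, e.g. "FIFA06, FIFA08 and FIFA Street 2 are vulnerable on Nintendo DS (see DARA by CTurt)" followed by an explicit statement of which versions are only suspected. Also, the external link uses the internal-link pipe syntax: "[https://github.com/CTurt/Dara|DARA by CTurt]" will render with the pipe as part of the link text; MediaWiki external links take a space, "[https://github.com/CTurt/Dara DARA by CTurt]", as the GameIndex.yaml link below already does.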