Editing Vulnerabilities
Latest revision | Your text | ||
Line 49: | Line 49: | ||
FreeMCBoot allows homebrew programs to be launched without a trigger disc required unlike PS2 Independence. | FreeMCBoot allows homebrew programs to be launched without a trigger disc required unlike PS2 Independence. | ||
This also allows | This also allows use of homebrew on unmodded systems without a functional disc drive. However, installation of the exploit to each individual memory card requires either an already exploited/modded system in order to launch the installer, or boot image that can load an app that loads ELF files (network adapter and hard drive also required). Copying from one memory card to another will not work. | ||
It does not work on the very newest PS2s (SCPH-9000x model with BIOS 2.30 and up) but will work on all models prior to that. | It does not work on the very newest PS2s (SCPH-9000x model with BIOS 2.30 and up) but will work on all models prior to that. | ||
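Review bot: In the expanded sentence beginning "This also allows use of homebrew on unmodded systems", the parenthetical "(network adapter and hard drive also required)" can be read as applying to both installation routes or only to the boot-image route. State which one is meant, and add the missing article in "or boot image". The new claim "Copying from one memory card to another will not work" would also benefit from a one-line reason or a reference.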
Line 89: | Line 89: | ||
==== FreeDVDBoot ==== | ==== FreeDVDBoot ==== | ||
An exploit released in 2020 by CTurt, which exploits the DVD Video Player and allows the execution of code (wLaunchElf in the pre-built ISOs). | An exploit released in 2020 by CTurt, which exploits the DVD Video Player and allows the execution of code (wLaunchElf in the pre-built ISOs). Currently supports all slim consoles, including the ones that don't support FMCB. | ||
==== ESR Vulnerability ==== | ==== ESR Vulnerability ==== | ||
Vulnerability to bypass PS2 disc reader anticopy protection system | Vulnerability to bypass PS2 disc reader anticopy protection system. | ||
Allows to run burnt CD/DVD | Allows to run burnt PS2 CD/DVD on a PS2 without modchip. It is needed to have FreeMCBoot/FreeHDBoot, Fortuna or SwapMagic in order to launch ESR. | ||
It does not yield code-execution, but once you have the ability to load code, you can access content on burned (Video-)DVDs, which have DVD-Video-content. This vulnerability is used in different apps like ESR or SMS and in varying 'formats' like ESR-Discs or simple Video-DVDs with extra-content. | |||
===Playstation 2 Linux RTE=== | |||
====Linux==== | |||
Todo | |||
= | =Games= | ||
== | ==Demo games== | ||
===PS2 Yabasic Exploit=== | |||
=== PS2 Yabasic Exploit === | |||
Released on 12-10-2019 by CTurt. | Released on 12-10-2019 by CTurt. | ||
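Review bot: The release date "12-10-2019" under the PS2 Yabasic Exploit heading is ambiguous between day-month and month-day order; the table further down writes dates as "December 2021" and "September 14th, 2022", so use a spelled-out month here too. In the ESR section, "Allows to run burnt PS2 CD/DVD" and "It is needed to have" need rewording, and "FMCB" in the FreeDVDBoot line should be written out as FreeMCBoot, the form the earlier section uses.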
Line 135: | Line 117: | ||
[https://github.com/CTurt/PS2-Yabasic-Exploit Exploit code by CTurt] | [https://github.com/CTurt/PS2-Yabasic-Exploit Exploit code by CTurt] | ||
== Network games == | ==Network games== | ||
It is possible to exploit Network-capable games, to inject codes!!! | |||
This is perfect for Slim PS2 and people which can not move files to the MC! | |||
TnA scarcely mentioned that method since January 2019, like it can be seen in the comments of @Haldrie's video about the time-swap | TnA scarcely mentioned that method since January 2019, like it can be seen in the comments of @Haldrie's video about the time-swap! TnA got the basic idea from some discoveries someone else mentioned. | ||
The problem is to either inject it elsewhere, or find a way to run it | The problem is to either inject it elsewhere, or find a way to run it! | ||
== PS1 Savedata exploits == | ==PS1 Savedata exploits== | ||
The existing FreePSXBoot exploit chain | The existing FreePSXBoot exploit chain does not work on the PS2 (mainly inside mcman), due to the fact that the internal structure is different. | ||
In mcman, there is no bounds check on linked_block member access relative to arrays on stack: https://github.com/ps2dev/ps2sdk/blob/d976e57349645cb940a9e0f9ec0207c16472ca2c/iop/memorycard/mcman/src/main.c#L3041-L3072 | In mcman, there is no bounds check on linked_block member access relative to arrays on stack: https://github.com/ps2dev/ps2sdk/blob/d976e57349645cb940a9e0f9ec0207c16472ca2c/iop/memorycard/mcman/src/main.c#L3041-L3072 | ||
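Review bot: The Network games paragraph asserts that network-capable games can be exploited but names no game, no write-up and no source; "some discoveries someone else mentioned" and a comment thread under a video are not verifiable references. Link the source or mark the section as unconfirmed, and drop the exclamation marks. In the PS1 Savedata paragraph, name the mcman function that the linked lines L3041-L3072 belong to, so the claim about linked_block can be read without following the link.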
Line 157: | Line 141: | ||
See [https://psdevwiki.com/ps1/index.php?title=Vulnerabilities PS1 Dev Wiki Vulnerabilities]. | See [https://psdevwiki.com/ps1/index.php?title=Vulnerabilities PS1 Dev Wiki Vulnerabilities]. | ||
=== BOOT.ELF (Fat | ===BOOT.ELF (Fat consoles only)=== | ||
[https://sksapps.haldrie.com/bootleg/tutorials/fmcb/armax2.php Official sp193 guide (backup)] | [https://sksapps.haldrie.com/bootleg/tutorials/fmcb/armax2.php Official sp193 guide (backup)] | ||
Line 170: | Line 153: | ||
!Vulnerability | !Vulnerability | ||
!Description | !Description | ||
! | !Revisions | ||
!Date of discovery | !Date of discovery | ||
!Discovered | !Discovered by | ||
|- | |- | ||
|Carol Vorderman's Sudoku | |Carol Vorderman's Sudoku | ||
|Stack Buffer Overflow via unchecked string length | |Stack Buffer Overflow via unchecked string length | ||
|The | |The savefile stores plaintext profile & highscore names. There are no checks regarding the size-length of the profile & highscore names. Once can use a very large string to overwrite and gain control of the stack and jump to unsigned code. | ||
This vulnerability | This vulnerability was ported over to the PSP version of the game. See [https://github.com/ChampionLeake/SudokuSTACK here] | ||
| | |N/A | ||
|December 2021 | |December 2021 | ||
|ChampionLeake | |ChampionLeake | ||
|- | |||
|Star Wars Racer Revenge | |||
|Stack-Smash via unchecked "Record Name" length | |||
|The game allows players record their names when breaking lap records on a course. However, the size of the name is not checked. Using a very large name can overwrite addresses on the stack and gain control of the $ra, which can be used to jump to unsigned code. | |||
|N/A | |||
|August 2023 | |||
|ChampionLeake | |||
|- | |- | ||
|OKAGE: Shadow King | |OKAGE: Shadow King | ||
|Stack Buffer | |Stack Buffer Oveflow via unchecked "Player/Town" name length | ||
|Successfully exploit through mast1c0re for the PS4/PS5. | |Successfully exploit through mast1c0re for the PS4/PS5. | ||
CTurt's Writeup: [https://cturt.github.io/mast1c0re.html Here] | CTurt's Writeup: [https://cturt.github.io/mast1c0re.html Here] | ||
McCaulay's Writeup: [https://mccaulay.co.uk/mast1c0re-introduction-exploiting-the-ps4-and-ps5-through-a-gamesave/?t=1 Here] | McCaulay's Writeup: [https://mccaulay.co.uk/mast1c0re-introduction-exploiting-the-ps4-and-ps5-through-a-gamesave/?t=1 Here] | ||
| | |N/A | ||
|September 14th, 2022 | |September 14th, 2022 | ||
|CTurt & McCaulay | |CTurt & McCaulay | ||
|} | |} | ||
=== Confirmed vulnerable games === | === Confirmed vulnerable games === | ||
==== OKAGE: Shadow King ==== | ==== OKAGE: Shadow King ==== | ||
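Review bot: The table cells on the "Your text" side carry typos that should be fixed before publishing: "Oveflow" in the OKAGE: Shadow King row, "Once can use" in the Carol Vorderman's Sudoku description, and "Successfully exploit" in the OKAGE description. The OKAGE description cell also only reports that the bug was exploited through mast1c0re and links two write-ups; add one sentence describing the bug itself, as the other rows do.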
Line 245: | Line 207: | ||
===== Save data format ===== | ===== Save data format ===== | ||
* The save data has no digest nor any kind of security. | * The save data has no digest nor any kind of security. | ||
* The records pages data are stored as follows: each | * The records pages data are stored as follows: for each record, signed int (4 bytes) for the time/most KO's count, followed by 21-byte string for the player's name, which must be null-terminated as it is copied using strcpy. | ||
===== Bug description ===== | ===== Bug description ===== | ||
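Review bot: The record layout in the second "Save data format" bullet gives a 4-byte signed int followed by a 21-byte name but does not say the integer's byte order or whether the 21 bytes include the terminating null. Because the same bullet says the name is copied with strcpy, also say whether anything checks the name against the 21-byte field before the copy.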
Line 284: | Line 214: | ||
* Player name max length allowed when breaking a record: 10 characters as the keyboard gets disabled | * Player name max length allowed when breaking a record: 10 characters as the keyboard gets disabled | ||
** Player name is registered in save data the first time that you make a new record but it seems not used at all. | ** Player name is registered in save data the first time that you make a new record but it seems not used at all. | ||
* Player name max length displayed in the record page: 21 characters as it is done a sort of "memcpy(src, dst, 21)" in a 22-byte | * Player name max length displayed in the record page: 21 characters as it is done a sort of "memcpy(src, dst, 21)" in a 22-byte buffer | ||
** 9 player names are displayed on each Hall of Fame page, stored temporarily in memory respectively at addresses: 0xF98B20, 0xFADB60, 0xFB29D0, 0xFB4E00, 0xFB7210, 0xFB9640, 0xFBBA50, 0xFBDE80, 0xCCE320 | ** 9 player names are displayed on each Hall of Fame page, stored temporarily in memory respectively at addresses: 0xF98B20, 0xFADB60, 0xFB29D0, 0xFB4E00, 0xFB7210, 0xFB9640, 0xFBBA50, 0xFBDE80, 0xCCE320 | ||
* buffer size: expected to be 256 bytes from tests (nothing happens when length is 256 characters followed by a zero byte) | * buffer size: expected to be 256 bytes from tests (nothing happens when length is 256 characters followed by a zero byte) | ||
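Review bot: "memcpy(src, dst, 21)" in the record-page bullet has the arguments in the wrong order for C's memcpy, which takes the destination first; write memcpy(dst, src, 21). The hunk also mentions a 22-byte buffer and then "buffer size: expected to be 256 bytes" without saying these are different buffers; name each buffer so the two figures do not appear to conflict.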
Line 290: | Line 220: | ||
* latest valid $ra: 0x1E4048 | * latest valid $ra: 0x1E4048 | ||
* latest valid $pc: 0x1E4050 (jl ra) -> crash when executed so put breakpoint at 0x1E4050 | * latest valid $pc: 0x1E4050 (jl ra) -> crash when executed so put breakpoint at 0x1E4050 | ||
* current savedata payload: 256 non-null bytes then 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 59 5A 00 00 00 00 00 00 | |||
* $ra -> 5857565554535251 (bottom), 0000000000005A59 (top) | |||
* current savedata payload | * $s0 -> 4847005A59585756 (bottom), 504F4E4D4C4B4A49 (top) | ||
* $ra | |||
* $s0 | |||
* It is guessed that at least 0xB7B bytes of the savedata can be overwritten with a MIPS shellcode without breaking the main menu. | * It is guessed that at least 0xB7B bytes of the savedata can be overwritten with a MIPS shellcode without breaking the main menu. | ||
* savedata string address: 0x61b76c in pcsx2 but | * savedata string address: 0x61b76c in pcsx2 but maybe depends on PS2 BIOS | ||
===== Official cheat codes ===== | ===== Official cheat codes ===== | ||
* It might be useful to unlock more tracks in order to have more possibilities to trigger the buffer overflow in the records menu. | * It might be useful to unlock more tracks in order to have more possibilities to trigger the buffer overflow in the records menu. | ||
* To enable cheat codes, it is often forgotten in guides that you have to make a new record, then type "NO TIME" as player name. This has to be done only once as it is stored in save data. Then at the main menu, hold R1, R2, L1 and L2 while you press | * To enable cheat codes, it is often forgotten in guides that you have to make a new record, then type "NO TIME" as player name. This has to be done only once as it is stored in save data. Then at the main menu, hold R1, R2, L1 and L2 while you press succesively the following cheat combos. The cheats remain in save data but some can be disabled at wish. The following cheat codes were found by looking at the debug strings of the binary files: | ||
** No Player Damage Cheat ON/OFF: uuddlrlrscsc ON/OFF -> up, up, down, down, left, right, left, right, square, circle, square, circle | ** No Player Damage Cheat ON/OFF: uuddlrlrscsc ON/OFF -> up, up, down, down, left, right, left, right, square, circle, square, circle | ||
** (NOT CONFIRMED) No Player Overheat Cheat ON/OFF: balrefsc -> ?ba?, left, right, ?ef?, square, circle. | ** (NOT CONFIRMED) No Player Overheat Cheat ON/OFF: balrefsc -> ?ba?, left, right, ?ef?, square, circle. | ||
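Review bot: "jl ra" in the "latest valid $pc" bullet is not a MIPS mnemonic; the return instruction is "jr ra" (jr $ra). Also fix "succesively" in the cheat-code bullet, and replace "maybe depends on PS2 BIOS" on the savedata string address line with the PCSX2 and BIOS versions the address 0x61b76c was observed on.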
Line 320: | Line 239: | ||
* When using a save data that was badly hand-modified to unlock every characters and circuits, a bug can occur in the record page: only one of the pages can be accessed. Pressing left or right to change track page makes sound but remains on this page. | * When using a save data that was badly hand-modified to unlock every characters and circuits, a bug can occur in the record page: only one of the pages can be accessed. Pressing left or right to change track page makes sound but remains on this page. | ||
==== GTA III | ==== GTA III ==== | ||
* [https://github.com/halpz/re3/blob/9a7fa478578beaba947ea867c15a25e411d641d8/src/save/MemoryCard.cpp#L358 vulnerability] | * [https://github.com/halpz/re3/blob/9a7fa478578beaba947ea867c15a25e411d641d8/src/save/MemoryCard.cpp#L358 vulnerability] | ||
Line 326: | Line 245: | ||
The game does a copy from the memory card into a fixed-size buffer with size supplied by the savedata. | The game does a copy from the memory card into a fixed-size buffer with size supplied by the savedata. | ||
==== | ==== Dark Cloud ==== | ||
* [https://www.youtube.com/results?search_query=%22dark+cloud%22+item+glitch+menu+before%3A2008-01-01 video of bug triggering] | |||
Moving the cursor and pressing X on the same frame in the items menu allows us to pick up an item from out-of-bounds memory, which results in exploitable behaviour. | |||
Moving the cursor and pressing X on the same frame in the items menu allows us to pick up an item from out-of-bounds memory, which results in | |||
==== Soul Calibur III ==== | ==== Soul Calibur III ==== | ||
Line 400: | Line 256: | ||
https://gamefaqs.gamespot.com/boards/915821-playstation-2/79857492?page=3 | https://gamefaqs.gamespot.com/boards/915821-playstation-2/79857492?page=3 | ||
==== Viewtiful Joe 2 demo on the NTSC U/C region 2004 Holiday Demo Disc ==== | ==== Viewtiful Joe 2 demo on the NTSC U/C region 2004 Holiday Demo Disc ==== | ||
Line 410: | Line 263: | ||
https://gamefaqs.gamespot.com/boards/915821-playstation-2/79857492?page=3 | https://gamefaqs.gamespot.com/boards/915821-playstation-2/79857492?page=3 | ||
==== | === Possible vulnerable games === | ||
==== World War Zero Iron Storm ==== | ==== World War Zero Iron Storm ==== | ||
Line 431: | Line 280: | ||
==== All FIFA games ==== | ==== All FIFA games ==== | ||
FIFA06, FIFA08, FIFA Street 2 are vulnerable on Nintendo DS. See [https://github.com/CTurt/Dara DARA by CTurt]. | Possibly vulnerable FIFA06, FIFA08, FIFA Street 2 are vulnerable on Nintendo DS. See [https://github.com/CTurt/Dara|DARA by CTurt]. | ||
==== List of other games ==== | ==== List of other games ==== | ||
See [https://github.com/libretro/LRPS2/blob/main/resources/GameIndex.yaml a list of almost all PS2 games]. Some may be vulnerable. | See [https://github.com/libretro/LRPS2/blob/main/resources/GameIndex.yaml a list of almost all PS2 games]. Some may be vulnerable. |
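Review bot: In the FIFA entry the new link "[https://github.com/CTurt/Dara|DARA by CTurt]" puts a pipe between URL and label; MediaWiki external links separate them with a space, so the pipe ends up as part of the URL. Keep the space form from the other side of the diff. The added lead "Possibly vulnerable" also collides with "are vulnerable on Nintendo DS" in the same sentence; say that these titles are vulnerable on Nintendo DS and that the PS2 versions are only suspected.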