Editing Bugs & Vulnerabilities
Latest revision | Your text | ||
Line 1: | Line 1: | ||
Ps3 save data exploit | |||
Unsigned codencan be added to the sfo coz the console doesnt recognize special characters | |||
http://www.exploit-db.com/exploits/25718/ | |||
Firmwware target 4.31 | |||
Working on 4.31 | |||
PoC: PARAM.SFO | PoC: PARAM.SFO | ||
PSF�� Ä @� � � � � � ��� � � � ��� � � � ��h � � % � � � �� , � � � �� 4 | PSF�� Ä @� � � � � � ��� � � � ��� � � � ��h � � % � � � �� , � � � �� 4 ��� � | ||
��� � | $� C ��� @ (� V ��� � h� j �� | ||
$� C ��� @ (� V ��� � h� j �� | € p� t ��� € ð� | ||
ACCOUNT_ID ATTRIBUTE CATEGORY DETAIL PARAMS PARAMS2 PARENTAL_LEVEL SAVEDATA_DIRECTORY SAVEDATA_LIST_PARAM SUB_TITLE TITLE | |||
ACCOUNT_ID ATTRIBUTE CATEGORY DETAIL PARAMS PARAMS2 PARENTAL_LEVEL SAVEDATA_DIRECTORY SAVEDATA_LIST_PARAM SUB_TITLE | 40ac78551a88fdc | ||
TITLE | SD | ||
40ac78551a88fdc | |||
SD | |||
PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!] | PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!] | ||
Hackizeit: 1:33:07 | Hackizeit: 1:33:07 | ||
ExpSkills: VL-LAB-TRAINING | ExpSkills: VL-LAB-TRAINING | ||
Operation: 1% | Operation: 1% | ||
Trojaners: 0% | Trojaners: 0% | ||
... | ... Õõ~\˜òíA×éú�;óç� 40ac78551a88fdc | ||
... | ... | ||
BLES00371-NARUTO_STORM-0 | BLES00371-NARUTO_STORM-0 | ||
HACKINGBKM 1 | HACKINGBKM 1 | ||
PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!]; | PSHACK: Benjamin Ninja H%20'>"<[PERSISTENT INJECTED SYSTEM COMMAND OR CODE!]; | ||
"rsx syscall bug" - in most syscalls sony reduces a pointer to 32 bits and would use a special function to write to that pointer.<br> however, in certain rsx syscalls, sony forgot about it, allowing the attacker to write to any part of lv2 memory. | |||
patched: 4.45 | |||
http://crypto.stackexchange.com/questions/14628/why-do-we-use-xts-over-ctr-for-disk-encryption CTR bugs on SELFs (and ebootroms maybe?) | |||
patched: since Vita pre-retail 0.9.9.6 (SELFs, should match with ps3 firmware at release date), unknown (ebootroms) | |||
http://cxsecurity.com/issue/WLB-2007030183 "Remote Play" Remote DoS Exploit<br /> | |||
patched: ? | |||
http://cxsecurity.com/issue/WLB-2008070060 Memory corruption and NULL pointer in Unreal Tournament III 1.2<br /> | |||
unsure if applies to PS3? | |||
http://cxsecurity.com/issue/WLB-2010010162 MacOS X 10.5/10.6 libc/strtod(3) buffer overflow<br /> | |||
unsure if applies to PS3? | |||
http://seclists.org/fulldisclosure/2007/Jan/474 OpenPrinter() stack-based buffer overflow<br /> | |||
patched: ? | |||
http://seclists.org/fulldisclosure/2009/Jul/299 DOM flaw<br /> | |||
patched: ? | |||
http://seclists.org/fulldisclosure/2013/May/113 PARAM.SFO stack-based buffer overflow<br /> | |||
patched: since 2012-05-01 (4.40 and later) | |||
AVP patch bypass exploit<br /> | |||
patched: since 3.70 and later | |||
PSN security intrusion | |||
patched: since 3.61 enforced password change<br /> | |||
= | http://www.vulnerability-lab.com/get_content.php?id=740 Sony PSN Account Service - Password Reset Vulnerability<br /> | ||
patched: since 2012-05-01 | |||
Private key nonrandom fail<br /> | |||
patched: since 3.56 | |||
JIG downgrade<br /> | |||
patched: since 3.56 | |||
USB config stack-based buffer overflow (PSjailbreak/PSGroove)<br /> | |||
patched: since 3.42 and later | |||
Lead year bug<br /> | |||
patched: since 3.40 and later | |||
MP4 vulnerability<br /> | |||
patched: since 3.21 and later | |||
Playback of Cinavia DRM protected titles<br /> | |||
patched: since 3.10 and later | |||
Open Remote Play<br /> | |||
patched: since 2.80 and later | |||
BD-J homebrew<br /> | |||
patched: since 2.50 and later | |||
[[Downgrading with Hardware flasher]]<br /> | |||
patched: since 2.20 and later (by adding [[CoreOS]] hashing in [[Syscon Hardware|Syscon]] to be checked by [[Hypervisor Reverse Engineering|hypervisor]]; worked around by patching hypervisor on 3.56 and lower capable consoles) | |||
Full RSX access in OtherOS<br /> | |||
patched: since 2.10 and later | |||
{{Reverse engineering}}<noinclude>[[Category:Main]]</noinclude> | {{Reverse engineering}}<noinclude>[[Category:Main]]</noinclude> |
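Review bot: the "Ps3 save data exploit" block at the top of the diff (the five introductory lines that appear only in the latest-revision column, plus the "PoC: PARAM.SFO" dump that follows) duplicates the existing entry "PARAM.SFO stack-based buffer overflow / patched: since 2012-05-01 (4.40 and later)" further down, and the dump itself is a raw binary SFO file that has not survived as wiki text (the "PSF" header line and the lines around "40ac78551a88fdc" are unreadable bytes); suggest folding the exploit-db URL and the "Working on 4.31" observation into that existing entry and dropping the dump. The block's own description, "Unsigned code can be added to the sfo coz the console doesnt recognize special characters", is a stronger claim than the page otherwise supports, since the existing entry records the same PARAM.SFO issue as a stack-based buffer overflow; if the unsigned-code claim is kept it needs a source. In the same comparison the "Sony PSN Account Service - Password Reset Vulnerability" line is replaced in the latest-revision column by a lone "=", which leaves the following "patched: since 2012-05-01" line with no entry to belong to; that looks accidental and the link line should be restored. Minor: "Firmwware", "codencan", "coz" and "doesnt" in the new block.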