Editing Webbrowser

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 15: Line 15:


== Known Useragents ==
== Known Useragents ==
=== YouTube ===
  PlayStation Vita YouTube/1.0 libhttp/1.67 (PS Vita)
  PlayStation Vita YouTube/1.0 libhttp/1.67 (PS Vita)
  PlayStation Vita YouTube/2.1 libhttp/2.60 (PS Vita)
  PlayStation Vita YouTube/2.1 libhttp/2.60 (PS Vita)
=== WebBrowser ===
   
   
Useragent (Vita TV has trailing "Silk/3.2 VTE/2.50" or "Silk/3.2 VTE/3.30" as subidentifier):
Useragent (Vita TV has trailing "Silk/3.2 VTE/2.50" or "Silk/3.2 VTE/3.30" as subidentifier):
Line 32: Line 27:
|-
|-
| Mozilla/5.0 (PlayStation Vita 1.00) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 || [[01.000.000_CEX|01.000.000]] || {{yes}}
| Mozilla/5.0 (PlayStation Vita 1.00) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 || [[01.000.000_CEX|01.000.000]] || {{yes}}
|-
| Mozilla/5.0 (PlayStation Vita 1.03) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 || [[01.030.010_CEX|01.030.010]] || {{yes}}
|-
| Mozilla/5.0 (PlayStation Vita 1.04) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 || [[01.040.000_CEX|01.040.000]] || {{yes}}
|-
| Mozilla/5.0 (PlayStation Vita 1.05) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 || [[01.050.000_CEX|01.050.000]] || {{yes}}
|-
| Mozilla/5.0 (PlayStation Vita 1.06) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 || [[01.060.010_CEX|01.060.010]] || {{yes}}
|-
|-
| Mozilla/5.0 (Playstation Vita 1.50) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 || [[01.500.000_CEX|01.500.000]] || {{yes}}
| Mozilla/5.0 (Playstation Vita 1.50) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 || [[01.500.000_CEX|01.500.000]] || {{yes}}
Line 99: Line 86:
| Mozilla/5.0 (PlayStation Vita 3.20) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 || [[03.200.000_CEX|03.200.000]] || {{yes}}
| Mozilla/5.0 (PlayStation Vita 3.20) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 || [[03.200.000_CEX|03.200.000]] || {{yes}}
|-
|-
| Mozilla/5.0 (PlayStation Vita 3.30) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 || [[03.300.000_CEX|03.300.000]] || {{yes}}
| Mozilla/5.0 (PlayStation Vita 3.30) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 || [[03.300.000_CEX|03.300.000]] || {{no}}
|-
| Mozilla/5.0 (PlayStation Vita 3.35) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 || [[03.350.000_CEX|03.350.000]] || {{yes}}
|-
| Mozilla/5.0 (PlayStation Vita 3.36) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 || [[03.360.000_CEX|03.360.000]] || {{yes}}
|-
| Mozilla/5.0 (PlayStation Vita 3.50) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 || [[03.500.000_CEX|03.500.000]] || {{yes}}
|-
| Mozilla/5.0 (PlayStation Vita 3.52) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 || [[03.520.000_CEX|03.520.000]] || {{yes}}
|-
| Mozilla/5.0 (PlayStation Vita 3.55) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 || [[03.550.000_CEX|03.550.000]] || {{yes}}
|-
| Mozilla/5.0 (PlayStation Vita 3.57) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 || [[03.570.000_CEX|03.570.000]] || {{yes}}
|-
| Mozilla/5.0 (PlayStation Vita 3.60) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 || [[03.600.000_CEX|03.600.000]] || {{yes}}
|-
| Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 || [[03.610.000_CEX|03.610.000]] || {{no}}
|-
| Mozilla/5.0 (PlayStation Vita 3.63) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 || [[03.630.000_CEX|03.630.000]] || {{no}}
|-
|-
| Mozilla/5.0 (PlayStation Vita 3.65) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 || [[03.650.000_CEX|03.650.000]] || {{no}}
| Mozilla/5.0 (PlayStation Vita 3.35) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 || [[03.350.000_CEX|03.350.000]] || {{no}}
|-
|-
| ? || [[03.670.000_CEX|03.670.000]] || {{no}}
| Mozilla/5.0 (PlayStation Vita 3.36) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 || [[03.360.000_CEX|03.360.000]] || {{no}}
|-
| ? || [[03.680.000_CEX|03.680.000]] || {{no}}
|-
| ? || [[03.690.000_CEX|03.690.000]] || {{no}}
|-
|-
|}
|}


== Webkit exploits ==
== Webkit exploit ==
 
=== Terminology ===
=== Terminology ===
<div style="color: #000000; background-color: #e5e4e2; border: 1px solid #808000; padding: 5px; {{box-shadow|4px|4px|8px|#b0b090}}">
<div style="color: #000000; background-color: #e5e4e2; border: 1px solid #808000; padding: 5px; {{box-shadow|4px|4px|8px|#b0b090}}">
  An information security '''vulnerability''' is a mistake in software that can be directly used by a hacker to gain access to a system or network.
  An information security '''vulnerability''' is a mistake in software that can be directly used by a hacker to gain access to a system or network.
Line 141: Line 104:


=== '''C'''ommon '''V'''ulnerabilities and '''E'''xposures list ===
=== '''C'''ommon '''V'''ulnerabilities and '''E'''xposures list ===
*http://www.lolhax.org/2014/10/28/psvita-webkit-for-2-00/


1.50-1.81 (CVE-2010-1807 and CVE-2010-4577)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1807
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1807
* http://imthezuk.blogspot.com/2010/11/float-parsing-use-after-free.html
 
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4577
* https://code.google.com/p/chromium/issues/detail?id=63866
 
2.00-3.20 (CVE-2013-0903-1)
* [http://acez.re/ps-vita-level-1-webkitties-3 Acama's write-up]
* http://packetstormsecurity.com/files/123088/
* http://packetstormsecurity.com/files/123089/Packet-Storm-Advisory-2013-0903-1-Apple-Safari-Heap-Buffer-Overflow.html
* related to http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3748 and https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3748
 
3.30-3.36 (CVE-2014-1303)
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1303
* http://wololo.net/2015/04/22/new-webkit-exploit-found-vita-maybe-playstation-4
* https://www.blackhat.com/docs/eu-14/materials/eu-14-Chen-WebKit-Everywhere-Secure-Or-Not.PDF
* https://www.blackhat.com/docs/eu-14/materials/eu-14-Chen-WebKit-Everywhere-Secure-Or-Not-WP.pdf
* https://cansecwest.com/slides/2015/Liang_CanSecWest2015.pdf
 
3.50-3.60 (no CVE at the time it was written, credits to xyz)
* https://blog.xyz.is/2016/webkit-360.html
* [https://pastebin.com/Av2YCR5Q Mike H.'s write-up]
* [https://pastebin.com/aSJQbJyd Mike H.'s write-up #2]
 
=== Repositories ===
 
<=1.81 webkit exploit PoC:
* [http://www.lolhax.org/2014/10/28/psvita-webkit-for-2-00 article] by '''Davee'''
* [https://github.com/joshaxey/badnanna181/tree/master discarded repro reduction for <=1.81] by '''Josh Axey'''
 
1.50-1.69-1.80 HTMLit:
* [https://bitbucket.org/DaveeFTW/htmlit htmlit] by '''Davee'''
 
ROPtool:
* [https://www.lolhax.org/2014/10/04/roptool roptool article] by '''Davee'''
* [https://github.com/xyzz/roptool-legacy old version] by '''Davee'''
* [http://wololo.net/downloads/index.php/download/8233 first release] by '''Davee'''
* [https://bitbucket.org/DaveeFTW/roptool new version] by '''Davee'''
 
1.61 files for HTMLit and ROPtool:
* [https://github.com/xyzz/wk161 files+webkit]by '''xyz'''
 
1.80 files for ROPtool:
* [https://bitbucket.org/DaveeFTW/wk180-roptool-target files] by '''Davee'''


1.81 ROP:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4577
* [https://web.archive.org/web/20150811215153/http://pastebin.com/XNeALEbC Support_Uri ROP script] by '''SMOKE'''
* [https://github.com/SMOKE5/VitaROP VitaROP] by '''SMOKE'''


2.60 webkit exploit PoC:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3748 / https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3748
* [https://www.lolhax.org/2014/10/19/psvita-webkit-exploit-information-and-credits credits article]
* [https://bitbucket.org/DaveeFTW/psvita-260-webkit psvita-260-webkit] by '''Davee'''
* [https://github.com/173210/psvita-webkit psvita-webkit] by '''Davee'''


3.18 webkit exploit PoC:
=== Test & Tool ===
* [https://github.com/BrianBTB/codelion_poc codelion_poc] by '''Codelion''' and '''BrianBTB'''


3.01-3.15-3.18 memory dumping:
* [http://www.lolhax.org/vita.htm live test] [http://wololo.net/v/webkit/vita.htm live test (miror)], [http://wololo.net/v/260.htm live test (old)]
* [https://bitbucket.org/Archaemic/memory-splicer memory-splicer] by '''Archaemic'''
* [https://bitbucket.org/DaveeFTW/psvita-260-webkit/ repo]
* [https://github.com/BrianBTB/JSoS-Module-Dump-Release JSoS-Module-Dump-Release] by '''BrianBTB'''
* [https://github.com/BrianBTB/codelion_poc repo]
* [https://bitbucket.org/Archaemic/memory-splicer repo]  
* [https://github.com/joshaxey/badnanna181/tree/master discarded repro reduction for <=1.81]
* [http://wololo.net/downloads/index.php/download/8231 memtools_vita] https://github.com/BrianBTB/memtools_vita/
* https://github.com/xyzz/vitadump
* [http://wololo.net/downloads/index.php/download/8233 ROPTool]
* [http://wololo.net/downloads/index.php/download/8234 HTMLIt]
* http://acez.re/ps-vita-level-1-webkitties-3/ https://github.com/acama/webkitties
* https://github.com/BrianBTB/JSoS-Module-Dump-Release/tree/master/akai
** http://pastie.org/private/ugchhaqctvmw5rrg5w37ka <- load more modules for the JSoS module dumper :)
** http://pastie.org/private/ugchhaqctvmw5rrg5w37ka <- load more modules for the JSoS module dumper :)
* [https://github.com/BrianBTB/memtools_vita memtools_vita] by '''BrianBTB'''
* https://github.com/Hykem/vitasploit/
 
* [http://pastebin.com/XNeALEbC SMOKE's Support_Uri Rop script]
3.15-3.18 webkitties:
* [https://github.com/acama/webkitties webkitties] by '''Acama'''
 
3.00-3.15-3.18 vitasploit:
* [https://github.com/Hykem/vitasploit vitasploit] (dead link) by '''Hykem'''
* [https://github.com/wargio/vitasploit vitasploit] (mirror) by '''Hykem'''
 
2.02-2.12-3.00-3.01-3.18 vitasploit:
* [https://github.com/xyzz/vitasploit vitasploit] by '''xyz'''
 
3.36 webkit exploit:
* [http://wololo.net/talk/viewtopic.php?f=54&t=42501 3.36 webkit exploit] by '''xyz'''
 
2.00-2.01-2.02-2.05-2.10-2.11-2.12-2.50-2.60-2.61-3.00-3.01-3.10-3.12-3.18-3.20 + 3.30-3.35-3.36 vitasploit:
* [https://github.com/Sorvigolova/vitasploit vitasploit] by '''Sorvigolova'''
 
Other tools:
* [https://github.com/xyzz/vitadump vitadump IDA plugin] by '''xyz'''
 
=== Online Tests ===
 
* [http://www.lolhax.org/vita.htm live test]
* [http://wololo.net/v/webkit/vita.htm live test (miror)]
* [http://wololo.net/v/260.htm live test 2.60 (old)]


=== Webkit Modules ===
=== Webkit Modules ===
 
* http://rghost.net/private/59665268/46690bd89ae7f298e4df145059c0d3e2 (3.18 dump)
* [http://rghost.net/private/59665268/46690bd89ae7f298e4df145059c0d3e2 (3.18 dump)] dead link


{| class="wikitable sortable"
{| class="wikitable sortable"
Line 456: Line 353:
|-
|-
| SceWebKitProcess ||  
| SceWebKitProcess ||  
|-
|}
|}


Please note that all contributions to Vita Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see Vita Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)

Templates used on this page: