Webbrowser: Difference between revisions

From Vita Developer wiki
Jump to navigation Jump to search
Line 139: Line 139:
=== Repositories ===
=== Repositories ===


* https://github.com/Hykem/vitasploit/ by '''Hykem'''
<=1.81 webkit exploit PoC:
* [https://github.com/BrianBTB/codelion_poc repo]
* [https://github.com/joshaxey/badnanna181/tree/master discarded repro reduction for <=1.81] by '''joshaxey'''
* [https://github.com/joshaxey/badnanna181/tree/master discarded repro reduction for <=1.81]
 
* https://github.com/xyzz/vitadump
1.50-1.69-1.80 HTMLit:
* https://bitbucket.org/Archaemic/memory-splicer
* [https://bitbucket.org/DaveeFTW/htmlit htmlit] by '''Davee'''
* [https://bitbucket.org/DaveeFTW/psvita-260-webkit/ repo]
 
* https://github.com/acama/webkitties
ROPtool:
* [https://github.com/xyzz/roptool-legacy old version] by '''Davee'''
* [https://bitbucket.org/DaveeFTW/roptool new version] by '''Davee'''
 
1.61 files for HTMLit and ROPtool:
* [https://github.com/xyzz/wk161 wk161]by '''xyz'''
 
1.80 files for ROPtool:
* [https://bitbucket.org/DaveeFTW/wk180-roptool-target] by '''Davee'''
 
1.81 ROP:
* [https://github.com/SMOKE5/VitaROP VitaROP] by '''SMOKE'''
 
2.60 webkit exploit PoC:
* [https://bitbucket.org/DaveeFTW/psvita-260-webkit psvita-260-webkit] by '''Davee'''
 
3.18 webkit exploit PoC:
* [https://github.com/BrianBTB/codelion_poc codelion_poc] by '''Codelion''' and '''BrianBTB'''
 
3.15-3.18 memory dumping:
* [https://github.com/BrianBTB/JSoS-Module-Dump-Release JSoS-Module-Dump-Release] by '''BrianBTB'''
 
3.15-3.18 webkitties:
* [https://github.com/acama/webkitties webkitties] by '''Acama'''
 
3.00-3.15-3.18 vitasploit:
* [https://github.com/Hykem/vitasploit vitasploit] (dead link) by '''Hykem'''
* [https://github.com/wargio/vitasploit vitasploit] (mirror) by '''Hykem'''
 
2.02-2.12-3.00-3.01-3.18 vitasploit:
* [https://github.com/xyzz/vitasploit vitasploit] by '''xyz'''
 
3.36 webkit exploit:
* [http://wololo.net/talk/viewtopic.php?f=54&t=42501 3.36 webkit exploit] by '''xyz'''
 
2.00-2.01-2.02-2.05-2.10-2.11-2.12-2.50-2.60-2.61-3.00-3.01-3.10-3.12-3.18-3.20 + 3.30-3.35-3.36 vitasploit:
* [https://github.com/Sorvigolova/vitasploit vitasploit] by '''Sorvigolova'''
 
Other tools:
* [https://github.com/xyzz/vitadump vitadump IDA plugin] by '''xyz'''
* [https://bitbucket.org/Archaemic/memory-splicer memory-splicer] by '''Archaemic'''


=== Code, Test & Tool ===
=== Code, Test & Tool ===

Revision as of 11:44, 15 June 2018

Web Content Guidelines

Supports

  • Cookies
  • Javascript 1.7
  • partial HTML 5
  • Partial Video support (added from 2.10 update)

Not supported

  • Flash
  • Youtube (no HTML5: video)

Known Useragents

PlayStation Vita YouTube/1.0 libhttp/1.67 (PS Vita)
PlayStation Vita YouTube/2.1 libhttp/2.60 (PS Vita)

Useragent (Vita TV has trailing "Silk/3.2 VTE/2.50" or "Silk/3.2 VTE/3.30" as subidentifier):

Table below indicates known and unknown. "YES" = known vulnerability in use, "NO" = unknown if vulnerability in use.

useragent version vulnerability
Mozilla/5.0 (PlayStation Vita 1.00) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 01.000.000 Yes
Mozilla/5.0 (PlayStation Vita 1.03) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 01.030.010 Yes
Mozilla/5.0 (PlayStation Vita 1.04) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 01.040.000 Yes
Mozilla/5.0 (PlayStation Vita 1.05) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 01.050.000 Yes
Mozilla/5.0 (PlayStation Vita 1.06) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 01.060.010 Yes
Mozilla/5.0 (Playstation Vita 1.50) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 01.500.000 Yes
Mozilla/5.0 (PlayStation Vita 1.51) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 01.510.000 Yes
Mozilla/5.0 (PlayStation Vita 1.52) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 01.520.000 Yes
Mozilla/5.0 (PlayStation Vita 1.60) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 01.600.000 Yes
Mozilla/5.0 (Playstation Vita 1.61) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 01.610.000 Yes
Mozilla/5.0 (PlayStation Vita 1.65) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 01.650.000 Yes
Mozilla/5.0 (PlayStation Vita 1.66) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 01.660.000 Yes
Mozilla/5.0 (PlayStation Vita 1.67) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 01.670.000 Yes
Mozilla/5.0 (PlayStation Vita 1.69) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 01.690.000 Yes
Mozilla/5.0 (PlayStation Vita 1.80) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 01.800.000 Yes
Mozilla/5.0 (PlayStation Vita 1.81) AppleWebKit/531.22.8 (KHTML, like Gecko) Silk/3.2 01.810.000 Yes
Mozilla/5.0 (PlayStation Vita 2.00) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 02.000.000 Yes
Mozilla/5.0 (PlayStation Vita 2.01) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 02.010.000 Yes
Mozilla/5.0 (PlayStation Vita 2.02) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 02.020.000 Yes
Mozilla/5.0 (PlayStation Vita 2.05) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 02.050.000 Yes
Mozilla/5.0 (PlayStation Vita 2.06) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 02.060.000 Yes
Mozilla/5.0 (PlayStation Vita 2.10) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 02.100.000 Yes
Mozilla/5.0 (PlayStation Vita 2.11) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 02.110.000 Yes
Mozilla/5.0 (PlayStation Vita 2.12) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 02.120.000 Yes
Mozilla/5.0 (PlayStation Vita 2.50) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 02.500.000 Yes
Mozilla/5.0 (PlayStation Vita 2.60) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 02.600.000 Yes
Mozilla/5.0 (PlayStation Vita 2.61) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 02.610.000 Yes
Mozilla/5.0 (PlayStation Vita 3.00) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 03.000.000 Yes
Mozilla/5.0 (PlayStation Vita 3.01) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 03.010.000 Yes
Mozilla/5.0 (PlayStation Vita 3.10) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 03.100.000 Yes
Mozilla/5.0 (PlayStation Vita 3.12) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 03.120.000 Yes
Mozilla/5.0 (PlayStation Vita 3.15) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 03.150.000 Yes
Mozilla/5.0 (PlayStation Vita 3.18) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 03.180.000 Yes
Mozilla/5.0 (PlayStation Vita 3.20) AppleWebKit/536.26 (KHTML, like Gecko) Silk/3.2 03.200.000 Yes
Mozilla/5.0 (PlayStation Vita 3.30) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 03.300.000 Yes
Mozilla/5.0 (PlayStation Vita 3.35) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 03.350.000 Yes
Mozilla/5.0 (PlayStation Vita 3.36) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 03.360.000 Yes
Mozilla/5.0 (PlayStation Vita 3.50) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 03.500.000 Yes
Mozilla/5.0 (PlayStation Vita 3.52) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 03.520.000 Yes
Mozilla/5.0 (PlayStation Vita 3.55) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 03.550.000 Yes
Mozilla/5.0 (PlayStation Vita 3.57) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 03.570.000 Yes
Mozilla/5.0 (PlayStation Vita 3.60) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 03.600.000 Yes
Mozilla/5.0 (PlayStation Vita 3.61) AppleWebKit.537.73 (KHTML, like Gecko) Silk/3.2 03.610.000 No

Webkit exploit

Terminology

An information security vulnerability is a mistake in software that can be directly used by a hacker to gain access to a system or network.
An information security exposure is a system configuration issue or a mistake in software that allows access to information or 
capabilities that can be used by a hacker as a stepping-stone into a system or network.

Common Vulnerabilities and Exposures list

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1807
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4577
http://packetstormsecurity.com/files/123089/Packet-Storm-Advisory-2013-0903-1-Apple-Safari-Heap-Buffer-Overflow.html (related to
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3748 / https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3748)

Repositories

<=1.81 webkit exploit PoC:

1.50-1.69-1.80 HTMLit:

ROPtool:

1.61 files for HTMLit and ROPtool:

1.80 files for ROPtool:

1.81 ROP:

2.60 webkit exploit PoC:

3.18 webkit exploit PoC:

3.15-3.18 memory dumping:

3.15-3.18 webkitties:

3.00-3.15-3.18 vitasploit:

2.02-2.12-3.00-3.01-3.18 vitasploit:

3.36 webkit exploit:

2.00-2.01-2.02-2.05-2.10-2.11-2.12-2.50-2.60-2.61-3.00-3.01-3.10-3.12-3.18-3.20 + 3.30-3.35-3.36 vitasploit:

Other tools:

Code, Test & Tool

Webkit Modules

Module Remark
SceAacenc
SceActivityDb
SceAppUtil
SceAtrac
SceAudiocodec
SceAvcodecUser
SceAvPlayer
SceBeisobmf
SceBemp2sys
ScebXCe
SceCheckoutDialogPlugin
SceClipboard
SceCommonDialog
SceCommonGuiDialog
SceDbrecoveryUtility
SceDbutil
SceDriverUser
SceDrmPsmKdc
SceFiber
SceFriendListDialogPlugin
SceGpuEs4User
SceGxm
SceHafnium
SceHandwriting
SceIme
SceImeDialogPlugin
SceIniFileProcessor
SceJpegArm
SceJpegEncArm
SceLibc
ScelibDbg
SceLibFios2
SceLibft2
SceLibG729
SceLibGameUpdate
SceLibHttp
SceLibJson
SceLibKernel
SceLibLocation
SceLibLocationExtension
SceLibMp4Recorder
SceLibNetCtl
SceLibPgf
SceLibPspnetAdhoc
SceLibPvf
SceLibRudp
SceLibSsl
SceLibVitaJSExtObj
SceLibXml
SceLiveAreaUtil
SceMp4
SceMsgDialogPlugin
SceMusicExport
SceNearDialogUtil
SceNearProfile
SceNearUtil
SceNet
SceNetAdhocMatching
SceNetCheckDialogPlugin
SceNgsUser
SceNotificationUtil
SceNpActivity
SceNpActivityNet
SceNpBasic
SceNpCommerce2
SceNpCommon
SceNpCommonPs4
SceNpFriendPrivacyLevel
SceNpKdc
SceNpManager
SceNpMatching2
SceNpMessage
SceNpMessageContactsPlugin
SceNpMessageDialogPlugin
SceNpMessageDlgImplPlugin
SceNpPartyGameUtil
SceNpScore
SceNpSignaling
SceNpSnsFacebook
SceNpTrophy
SceNpTus
SceNpUtility
SceNpWebApi
ScePaf
ScePartyMemberListPlugin
ScePhotoExport
ScePhotoImportDialogPlugin
ScePhotoReviewDialogPlugin
ScePromoterUtil
ScePsp2Compat
SceSasUser
SceSaveDataDialogPlugin
SceScreenShot
SceShellSvc
SceShutterSound
SceSqlite
SceSqliteVsh
SceStoreCheckoutPlugin
SceSystemGesture
SceTeleportClient
SceTeleportServer
SceTrophySetupDialogPlugin
SceUlt
SceVideoExport
SceVoice
SceVoiceQoS
SceWebFiltering
SceWebKit
SceWebKitProcess

Browsertests

Access to the PS3 Store and get content in Vita

Video

[2]

PS Vita's browser has some secrets function, such as enter in ps store or open an app.

For example:

psns:browse?category=PN.P3.US-PN.P3.GAME.US-BASE opens PS3 store US region
psns:browse?product=IP9100-PCSI00002_00-MUSICUNLIMITED00 opens Music Unlimited product

How it works

 psns:browse

This command supports several arguments, the most usables are:

 psns:browse?category=
 
 psns:browse?product=

By defining a category or product ID, this command will redirect you to the PSN Store and show you the chosen category/product. A few examples:

The syntax for categories works as follows:

 PN + CONSOLE ID + REGION ID + PN + CONSOLE ID + STORE ID + REGION ID + PAGE

Common Console ID's are:

 P3 --> PS3
 
 VT --> PS VITA
 
 PC --> MEDIA GO / PSP

Common Store ID's are:

 GAME or VIDEO

Redeem Comand

 psns:redeem?code1=123&code2=456&code3=789

This command will immediantly prompt you to the PSN Stores' redeem function, taking the arguments with it.