Post: Developer Naehrwert Explains Possible lv2_kernel Exploit
09-22-2012, 06:01 PM #1
Xx--AIDAN--xX
One Man Army

Roughly nineteen hours ago I got a Tweet from developer naehrwert regarding exploiting LV2 of the PlayStation 3. Unfortunately life takes its toll and I was unable to get this information to you quicker. With that said, he also stated in a previous Tweet, "sadly this is not as nice as it looks like". So don't get too excited yet. In a recent blog post the developer highlights a stack overflow vulnerability in the PS3's lv2_kernel. But the kernel exploit has its challenges and he invokes other developers who might be up to the challenge. Here is a quote from the developer.


About lv2_kernel exploit:
A long while ago KaKaRoTo pointed me to a stack overflow he found while reversing lv2_kernel. But there are two problems:

1. The vulnerability is in a protected syscall (the SELF calling it got to have the 0x40… control flags set). So you'd first need to find a suitable usermode exploit (don't ask us), that gives you code execution with the right privileges.
2. The payload data is copied to lv2 heap first and the function will do a free call on it before the payload has any chance to get executed. This might not sound like a problem but it looks like lv2's heap implementation will overwrite the freed space with 0xABADCAFE and thus destroy the payload.


Here is my sample implementation for 3.41 lv2_kernel (although the vulnerability should be present in all versions of lv2 up to the latest firmware), maybe one of you will find a way to overcome problem (2.) and can get something nice out of it because right now it's only good to crash lv2.
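The second problem in the quote is worth seeing concretely. The following is an added model written for this page, not naehrwert's sample implementation and not lv2_kernel's allocator: a toy bump allocator whose free() can optionally overwrite the released chunk with the 0xABADCAFE word the post mentions. A stand-in payload is copied into a heap chunk (the syscall's copy-in), the chunk is freed before anything could run it, and the code then counts how many payload bytes are still intact. The big-endian byte layout of the poison word is an assumption based on the PS3's PowerPC PPE being big-endian; the chunk sizes, the payload contents and the allocator itself are constructed for illustration.

```c
/* Constructed model of "payload is freed before it runs, and free() poisons
 * the chunk". Not lv2_kernel code; the allocator is a toy. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define POISON_WORD 0xABADCAFEu   /* pattern named in the quoted post */
#define HEAP_SIZE   256

typedef struct {
    uint8_t mem[HEAP_SIZE];
    size_t  next;             /* bump pointer; reuse is not modelled */
    int     poison_on_free;   /* 1 = overwrite freed space with POISON_WORD */
} toy_heap;

static void toy_heap_init(toy_heap *h, int poison_on_free)
{
    memset(h->mem, 0, sizeof h->mem);
    h->next = 0;
    h->poison_on_free = poison_on_free;
}

/* Allocate n bytes rounded up to a 4-byte word; NULL when exhausted. */
static void *toy_alloc(toy_heap *h, size_t n)
{
    size_t rounded = (n + 3) & ~(size_t)3;
    if (rounded > HEAP_SIZE - h->next)
        return NULL;
    void *p = h->mem + h->next;
    h->next += rounded;
    return p;
}

/* Free a chunk of n bytes. Only the effect on its contents matters here:
 * with poisoning enabled every word is replaced, so nothing staged in the
 * chunk survives the free. */
static void toy_free(toy_heap *h, void *p, size_t n)
{
    if (!h->poison_on_free)
        return;
    size_t rounded = (n + 3) & ~(size_t)3;
    uint8_t *q = p;
    for (size_t i = 0; i < rounded; i += 4) {
        /* big-endian word layout (assumption: PPE is big-endian) */
        q[i + 0] = (POISON_WORD >> 24) & 0xff;
        q[i + 1] = (POISON_WORD >> 16) & 0xff;
        q[i + 2] = (POISON_WORD >>  8) & 0xff;
        q[i + 3] = (POISON_WORD >>  0) & 0xff;
    }
}

/* Number of payload bytes still intact after the chunk holding the staged
 * payload has been freed. 64 means untouched, 0 means fully destroyed. */
size_t payload_bytes_surviving(int poison_on_free)
{
    /* Constructed stand-in payload: 64 bytes, none equal to any byte of the
     * poison word, so an intact byte cannot be a coincidence. */
    uint8_t payload[64];
    for (size_t i = 0; i < sizeof payload; i++)
        payload[i] = (uint8_t)(i + 1);

    toy_heap h;
    toy_heap_init(&h, poison_on_free);

    uint8_t *staged = toy_alloc(&h, sizeof payload);
    if (!staged)
        return 0;
    memcpy(staged, payload, sizeof payload);   /* the syscall's copy-in */
    toy_free(&h, staged, sizeof payload);      /* freed before any use */

    size_t intact = 0;
    for (size_t i = 0; i < sizeof payload; i++)
        if (staged[i] == payload[i])
            intact++;
    return intact;
}

/* 1 if every word of a freed chunk reads back as POISON_WORD: in this model,
 * the signature you would see in a memory dump of the freed region. */
int freed_chunk_is_poisoned(void)
{
    toy_heap h;
    toy_heap_init(&h, 1);
    uint8_t *p = toy_alloc(&h, 32);
    if (!p)
        return 0;
    memset(p, 0x11, 32);
    toy_free(&h, p, 32);
    for (size_t i = 0; i < 32; i += 4) {
        uint32_t w = ((uint32_t)p[i] << 24) | ((uint32_t)p[i + 1] << 16)
                   | ((uint32_t)p[i + 2] << 8) | (uint32_t)p[i + 3];
        if (w != POISON_WORD)
            return 0;
    }
    return 1;
}
```

With poisoning off the whole payload survives the free; with it on, not a single byte does, which is the situation the quote describes: whatever the stack overflow later jumps to, the staged bytes in the heap are gone by then. The same behaviour is why fill-on-free is worth having in an allocator from the defender's side: it denies an attacker the use of freed chunks as a staging area for data that is consumed after the free.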

