Comments:
<0> just how crazy is crazyeddy?
<1> crazyeddy is the guy who invented microsoft V-chat
<1> they say after he got laid off he lost his mind and started living in the woods
<2> can someone answer a quick question for me ?
<2> its kind of simple
<3> i can try.
<2> k
<2> Program received signal SIGSEGV, Segmentation fault.
<2> 0xb7f7646b in TIFFFindFieldInfo () from /usr/lib/libtiff.so.3
<2> (gdb) bt
<2> #0 0xb7f7646b in TIFFFindFieldInfo () from /usr/lib/libtiff.so.3
<2> #1 0xb7f74e97 in _TIFFsetDoubleArray () from /usr/lib/libtiff.so.3
<2> #2 0xb7f74f3e in TIFFVSetField () from /usr/lib/libtiff.so.3
<2> #3 0xb7f74f27 in TIFFSetField () from /usr/lib/libtiff.so.3
<2> #4 0xb7f77d80 in TIFFReadDirectory () from /usr/lib/libtiff.so.3
<2> #5 0x40000000 in ?? ()
<2> #6 0x40000000 in ?? ()
<2> #7 0x40000000 in ?? ()
<2> #8 0x40000000 in ?? ()
<2> why did that not crash on 0x40000000
<2> lets theoretically say i had shellcode there at 0x40000000 would it execute anyway?
<3> woah
<3> pastebin
<2> do what
<3> you overrode the ret add with 0x40000000
<2> yea
<3> you can't access 0x40000000
<2> but why didn't it crash there
<2> at 0x40000000
<3> it did
<3> see #5.
<2> yea but it stops at 4 it says
<2> plz dont release this
<2> im working on some psp stuff
<2> it crashes the psp
<2> 0x40000000 is vram address and i got a pic with mips asm in the framebuffer
<2> so im trying to point it there
<3> yeah
<3> #5 is the call/return from #4.
<2> yea it goes down 999 times because thats what i put it as
<3> vram isn't exec ?
<2> then i got some mips nop's which is 0x00 in there
<2> well problem is
<2> :(
<2> i got no way to test
<2> i only have 2.71
<2> it wont let you run code
<2> thats why im hacking it
<3> try pointing elsewhere
<2> i know none of the addresses :(
<3> there's PSP dev kits i guess
<3> where you can code games and ****
<3> or !game
<2> yea but i dont have one :(
<3> goole
<2> or know anyone
<3> google*
<2> but i know a guy with a modchip on his psp
<2> i just have no way to write a debug stub on the dash
<3> you're not the only one who's trying this.
<2> its like complicated
<2> yea it was done before
<2> its just im the only one succeeding
<2> on this
<2> im the only one who knows about this
<2> well a couple of other people
<2> i havent shown anyone the code
<2> but vram is supposed to be exec from any program
<3> how do you run your code ?
<2> i dont, its a picture
<2> but psp has an ***load of security checks
<3> how do you rewrite the vram/ret ?
<2> and like 4 kernel modes
<2> umm i think you can clear it with syscall 0x20c7
<3> okay
<3> and how does your 0x4000000 get loaded in the equivalent of eip
<2> the vram address starts at 0x40000000 and ends at 0x44000000
<3> #4 0xb7f77d80 in TIFFReadDirectory () from /usr/lib/libtiff.so.3
<3> you're trying this on your box ?
<2> its a buffer overflow in the readcount field of libtif
<2> yea i can get it working on here
<2> im just trying to get it on the psp and nobody can help :(
<3> you won't if you overwrite with 0x400000
<3> there's libtiff on the psp ?!
<2> yea
<3> wtf
<2> that and libungif
<2> yea i know i said the same thing
<2> but they dont sell the OS
<2> just the hardware
<3> how do you get your code executed...
<2> ummm, im going to execute it in vram
<2> i have a pic i made
<3> how do you exploit libtiff
<2> write too much data to the readcount
<3> how
<2> you use libtiff to create a messed up .tif
<2> with too big a readcount
<3> but isn't that just an integer overflow ?
<3> okay i get it
<3> but how do you load your image ?
<4> i dont get it. is it just overwriting eip?
<2> no
<2> hey ned, dont you do psp work?
<3> the equivalent of eip
<4> NOPx86, nope
<2> oh
<2> i'll explain later i got to try to get unbanned from toc2rta for not telling them how i did this
<3> well, say it.
<2> i cant release it yet until i have it working
<3> yeah
<2> and im going to release it on the psp without a warning first
<2> just because sony's an ***hole and so am i
<3> you simply have an image of shellcode in the vram you got loaded with libtiff and the kernel
<3> by overwriting the eip or whatever to point to the vram
<2> yea, the image is set as my bg towards the beginning
<2> my first code is just going to clear the cache
<2> so the vram will blank
<2> then i can release it and everyone can have fun
<3> you'd have to load a shell
<3> that'd be great
<3> but your code had to fit the size of the vram
<2> yea, the psp doesnt have one, the psp is like so weird for real
<2> like its retarded
<2> there's like 5 dif kernel modes
<2> some can write to flash some cant
<3> you said 4 earlier.
<2> some cant do ****
<2> like 4 or 5
<2> i'll look for the mem map in a min
<2> so i'll know for sure
<2> then there's like 2 user mode
<2> s
<2> then there's a vsh mode
<2> which is ideal for what i want to do
<3> heh
<2> which is reprogram the flash
<2> go back down to firmware 1.5 so i can run my own code
<2> nobody wants to help, all i keep hearing is there's no exploit released for 2.71 or 2.80 fw
<3> good luck with that
<2> i know there's not, im the one who made it
<3> wait
<3> you didn't make it yet.
<2> like they have to have someone's code to do something
<2> yea i mean i found the vuln
<3> now exploit it.
<2> you have to make the program to make the .tif
<3> how did you find out about libtiff ?
<2> because on the psp
<2> when you go to system settings
<2> and about psp