[Release] Hykem’s Vitasploit

Native Vita Developer Hykem has just released Vitasploit tool for the PS Vita WebKit exploit.

Quote from Wololo.net/talk:
“Hi. I’ve been working on the PSP/PSVita reverse-engineering scene for quite some time now and I’ve seen a bunch of repositories and source code aimed at the recently revealed WebKit exploit.
I too was working on this particular bug before and I’ve been keeping track of all the latest updates. Recently, I finally got a new unit and began working on native exploitation using the incredible work done by Amat Cama, johntheropper and freebot, who came up with a clean and effective solution to play around with this bug.

Anyway, I’ve opened up a repository with my version of an exploitation framework here: https://github.com/Hykem/vitasploit
It’s obviously based on the “webkitties” project and features CodeLion/BrianBTB/BBalling1’s module dumping code and nas’s sceSysmoduleLoadModule finding (which was published a couple days ago).

The main difference here is that I’ve gathered all code in one single solution, so vitasploit combines webkooz, akai, memtools_vita and JSoS-Module-Dump-Release in a single project. The scripts can be used for both memory reading/writing and ROP code execution by changing a single variable.
I’ve also cleaned up a lot and implemented BBalling1’s module dumper in a more user-friendly fashion.

In addition to the standard ROP tests (from “akai”), I’ve also implemented a memory alloc/free test using SceLibKernel syscalls. The memory allocated using these functions may be useful for writing more extensive payloads in the future.
Also, all the ROP chain code has been ported to firmware 3.00 and I currently intend on porting it over to as many firmwares as possible. Some firmwares (e.g.: 3.01) may still use the same offsets (just like 3.18 uses the same code as 3.15), but it’s most likely that they all need recalculations for this to run on them.
The main goal is to dump all modules across firmwares for differential analysis and study the poisoned NIDs (after firmware 2.06).

On a side note, as you noticed, nas published a method to load more modules into user memory in order to dump them afterwards. This requires finding SceWebKitProcess’ base offset in advance (which you can do by running the module dumper once and take note of it, then change it in include/exploit.js).”

Source: Wololo.net/talk
Download Vitasploit from Github: https://github.com/Hykem/vitasploit