[source: MaTiAz @ lan.st] So, happy new year. I think presenting a new usermode exploit on the PSP is a good way to start 2009. ;) GripShift has a buffer overflow vulnerability when loading savegames. The savegame contains the profile name which can be easily used to overwrite . The savegame file is pretty big (25kB) so you have lots of space to put your code there. I wrote a simple blob of code to paint the framebuffer completely white (to just indicate that arbitrary code is running :)). The return address is located at offset 0xA9 in the file. In this PoC it points to 0x08E4CD50 (which is only a few bytes after the return address), and the code starts at 0xCC in the file.
It was tested on 4.01M33-2 with US version of GripShift (ULUS10040), and psplink.prx, usbhostfs.prx and deemerh.prx loaded (also without psplink and usbhostfs). The decrypted savegame (sorry, couldn't [be bothered to] get Shine's savegame tool working so it's in plaintext form) is in the SDDATA.BIN form which Hellcat's Savegame-Deemer produces (thanks to him, if the program didn't exist I wouldn't have bothered with this. :)). Just copy the ULUS10040SAVE00 directory to /PSP/SAVEPLAIN/ and run the game. :) EDIT: yeah, don't forget to have Savegame-Deemer working, duh.
Credits go to those who deserve them.
Note: This has been confirmed working on PSP-3000 by FreePlay.
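A detection-side check, added here as an example that is not from the post or from any of the tools it names: it reads the return slot at offset 0xA9 as the PSP's MIPS CPU would (little-endian storage is an assumption about the save layout) and flags a decrypted SDDATA.BIN whose slot points into user RAM. The user-RAM range and the two constructed sample saves are assumptions, not values from the post.

```python
import struct

# Offsets quoted in the post: the overwritten return address sits at 0xA9 in
# SDDATA.BIN and the injected code begins at 0xCC.
RET_ADDR_OFFSET = 0xA9
CODE_OFFSET = 0xCC

# Assumption: PSP user-mode RAM spans 0x08800000-0x09FFFFFF. A benign save has
# no reason to carry a pointer into it at the return slot.
USER_RAM_START = 0x08800000
USER_RAM_END = 0x09FFFFFF


def read_return_slot(savegame: bytes) -> int:
    """Decode the 4 bytes at 0xA9 as a little-endian word (assumed layout)."""
    return struct.unpack_from("<I", savegame, RET_ADDR_OFFSET)[0]


def inspect_savegame(savegame: bytes) -> dict:
    """Report whether a decrypted save looks like a control-flow hijack.

    'suspicious' is set when the return slot holds a user-RAM address;
    'binary_tail' notes whether the bytes from 0xCC look like non-text data.
    """
    if len(savegame) < CODE_OFFSET + 4:
        return {"truncated": True, "suspicious": False}
    slot = read_return_slot(savegame)
    in_user_ram = USER_RAM_START <= slot <= USER_RAM_END
    tail = savegame[CODE_OFFSET:CODE_OFFSET + 64]
    printable = sum(1 for b in tail if 0x20 <= b < 0x7F or b == 0)
    return {
        "truncated": False,
        "return_slot": slot,
        "in_user_ram": in_user_ram,
        "binary_tail": printable < len(tail) * 0.75,
        "suspicious": in_user_ram,
    }


def benign_save() -> bytes:
    """Constructed 25kB save: a short text profile name, everything else zero."""
    buf = bytearray(25 * 1024)
    buf[0:6] = b"PLAYER"
    return bytes(buf)


def hijacked_save() -> bytes:
    """Constructed save mimicking the layout the post describes (no real code)."""
    buf = bytearray(benign_save())
    struct.pack_into("<I", buf, RET_ADDR_OFFSET, 0x08E4CD50)
    buf[CODE_OFFSET:CODE_OFFSET + 32] = bytes([0xDE, 0xAD, 0xBE, 0xEF]) * 8
    return bytes(buf)
```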