Coto
Instead of pointing out flaws by "pros" without providing concise points, I will go ahead and:

@jakeem

https://cansecwest.com/slides/2015/Liang_CanSecWest2015.pdf

This is an example of a WebKit exploit; the naming convention is CVE-YYYY.

WebKit is widely used as it is very popular worldwide, and it has source code, documentation AND fixes (this latter part describes how to trace stacks through a debugger).

An exploit of the WebKit kind takes control of DOM objects at initialize->runtime, and in the background a top-down operation (machine level) happens, done through a compiler whose program data was already compiled (the nature of an exploit happens when the precompiled program flow causes undefined behaviour by not validating a process already statically revised, such as an invalid/unhandled instruction scheduling path (an optimization for compilers)).

https://en.wikipedia.org/wiki/Instruction_scheduling

There is usually the heap corruption + userland gain of unprotected pointers to executable memory, such as VTABLES required by the OOP (C++) paradigm's compiler allocation methods.
Having control of a VTABLE pointer allows you, through userland, to invoke objects in memory in a trashed state (either unallocated, or re-allocated but cast as a different object, leading to duplicate "allowed" pointers marked as read/writable for a memory page marked as executable by the OS). This means you can pretty much write ROP code IN user space (machine assembly code it natively understands) + a nop slide/heap corruption, and hope for a processor exception to execute that certain hand-crafted area. This is how exploits begin.

To be honest I don't think the idea of Google Translate's (as it needs the text DOM at some point to override the length attribute, thus allocating more memory from the heap) is far from good, it could even work!

Please refer to page 11:

tempa2.outerHTML="\n" marks the text parsed through the DOM as freed memory, right after allocation, causing an invalid pointer ready to be type-cast.

Then later, that copy of (const char*)"K33nTeam" to tempa2 (memory already freed) causes an exception.

Page 16:

a2.innerHTML (casts an invalid, fake text object). When copying the text, the DOM (and the machine code beneath) copies the whole TEXT object. By allocating new memory before the a2.innerHTML write takes place, THEN copying over such a TEXT object (cast by the DOM), you get a controlled VTABLE (as in the C++ paradigm), allowing you to craft a fake VTABLE with ... ROP code! Then just call the method through the DOM (relative to the legit VTABLE start address + method size) for each method and signature, so the fake VTABLE built allows you to call ROP-through-VTABLE allocation.

(VTABLE example, page 14)

(I was supposed to write toolchain/emu stuff but this hopefully allows newcomers to not get scared by more "experienced people". Also, this deserved some background explanation to make sense, and to justify it as not a rant.)
 
Last edited by Coto,
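As an added illustration (not code from the post or from the linked slides), here is a C model of the use-after-free pattern the post walks through: an object whose first word is its vtable pointer is freed, a later copy of untrusted bytes reuses the same slot, and a stale reference now sees a corrupted vtable. The single-slot heap, the generation-checked handle used as the defensive counterpart, and names such as `alloc_obj`, `call_checked` and the 0x41 filler are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stdbool.h>

/* Minimal C++-style object: the first word is the vtable pointer. */
struct obj { void (*const *vtable)(void); char name[24]; };
/* Hypothetical single-slot heap so reuse after free is deterministic; the union
 * makes the "object" and the raw bytes alias the same storage. */
static union { unsigned char bytes[32]; struct obj o; } slot;
static bool slot_in_use = false;
static uint32_t slot_generation = 0;   /* bumped on every free */

static void real_method(void) { puts("real method"); }
static void (*const real_vtable[])(void) = { real_method };
/* Reference = raw pointer plus the generation seen when it was handed out. */
struct handle { struct obj *p; uint32_t gen; };
static struct handle alloc_obj(const char *name) {
    slot_in_use = true;
    slot.o.vtable = real_vtable;
    snprintf(slot.o.name, sizeof slot.o.name, "%s", name);
    return (struct handle){ &slot.o, slot_generation };
}
static void free_obj(void) { slot_in_use = false; slot_generation++; }
/* A later copy of untrusted bytes (the "text object" in the post) lands in the
 * freed slot and overwrites the vtable word. */
static void alloc_bytes(const unsigned char *data, size_t n) {
    slot_in_use = true;
    memcpy(slot.bytes, data, n < sizeof slot.bytes ? n : sizeof slot.bytes);
}

/* Unchecked use trusts the dangling pointer and reads the corrupted vtable. */
static const void *vtable_seen_unchecked(struct handle h) { return h.p->vtable; }
/* Checked use refuses the call once the slot was freed after the handle was taken. */
static bool call_checked(struct handle h) {
    if (!slot_in_use || h.gen != slot_generation) return false;
    h.p->vtable[0]();
    return true;
}

/* Returns 1 when the checked path rejects the stale handle whose vtable word now
 * holds the constructed filler bytes, 0 otherwise. */
int demo(void) {
    struct handle h = alloc_obj("K33nTeam");
    bool ok_before = call_checked(h);
    free_obj();
    unsigned char junk[32]; memset(junk, 0x41, sizeof junk);   /* constructed filler */
    alloc_bytes(junk, sizeof junk);
    bool corrupted = vtable_seen_unchecked(h) != (const void *)real_vtable;
    return ok_before && corrupted && !call_checked(h);
}
```

Real engines use far larger allocators and mitigations than this single slot, but the ordering is the same: the dangerous moment is the reuse of freed storage while an old reference is still held, which is why the check keys on allocation generation rather than on the pointer value.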
