Homebrew Why exploit images or else

[Pikolino]

https://twitter.com/aquaaaah/status/897209862416809985
god damn my mii is sexy

Tried to remap some url to loadiine.ovh with charles?

 

[gudenau]

Just because the error is properly handled means you can't use a MP4 at all. It's not a valid image so it shows an invalid image image.

 

[Dr.Hacknik]

In order to cause an exploit to occur. You must cause a Buffer Overflow. Allowing the application to crash and fall back onto some code. I'm not sure how to do this with an image file, but performing it with a .mp4 is easy. On the other hand, MiiVerse includes a video player, with the MPEG Codec. Allowing things like YouTube videos to play. If you can redirect a Video, to a corrupted one you might be able to cause a buffer Overflow. I'm just speculating.

 

[gudenau]

In order to cause an exploit to occur. You must cause a Buffer Overflow. Allowing the application to crash and fall back onto some code. I'm not sure how to do this with an image file, but performing it with a .mp4 is easy. On the other hand, MiiVerse includes a video player, with the MPEG Codec. Allowing things like YouTube videos to play. If you can redirect a Video, to a corrupted one you might be able to cause a buffer Overflow. I'm just speculating.

Buffer overflows are not needed. :3

 

[Dr.Hacknik]

Buffer overflows are not needed. :3

How? I remember using them, especially in early Wii U exploits.

 

[gudenau]

How? I remember using them, especially in early Wii U exploits.

There are several ways to exploit stuff. Undocumented APIs, bad memory permissions letting you write where you shouldn't, integer overflows for index values, plain old not checking inputs, stack overflows, buffer over and underflows, type confusion, abusing hardware DMA, use after free.

Lots of things are possible. IIRC the Stagefright stuff is an interger overflow. I know for a fact that the Pegasus thing uses a use after free to create a flat array that is 0xFFFFFFFF bytes long and starts at 0x00000000.

 

[Wolfer473]

https://twitter.com/aquaaaah/status/897209862416809985
god damn my mii is sexy

How did you get Charles to watch your Wii U's connections? It keeps being weird for me.

 

[iAqua]

How did you get Charles to watch your Wii U's connections? It keeps being weird for me.

set it as proxy

 

[Wolfer473]

set it as proxy

Yeah lol I figured it out right after I posted that. I'm now banned from Miiverse and eShop. Can't tell if it's because I was trying to replace an eShop video and it detected an invalid certificate or because the NNU-Patcher stopped working while I was still in the eShop.

 

[gbatempfan1]

In order to cause an exploit to occur. You must cause a Buffer Overflow. Allowing the application to crash and fall back onto some code. I'm not sure how to do this with an image file,.

Several things to check, I wrote a decoder in python 4 or 5 years ago, so it is a bit vague, but from what I remember... You can check how it handles the memory situation by creating pngs that deflate quite large through several methods. Each chunk can be 4mb, there are 4 primrary chunk types such as image data, color palettes, and a dozen or maybe even more extra types like text data, besides making fields in headers large, since it uses DEFLATE compression, just see how many series of blocks of 0 or 1s you can encode, which it will subsequently expand, you can also create literal blocks of 64k in size, and keep on pushing them. Also I think filtering bits can expand things even more. Besides checking low memory conditions to see if any of the 14 chunk types overflow, you can check which version of libpng it uses, if it does use that library, you can check for CVEs https://www.cvedetails.com/vulnerability-list/vendor_id-7294/Libpng.html

I'd imagine with some googling there might be some specially crafted pngs online for testing these things. Of course that gets you half way, if you test out a bunch and you get a crash, like you said, the other half is the code execution.

 

[aykay55]

https://twitter.com/aquaaaah/status/897209862416809985
god damn my mii is sexy

I know this thread is dated but:

Is this visible to others or just you. Otherwise it's Inspect Element Craze all over again