Hacking Exploit in youtube, might lead to something?

  • Thread starter: rondoh70
  • Views: 17,882
  • Replies: 94
> A part of the video is loaded in RAM; that's where you look. You put your compiled code in the file and it's loaded into the RAM... (or a part... or something... ahah)
> 
> Anyway, since there's sandboxing, it requires more than a user exploit like this... but it's still one open door... no? (if it's exploitable by any means)


You're right, maybe if you inject ARM code like a jump (B instruction) and an MVN or MOV to edit register r0 (program counter), it will work :p
 
If it would be that easy, we would most likely already have something for 7.X. Some people should really look into how the ARM architecture works and learn ARM ASM.

And again, such things should not be posted publicly.

But this is most likely useless anyway. It crashes because of an unsupported video/audio stream, I think.
 
> If it would be that easy, we would most likely already have something for 7.X. Some people should really look into how the ARM architecture works and learn ARM ASM.
> 
> And again, such things should not be posted publicly.
> 
> But this is most likely useless anyway. It crashes because of an unsupported video/audio stream, I think.

It's not like there are a lot of possibilities for an exploit...
So if a certain type of video isn't supported, it's logical to crash the console? ahah
 
> Well, injecting code in a *3gp* (or MP4) video to make a ROP chain, is that possible?

That would be the only possible way to load an exploit past 4.5 that we know of. I will look into the ROP chain and how the .mp4 or .3gp files are read and executed, when I have time. But without a RAM setup this will most likely turn into a pointless guessing game.


Edit: I found out that the only way I can test the vulnerability, as I don't have the equipment, is to create a .txt file with code in it, rename it to .mp4 or .3gp and test. Not expecting much though.
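The post above asks how .mp4/.3gp files are read, and an earlier reply attributes the crash to an unsupported stream. What separates "unsupported input crashes the decoder" from "unsupported input is rejected" is bounds checking in the container parser. The following is an added example, not code from this thread or from any 3DS or YouTube software: a small parser for the top-level box layout shared by MP4 and 3GP (4-byte big-endian size, 4-byte type), written the defensive way, so that a size field that does not fit the buffer raises an error instead of driving the parser past the end of the data. It goes a little beyond the thread's question by also handling the 64-bit "largesize" form and the "size 0 = to end of file" convention. The sample files at the bottom are constructed by hand and are not real captures.

```python
# Added example (not from this thread or from any 3DS software): a bounds-checked
# parser for the ISO base media file format (MP4 / 3GP) box layout, the kind of
# input validation a decoder needs so that a malformed file is rejected instead
# of crashing it.
import struct
from dataclasses import dataclass


class MalformedBox(ValueError):
    """Raised when a box header does not agree with the bytes that follow it."""


@dataclass
class Box:
    kind: str    # four-character box type, e.g. "ftyp" or "mdat"
    offset: int  # where the box header starts in the file
    size: int    # total box size in bytes, header included


def parse_boxes(data: bytes) -> list[Box]:
    """Walk the top-level boxes of an MP4/3GP file and return them in order.

    Every size field is checked against the real buffer length before it is
    used to advance, so a lying or truncated header raises MalformedBox rather
    than pushing the parser past the end of the data.
    """
    boxes: list[Box] = []
    pos, end = 0, len(data)
    while pos < end:
        if end - pos < 8:
            raise MalformedBox(f"truncated box header at offset {pos}")
        size, raw_kind = struct.unpack_from(">I4s", data, pos)
        header_len = 8
        if size == 1:
            # A 64-bit "largesize" field follows the compact header.
            if end - pos < 16:
                raise MalformedBox(f"truncated largesize header at offset {pos}")
            (size,) = struct.unpack_from(">Q", data, pos + 8)
            header_len = 16
        elif size == 0:
            # Size 0 means "this box extends to the end of the file".
            size = end - pos
        if size < header_len:
            raise MalformedBox(f"box at offset {pos} claims {size} bytes, smaller than its header")
        if size > end - pos:
            raise MalformedBox(f"box at offset {pos} claims {size} bytes but only {end - pos} remain")
        try:
            kind = raw_kind.decode("ascii")
        except UnicodeDecodeError:
            raise MalformedBox(f"non-ASCII box type at offset {pos}") from None
        boxes.append(Box(kind, pos, size))
        pos += size
    return boxes


def is_well_formed(data: bytes) -> bool:
    """True if every top-level box fits inside the buffer, False otherwise."""
    try:
        parse_boxes(data)
    except MalformedBox:
        return False
    return True


def make_box(kind: bytes, payload: bytes) -> bytes:
    """Build one compact-header box (helper for the constructed samples below)."""
    return struct.pack(">I4s", 8 + len(payload), kind) + payload


# Constructed sample files (hand-built for this example, not real captures).
FTYP_PAYLOAD = b"3gp4" + struct.pack(">I", 0) + b"3gp4isom"  # major brand, minor version, compatible brands
GOOD_FILE = make_box(b"ftyp", FTYP_PAYLOAD) + make_box(b"mdat", b"\x00" * 16)
# Header claims 4096 bytes of media data, but only 8 bytes follow it.
OVERSIZED_FILE = make_box(b"ftyp", FTYP_PAYLOAD) + struct.pack(">I4s", 4096, b"mdat") + b"\x00" * 8
# Size smaller than the 8-byte header itself; a naive loop would never advance.
UNDERSIZED_FILE = struct.pack(">I4s", 3, b"mdat")
# A box using the 64-bit largesize form (16-byte header + 4 payload bytes).
LARGE_FILE = struct.pack(">I4s", 1, b"mdat") + struct.pack(">Q", 16 + 4) + b"\xff" * 4

if __name__ == "__main__":
    samples = [("good", GOOD_FILE), ("oversized", OVERSIZED_FILE),
               ("undersized", UNDERSIZED_FILE), ("largesize", LARGE_FILE)]
    for name, sample in samples:
        try:
            print(name, [(b.kind, b.size) for b in parse_boxes(sample)])
        except MalformedBox as exc:
            print(name, "rejected:", exc)
```

Run it directly and the "good" and "largesize" samples list their boxes while the two malformed ones are rejected with a reason. The two comparisons against `end - pos` are the whole point: a parser that trusts the size field and advances by it will read outside the buffer on the oversized sample and loop forever on the undersized one, which is exactly the kind of behaviour that shows up as a crash on a "bad stream".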
 
It's probably been mentioned, but depending on your vulns, sandboxing still plays a part, at least in most applications. To make any real system changes you'll end up needing a kernel exploit to get most of anything done.

No idea if the 3DS operates in the same manner, but you would need some sort of privilege escalation. As far as I know, GW achieved this through a kernel exploit. To exploit from an app would require that a payload rewrite memory for a ROP chain, escape said sandbox, and patch the kernel before anything could be done. All assuming that the 3DS hasn't had any ASLR written for it (I don't believe it does, but who knows if future FW would).
 
The situation is that the only hope for this glitch to work is if someone with a RAM dump setup comes across this thread and can do a ROP chain through an mp4 file. Right now it's a dead end until that happens.
 
Well, from what I know there is some kind of protection to not load code/data from crashes like this one... And the ROP chains were fixed... (?) If an exploit was to be found it should try a different approach... (?)
 
Making a ROP chain is probably the worst part of this, and before making one, someone needs to take a look at this crash to see if it's usable or not.

Edit: ROP chains can't be used anymore??? Srsly? How can they patch this type of code...
 
> Well, from what I know there is some kind of protection to not load code/data from crashes like this one... And the ROP chains were fixed... (?) If an exploit was to be found it should try a different approach... (?)

You could be right. The story I heard was that the ROP chain still existed; the exploit that allowed them to execute the chain was patched.

Edit: ROP chains are what allowed (Yellows8?) to bypass the sandbox.
 
> Making a ROP chain is probably the worst part of this, and before making one, someone needs to take a look at this crash to see if it's usable or not.
> 
> Edit: ROP chains can't be used anymore??? Srsly? How can they patch this type of code...

I don't think they can, pretty sure it's a problem with the ARM architecture.
 
The point of the ROP chain attack is to reuse existing code or functions to do what you want. Since we don't have the right to load our own code... we can always do pointer after pointer to create what we want. This implies you know everything about the 3DS system and the address of the function you want.
 
> The point of the ROP chain attack is to reuse existing code or functions to do what you want. Since we don't have the right to load our own code... we can always do pointer after pointer to create what we want. This implies you know everything about the 3DS system and the address of the function you want.

And this is why I said the YouTube glitch is useless until someone with a RAM setup takes the time to look into the crash.
 
My knowledge is not the best when it comes to assembly language, but the RAM dump will give you enough information to see what happened during the crash and get an idea of what code is needed to manipulate the crash.
 