Hacking Wii U Hacking & Homebrew Discussion

arbiter34

FSA return values from the documentation (language ripped from the docs):

FSA_STATUS_OK 0

FSA_STATUS_NOT_INIT (-1) /* FSA service is not initialized */
FSA_STATUS_BUSY (-2) /* FSA shim or IPC was too busy */
FSA_STATUS_CANCELED (-3) /* Command canceled */
FSA_STATUS_END_OF_DIRECTORY (-4) /* Indicates end of directory */
FSA_STATUS_END_OF_FILE (-5) /* Indicates end of file */

FSA_STATUS_MAX_MOUNTPOINTS (-16) /* Reached to max number of mount points */
FSA_STATUS_MAX_VOLUMES (-17) /* Reached to max number of volumes */
FSA_STATUS_MAX_CLIENTS (-18) /* Reached to max number of clients */
FSA_STATUS_MAX_FILES (-19) /* Reached to max number of file handles */
FSA_STATUS_MAX_DIRS (-20) /* Reached to max number of dir handles */
FSA_STATUS_ALREADY_OPEN (-21) /* Target is already opened or locked by another transaction */
FSA_STATUS_ALREADY_EXISTS (-22) /* Target path already exists */
FSA_STATUS_NOT_FOUND (-23) /* Target path is not found */
FSA_STATUS_NOT_EMPTY (-24) /* Target path already exists */
FSA_STATUS_ACCESS_ERROR (-25) /* Attempted to access file with bad file mode */
FSA_STATUS_PERMISSION_ERROR (-26) /* Did not have permission to complete operation */
FSA_STATUS_DATA_CORRUPTED (-27) /* Cannot complete transaction due to corrupted data block */
FSA_STATUS_STORAGE_FULL (-28) /* Request would cause one of the ancestor directories to exceed its quota, or no free space left in storage */
FSA_STATUS_JOURNAL_FULL (-29) /* Transaction journal is full, need to flush */

FSA_STATUS_UNSUPPORTED_CMD (-32) /* Operation is not supported by FS */
FSA_STATUS_INVALID_PARAM (-33) /* Specified parameter is invalid */
FSA_STATUS_INVALID_PATH (-34) /* Specified path is invalid */
FSA_STATUS_INVALID_BUFFER (-35) /* Specified buffer is invalid */
FSA_STATUS_INVALID_ALIGNMENT (-36) /* Specified alignment is invalid */
FSA_STATUS_INVALID_CLIENT_HANDLE (-37) /* Specified client handle is invalid */
FSA_STATUS_INVALID_FILE_HANDLE (-38) /* Specified file handle is invalid */
FSA_STATUS_INVALID_DIR_HANDLE (-39) /* Specified dir handle is invalid */
FSA_STATUS_NOT_FILE (-40) /* Specified path is directory instead of a file. */
FSA_STATUS_NOT_DIR (-41) /* Specified path is file instead of a directory. */
FSA_STATUS_FILE_TOO_BIG (-42) /* Request would push the file over the size limit (not the quota limit). */
FSA_STATUS_OUT_OF_RANGE (-43) /* Attempted to access out of accessible area */
FSA_STATUS_OUT_OF_RESOURCES (-44) /* Internal resources ran short */

FSA_STATUS_MEDIA_NOT_READY (-64) /* Medium is not ready to use, user has to put medium correctly */
FSA_STATUS_MEDIA_ERROR (-65) /* Medium is in some bad condition */
FSA_STATUS_WRITE_PROTECTED (-66) /* Medium is in some bad condition */

FSA_STATUS_SYSTEM_ERROR (-1024) /* Fatal system error, call FSAGetError() to get precise error codes */
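The list above is the raw table; what a homebrew caller actually needs is a way to decode a return value and decide what to do with it (loop exit on END_OF_FILE, reissue on BUSY, escalate on SYSTEM_ERROR). The following is an added example, not code from the thread or from any Wii U SDK or homebrew library: the status values are exactly the ones posted, while the X-macro, the class names, the helper functions and the "busy then ok" stand-in operation are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Status values exactly as listed above; everything else here is constructed. */
#define FSA_STATUS_LIST(X) \
    X(OK, 0) X(NOT_INIT, -1) X(BUSY, -2) X(CANCELED, -3) \
    X(END_OF_DIRECTORY, -4) X(END_OF_FILE, -5) \
    X(MAX_MOUNTPOINTS, -16) X(MAX_VOLUMES, -17) X(MAX_CLIENTS, -18) \
    X(MAX_FILES, -19) X(MAX_DIRS, -20) X(ALREADY_OPEN, -21) \
    X(ALREADY_EXISTS, -22) X(NOT_FOUND, -23) X(NOT_EMPTY, -24) \
    X(ACCESS_ERROR, -25) X(PERMISSION_ERROR, -26) X(DATA_CORRUPTED, -27) \
    X(STORAGE_FULL, -28) X(JOURNAL_FULL, -29) X(UNSUPPORTED_CMD, -32) \
    X(INVALID_PARAM, -33) X(INVALID_PATH, -34) X(INVALID_BUFFER, -35) \
    X(INVALID_ALIGNMENT, -36) X(INVALID_CLIENT_HANDLE, -37) \
    X(INVALID_FILE_HANDLE, -38) X(INVALID_DIR_HANDLE, -39) X(NOT_FILE, -40) \
    X(NOT_DIR, -41) X(FILE_TOO_BIG, -42) X(OUT_OF_RANGE, -43) \
    X(OUT_OF_RESOURCES, -44) X(MEDIA_NOT_READY, -64) X(MEDIA_ERROR, -65) \
    X(WRITE_PROTECTED, -66) X(SYSTEM_ERROR, -1024)

enum fsa_status {
#define FSA_ENUM_ENTRY(name, val) FSA_STATUS_##name = (val),
    FSA_STATUS_LIST(FSA_ENUM_ENTRY)
#undef FSA_ENUM_ENTRY
};

/* How a caller should treat a status; the grouping follows the numeric blocks in the list. */
typedef enum {
    FSA_CLASS_SUCCESS,    /* 0 */
    FSA_CLASS_END,        /* END_OF_FILE / END_OF_DIRECTORY: normal loop exit, not an error */
    FSA_CLASS_RETRY,      /* BUSY: transient, the same request can be reissued */
    FSA_CLASS_CANCELED,   /* CANCELED: requested by someone, do not silently retry */
    FSA_CLASS_RESOURCE,   /* handle/quota/journal limits: free or flush something first */
    FSA_CLASS_TARGET,     /* -21..-27: state of the target path (exists, missing, locked, mode, corrupt) */
    FSA_CLASS_CALLER_BUG, /* NOT_INIT and -32..-43: bad argument or call sequence on our side */
    FSA_CLASS_MEDIA,      /* -64..-66: the medium itself */
    FSA_CLASS_FATAL,      /* SYSTEM_ERROR: only FSAGetError() says more */
    FSA_CLASS_UNKNOWN     /* a value not in the documented list */
} fsa_class;

const char *fsa_status_name(int status)
{
    static const struct { int val; const char *name; } table[] = {
#define FSA_NAME_ENTRY(name, val) { (val), "FSA_STATUS_" #name },
        FSA_STATUS_LIST(FSA_NAME_ENTRY)
#undef FSA_NAME_ENTRY
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (table[i].val == status)
            return table[i].name;
    return "FSA_STATUS_<undocumented>";
}

fsa_class fsa_classify(int status)
{
    if (status == FSA_STATUS_OK) return FSA_CLASS_SUCCESS;
    if (status == FSA_STATUS_END_OF_FILE || status == FSA_STATUS_END_OF_DIRECTORY) return FSA_CLASS_END;
    if (status == FSA_STATUS_BUSY) return FSA_CLASS_RETRY;
    if (status == FSA_STATUS_CANCELED) return FSA_CLASS_CANCELED;
    if (status == FSA_STATUS_NOT_INIT) return FSA_CLASS_CALLER_BUG;
    if (status == FSA_STATUS_SYSTEM_ERROR) return FSA_CLASS_FATAL;
    if ((status <= -16 && status >= -20) || status == FSA_STATUS_STORAGE_FULL ||
        status == FSA_STATUS_JOURNAL_FULL || status == FSA_STATUS_OUT_OF_RESOURCES)
        return FSA_CLASS_RESOURCE;
    if (status <= -21 && status >= -27) return FSA_CLASS_TARGET;
    if (status <= -32 && status >= -43) return FSA_CLASS_CALLER_BUG;
    if (status <= -64 && status >= -66) return FSA_CLASS_MEDIA;
    return FSA_CLASS_UNKNOWN;
}

/* Reissue op(ctx) while it reports BUSY, at most max_attempts times. op is a
 * callback so this wrapper does not depend on the real FSA shim API. */
int fsa_call_with_retry(int (*op)(void *), void *ctx, int max_attempts)
{
    int status = FSA_STATUS_BUSY;
    for (int attempt = 0; attempt < max_attempts && status == FSA_STATUS_BUSY; attempt++)
        status = op(ctx);
    return status;
}

/* Constructed stand-in for an FSA call: BUSY for the first *ctx attempts, then OK. */
static int fake_busy_then_ok(void *ctx)
{
    int *busy_left = ctx;
    if (*busy_left > 0) { (*busy_left)--; return FSA_STATUS_BUSY; }
    return FSA_STATUS_OK;
}

/* Drive the retry wrapper against the stand-in and hand back the final status. */
int demo_retry(int busy_count, int max_attempts)
{
    return fsa_call_with_retry(fake_busy_then_ok, &busy_count, max_attempts);
}

int main(void)
{
    const int samples[] = { 0, -5, -23, -38, -66, -1024, -7 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%6d  %-32s class %d\n", samples[i],
               fsa_status_name(samples[i]), (int)fsa_classify(samples[i]));
    printf("retry demo: %s\n", fsa_status_name(demo_retry(2, 3)));
    return 0;
}
```

The point of the classification is that only FSA_CLASS_RETRY is safe to loop on blindly; the -32..-43 block means the bug is in the calling code (bad handle, alignment or path), and FSA_STATUS_SYSTEM_ERROR carries no detail of its own, so the caller has to go to FSAGetError() before deciding anything.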
 

Bug_Checker_

Ok quick question so I can get a little bit of clarification:
There's a difference between rop410.txt
0x60 - Shellcode length 0x400
0xEC - Shellcode length 0x450
0x144 - Shellcode length 0x400

and mn1-build\stack.txt
0x60 - Shellcode length 0x8000
0xEC - Shellcode length 0x8000
0x144 - Shellcode length 0x8000

But isn't the true Shellcode length 0x34C or 844 bytes? Otherwise does it not clobber the values at 0x4FC and beyond?
 

Marionumber1

Ok quick question so I can get a little bit of clarification:
There's a difference between rop410.txt
0x60 - Shellcode length 0x400
0xEC - Shellcode length 0x450
0x144 - Shellcode length 0x400

and mn1-build\stack.txt
0x60 - Shellcode length 0x8000
0xEC - Shellcode length 0x8000
0x144 - Shellcode length 0x8000

But isn't the true Shellcode length 0x34C or 844 bytes? Otherwise does it not clobber the values at 0x4FC and beyond?


The reason for making the shellcode length 0x8000 is a bit complicated, but I'll do my best to explain it. When you first visit the web hack, it will use the WebKit vulnerability to begin execution of our ROP chain. This ROP chain takes some shellcode embedded in our Javascript buffer, copies it to the JIT area, and executes it. However, this code copied to the JIT area is actually a very simple loader responsible for copying a larger amount of shellcode to the JIT. It searches for another Javascript buffer, denoted by 0xCAFECAFE at the beginning, and then patches the ROP chain to copy that buffer into the JIT and executes it again. There can be up to 0x8000 bytes of code in this buffer, meaning the amount of shellcode to copy has to be 0x8000.
 

Bug_Checker_

The reason for making the shellcode length 0x8000 is a bit complicated, but I'll do my best to explain it. When you first visit the web hack, it will use the WebKit vulnerability to begin execution of our ROP chain. This ROP chain takes some shellcode embedded in our Javascript buffer, copies it to the JIT area, and executes it. However, this code copied to the JIT area is actually a very simple loader responsible for copying a larger amount of shellcode to the JIT. It searches for another Javascript buffer, denoted by 0xCAFECAFE at the beginning, and then patches the ROP chain to copy that buffer into the JIT and executes it again. There can be up to 0x8000 bytes of code in this buffer, meaning the amount of shellcode to copy has to be 0x8000.

So the shellcode that is first loaded into the function sprayInc(n) at 0x1b0 is the loader from findcode.bin, if I understand correctly.
 

Snailface

I've taken the browser exploit toolkit and modified it to use only one python script to manage the building process. No more sh scripts and cygwin.
Tested in Windows and Linux, python 2 or 3. Download here.
 

Attachments

  • Marionumber1-wiiu-userspace-python-build.zip
    21.6 KB · Views: 513

Bug_Checker_

I've taken the browser exploit toolkit and modified it to use only one python script to manage the building process. No more sh scripts and cygwin.
Tested in Windows and Linux, python 2 or 3. Download here.


Google chrome now detects this as "Failed - Virus detected"
"Marionumber1-wiiu-userspace-python-build.zip Anti-virus software detected a virus."
"Antivirus software detected a virus. Your downloaded file may have a virus, as a result the file you attempted to download was removed by the Windows Attachment Manager"
Downloaded ok with Free Download Manager (FDM)

Only test410.html flags as virus in Windows Defender
containerfile:C:\Downloads\Marionumber1-wiiu-userspace-python-build\Marionumber1-wiiu-userspace-python-build\test410.html
file:C:\Downloads\Marionumber1-wiiu-userspace-python-build\Marionumber1-wiiu-userspace-python-build\test410.html->(SCRIPT0000)
 

Snailface

Google chrome now detects this as "Failed - Virus detected"
"Marionumber1-wiiu-userspace-python-build.zip Anti-virus software detected a virus."
"Antivirus software detected a virus. Your downloaded file may have a virus, as a result the file you attempted to download was removed by the Windows Attachment Manager"
Downloaded ok with Free Download Manager (FDM)

Only test410.html flags as virus in Windows Defender
containerfile:C:\Downloads\Marionumber1-wiiu-userspace-python-build\Marionumber1-wiiu-userspace-python-build\test410.html
file:C:\Downloads\Marionumber1-wiiu-userspace-python-build\Marionumber1-wiiu-userspace-python-build\test410.html->(SCRIPT0000)
I removed the html file and it seems to be working now.
 

the_randomizer

Google chrome now detects this as "Failed - Virus detected"
"Marionumber1-wiiu-userspace-python-build.zip Anti-virus software detected a virus."
"Antivirus software detected a virus. Your downloaded file may have a virus, as a result the file you attempted to download was removed by the Windows Attachment Manager"
Downloaded ok with Free Download Manager (FDM)

Only test410.html flags as virus in Windows Defender
containerfile:C:\Downloads\Marionumber1-wiiu-userspace-python-build\Marionumber1-wiiu-userspace-python-build\test410.html
file:C:\Downloads\Marionumber1-wiiu-userspace-python-build\Marionumber1-wiiu-userspace-python-build\test410.html->(SCRIPT0000)


Sounds like a false positive, I highly doubt the file/site was malicious ;)
 

Goku Junior

Marionumber1, what is the point now? Did you do some more with your exploit? Can you show some of it to us?
Is the port to 5.* in development?

In the FAQ they say it needs to be ported to 5.0 first (if it works only for 4.1.0, I think everyone will lose homebrew); after that they will work on using the exploit to load apps, but they need to hack the kernel too.
 

NWPlayer123

Like MN1 said earlier in one of these 5 different threads, we're kinda doing both, AFAIK we haven't done much with porting to v5 recently because it'd be easier to first get the keys using 4.1.0 so we can download the binaries from nintendo's server and make it easier (or ask someone who has fully hacked their console to get it for us). Doing it blind by bruteforcing the address with tons of resets and incrementing the address isn't much use, just like bruteforcing encryption isn't much use. We ARE looking for a kernel/loader exploit though, we thought we found one but it isn't exploitable, so we're still looking.
 

Goku Junior

Like MN1 said earlier in one of these 5 different threads, we're kinda doing both, AFAIK we haven't done much with porting to v5 recently because it'd be easier to first get the keys using 4.1.0 so we can download the binaries from nintendo's server and make it easier (or ask someone who has fully hacked their console to get it for us). Doing it blind by bruteforcing the address with tons of resets and incrementing the address isn't much use, just like bruteforcing encryption isn't much use. We ARE looking for a kernel/loader exploit though, we thought we found one but it isn't exploitable, so we're still looking.

No problem, thanks for all the work you two do, it is great! :) I don't have a new router yet, so I don't have internet on my Wii U, so it doesn't affect me that you are taking more time :).
 

FPSRussi4

HAY GAIZ IS IT SAEF TO UPDAET TO VERSEEON FIEV YET!1!
In all seriousness, it sounds easier to work with version 4.1.0, why don't you guys find the keys, then focus on porting it to 5.0, or find the keys then keep looking for a kernel exploit?
 

Relys

HAY GAIZ IS IT SAEF TO UPDAET TO VERSEEON FIEV YET!1!
In all seriousness, it sounds easier to work with version 4.1.0, why don't you guys find the keys, then focus on porting it to 5.0, or find the keys then keep looking for a kernel exploit?


The second option isn't possible because you need a kernel/loader exploit to escalate privileges to GET THE KEYS, which are stored in the Starbuck.
 

koalaboy13

How did you end up choosing this particular use-after-free vuln? Comex said in the 30c3 talk that he had used a (probably heap) buffer overflow, though I'm guessing it was CVE-2012-3748, which was patched in 4.0.0. I would think that a heap overflow would be more useful because you could, like comex did, just dump memory through a JS array with a modified length and avoid trashing the browser too terribly.
 
