Ok quick question so I can get a little bit of clarification:
There's a difference between rop410.txt
0x60 - Shellcode length 0x400
0xEC - Shellcode length 0x450
0x144 - Shellcode length 0x400
and mn1-build\stack.txt
0x60 - Shellcode length 0x8000
0xEC - Shellcode length 0x8000
0x144 - Shellcode length 0x8000
But isn't the true Shellcode length 0x34C or 844 bytes? Otherwise does it not clobber the values at 0x4FC and beyond?
The reason for making the shellcode length 0x8000 is a bit complicated, but I'll do my best to explain it. When you first visit the web hack, it will use the WebKit vulnerability to begin execution of our ROP chain. This ROP chain takes some shellcode embedded in our Javascript buffer, copies it to the JIT area, and executes it. However, this code copied to the JIT area is actually a very simple loader responsible for copying a larger amount of shellcode to the JIT. It searches for another Javascript buffer, denoted by 0xCAFECAFE at the beginning, and then patches the ROP chain to copy that buffer into the JIT and executes it again. There can be up to 0x8000 bytes of code in this buffer, meaning the amount of shellcode to copy has to be 0x8000.
So the shellcode that is first loaded into the function sprayInc(n) at 0x1b0 is the loader from findcode.bin, if I understand correctly.
I've taken the browser exploit toolkit and modified it to use only one python script to manage the building process. No more sh scripts and cygwin.
Tested in Windows and Linux, python 2 or 3. Download here.
I removed the html file and it seems to be working now.
Google Chrome now detects this as "Failed - Virus detected"
"Marionumber1-wiiu-userspace-python-build.zip Anti-virus software detected a virus."
"Antivirus software detected a virus. Your downloaded file may have a virus, as a result the file you attempted to download was removed by the Windows Attachment Manager"
Downloaded ok with Free Download Manager (FDM)
Only test410.html flags as virus in Windows Defender
containerfile:C:\Downloads\Marionumber1-wiiu-userspace-python-build\Marionumber1-wiiu-userspace-python-build\test410.html
file:C:\Downloads\Marionumber1-wiiu-userspace-python-build\Marionumber1-wiiu-userspace-python-build\test410.html->(SCRIPT0000)
Sounds like a false positive, I highly doubt the file/site was malicious
Marionumber1, what is the point now? Do you make some more with your exploit? Can you show some to us?
Is the porting to 5.* in development?
Like MN1 said earlier in one of these 5 different threads, we're kinda doing both. AFAIK we haven't done much with porting to v5 recently because it'd be easier to first get the keys using 4.1.0 so we can download the binaries from Nintendo's server and make it easier (or ask someone who has fully hacked their console to get it for us). Doing it blind by bruteforcing the address with tons of resets and incrementing the address isn't much use, just like bruteforcing encryption isn't much use. We ARE looking for a kernel/loader exploit though; we thought we found one but it isn't exploitable, so we're still looking.
HAY GAIZ IS IT SAEF TO UPDAET TO VERSEEON FIEV YET!1!
In all seriousness, it sounds easier to work with version 4.1.0, why don't you guys find the keys, then focus on porting it to 5.0, or find the keys then keep looking for a kernel exploit?