Hacking - How does it work exactly?

NexoCube

Hello, I want to know some things:

- Does the payload page for the exploits run a .elf or some raw C++ code?

- How does it launch it from a JavaScript page (HTML <script>)?

And also, btw, can we run or read code or an elf in another way than this? ...
 

Marionumber1

Hello, I want to know some things:

- Does the payload page for the exploits run a .elf or some raw C++ code?

- How does it launch it from a JavaScript page (HTML <script>)?

And also, btw, can we run or read code or an elf in another way than this? ...

It uses a vulnerability in the web browser code to force the CPU to jump to our own code (oversimplified explanation), which is often raw compiled C. There are other similar vulnerabilities, but browser ones are simplest.
 

NexoCube

Thanks for the help, Mr. Obvious ....

--------------------- MERGED ---------------------------

It uses a vulnerability in the web browser code to force the CPU to jump to our own code (oversimplified explanation), which is often raw compiled C. There are other similar vulnerabilities, but browser ones are simplest.

I thought I saw someone like Hykem or you saying that the 5.5.0 exploit or the IOSU exploit use other vulnerabilities?

Can I see a few little chunks of code? ^^ (If it's NO, I totally understand, secret is secret)
 

NexoCube

Hey @Marionumber1! (Sorry for "spamming", I don't really know other Wii U devs' GBAtemp usernames)

What about loading raw compiled C code or an elf file from the Notification app?

We just have to know where the Notification app stores its cache files or something, then add our own notification that loads these files :P

Tell me if you don't understand.
 

NexoCube

It uses a vulnerability in the web browser code to force the CPU to jump to our own code (oversimplified explanation), which is often raw compiled C. There are other similar vulnerabilities, but browser ones are simplest.

mmhhh, thx for the little explanation.

But what are the other vulnerabilities?

If they're unused, can you send me one of these? (Private message or Skype: fhtuto.tarik)
 

Marionumber1

Hey @Marionumber1! (Sorry for "spamming", I don't really know other Wii U devs' GBAtemp usernames)

What about loading raw compiled C code or an elf file from the Notification app?

We just have to know where the Notification app stores its cache files or something, then add our own notification that loads these files :P

Tell me if you don't understand.

Not sure what you're asking? Is it whether we can modify other apps?

Can I see a few little chunks of code? ^^ (If it's NO, I totally understand, secret is secret)

No, they are private.
 

Marionumber1

I was asking for nothing :P

Just, can you tell me where the other non-web-browser vulnerabilities are? (Or other browser vulnerabilities?)

That isn't used with Hykem's IOSU.

The exploits we have are: 2.0.0-5.1.0 browser (patched), 5.3.2 browser (patched), 5.4.0-5.5.0 browser (private), 2.0.0-5.4.0 kernel (patched), 2.0.0-5.5.0 kernel (private), and two private IOSU exploits in the works for all versions.
 

NexoCube

The exploits we have are: 2.0.0-5.1.0 browser (patched), 5.3.2 browser (patched), 5.4.0-5.5.0 browser (private), 2.0.0-5.4.0 kernel (patched), 2.0.0-5.5.0 kernel (private), and two private IOSU exploits in the works for all versions.
I asked where the vulnerabilities are :(

--------------------- MERGED ---------------------------

The exploits we have are: 2.0.0-5.1.0 browser (patched), 5.3.2 browser (patched), 5.4.0-5.5.0 browser (private), 2.0.0-5.4.0 kernel (patched), 2.0.0-5.5.0 kernel (private), and two private IOSU exploits in the works for all versions.
And I think that you can release the kernel exploit because you have two working IOSU exploits.
 

Marionumber1

I asked where the vulnerabilities are :(

--------------------- MERGED ---------------------------

And I think that you can release the kernel exploit because you have two working IOSU exploits.

I said where they are as specifically as I will. As for the kernel exploit, those may be even rarer than IOSU exploits, since the Cafe OS kernel is much smaller. But we'll be the ones deciding when exploits are released.
 

NexoCube

I said where they are as specifically as I will. As for the kernel exploit, those may be even rarer than IOSU exploits, since the Cafe OS kernel is much smaller. But we'll be the ones deciding when exploits are released.
Oh ok. Now, last question: how can a JS script (in the payload) run C++ code afterwards? What does the script exactly do? (Please, this time a real technical description, as little as you want but a technical desc.)
 

NexoCube

Ok, if there are developers here:

I was in development mode with a custom kernel exploit payload, then after a few modifications (I mean a lot) it seems to work: everything loaded except the frame.html! There wasn't any error except in the Network tab!

[attachment: upload_2016-1-10_15-10-23.png]

What does FLC mean?

And yeah, I use the AIO Kernel exploit!
 

Marionumber1

Oh ok. Now, last question: how can a JS script (in the payload) run C++ code afterwards? What does the script exactly do? (Please, this time a real technical description, as little as you want but a technical desc.)

It's exactly what I said already. There is a bug in the Wii U browser's parsing of the page, which the JS exploits to get code running.
 

Scuba156

Ok, if there are developers here:

I was in development mode with a custom kernel exploit payload, then after a few modifications (I mean a lot) it seems to work: everything loaded except the frame.html! There wasn't any error except in the Network tab!

[attachment 35040]

What does FLC mean?

And yeah, I use the AIO Kernel exploit!

This looks like you're trying to use the <5.0 WebKit exploits; they will only work on their target version no matter how much editing you do (unless that edit is targeting an existing vulnerability, which would be classed as a rewrite anyway). Same as the AIO Kernel exploit: it will only work on a kernel version it has been targeted for.

If you're looking to exploit the 5.4/5.5 WebKit, then just look for information on recent WebKit exploits. There have been a lot released recently and there is a major one that works on 5.4 and 5.5 *hint hint*
 
