Write up has been posted and the source code is now available. (https://github.com/Fullmetal5/str2hax)
$ ./make_it.sh wiimmfi.elf
pack_payload.c: In function ‘main’:
pack_payload.c:42:32: warning: format ‘%ld’ expects argument of type ‘long int’, but argument 2 has type ‘uint32_t {aka unsigned int}’ [-Wformat=]
printf("Failed to allocate %ld bytes!\n", size);
~~^
%d
EGG: PONY
Size: 0x00025858
Checksum: 0xFEC3B70C
convert: ../../magick/image.c:3187: SetImageVirtualPixelMethod: Zusicherung »image != (const Image *) NULL« nicht erfüllt.
./make_it.sh: Zeile 9: 23269 Abgebrochen (Speicherabzug geschrieben) convert -depth 8 -size $(expr $(stat -c%s out.bin) / 4)x1+0 rgba:out.bin payload.png
$
$ convert -depth 8 -size 153704x1+0 rgba:out.bin payload.png
convert: ../../magick/image.c:3187: SetImageVirtualPixelMethod: Zusicherung »image != (const Image *) NULL« nicht erfüllt.
Abgebrochen (Speicherabzug geschrieben)
Apparently my payload is way too large, convert only supports up to 15999x1. I guess I have to use the network loader. Or recompile ImageMagick.

You can try with different widths and heights, it should work just fine, since it will get laid out the same. However, if it's too large already it definitely isn't going to be able to download. Opera will just fail when downloading it and never run the callback, so the page will just appear to do nothing. I highly recommend just using the network loader so that it can be as big as you want.
Or could we use, like 10000x10 instead of 100000x1? Or would that result in another (invalid) image binary?
Excuse me if this is a very stupid question. But do you have to change the "Auto-Obtain DNS" back to "Yes" after the installation of the Homebrew Channel?

No, that's optional. If Google's DNS servers work for you there is no need to go change it back.
So it looks like there needs to be some more clarification on hosting the exploit on your own web server.
I have Apache2 set up and the files compiled. Everything runs fine with one exception:
I get to the screen with the pony. Redirects are working. Modules mime, cgi, php7.0, rewrite are enabled.
...but it still won't boot the network loader. AllowOverride is set to "All". System Menu is v4.1.
I used the stripped ELF for compiling and the boot.elf from the Hackmii Installer.
Any ideas or suggestions why the site isn't executing the payload? From what I can see in the Apache2 logs, there are no errors and it definitely "GET"s the "payload.png". I don't need that DNS stuff as I redirect the URL to my local web server inside a Raspberry Pi 3 using DNSMASQ in the router (works).
Any help would be great.
Thanks in advance.
So it just hangs there on the pony and never even so much as crashes? Even after ~2 minutes?
Just to make sure, are you using the network loader or are you trying to use the boot.elf from the hackmii installer directly?
If you are using the network loader as the boot.elf did you build libogc with -Os and compile the network loader with THAT version of libogc rather than the default?
That's what I did:
1.) libOGC Makefile = ..."-O2"... -> ..."-Os"...
2.) sh make_it.sh WiiNetworkLoader-master.elf
3.) It sits on the pony site and never loads anything nor does it crash.
Hm, can you upload the "WiiNetworkLoader-master.elf" file?
In a few seconds...
https://www.dropbox.com/s/lsidshq16wx5lkx/WiiNetworkLoader-master.elf?dl=0
Try this one...
Looks like you didn't strip it. That's adding a significant amount to the file. Use the stripped version that was made for you by the makefile and it should work.
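A quick way to tell whether an ELF has been stripped, and how many bytes the symbol table is adding, is to walk its section headers. This is an added example, not code from str2hax or the network loader: it parses a 32-bit big-endian ELF (the Wii's PowerPC layout) and sums the SHT_SYMTAB sections; the sample ELF it builds when no file is given is constructed and contains no real code.

```python
import struct
import sys

# ELF32 big-endian layouts (Wii/PowerPC ELFs are 32-bit big-endian).
EHDR = ">4sBBBBB7xHHIIIIIHHHHHH"   # e_ident .. e_shstrndx, 52 bytes
SHDR = ">IIIIIIIIII"               # sh_name .. sh_entsize, 40 bytes
SHT_PROGBITS, SHT_SYMTAB, SHT_STRTAB = 1, 2, 3

def sections(data):
    """Return [(name, sh_type, sh_size)] for every section header in the image."""
    h = struct.unpack_from(EHDR, data, 0)
    if h[0] != b"\x7fELF" or h[1] != 1 or h[2] != 2:
        raise ValueError("not a 32-bit big-endian ELF")
    shoff, shentsize, shnum, shstrndx = h[11], h[16], h[17], h[18]
    hdrs = [struct.unpack_from(SHDR, data, shoff + i * shentsize) for i in range(shnum)]
    strtab = hdrs[shstrndx][4]                       # file offset of .shstrtab
    def name(idx):
        return data[strtab + idx:data.index(b"\0", strtab + idx)].decode()
    return [(name(s[0]), s[1], s[5]) for s in hdrs]

def symbol_table_bytes(data):
    """Bytes spent on SHT_SYMTAB sections; 0 means the ELF is already stripped."""
    return sum(size for _, typ, size in sections(data) if typ == SHT_SYMTAB)

def build_sample(symtab_size):
    """Constructed test input: a tiny ELF32-BE with .text, .shstrtab and,
    when symtab_size > 0, a .symtab of that size (no real code inside)."""
    names = b"\0.text\0.shstrtab\0.symtab\0"
    secs = [(0, 0, 0), (1, SHT_PROGBITS, 64), (7, SHT_STRTAB, len(names))]
    if symtab_size:
        secs.append((17, SHT_SYMTAB, symtab_size))
    shoff = 52 + len(names)                          # section headers follow the names
    ehdr = struct.pack(EHDR, b"\x7fELF", 1, 2, 1, 0, 0, 2, 20, 1, 0, 0,
                       shoff, 0, 52, 0, 0, 40, len(secs), 2)
    shdrs = b"".join(struct.pack(SHDR, n, t, 0, 0, 52 if t == SHT_STRTAB else 0,
                                 sz, 0, 0, 0, 0) for n, t, sz in secs)
    return ehdr + names + shdrs

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(4800)
    for n, t, sz in sections(blob):
        print(f"{n or '(null)':12} type={t:<2} size={sz}")
    print("symbol table bytes:", symbol_table_bytes(blob))
```

Run it against your boot.elf: a non-zero "symbol table bytes" means the file was not stripped and that much can be removed before packing.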
Well, just to correct you: It doesn't!
Try this one:
https://www.dropbox.com/s/763favp89vgnpc7/site.zip?dl=0
If this works for you but not for me, there must be something really wrong...
Sorry for the late reply, gbatemp decided to stop telling me when people responded to me.
The issue isn't anything to do with the payload. It seems the build of the index.html file failed. If you look in index.html there should be a giant decimal right after the parseFloat function but it's gone.
Can you show me the output when you run './create.sh'?

I will do later. I just woke up.