Hacking Contenthax - a Vulnerability in Wii U File System Verification

VinsCool

Contenthax
[EDIT from December 25th: This thread is now obsolete, please look at official posts made by FIX94]

Haxchi


Haxchi 2.0 has been released by FIX94!
It now comes with its own installer and does not need iosuhax, wupclient or any additional scripts anymore, just your wiiu, a DS VC game and a way to run the homebrew launcher.
If you happen to have a DS VC title that is listed in this readme then go ahead and grab both haxchi .elf and .zip from here:
https://github.com/FIX94/haxchi/releases
The .elf goes into sd:/wiiu/apps and the .zip should just be extracted to sd:/haxchi with all its contents inside. That content right now just consists of a simple replacement icon, logo and a replacement of the game title with "Haxchi"; its example config.txt will boot the homebrew launcher by default and a fw.img on your sd card when holding A. The content of this haxchi folder can be changed to your liking; if you want to, you can also add in an alternative bootSound.btsnd to replace the original, which I did not do in this example haxchi folder.
After setting up the content to your liking all you have to do is run the haxchi .elf in homebrew launcher, select the game you want to install it on and that is it!
Please note, this will ONLY WORK WITH GAMES ON NAND, if you have a game on USB you want to use then please move it to your NAND first and ideally detach your usb device before using this installer .elf.


Haxchi demonstration from a console booting a hacked Brain Age Virtual Console game (thanks @FIX94 for the video)



Haxchi is an exploit for the Nintendo DS Virtual Console emulator on Wii U (hachihachi). It was originally made for Kirby Squeak Squad. Theoretically, all DS Virtual Console games can be exploited. It is possible due to "contenthax", a vulnerability in the Wii U's title integrity design: only code and critical descriptors are signed, with all other contents left at the mercy of attackers. This can be exploited simply by asking IOSU to copy over files in /content/ directories on either MLC or USB. Contenthax can also be exploited from PowerPC userland by using the MCP_CopyTitle command (not all processes have access, but for example Home Menu and System Settings have it). As there is no integrity data for that content, CopyTitle cannot validate the malicious content and will therefore happily copy it from SD card to MLC or USB if asked.

It is likely that virtually all apps can be exploited in some way through contenthax, due to developers being less likely to program defensively against content that they should be the only ones to have control over. The Nintendo DS Virtual Console app was selected for this exploit because it has the ability to dynamically emit executable code. As a nice bonus, hachihachi includes symbols for its code. Haxchi exploits a bug in the emulator's ROM loader, and basically gets it to perform arbitrary memcpy operations. From there, achieving code execution is trivial given that there is no ASLR in place.

Note that haxchi was smea's first time doing PPC ROP so... yeah


credit

smea, plutoo, yellows8, naehrwert, derrek, FIX94 and dimok



Custom TGA files for nicer icons and splashscreens can be found here:
https://filetrip.net/dl?AoRl1jO1KU

The install process is similar to the ROM upload using IOSUHAX and wupclient.py

-----------------------------------------------------------------------

Yellows8 added information regarding contenthax for N64 Virtual Console games on WiiUbrew!

N64 VC contenthax
Present in system versions: N/A

Publicly exploited: No

Discovered by: yellows8 (Early 2016)

The Wii U N64 VC emulator title("VESSEL") has two known vulns which can be attacked via contenthax. These vulns were tested on hardware, but actual exploitation wasn't tested.

Note that this title can only write to codegen(JIT) via using OSCodegenCopy(), unlike other titles.

Currently this is the only known VC platform(N64) which is affected by any of these VESSEL vulns(not all platforms were checked for this).

The .ini loading occurs much earlier during title boot than the font loading. These vulns (or at least the .ini one) trigger while the system is still displaying the application splash screen (from the title's meta/ directory).

  • Stack buffer overflow when handling BMFont "pages". The entire block is copied to stack using just the size, without checking the size. The loaded data is not checked either, other than converting uppercase to lowercase('A'..'Z' to 'a'..'z'). This string is used with sprintf + PNG texture loading afterwards.
  • Heap buffer overflow during .ini parsing with field-data string starting with '"'. The allocated heap buffer is 0x100-bytes, but the size is not checked when copying the value string into this buffer. During copying/etc this string content is not checked/modified, besides checking for the end of the string with '"'. For example: HAX = "LONGSTRINGHERE"
Source: https://wiiubrew.org/w/index.php?title=Exploits
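The .ini heap overflow quoted above, as an added example that is not from wiiubrew, VESSEL or any of the people credited in this thread: a constructed C model of the pattern described (a 0x100-byte value buffer filled up to the closing '"' with no length check), beside a bounded version that refuses values that do not fit or are unterminated. The function names, the `HAX = "..."` line shape and the sentinel harness are assumptions for illustration; the real parser's code is not on this page. The harness runs the vulnerable copy into a larger arena so the overflow can be observed without undefined behaviour: the sentinel region stands in for whatever heap chunk follows the 0x100-byte buffer on the console. The same "compare the length against the destination before copying" check is what the BMFont "pages" stack copy lacks.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Buffer size quoted on wiiubrew for the VESSEL .ini value buffer. */
#define INI_VALUE_CAP 0x100

/* Locate the opening '"' of a value in a line such as:  HAX = "VALUE"
 * Returns a pointer to the first character after the quote, or NULL.
 * (Assumed line format; the real .ini grammar is not documented here.) */
static const char *ini_value_start(const char *line)
{
    const char *eq = strchr(line, '=');
    if (!eq)
        return NULL;
    const char *p = eq + 1;
    while (*p == ' ' || *p == '\t')
        p++;
    return (*p == '"') ? p + 1 : NULL;
}

/* Vulnerable pattern as described: copy until the closing '"' (or end of
 * string), never comparing the length against the destination's capacity.
 * Returns bytes copied (excluding NUL), or -1 if there is no quoted value. */
long ini_value_copy_vuln(const char *line, char *dst)
{
    const char *p = ini_value_start(line);
    if (!p)
        return -1;
    long n = 0;
    while (*p && *p != '"')
        dst[n++] = *p++;      /* no bounds check: long values run off the end of dst */
    dst[n] = '\0';
    return n;
}

/* Hardened version: measure first, then refuse values that do not fit
 * (including the NUL) and refuse unterminated quotes instead of reading
 * on to the end of the line. Returns length, or -1 on rejection. */
long ini_value_copy_safe(const char *line, char *dst, size_t cap)
{
    const char *p = ini_value_start(line);
    if (!p || cap == 0)
        return -1;
    const char *end = strchr(p, '"');
    if (!end)
        return -1;            /* unterminated value */
    size_t n = (size_t)(end - p);
    if (n + 1 > cap)
        return -1;            /* would overflow: reject rather than truncate silently */
    memcpy(dst, p, n);
    dst[n] = '\0';
    return (long)n;
}

/* Constructed harness: one allocation laid out as
 *   [ value buffer, 0x100 bytes ][ sentinel, 0x100 bytes of 0x5a ]
 * so the vulnerable copy stays inside the allocation and we can observe
 * whether it wrote past the 0x100-byte buffer. Returns 1 if the sentinel
 * was clobbered, 0 if not, -1 on a value too long for the harness. */
int ini_overflow_demo(size_t value_len)
{
    if (value_len >= 2 * INI_VALUE_CAP - 1)
        return -1;
    char *arena = malloc(2 * INI_VALUE_CAP);
    if (!arena)
        return -1;
    memset(arena, 0, 2 * INI_VALUE_CAP);
    memset(arena + INI_VALUE_CAP, 0x5a, INI_VALUE_CAP);

    /* Build a constructed line:  HAX = "AAAA...A" */
    const char prefix[] = "HAX = \"";
    size_t plen = sizeof(prefix) - 1;
    char *line = malloc(plen + value_len + 2);
    if (!line) {
        free(arena);
        return -1;
    }
    memcpy(line, prefix, plen);
    memset(line + plen, 'A', value_len);
    line[plen + value_len] = '"';
    line[plen + value_len + 1] = '\0';

    ini_value_copy_vuln(line, arena);

    int clobbered = 0;
    for (size_t i = 0; i < INI_VALUE_CAP; i++) {
        if ((unsigned char)arena[INI_VALUE_CAP + i] != 0x5a) {
            clobbered = 1;
            break;
        }
    }
    free(line);
    free(arena);
    return clobbered;
}
```

Note that a value of exactly 0x100 characters already overflows: the terminating NUL lands one byte past the buffer. The hardened copy accounts for that by checking `n + 1 > cap`.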

I personally attempted to understand N64 VC vulnerabilities. Apart from replicable crashes and some minor memory manipulation, nothing of value has come out of it. Feel free to contact me if you are interested, because I am not very experienced in this sort of thing :)