Hacking Crash WiiU via browser. Exploitable?

Thread starter: ChrisX930
Views: 67,236
Replies: 267
Likes: 6
> but it's not harder to find out how Plex is doing that?

You got a point there. I really don't know what Plex is actually doing. I thought it would only stream the original file without transcoding or anything like that.
Would be great if someone could check it.
 
> You got a point there. I really don't know what Plex is actually doing. I thought it would only stream the original file without transcoding or anything like that.
> Would be great if someone could check it.


So I am saying, let's just take the Plex program, check if the crash is exploitable, then do some copy-paste while writing the exploit program. A lot easier than learning Plex transcoding or whatever they are doing.
 
I mean, if you or someone else wants to look into it more, there's a few ways you can do it. Try seeing if Plex is transcoding the media, and if so what streams are being transcoded into what, and what streams are just being remuxed. Then you should be able to create your own crash file without having to use Plex. That helps with finding the reason it's crashing, if only just the tiniest bit. Still not much you can do from that front though. There's lower-level stuff we'd like to try in order to diagnose what's causing this bug and whether it's exploitable, but I'd have Marionumber1 explain that if he feels like it.


The idea I have is to debug this crash using the browser exploit we already have. Cafe OS lets us install exception callbacks, which means that when a certain exception (invalid data fetch, invalid instruction fetch, or invalid opcode) occurs, a function that we define gets called. We also get useful debugging information, like in what code the crash occurred and the registers at the time of the crash. So once we find the routine in the browser that navigates to a certain address, we can debug the crash like so:
1. Set up exception handlers to catch DSI, ISI, and program exceptions
2. Navigate the browser to the media file that causes the crash
3. Get info from the exception handler and use that to figure out what's happening
 
We can all create the crash easy enough...where would one place "hello world"?
 
> We can all create the crash easy enough...where would one place "hello world"?


Few people seem to understand how to turn this crash into an exploit. We would need to:
1. Find out how it works, and if it's viable for an exploit to begin with
2. Modify it to arbitrarily control memory
3. Develop a ROP chain that copies our code from a JavaScript buffer into the JIT area

Then we can display "Hello world".
 
> So I am saying, let's just take the Plex program, check if the crash is exploitable, then do some copy-paste while writing the exploit program. A lot easier than learning Plex transcoding or whatever they are doing.


You probably don't even need to go through the hassle of using Plex. Both of the Plex transcoders have been based off the open source ffmpeg software for transcoding/streaming since day one. I'm sure this isn't a magical Plex-only crash, and if it does involve something to do with streaming the video it is probably due to a configuration issue in the ffmpeg settings. The real question you should be asking yourself, which would probably save you a ton of time in the long run in trying to figure out why the crash is happening, is whether this is happening due to the streaming process, or if the video itself is damaged. If the problem lies within the video itself (and since it's anime there is a fair chance it's the video and not Plex) then it would be a lot easier to figure out what encoding mistakes were made when creating that video and not what mistakes were made on the streaming end.

Easiest way to test it:

Option A
  1. Create basic HTTP server
    1. Chrome Webserver App - https://github.com/GoogleChrome/chrome-app-samples/tree/master/webserver
    2. Uniform Server WAMP Stack (Windows, Apache, MySQL, PHP) - http://www.uniformserver.com/
    3. MEAN Stack (Mongodb, Express, AngularJS, Node) - http://mean.io/
  2. Drop video in root of new web server
  3. Browse to the video on the Wii U (e.g. http://192.168.1.10/video.mkv)
  4. Do a victory dance if it works
Option B
  1. Upload video to Google Drive
  2. Share video and make public
  3. Copy long ridiculous video URL and trim it down with bit.ly
  4. Browse to the new bit.ly URL on the Wii U
  5. Do a victory dance if it works
 
I tried and it didn't work.

If it is a streaming issue then the best place to start testing would be the logs. If you are using Plex to test this exploit it would probably be helpful if you cleared your logs first, then started the app, tried to stream this file, and then zipped the logs up and maybe uploaded them somewhere where they can be analyzed. The logs for Plex are located in the following locations:
  • Windows: %LOCALAPPDATA%\Plex Media Server\Logs\
  • Linux: $PLEX_HOME/Library/Application Support/Plex Media Server/Logs/
  • OS X: ~/Library/Logs/
Remember, if possible, clear your logs completely before testing. It just makes sifting through all that easier.
 
Marionumber1 I do understand the crash != exploit thing, and ROP takes time, etc etc. But with how bad big N's security is, I would give this at least a 50% chance to be a thing. :-)
 
optikalsaint, what I mean is that loading the video file from a server causes the Wii U to say the video is unsupported. I was just clarifying that, without Plex, it won't work.
 
> optikalsaint, what I mean is that loading the video file from a server causes the Wii U to say the video is unsupported. I was just clarifying that, without Plex, it won't work.


Unfortunately I am not home and near my Wii U at the moment so I cannot test it myself, but I did put together a small experiment for you if you wanted to test it out. It is just a basic HTML file that tries to load the video using the HTML5 video tag. If you already have a server installed you can just drop the files in the zip in the root directory of your HTTP server. If you do not have a server set up, I suggest just installing node.js (http://nodejs.org/download/) and then running the "install.bat" file, then "start.bat". If you don't want to use the batch files or cannot use them, you have to run the following commands from the command line:

npm install connect serve-static
node server.js

The URL you would use would look like the following, but change "localhost" to the IP Address of your computer you're running the static server from.

http://localhost:8080/index.html

Wii U Crash Test - https://mega.co.nz/#!UA0mwBwL!5gwcAuGD3MHoSgjrXHmM4LJ7tDoC4s83kmkznOqOubU
 
> Unfortunately I am not home and near my Wii U at the moment so I cannot test it myself, but I did put together a small experiment for you if you wanted to test it out. It is just a basic HTML file that tries to load the video using the HTML5 video tag. If you already have a server installed you can just drop the files in the zip in the root directory of your HTTP server. If you do not have a server set up, I suggest just installing node.js (http://nodejs.org/download/) and then running the "install.bat" file, then "start.bat". If you don't want to use the batch files or cannot use them, you have to run the following commands from the command line:
>
> npm install connect serve-static
> node server.js
>
> The URL you would use would look like the following, but change "localhost" to the IP Address of your computer you're running the static server from.
>
> http://localhost:8080/index.html
>
> Wii U Crash Test - https://mega.co.nz/#!UA0mwBwL!5gwcAuGD3MHoSgjrXHmM4LJ7tDoC4s83kmkznOqOubU

So I'm a bit busy at the moment, so I can't do this right this second, but hopefully this will work B)
 
To anyone who wants to try optikalsaint's Wii U crash, I hosted it on my site. I can't test myself because I don't have a Wii U, but here's the URL.
http://cheatfreak47.cf/personalhost/wiicrashu/index.html

I'll keep it up if it's functional; if not I'll knock it down. Someone let me know.

EDIT: It appears that the video must be played with Plex to allow it to work.
 
> I'm pretty sure hosting that is copyright infringement since you're using material from a commercial anime.

It's about as much copyright infringement as this is.
[screenshot attached: screenshot_240.png]

Edit: Doesn't matter anyway, I took it down because it doesn't work.
 