Suggestion CVE-2016-4622 (WebKit code execution) + Reverse TCP = ?

Discussion in 'Switch - Hacking & Homebrew' started by AlphonseElric, Mar 17, 2017.

  1. AlphonseElric
    I've been reading a lot into the Switch (even though I don't have one and probably won't for a while), and, after watching LiveOverflow's video, decided to get in on the action. I found a vulnerability similar to the one used in his video, allowing arbitrary code execution via shellcode. Here is the link to the writeup/source** for the vulnerability. So, in theory, this could work, but now all we need is some shellcode to make some magic.

    After some searching, I found the python program ARMSCGen, a shellcode generator for ARM, Thumb, and ARM64. Included in the source is a "bindshell" shellcode for ARM64 (the switch's architecture). This means it will listen on a port for a connection and create a local shell for a remote user.

    Now, in no sense is this going to be perfect. There could/will be multiple problems with it, and since I don't personally own a switch, I can't test it on my own.

    So what do you think? Could this work, or is it complete baloney? I'm not the best at this kind of stuff, so I could be wrong on some parts, but constructive criticism please! :)

    Thanks!

    **: This zip is on the bottom, but you need to have a Linux distro, copy everything from right before "begin" and right before "--[EOF" and save it to a file, then run 'uudecode -o output.zip < ./[your_created_file]'. You will need to install "sharutils" on your preferred distro.

    EDIT: I have attached the files needed for the exploit, although this assumes there is an SH binary somewhere in the filesystem, which there may not be. In the future I may create something that implements SASH, but I would need some help. This is based on the shellcode created by alexpark07 in ARMSCGen, and CVE-2016-4622. Here's how to run it:

    REQUIREMENTS:
      • A Linux distro
      • gcc-aarch64-elf
      • Python 2.7
      • A web server (like Apache httpd)
      • gnu-netcat
      • A basic knowledge of Linux/Unix commands.
      • A Switch (duh)
    First, go to the terminal, cd to the files, and run "shellcode.py" with the python interpreter. Here are the arguments you will need to enter (respectively):
      • Port -- Enter a port number to bind the shell to. This is required.
      • SH/Bash Location -- Enter the path to the SH/Bash binary. This is not required, and the default is /bin/sh.
    Keep in mind, you will probably have to try a couple of options for the SH/Bash Location argument, since it is not confirmed if it's actually in the Switch filesystem, and if it is, where. This will print out only the assembly for the shellcode, so you can redirect the output to a file with
    Code:
    > shellcode.asm
    at the end of the command.

    Next, run
    Code:
    aarch64-elf-as [your file from shellcode.py] -o [output]
    to get an object file.

    Now we can run a special command that will format an objdump output for easy use in JavaScript:

    Code:
    for i in `aarch64-elf-objdump -d [your output from the assembler] | tr '\t' ' ' | tr ' ' '\n' | egrep '^[0-9a-f]{2}$' ` ; do echo -n "0x$i, " ; done > shellcode_final.txt
    NOTE: If you get an invalid hex character (such as 0xse) in your output, DELETE IT AND EVERYTHING AFTER! This comes from a bug in my code that will confuse as/objdump because I had to add an extra line at the end of the shellcode to format it correctly for Python. Here is a regular objdump to explain this.

    Now that you have your final shellcode, copy it and paste it into the SHELLCODE array in pwn.html (near the bottom). I already have a premade shellcode there for port 31337 and /bin/sh.

    Next, place all the .html and .js files into the root of your web server, and configure your DNS settings on the Switch to redirect you to your pwn.html file (Not sure how to do this, if anyone could shed some light on it I would greatly appreciate it).

    And that's it! If all went as it should, you should be able to connect to your Switch via a netcat session (google it, I'm too tired to write more).

    Post your results here! Again, I don't actually have a Switch yet so I can't test it out, so I'm relying on you guys to help me.

    I'll edit this further in the future, when I have more information.

    EDIT2: I've updated the zip file in the attachments with a new "version." This one implements a "sash" executable, included in the zip, which you will have to put on the SD card root.

    The previous edit now does not apply, as I've already inserted the shellcode into "pwn.html". Now all you need to do is put the .html and .js files on a web server, on any OS, and then after navigating to those files on your Switch, open a connection with netcat to the Switch's IP address on port 1337.

    If all goes as it should, you will have a "real" shell on the Switch. Do whatever you want with it.

    Post your results here, and have a good day!
     


    Last edited by AlphonseElric, Mar 19, 2017
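As an added example (not part of AlphonseElric's post, ARMSCGen or the attached zip), here is a Python 3 script that does the objdump-to-byte-array step with the checks the one-liner above lacks: it reads only the hex field of each instruction line, rejects a non-hex token such as the "0xse" case instead of emitting it, and splits the 8-digit instruction words that binutils prints for AArch64 into little-endian bytes (2-digit byte tokens from other toolchains are accepted too). The objdump text embedded below is constructed for the demonstration.

```python
import re

# Constructed sample of `aarch64-elf-objdump -d` output (not from the thread).
# binutils prints each fixed-width A64 instruction as one 32-bit word; other
# toolchains print individual bytes. Both forms are handled below.
SAMPLE_OBJDUMP = (
    "shellcode.o:     file format elf64-littleaarch64\n"
    "\n"
    "Disassembly of section .text:\n"
    "\n"
    "0000000000000000 <_start>:\n"
    "   0:\td2800000 \tmov\tx0, #0x0\n"
    "   4:\td2800021 \tmov\tx1, #0x1\n"
    "   8:\td4000001 \tsvc\t#0x0\n"
)

HEX_TOKEN = re.compile(r"^[0-9a-fA-F]+$")
OFFSET_FIELD = re.compile(r"^\s*[0-9a-fA-F]+:$")


def extract_bytes(objdump_text: str) -> bytes:
    """Return the instruction bytes from `objdump -d` output, in memory order.

    Only lines shaped `<offset>:<TAB><hex field><TAB>...` are used, so the file
    header, section headers and symbol labels are skipped. A token that is not
    hex, or is neither 2 (byte) nor 8 (word) digits wide, raises ValueError
    naming the line, rather than silently producing junk like `0xse`.
    """
    out = bytearray()
    for lineno, line in enumerate(objdump_text.splitlines(), 1):
        fields = line.split("\t")
        if len(fields) < 2 or not OFFSET_FIELD.match(fields[0]):
            continue
        for tok in fields[1].split():
            if not HEX_TOKEN.match(tok) or len(tok) not in (2, 8):
                raise ValueError(f"line {lineno}: bad hex token {tok!r}")
            if len(tok) == 8:
                # objdump prints the A64 word as a number; in memory it is LE.
                out += int(tok, 16).to_bytes(4, "little")
            else:
                out.append(int(tok, 16))
    return bytes(out)


def to_js_array(data: bytes) -> str:
    """Format bytes as the comma-separated `0x..` list a JS array literal expects."""
    return ", ".join(f"0x{b:02x}" for b in data)


if __name__ == "__main__":
    import sys
    text = SAMPLE_OBJDUMP if sys.stdin.isatty() else sys.stdin.read()
    print(to_js_array(extract_bytes(text)))
```

Pipe real `aarch64-elf-objdump -d` output into the script's stdin; with no input it runs on the constructed sample.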


  2. RyleWeststar
    It's built in mind that it will able to make syscalls to a Linux kernel to accept TCP connections and perform common Linux syscalls for functions. I have my doubts that Nintendo are using an OS that has compatible syscalls.
     
  3. Drakia
  4. AlphonseElric
    Yes, I have seen that, but I was thinking more along the lines of a "/bin/sh" shell. Granted, it might not be that exact file and directory, so we may have to go searching around. I know, for example, that Android's "sh" file is located at "/system/bin/sh". Since the switch seems to run on FreeBSD (as per the legal disclaimer on the switch itself), it might just be there.
     
  5. RyleWeststar
    Even if it is using a FreeBSD kernel (which so far has not been confirmed), there is no need for them to include userland like a shell on the system. If you're going to deliver a custom payload to open a daemon on the system for remote shell access, may as well include the SASH shell in the payload.
     
  6. AlphonseElric
    You raise a good point. I'll see what I can do when I get home.
     
  7. Joom
    It's not using the FreeBSD kernel, it's using the network stack from FreeBSD.
     
  8. AlphonseElric
    Alright, good to know. I'm still going to work on this a little though, see if I can get anywhere. If I can't, then I'll leave it be.
     
  22. AlphonseElric
    I've made an edit to my original post with the files and steps required to do this, check it out!
     
  23. bennyman123abc
    Wish I had a Switch. If I did, I would be the first to test this :D
     
  24. natinusala
    I really doubt that the Switch OS comes with a "hidden" shell binary. What would be the point? Nintendo has literally no reason to add one.

    Seeing that they didn't release the web browser by fear of potential exploits, I can understand why they wouldn't add a shell in there.
     
  25. NexoCube
    Nintendo Switch will probably be the hardest console to fully exploit. The NX OS appears to be a rewritten 3DS OS, and they're using ARM TrustZone (reinforced security).
     
  26. Jhynjhiruu
    Has anyone actually tried this yet? It sounds great, but I don't have Linux and stuff, so I can't try it.
     
  27. AlphonseElric
    Yeah, the more I think about it, the more I think this is the case.

    I can try to implement a binary like SASH or Busybox, but that will take a while for me.
     
  28. thomasnet
    There's already busybox on ARM64, so maybe you could use it...
     
    Last edited by thomasnet, Mar 18, 2017
  29. AlphonseElric
    It's not that simple. First I have to objdump the aarch64 Busybox/Sash binary, then take all of the hex values and find a way to use it in my shellcode. Granted, I do have some idea on how to do that, it's just that it might take a while since the binary is so big.
     
    Last edited by AlphonseElric, Mar 18, 2017
  30. AlphonseElric
    Updated the OP, have a look!
     
  31. Classicgamer
    Do whatever you want ^_^ such as...?
     
  32. dAVID_
    Let's hope this exploit can be used to run some homebrew.
     
  33. heyheyitsjoeway
    Just wanted to give some test results:

    Firstly, line 70 of the HTML (the SHELLCODE variable) was missing some commas. I added those back in and got the "JSC version not vulnerable" message.

    Secondly, even after bypassing the vulnerability check manually, nothing really happens. The only thing that pops up is the "Script execution is taking a long time" message. I've hit continue about 10 times now and nothing has happened. No netcat connection, no freeze, no crash; nothing.

    Basically, this exploit can't be used on the Switch. The JS engine isn't vulnerable to this particular exploit.
     
    Last edited by heyheyitsjoeway, Mar 19, 2017