CVE-2016-4657 walk-through and intro to browser exploitation

Discussion in 'Switch - Hacking & Homebrew' started by parrotgeek1, Mar 13, 2017.

  1. parrotgeek1 (OP)
  2. iAqua
    well that was fast :).
    Last edited by iAqua, Jul 23, 2017
  3. jupitteer
    damn, can't wait for userland. Wanna play dem emulators.
  4. AecdArmy
    Give it a bit, we need a DEP bypass first :P
  5. jupitteer
    Yep, but it's still great to see progress so quickly.


    At this rate, the switch will be hacked before we get sighax.
  6. studio1b
    keep it up :) great news
  7. TheCyberQuake
    Remember to keep in mind that they still have to develop a format for homebrew as well, along with tools to develop the homebrew (or SDK leaks). Kinda like how the 3DS has its .3dsx format.
  8. Sasori
    I have taken the liberty of recording this webpage in action, in case anyone is curious as to what it does currently without sitting through an 18-minute video.
  9. AecdArmy
    It's kinda weird. Last night I finished the whole thing, saying the Switch will now crash; now I get up to that part only, then it crashes...
  10. Sasori
    It depends on how the script runs, I assume, since it doesn't even have a 100% success rate. I noticed it should have said that for me as well.
  11. Hillary_Clinton
    Always crashes before the end for me.
  12. Sasori
    It's supposed to.
  13. Hillary_Clinton
    What I mean is, it doesn't get to the part where it's supposed to alert "smash.length is now: 0x1337"

    It should get there before crashing.
  14. Sasori
    You installed/set it up wrong. If you want to test a working version, set your DNS to go to http://dnswitch.redthetrainer.com/

    Once there, click "tap to test webkit".
  15. Hillary_Clinton
    Still crashes after the first two alerts. :huh: Is it working any better for you?
  16. Sasori
    Like I said, it's supposed to crash. You can see so in my video above as well.
  17. Hillary_Clinton
    But it's not supposed to crash; if you watch the first video, he gets all the way through. What I think you're saying is: this is expected behavior since it's just a really touchy exploit?

    Edit: It sometimes makes it to the "misaligned" alert.
    Last edited by Hillary_Clinton, Mar 13, 2017
  18. Sasori
    The same exact thing happens in the video: he crashes. You're crashing because it doesn't do anything yet and is just a PoC. You won't be pirating games or using homebrew with this right now. This "exploit" won't do anything other than crash your system.
  19. Hillary_Clinton
    Yes, it's a proof of concept, but a critical part of the proof is seeing that the length changed, and I'm not reaching that alert. So this makes me curious exactly what his setup was, if he was reliably having success.

    Edit: Okay, now if I set up my server with his exact files freshly unzipped from his GitHub master (not just poc1.html but also his index.html, which redirects to it), then I am able to get to the end of the PoC reliably.
    Last edited by Hillary_Clinton, Mar 13, 2017
  20. gudenau
    Now to find gadgets and such. ^^

    Edit:
    Got to love use after free exploits. So fun.
    Last edited by gudenau, Mar 13, 2017