Hacking CVE-2016-4657 walk-through and intro to browser exploitation

[AecdArmy]

Yes, it's a proof of concept, but a critical part of the proof is seeing that the length changed, and I'm not reaching that alert. So this makes me curious exactly what his setup was, if he was reliably having success.

Edit: Okay, now if I set up my server with his exact files freshly unzipped from his github master (not just poc1.html but also his index.html which redirects to it), then I am able to get to the end of the PoC reliably.

Same thing when im using it on my domain instead of localhosting it.

 

[recgame77]

no aslr on the switch ?

 

[ehnoah]

New
Well I understood absolute nothing But it was informative and I watched it til the End :X

So the exploit give us access to the Memory Range of the Web Browser? Like we can access 100 MB of the RAM? From there we can try go deeper?

 

[gluffl]

really bad, this was published. now it's a matter of hours or a few days, until it's fixed. IT's also really easy for Nintendo to fix it, just updating a few files of the webkit.

 

[ehnoah]

really bad, this was published. now it's a matter of hours or a few days, until it's fixed. IT's also really easy for Nintendo to fix it, just updating a few files of the webkit.

Just stay on 2.0 :>

 

[gluffl]

Just stay on 2.0 :>

I don't own a Switch (yet). Really really bad, the exploit was made public until an useful hack was developed...

 

[ehnoah]

I don't own a Switch (yet). Really really bad, the exploit was made public until an useful hack was developed...

Well that is the reason why I think about buy switch now and keep it. But since there is lot of Hardware Protection I doubt we get any useful without wire cables to the board.

 

[empulse]

Think it was released because there is more coming, has advanced further. already have seen 2 diff emulators load -- no gameplay, but they loaded.

 

[InsaneNutter]

I don't own a Switch (yet). Really really bad, the exploit was made public until an useful hack was developed...

The exploit looks to have been public since May 2016.

 

[koffieleut]

I loved the part where he stated that he was just a noob. On that point I thought that I would understand what he was saying about the code.... I understood like 5% of the story

 

[hitodesu]

Does fiddler work with this? And what about the public dns's for browsing?

 

[cherryduck]

Does fiddler work with this? And what about the public dns's for browsing?

I've got Fiddler set up and a local web server (I use Abyss, it's a bare bones Windows client), redirect to the index.html and poc1.html on my local machine, works perfectly.

 

[McHaggis]

The Switch notices and recovers from the exception much like the 3DS used to for non-exploitable vulnerabilities, so I'm skeptical as to how useful this is.

 

[studio1b]

this is just the start and this is a great tool that will lead to alot of stuff.

right now we are looking for aes key for dfu mode.

but with this we might be able to hit something that gives us the info we need
to everyone that keeps saying a hack will make they devs run away this is not true at all. every console get a hacked and only effects Sales of the console. so more and more people will buy the console. and just beause some one runs backups don't mean they don't buy games

 

[yeddish]

Does fiddler work with this? And what about the public dns's for browsing?

Fiddler will work. It has many of the same basic features that Burp Suite has. Burp Suite is better, though, IMO. It also has a basic free version that will do what is needed for this hack. I would recommend giving it a look.

EDIT: Also, the public DNS works for me for browsing.

 

[NexoCube]

Give it a bit we need a DEP Bypass first

rop

 

[hitodesu]

Fiddler will work. It has many of the same basic features that Burp Suite has. Burp Suite is better, though, IMO. It also has a basic free version that will do what is needed for this hack. I would recommend giving it a look.

EDIT: Also, the public DNS works for me for browsing.

If you went to the CVE page on that with the public DNS, did it do a successful run through?

 

[gluffl]

The exploit looks to have been public since May 2016.

*Picard double face palm* Public, that this webkit version is used on the Switch.

 

[StarTrekVoyager]

The fun part will be when all the LJoycondefect-free Switches will be shipped with 3.0

 

[chaoskagami]

Remember to keep in mind that they still have to develop a format for homebrew as well, along with tools to develop the homebrew (or sdk leaks). Kinda like how the 3ds has it's .3dsx format

Can we all for the love of god just use ELF for once? Preferably PIE/PIC.

The exploit looks to have been public since May 2016.

...I have no words.