Hacking GO Exploit

[ernilos]

The other thread is getting fulled with stuff like "halp me plz, it don't works", so I thought on create another thread to talk about the GO exploit...
Going to the website with no 3DS webAgent you get what the memory block is fulled with "counter+4 08 0E" (http://gyazo.com/77fb2460da8543a36e8ebed1d4f30037), when you activate the 3DS UserAgent you get the exploit. Seems the *exploit* is copying a lot of times 0x200 bytes to memory, making overflow or something and then run the *second stage*.
At first look it seems to be a ROPLoader (like on MSetHax). Here we can see "dmc:/Launcher.dat" coded on UTF-16, so this ROPLoader isn't obfuscated, well. A good way to continue studying how it works is getting a RAM dump with browser applet open, it should be easy with the released CFW.
Hope we can get Kernel Execution on FW 4.0-9.2

PD: There's some paste with title "GW_GO_Exploit.bin" with download link of the exploit binary

 

[ken28]

well why not trying to launch the ninjhax launcher with it, instead of launcher.dat?
Just an idea.

 

[Kylecito]

well why not trying to launch the ninjhax launcher with it, instead of launcher.dat?
Just an idea.

Not the same ROP chain, I doubt it.

Has anyone tried to copy the site as-is to a local folder, set up a web server and run it locally? Having to rely on an Internet connection might be a risky business

 

[Zidapi]

It looks like the "GO Exploit" is the Swebug exploit that the enigmatic MathewE documented on this pastebin in early December, as it mentions the 0x200 bytes in the notes.

The Swebug 3DS bug

Bug found: 12/6/14 9:24 PM
Posted: 12/8/14 12:36 AM
Updated: 12/8/2014 7:32 PM

Bug tested on:
-New 3DS 9.2.0-20J
-2DS 9.0.0-20E
-3DS 4.5.0-4U
--EmuNAND 9.2.0-20U
-3DS 5.0.0-11E
-3DS 6.3.0-12J
-3DS 9.1.0-20J
-3DS XL 9.0.0-20U
--EmuNAND 9.2.0-20U
-3DS XL 9.2.0-20U
-Dev 3DS (2)
-New 3DS 9.0.0-20E
-New 3DS 9.3.0-21J

Bug worked:
-New 3DS 9.2.0-20J
-New 3DS 9.0.0-20E
-New 3DS 9.3.0-21J

Bug location:
Internet Browser
Repeating CTR Savegame

"boot.12.8.14.zip" MD5: CE CE F5 8B 99 47 C5 61 DA 52 44 D3 72 3D 85 39
"revision.12.8.14.zip" MD5: 23 CE 1B 24 4E 56 E7 0C 9D A8 17 31 F4 5F 24 00

Contents:
"webkit_root.zip" webkit bug
"savetest_multi.zip" pre-written savegame bug (AQNx) (ACVx)
"savecreate_root.zip" savegame bug
"extdata_root.zip" savegame bug for extdata
"hellow_world.khb" test homebrew

The notes

savegame bug:
rop:
set 0x00 as start instead of 0x2000
0x00000100
0x00000010
0x00004120
0x00000200
0x0000FF20
0x01111110 
0x00001210
0x00000100
0x0023A010
0x0023A010
0x00000100
0x0000FF20
0x0023A010
0x0B1BCE90
0x0000FF20
0x0000FF20
0x0023A010
0x0000A1B0
0x0000A1B0
0x0000A1B0
0x0000A1B0
0x0000A1B0
0x0000A1B0
0x00000100
0x0023A010
0x0023A010
0x0023A010
0x00000100
0x00000100
0x0BIBCE90
0x00000100
0x0A121730 
0x0000FCF0
0x0000FCF0
0x0000FCF0
0x0A121730 
0x0A121730 
0x0A121730 
0x00000100
0x00004120
0x00004120
0x00004120
0x00004120
jump to internetBrowser

webkit bug:
localhost.***/savegame/gameID/1112/bug.html
FF FF FF FF 01 22 00 20
byte 4
FF^0x1
0xF(G)/FF 01/(02)
(0x0102 02 01)

 

[hias]

Nice work. If this is not more than you found that means we can mirror Gateways files on a local webserver and can start the launcher even when Gateway Go is down?
Or is there still a payload that gets downloaded on boot?

Would be nice if you could try this, thanks

 

[CalebW]

Interesting, does anyone know who this MathewE fellow is?

 

[ken28]

A well know ps3 hacker. Matthew cfw and so on if I remember right

 

[DSoryu]

So in order to make Ninjhax work with the new 4.0-9.2 browser exploit, the launher.dat needs to be updated specifically for this exploit?

 

[Dr Eggman]

It looks like the "GO Exploit" is the Swebug exploit that the enigmatic MathewE documented on this pastebin in early December, as it mentions the 0x200 bytes in the notes.
-snip-

How did this go unnoticed??

Hopefully the ROP chain is friendly so we can get homebrew up and running ASAP

[user]ernilos[/user] what CFW are you talking about for this RAM dumping?

 

[Bug_Checker_]

How did this go unnoticed??

Hopefully the ROP chain is friendly so we can get homebrew up and running ASAP

[user]ernilos[/user] what CFW are you talking about for this RAM dumping?

It did not go unnoticed. just unmentioned until https://gbatemp.net/threads/3ds-softmod.378018/#post-5264571

 

[Vappy]

It'd been mentioned prior to that, by piratesephiroth and a few other people, but it kind of went unnoticed or just forgotten about because no one knew who MathewE was, or how to get in contact with him. And it's almost certain he won't be publicly releasing his work either way.

 

[PewnyPL]

So, as this exploit launches Launcher.dat from SD card... does anyone know if Gateway's exploit could be used to load Homebrew? Anyone tried?

 

[OuahOuah]

So, as this exploit launches Launcher.dat from SD card... does anyone know if Gateway's exploit could be used to load Homebrew? Anyone tried?

GW can run homebrew directly

 

[WaryLouka]

GW can run homebrew directly

But if we could execute homebrew/binaries only using a specially crafted launcher file?
It would be useful for those who wants to play homebrew without a Gateway.

 

[PewnyPL]

GW can run homebrew directly

Well yeah, it can. But this would be for people WITHOUT Gateway (and without Cubic Ninja)

 

[Vappy]

Well yeah, it can. But this would be for people WITHOUT Gateway (and without Cubic Ninja)

You'd need to reverse the Launcher.dat to find the exploit it uses. Without that, you're limited to basic ROP with the browser.

 

[ernilos]

[user]ernilos[/user] what CFW are you talking about for this RAM dumping?

http://gbatemp.net/index.php?posts/5144453
It has some commands really usefulls for developers and that stuff ^-^

 

[cearp]

GW can run homebrew directly

but not with pure 100% nand access

 

[PewnyPL]

You'd need to reverse the Launcher.dat to find the exploit it uses. Without that, you're limited to basic ROP with the browser.

But is the ROP chain of the bowser identical to MSET ROP chain? Or even more limited (as in, the actual exploit to launch unsigned code is in Launcher.dat this time)

 

[Vappy]

But is the ROP chain of the bowser identical to MSET ROP chain? Or even more limited (as in, the actual exploit to launch unsigned code is in Launcher.dat this time)

Functionally similar, if not identical, both confined to usermode ROP, no arbitrary execution.

but not with pure 100% nand access

No real ARM9 access either, I believe, which is why there was never a .3ds or .cia of the decryptor homebrews.