Hacking Restricted Webkit bug finder

dojafoja

life elevated
OP
Member
Joined
Jan 2, 2014
Messages
693
Trophies
0
XP
2,403
Country
All the information found below is outdated and has links to old/not working files etc.
The project and its usage is now on my github here: https://github.com/dojafoja/Restricted-Webkit-Bug-Finder





ORIGINAL THREAD FROM 2015, THIS IS OBSOLETE NOW, VISIT MY GITHUB LINK ABOVE :

We all know that MarioNumber1 and NWPlayer123 are too busy with the kernel exploit to help do anything else. We also know that our best way in to the WiiU is the browser and that we need to find a new browser bug that will lead to an exploit. How can the community help? We need to collectively find browser bugs that crash the browser. So I decided to pitch in and I wrote this handy little gui application in python. I pulled a svn log from the WebKit repo, manually trimmed the log to only include commits entered after October 16, 2012 and ran it through my log parser. This produced 40,811 individual commit entries. My script attempts to extract all the urls for the bug. Unfortunately it isn't perfect and doesn't handle bug urls with leading or trailing characters or commits with multiple bug urls. Then the script scans every single url and if the bug is restricted it is marked as such and all of this is stored neatly into a sqlite3 database. This found 427 restricted bugs and took several hours to scrape every url. My gui presents this to the user. If the log parser were fixed or rewritten to handle all urls properly there may be more potential restricted bugs.

Things you should know:
1. I am not a great programmer. I'm more like a hobbyist. I taught myself everything I know and have very little time to do this stuff because I have a job, wife, 2 kids, other obligations, etc.
2. I was planning on this being python 2.7 and python 3 compatible but I have not fully implemented it yet, only partially.
3. I DO realize that obtaining a svn log in xml format would be much easier to parse but that's not how I did it. It must be a simple txt output.
4. I do NOT have much time to help answer too many questions.
5. I just noticed that I didn't put a scroll bar on the left box in the results tab, I will fix it later. Use your mouse wheel or keyboard arrow.
6. It does not resize properly because I manually set the width and height of the text and list boxes and I also didn't set the column and row weight properties.
7. The database file MUST be named 'commits.db' because it is hardcoded into the script.
8. The database contains ALL commit logs, not just ones with restricted bugs. Restricted ones are marked 1 in the 'restricted' field. Performance in the Results view could be dramatically increased if the db were stripped to erase all entries that are not restricted.
9. The program will crash if you click the Parse log button and an invalid or blank path is given. This is easy to fix.
10. It is sometimes not the fastest program in the world. I have some redundant database queries all over the place, duplicate code in spots and it is very procedural because it was thrown together very quickly.
11. There is no context menu on right click. To copy/paste just use the keyboard Ctrl-C/Ctrl-V
12. It is buggy and not finished. Please feel free to make it better if it bothers you.

13. I AM NOT A GREAT PROGRAMMER :)

The community as a whole can pledge to scour the output and test all bugs which contain layout tests.
Do not publicly talk about which bugs crash the browser, we don't want to give Nintendo a nice list of all bugs they need to patch.

INSTRUCTIONS:
Requires Python 2.7, the only external libs you might need are beautifulsoup4 and possibly the tkinter packages if they aren't included with your python dist. This also uses sqlite3 but that is usually shipped with python. Everything else should just be shipped with python. If you are going to use the Windows exe file then you will not need to satisfy the above mentioned dependencies.

You MUST have a local copy of the webkit repo so the program can host the proper files.
get it here: http://www.webkit.org/building/checkout.html

DOWNLOAD:
There are two versions available for download, a regular python script as well as a windows executable.


1. You can download the regular python script here: http://www.mediafire.com/download/c1mvzc0fsoi55cf/wbf_v0.4.rar

2. You can download the Windows exe file from here: http://www.mediafire.com/download/4vox8l896vo145u/wbf_v0.3_exe.rar

The Windows exe was created with cx_freeze for python. You will not need to satisfy any dependencies. Just extract the rar and run test_parser.exe. This was tested on Windows 7 with older hardware (1GHz Pentium 4) and performance was OK.


OPTION A:
1. Download and extract the rar file found above.

2. To simply use the output I have provided, run the test_parser.py script or test_parser.exe, switch to the Results tab and click on Refresh list.

3. ALL commits with bugs marked as restricted in the db are listed on the left. Click on a commit title and the entire commit entry will be displayed on the right.

4. Some of the commits will have layout tests listed. Copy the location of the layout test html file found in the results view.

5. Switch to the hosting tab, click the Get my IP button or manually provide your local IP address. Next, click Browse and provide the location of your LayoutTests directory. Now paste the html file location into the bottom entry and then click the Host file button.

6. Point the console browser to your_local_ip:8000, no need to provide a file name to the browser. The file is being hosted as index.html so the browser will automatically load it. If no crash or buggy behaviour occurs, find another layout test, host it and repoint the browser to local_ip:8000. I recommend creating a bookmark and selecting it over and over each time you host a new file. It will load the new file being hosted each time you do this!


OPTION B:
1. If you would like to parse your own log and generate your own database instead of using the one provided,
be sure that you have svn and obtain a webkit svn log as a plain txt file.

2. Download and extract the rar file found above.

3. Run the script test_parser.py or test_parser.exe

4. To parse your own log and generate a commits database, click the Browse button or provide a path to the svn log txt file. Click Parse log. It will parse the log into a database and automatically stop to only include entries prior to 10/16/2012. I have provided a svn_log.txt that is trimmed. This log was pulled on 1/07/2015.

5. To scan all urls, attempt to find all restricted bugs and mark them as restricted in the database, click the Scan for Restricted bugs button. This will take a VERY Long time!! It took several hours to complete on my machine(6 or more).

6. Optionally, you can strip the database of all entries that do not contain restricted bugs by clicking the Strip database button. This will dramatically increase performance in the Results view window.

7. To view the output of the commits.db database click the Results tab at the top of the program, click Refresh list and ALL commits with bugs marked as restricted in the db are listed on the left. Click on commit title and the entire commit entry will be displayed on the right.

8. Some of the commits will have layout tests listed. Copy the location of the layout test html file found in the results view.

9. Switch to the hosting tab, click Get my IP button or manually provide your local IP address. Next, click Browse and provide the location to your LayoutTests directory. Now paste the html file location into the bottom entry and then click the host file button.

10. Point the console browser to your_local_ip:8000, no need to provide a file name to the browser. The file is being hosted as index.html so the browser will automatically load it. If no crash or buggy behaviour occurs, find another layout test, host it and repoint the browser to local_ip:8000. I recommend creating a bookmark and selecting it over and over each time you host a new file. It will load the new file being hosted each time you do this!


Tested on Ubuntu 14.04 and Windows7


The generated db file is a standard sqlite3 db and can be viewed with any sqlite3 compatible viewer as well. The db has a field named 'restricted' and restricted bugs will have a value of 1.

I encourage anybody with more time and knowledge to fix the log parser to handle some urls better. Also, if you can make the code more efficient please do so. I would love to learn from other people's changes to the code. Just please be nice if you think my code sucks, when I don't quite know how to do stuff, I just dirty hack the hell out of it until it works :-P
 

Attachments
  • Screenshot from 2015-01-15 23:09:09.png (43 KB)
  • Screenshot from 2015-01-15 23:11:44.png (12.5 KB)
  • Screenshot from 2015-01-18 21:55:12.png (36.3 KB)
Last edited by dojafoja,
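The pipeline the OP describes (parse a plain-text svn log, pull the bug URLs out of each commit message, fetch each bug page and flag it restricted when its <title> reads "Access Denied", store the result in a commits.db-style sqlite3 table with a `restricted` field, optionally strip the non-restricted rows) written out as an added Python example. This is not dojafoja's script and not code from the GitHub repo. The log text, revisions, bug ids and bug pages below are constructed, and `fake_fetch` stands in for the live bug tracker so the example runs offline; for a real run you would pass a fetcher built on `urllib.request.urlopen` and budget the hours the OP mentions. It also covers the cases the OP says his parser misses: URLs wrapped in `<...>` or followed by punctuation, and several URLs in one message. Commits dated before 16 October 2012 are dropped, matching the cutoff the OP describes.

```python
import re
import sqlite3
from datetime import date, datetime

CUTOFF = date(2012, 10, 16)  # the OP keeps only commits from this date on
BUG_URL = "https://bugs.webkit.org/show_bug.cgi?id=%d"

# Constructed svn log in plain "svn log" text format; revisions and bug ids are made up.
SAMPLE_LOG = """------------------------------------------------------------------------
r100002 | dev@example.org | 2014-05-29 10:22:33 -0700 (Thu, 29 May 2014) | 5 lines

Crash when an iframe is removed during beforeload
<https://bugs.webkit.org/show_bug.cgi?id=111111>

* fast/events/constructed-test.html: Added.
------------------------------------------------------------------------
r100001 | dev@example.org | 2013-01-04 08:00:00 -0800 (Fri, 04 Jan 2013) | 3 lines

Two bugs fixed at once
https://bugs.webkit.org/show_bug.cgi?id=222222, https://webkit.org/b/333333.
------------------------------------------------------------------------
r100000 | dev@example.org | 2012-10-01 08:00:00 -0700 (Mon, 01 Oct 2012) | 2 lines

Older change, before the cutoff: https://bugs.webkit.org/show_bug.cgi?id=444444
------------------------------------------------------------------------
"""

_SEP_RE = re.compile(r"^-{10,}[ \t]*$", re.MULTILINE)
_HEADER_RE = re.compile(r"^r(?P<rev>\d+) \| (?P<author>[^|]*) \| (?P<date>\d{4}-\d{2}-\d{2})[^|]*\| \d+ lines?\s*$")
# Only the numeric id is captured, so '<...>' wrapping, trailing ',' or '.', several URLs in
# one message (the cases the OP's parser misses) and the webkit.org/b/N short form all work.
_BUG_RE = re.compile(r"https?://(?:bugs\.webkit\.org/show_bug\.cgi\?id=|webkit\.org/b/)(\d+)")
_LAYOUT_TEST_RE = re.compile(r"^[ \t]*\*[ \t]*((?:LayoutTests/)?[\w./-]+\.html)", re.MULTILINE)
_TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.IGNORECASE | re.DOTALL)

def extract_bug_ids(message):
    """Distinct bug ids in first-seen order."""
    return list(dict.fromkeys(int(b) for b in _BUG_RE.findall(message)))

def parse_svn_log(text, cutoff=CUTOFF):
    """Split plain 'svn log' output into entries dated on or after the cutoff."""
    entries = []
    for chunk in _SEP_RE.split(text):
        header, _, message = chunk.strip("\n").partition("\n")
        m = _HEADER_RE.match(header)
        if m is None:  # empty leading/trailing chunk or a stray line
            continue
        when = datetime.strptime(m.group("date"), "%Y-%m-%d").date()
        if when < cutoff:
            continue
        message = message.strip("\n")
        entries.append({"revision": int(m.group("rev")), "author": m.group("author").strip(),
                        "date": when.isoformat(), "message": message,
                        "bug_ids": extract_bug_ids(message),
                        "layout_tests": _LAYOUT_TEST_RE.findall(message)})
    return entries

def is_restricted_page(html):
    """Bugzilla serves a restricted bug as a page titled 'Access Denied'."""
    m = _TITLE_RE.search(html)
    return bool(m) and "access denied" in m.group(1).lower()

def build_db(entries, path=":memory:"):
    """commits.db-style table: one row per commit; restricted=1 once one of its bugs is restricted."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS commits (revision INTEGER PRIMARY KEY, date TEXT,"
                 " message TEXT, bug_ids TEXT, layout_tests TEXT, restricted INTEGER DEFAULT 0)")
    conn.executemany("INSERT OR REPLACE INTO commits VALUES (?,?,?,?,?,0)",
                     [(e["revision"], e["date"], e["message"], ",".join(map(str, e["bug_ids"])),
                       ",".join(e["layout_tests"])) for e in entries])
    conn.commit()
    return conn

def mark_restricted(conn, fetch):
    """fetch(url) -> page HTML. Each distinct bug is fetched once; every commit citing a
    restricted bug gets restricted=1. Returns the sorted restricted bug ids."""
    verdict = {}
    rows = conn.execute("SELECT revision, bug_ids FROM commits WHERE bug_ids != ''").fetchall()
    for rev, bug_ids in rows:
        for bug in map(int, bug_ids.split(",")):
            if bug not in verdict:
                verdict[bug] = is_restricted_page(fetch(BUG_URL % bug))
            if verdict[bug]:
                conn.execute("UPDATE commits SET restricted=1 WHERE revision=?", (rev,))
    conn.commit()
    return sorted(b for b, hit in verdict.items() if hit)

def restricted_revisions(conn):
    return [r for (r,) in conn.execute("SELECT revision FROM commits WHERE restricted=1 ORDER BY revision")]

def strip_database(conn):
    """The OP's 'Strip database' step: drop every commit that cites no restricted bug."""
    deleted = conn.execute("DELETE FROM commits WHERE restricted=0").rowcount
    conn.commit()
    return deleted

# Constructed stand-ins for the live bug tracker so the example runs offline.
FAKE_PAGES = {BUG_URL % 333333: "<html><head><title>Access Denied</title></head></html>"}

def fake_fetch(url):
    return FAKE_PAGES.get(url, "<html><head><title>Bug 1 - public</title></head></html>")
```

`parse_svn_log(open("svn_log.txt").read())` followed by `build_db(..., "commits.db")` and `mark_restricted(conn, fetch)` reproduces the three buttons in the OP's GUI. Fetching each distinct bug once, rather than once per commit, is the cheap win: commits that land on several branches or get follow-up fixes cite the same bug id repeatedly.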

dojafoja (OP):
It's pretty simple. It's just finding bugs, particularly restricted ones. If the restricted ones are later revealed they are quite likely exploitable and it is quite likely Wii U's webkit will not be updated.
Restricted ones don't get revealed for webkit but svn logs sometimes still contain layout tests to trigger the bug ;-) my script extracted every url from the log and scraped them all one by one looking for 'Access Denied' in the <title> </title> tag.
 

endoverend

AKA zooksman
Member
Joined
Jun 6, 2013
Messages
2,846
Trophies
0
Website
zooksman.com
XP
2,869
Country
United States
> Restricted ones don't get revealed for webkit but svn logs sometimes still contain layout tests to trigger the bug ;-) my script extracted every url from the log and scraped them all one by one looking for 'Access Denied' in the <title> </title>

Thanks for clearing it up. I only skimmed the OP lol
 

dojafoja (OP):
> So this is a WebKit issue database builder?
> Wii U usually uses old WebKit versions anyway.

This can build a database consisting of all svn commit logs. Within those logs, some commits contain a url to the bug. All the svn logs with these urls are scanned, if they are restricted bugs then it keeps track of them. Then you can view the commit log for each bug in hopes that it contains layout test information for triggering the bug. Host these locally and test them to see which ones crash the WiiU browser. This only keeps track of commits after 10/16/2012.
 

dojafoja (OP):
New version added and links updated and screenshots added to the OP

Changes:
1. Added missing scrollbar in results view
2. Resizing now works for results view
3. Added some error checks to prevent some crashes
4. Added some notifications when operations complete
5. Added the option to strip database of non restricted entries.
6. Now comes with pre-stripped database
 

dojafoja (OP):
> Thank you, good sir! I will be sure to take a look at this! Hopefully with more people checking for bugs, things will move along faster, webkit exploit-wise :)
No problem. I might have some time this afternoon to throw down a little code(no promises). If I do, I have an idea to make this MUCH more useful for the average user.
I'm thinking of having the program also act as a local server and host the layout tests for you, moving the .html file to the server's working directory and renaming it to a static filename. Then the user wouldn't have to change the url in the browser each time they perform a layout test. Simply tell the program which file you want to host and that file will be hosted under a static file name, i.e. test.html
 

endoverend:
Found one at r169475. The browser freezes and locks up using the layout test at fast/events/beforeload-iframe-crash.html

BTW to anyone who wants to do this: download Mongoose and it will host a web server in whatever directory the executable is in. From there you can copy the contents of the layout test into a .html file and navigate to it in the Wii U's browser.
 

dojafoja (OP):
> Could someone please tell me how to get html files with the exploits from the results?
There is a link to the webkit repo in the OP. Download a local copy of the repo and the html files you seek are in the layout tests directory. PS: I have a big update coming later tonight after some testing that will host the files for you if you have a local copy of the repo. Just copy/paste the layout test location from the results tab into a new hosting section. The server will place itself into the proper layout test directory, find the file and make a copy named index.html. This way you simply host the file and navigate the browser to local_ip:8000. index.html is always loaded automatically, so copy/paste, click host, point the browser to your ip. If no crash, copy/paste, click host, refresh browser... coming real soon
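The hosting design described in the reply above, as an added Python example (not dojafoja's code and not from the GitHub repo): the chosen layout test is copied to index.html next to the original, so relative references to resources/ or ../js-test.js keep resolving, and the test's own directory is served on port 8000 with caching disabled so a bookmarked http://<ip>:8000/ really fetches the new file each time. The demo tree, file names and addresses are constructed; `local_ip()` is a best-effort guess and the OP's "Get my IP" button may do it differently.

```python
import shutil
import socket
import sys
import tempfile
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from pathlib import Path


def stage_layout_test(layout_tests_dir, test_path):
    """Copy LayoutTests/<test_path> to index.html beside the original, so the test's
    relative references keep resolving. Returns (directory_to_serve, index_path)."""
    root = Path(layout_tests_dir).resolve()
    src = (root / test_path).resolve()
    if root != src and root not in src.parents:  # reject ../ escapes out of the tree
        raise ValueError("not inside LayoutTests: %s" % test_path)
    if not src.is_file():
        raise FileNotFoundError(str(src))
    index = src.with_name("index.html")
    shutil.copyfile(src, index)
    return src.parent, index


class NoCacheHandler(SimpleHTTPRequestHandler):
    """Without this the console browser may keep showing the previous test from its cache."""
    def end_headers(self):
        self.send_header("Cache-Control", "no-store")
        super().end_headers()


def local_ip():
    """Address of the interface that would reach the LAN; a UDP connect() sends no packet."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.connect(("192.0.2.1", 9))  # TEST-NET-1 address, never actually contacted
            return s.getsockname()[0]
        except OSError:
            return "127.0.0.1"


def serve(serve_dir, port=8000):
    """Serve serve_dir on every interface; index.html is what http://<ip>:8000/ returns."""
    handler = partial(NoCacheHandler, directory=str(serve_dir))
    return ThreadingHTTPServer(("0.0.0.0", port), handler)


def demo():
    """Offline check on a constructed LayoutTests tree (not the real repo)."""
    root = Path(tempfile.mkdtemp())
    (root / "fast" / "events").mkdir(parents=True)
    (root / "fast" / "events" / "constructed-test.html").write_text("<script>/* constructed */</script>")
    serve_dir, index = stage_layout_test(root, "fast/events/constructed-test.html")
    try:
        stage_layout_test(root, "../../etc/passwd")
        escaped = True
    except ValueError:
        escaped = False
    return {"serve_dir": serve_dir.name, "index": index.read_text(), "escape_rejected": not escaped}


if __name__ == "__main__":
    # usage: python host_test.py /path/to/WebKit/LayoutTests fast/events/some-test.html
    serve_dir, _ = stage_layout_test(sys.argv[1], sys.argv[2])
    httpd = serve(serve_dir)
    print("point the console browser at http://%s:%d/" % (local_ip(), httpd.server_port))
    httpd.serve_forever()
```

Binding 0.0.0.0 exposes the served directory to everything on the LAN, which is acceptable here only because it is the public LayoutTests tree; keep the server off untrusted networks and stop it when you are done. The path check matters because the staged location comes from copy/paste.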
 

dojafoja (OP):
> Found one at r169475. The browser freezes and locks up using the layout test at fast/events/beforeload-iframe-crash.html
>
> BTW to anyone who wants to do this: download Mongoose and it will host a web server in whatever directory the executable is in. From there you can copy the contents of the layout test into a .html file and navigate to it in the Wii U's browser.
Good! Just a suggestion though, if we point out all bugs that crash the browser then Nintendo will know which bugs we know about and which ones to patch
 

endoverend:
> 404 is file not found!!

That's not how it works. Just google the github webkit and find the beforeload-iframe-crash.html file, copy the contents into a blank txt file, change the extension to html, then load it up in a web server. If you don't know how to do something like this then maybe finding bugs in Wii U software isn't what you should be focusing on.
 

Theeze

Member
Newcomer
Joined
Feb 13, 2013
Messages
18
Trophies
0
XP
96
Country
Canada
> Good! Just a suggestion though, if we point out all bugs that crash the browser then Nintendo will know which bugs we know about and which ones to patch

Very true... I remember Sony had their ninjas on ps3 hacking scenes and followed everything. One of them was an active user as well. If they patch, they patch. Whoever's on 5.3.2 is best to stay there. Turn off wifi for now as this scene is going to blow up soon. Last time a scene was this active was the LV0 leak on the ps3.
 
