Hacking ROP from within IOS_USB (5.5.1)

[NexoCube]

http://pastebin.com/zZhkTX2B

Here is my own IOS_Write32 exploitation, i haven't tested it yet, i'll try with the IOSU_Shutdown(1) syscall

EDIT: There's some little error like at the EOF, i wrote "return ret" instead of "return return_value" and i redeclared ctr after i have performed the IOCTL, i'll fix it once i've tested it ou with the shutdown syscall

 

[SciresM]

http://pastebin.com/zZhkTX2B

Here is my own IOS_Write32 exploitation, i haven't tested it yet, i'll try with the IOSU_Shutdown(1) syscall

EDIT: There's some little error like at the EOF, i wrote "return ret" instead of "return return_value" and i redeclared ctr after i have performed the IOCTL, i'll fix it once i've tested it ou with the shutdown syscall

Did...did you just copy my implementation of the arbitrary write when literally the first post in this thread contains code that uses the write to get ROP? Hell, you even copied my MEM1 constant with a weird comment about how "it's the only way i managed for it to work".


That comment doesn't even make sense because you can use anywhere in MEM1 if you adjust the pointers, or else just use a temporary allocated buffer on the fly. And the write is just a means to get ROP, so this was outdated as of the second the first post in this thread got made.


What the fuck was the point?

 

[sdtg34520]

-deleted-

 

[NexoCube]

Did...did you just copy my implementation of the arbitrary write when literally the first post in this thread contains code that uses the write to get ROP? Hell, you even copied my MEM1 constant with a weird comment about how "it's the only way i managed for it to work".


That comment doesn't even make sense because you can use anywhere in MEM1 if you adjust the pointers, or else just use a temporary allocated buffer on the fly. And the write is just a means to get ROP, so this was outdated as of the second the first post in this thread got made.


What the fuck was the point?

Yeah, i stole some info with the stuff i got around and about the MEM1 constants, i have a modified libwiiu lib

And i'm sorry you took it like this but i didn't mean to stole your stuff and tell people this is mine !
And thanks you ! You're "ios_write32"pastebin helped me understanding how it works, like really !

And can you tell me please where the SysCall_0x15 address is ? (not the "UND #0x150") The real function, not the handler !

--------------------- MERGED ---------------------------

NexoCube(TM).

nexposed

 

[sdtg34520]

-deleted-

 

[NexoCube]

You seriously don't know how to search functions?

I do know but searching it in fw.img isn't easy as it looks like, the only thing i've founded is

 

[sdtg34520]

-deleted-

 

[NexoCube]

No, it's incredibly easy if you have a proper IDA database. Literally just CTRL+F in the functions list.

Already done but my IOSU image .idb isn't that good, maybe you could link me with a "proper" one

 

[EclipseSin]

Don't do eet.

 

[sdtg34520]

-deleted-

 

[rw-r-r_0644]

Just FIY, saying "syscall 0x15" isn't enough. There's IOS-USB syscall 0x15, IOS-MCP syscall 0x15, IOS-KERNEL syscall 0x15, ...

 

[EclipseSin]

STMFD SP!, {R4-R6,LR} ; Store Block to Memory
SUB SP, SP, #4 ; Rd = Op1 - Op2
MOV R3, #0 ; Rd = Op2
ADD R4, SP, #0x14+var_10 ; Rd = Op1 + Op2
STR R3, [R4,#-4]! ; Store to Memory
MOV R5, R0 ; Rd = Op2

 

[NexoCube]

Just FIY, saying "syscall 0x15" isn't enough. There's IOS-USB syscall 0x15, IOS-MCP syscall 0x15, IOS-KERNEL syscall 0x15, ...

IOS_USB Syscall 0x15

 

[sdtg34520]

-deleted-

 

[NexoCube]

Why do you even need 0x15?

Just to see it And why don't you just give me the adresses instead of being rude :/

 

[rw-r-r_0644]

IOS_USB Syscall 0x15

SysCall_0x15_IOS_USB=0x1012EB64

 

[NexoCube]

SysCall_0x15_IOS_USB=0x1012EB64

Thanks but...



What i need is the USB_ioctl_15

 

[rw-r-r_0644]

Thanks but...

View attachment 66327

What i need is the USB_ioctl_15

Can't you search it yourselfes? Sorry but, looks like you're using the same database so it shouldn't be difficult.

 

[NexoCube]

Can't you search it yourselfes? Sorry but, looks like you're using the same database so it shouldn't be difficult.

Fine. But there's no USB_ioctl_15 but nvm i should figure it out by myself

 

[sdtg34520]

-deleted-