Using CVE-2016-4657 to dump Browser Binary

Discussion in 'Switch - Hacking & Homebrew' started by chilliam, Mar 17, 2017.

  1. chilliam (OP)

    Long time lurker here ever since I became interested in r4 cards for my old DS and I feel like I finally have something to contribute (literally created an account today to post this info).

    I got a Switch recently and became extremely interested when I heard news that a WebKit exploit still exists in the browser of the console. I watched LiveOverflow's video on this subject like 15 times and studied his code and the code he derived his from (the iOS jailbreak code) and I think I've finally managed to dump some interesting binary data from the browser.

    I first tried adapting LiveOverflow's code but after much testing I figured that he cut out a key piece of the exploit. So referencing the original code from qwertyoruiop, I was able to strip out the part that loaded the iOS binary loader, used some of the code from the Phrack article to find memory addresses, and found the exploit can work the exact same way. If we had shellcode to execute to gain root privileges of the Switch, we could do it here and run our arbitrary code in the same way it does for iOS. But, since we don't have shellcode to operate (yet) on the Switch, I just decided to try to dump the browser's executable binary from memory.

    I need to take a break from this but I wanted to post my 16 hours of straight research before I did that and post what I believe to be the first 2(1024^2) bytes (~9 MB of data) of the browser's binary (searching through I can find the source code to my webpage in plaintext, too bad I have no general idea of how WebKit looks in binary). Since I'm generally naive when it comes to how WebKit stores executable and JIT compiler code in memory, this could be more than the browser's binary (though I highly doubt it) and is really just the first 2(1024^2) bytes in memory after the calculated executable's address.

    It's only the first two parts because the Switch crashes before it can finish reading all of the data. Probably needs some more refining on finding the length of the executable.

    TL;DR: I have dumped the beginnings of what I believe to be the Switch's browser binary from memory using the WebKit exploit.

    The code and binary parts are on my GitHub:
    https://github.com/weelcheel/Switch-Exploit

    Feel free to discuss and/or tell me I'm wrong about this (seriously, I'm not 100% sure on what the data I found is).

    Edit: Math is hard.
     
    Last edited by chilliam, Mar 17, 2017
  2. iAqua

    great job, I might try to look into this too!
     
  3. Jhynjhiruu

    Where does it dump to?
    Or am I just confused?
     
  4. thomasnet

    It dumps to a file on your computer, in the directory where the nodejs script is.
     
  5. Jhynjhiruu

    I'm confused as to how to make this work. I put all the files I downloaded from the GitHub in C:/inetpub/wwwroot, got my Switch to go to that page, ran the exploit... and then...?
     
  6. thomasnet

    Did you start the nodejs server?
    You don't need to have a webserver like IIS or Apache HTTPd.
    Just modify the switchhax0r.html (search in it 192.168.1.1 and replace that with your PC's IP), start the server using the command nodejs switchtest.js, make your switch go to your PC's IP:5001 and done.
    Also make sure you have put the js and the html in the same directory (it can be anywhere).
     
    Last edited by thomasnet, Mar 18, 2017
  7. Jhynjhiruu

    Umm
    No
     
  8. thomasnet

    Ok, I don't think you have nodejs, so download it now here.
     
  9. Jhynjhiruu

    Just did - got it installed and stuff

    Still stuck though
     
  10. thomasnet

    Open a cmd window and type in nodejs. Do you see a ">" symbol?
    If not, restart and try again.
     
  11. Jhynjhiruu

    'nodejs' is not recognised as an internal or external command
     
  12. Jhyrachy

    @Jhynjhiruu this is something more for devs, not for end users.

    This does not allow any kind of homebrew or piracy, it's just a study of the console; if you do not know what you are doing, you probably do not need this.
     
  13. Jhynjhiruu

    @Jhyrachy I kinda actually do know what I'm doing, I just don't know that much about web servers and stuff
     
  14. thomasnet

    Check your PMs.