Homebrew Why exploit images or else

Dr.Hacknik

In order to cause an exploit to occur, you must cause a buffer overflow, allowing the application to crash and fall back onto some code. I'm not sure how to do this with an image file, but performing it with a .mp4 is easy. On the other hand, Miiverse includes a video player with the MPEG codec, allowing things like YouTube videos to play. If you can redirect a video to a corrupted one, you might be able to cause a buffer overflow. I'm just speculating.
 

gudenau

> In order to cause an exploit to occur, you must cause a buffer overflow, allowing the application to crash and fall back onto some code. I'm not sure how to do this with an image file, but performing it with a .mp4 is easy. On the other hand, Miiverse includes a video player with the MPEG codec, allowing things like YouTube videos to play. If you can redirect a video to a corrupted one, you might be able to cause a buffer overflow. I'm just speculating.
Buffer overflows are not needed. :3
 

gudenau

> How? I remember using them, especially in early Wii U exploits.
There are several ways to exploit stuff: undocumented APIs, bad memory permissions letting you write where you shouldn't, integer overflows for index values, plain old not checking inputs, stack overflows, buffer over- and underflows, type confusion, abusing hardware DMA, use after free.

Lots of things are possible. IIRC the Stagefright stuff is an integer overflow. I know for a fact that the Pegasus thing uses a use after free to create a flat array that is 0xFFFFFFFF bytes long and starts at 0x00000000.

Wolfer473

> set it as proxy
Yeah lol, I figured it out right after I posted that. I'm now banned from Miiverse and the eShop. Can't tell if it's because I was trying to replace an eShop video and it detected an invalid certificate, or because the NNU-Patcher stopped working while I was still in the eShop.
 

gbatempfan1

> In order to cause an exploit to occur, you must cause a buffer overflow, allowing the application to crash and fall back onto some code. I'm not sure how to do this with an image file.

Several things to check. I wrote a decoder in Python 4 or 5 years ago, so it is a bit vague, but from what I remember... You can check how it handles the memory situation by creating PNGs that deflate quite large, through several methods. Each chunk can be 4 MB; there are 4 primary chunk types, such as image data and colour palettes, and a dozen or maybe even more extra types, like text data. Besides making fields in headers large: since it uses DEFLATE compression, just see how many series of blocks of 0s or 1s you can encode, which it will subsequently expand; you can also create literal blocks of 64k in size and keep on pushing them. Also, I think filtering bits can expand things even more. Besides checking low-memory conditions to see if any of the 14 chunk types overflow, you can check which version of libpng it uses, if it does use that library, and check for CVEs: https://www.cvedetails.com/vulnerability-list/vendor_id-7294/Libpng.html

I'd imagine with some googling there might be some specially crafted PNGs online for testing these things. Of course, that gets you halfway; if you test out a bunch and you get a crash, like you said, the other half is the code execution.
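The stress test gbatempfan1 describes (header fields that say one thing, an IDAT stream that inflates to another) can be run from the decoder's side as well. This is an added example, my own code and not anything from this thread or from a Wii U image decoder: a Python pre-decode check that derives the raw byte budget from the IHDR fields and refuses to inflate the IDAT stream a single byte past it. make_png builds constructed samples, including the deliberately mismatched kind the post suggests; the assumptions are 8-bit, non-interlaced images and a 64 MiB default budget.

```python
import struct
import zlib
SIGNATURE = b"\x89PNG\r\n\x1a\n"
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # samples per pixel, by PNG colour type

def make_png(width, height, colour, raw):
    """Constructed sample: 8-bit non-interlaced PNG whose IDAT is zlib(raw); raw need not fit IHDR."""
    def chunk(ctype, payload):  # length, type, payload, CRC32 over type + payload
        return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, colour, 0, 0, 0)
    return SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw, 9)) + chunk(b"IEND", b"")

def chunks(data):
    """Yield (type, payload) for each chunk, rejecting any length that runs past end of file."""
    if not data.startswith(SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(SIGNATURE)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if length > 0x7FFFFFFF or pos + 12 + length > len(data):
            raise ValueError("chunk length runs past end of file")
        yield ctype, data[pos + 8:pos + 8 + length]
        pos += 12 + length  # skip length, type, payload and CRC

def check_png(data, max_raw=64 << 20):
    """Return the raw byte count IHDR implies; raise ValueError if it exceeds max_raw or IDAT inflates to any other size."""
    ctype, ihdr = next((it := chunks(data)), (None, b""))
    if ctype != b"IHDR" or len(ihdr) != 13:
        raise ValueError("first chunk must be a 13-byte IHDR")
    width, height, depth, colour, _, _, interlace = struct.unpack(">IIBBBBB", ihdr)
    if colour not in CHANNELS or interlace or not width or not height:
        raise ValueError("unsupported colour type, interlaced, or zero-sized image")
    expected = height * (1 + (width * CHANNELS[colour] * depth + 7) // 8)  # per row: filter byte + samples
    if expected > max_raw:  # decided from the header alone, before touching compressed data
        raise ValueError("declared dimensions exceed the raw-size budget")
    inflater, produced = zlib.decompressobj(), 0
    for ctype, payload in it:
        if ctype == b"IDAT":  # request one byte past expected; receiving it proves a bomb
            produced += len(inflater.decompress(payload, expected + 1 - produced))
            if produced > expected:
                raise ValueError("IDAT inflates beyond the declared image size")
    if produced != expected or not inflater.eof:
        raise ValueError("IDAT stream is short or not properly terminated")
    return expected

def is_safe_png(data, max_raw=64 << 20):
    try:
        return check_png(data, max_raw) > 0
    except (ValueError, zlib.error):
        return False
```

A 2x2 RGB image implies 14 raw bytes and passes; a 1x1 image whose IDAT inflates to a mebibyte, a 65536x65536 header, and a stream shorter than its header are all rejected before a decoder would allocate for them.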
