Homebrew Why exploit images or else
- Thread starter Se7ensinsMods
- Start date
- Views 3,260
- Replies 30
- Joined
- Jul 7, 2010
- Messages
- 3,882
- Trophies
- 2
- Location
- /dev/random
- Website
- www.gudenau.net
- XP
- 5,461
- Country
Just because the error is properly handled means you can't use a MP4 at all. It's not a valid image so it shows an invalid image image.
- Joined
- Mar 26, 2014
- Messages
- 1,773
- Trophies
- 2
- Age
- 24
- Location
- inside your fridge
- Website
- dochacknik.keybase.pub
- XP
- 2,230
- Country
In order to cause an exploit to occur. You must cause a Buffer Overflow. Allowing the application to crash and fall back onto some code. I'm not sure how to do this with an image file, but performing it with a .mp4 is easy. On the other hand, MiiVerse includes a video player, with the MPEG Codec. Allowing things like YouTube videos to play. If you can redirect a Video, to a corrupted one you might be able to cause a buffer Overflow. I'm just speculating.
- Joined
- Jul 7, 2010
- Messages
- 3,882
- Trophies
- 2
- Location
- /dev/random
- Website
- www.gudenau.net
- XP
- 5,461
- Country
- Joined
- Mar 26, 2014
- Messages
- 1,773
- Trophies
- 2
- Age
- 24
- Location
- inside your fridge
- Website
- dochacknik.keybase.pub
- XP
- 2,230
- Country
- Joined
- Jul 7, 2010
- Messages
- 3,882
- Trophies
- 2
- Location
- /dev/random
- Website
- www.gudenau.net
- XP
- 5,461
- Country
There are several ways to exploit stuff. Undocumented APIs, bad memory permissions letting you write where you shouldn't, integer overflows for index values, plain old not checking inputs, stack overflows, buffer over and underflows, type confusion, abusing hardware DMA, use after free.
Lots of things are possible. IIRC the Stagefright stuff is an interger overflow. I know for a fact that the Pegasus thing uses a use after free to create a flat array that is 0xFFFFFFFF bytes long and starts at 0x00000000.
Yeah lol I figured it out right after I posted that. I'm now banned from Miiverse and eShop. Can't tell if it's because I was trying to replace an eShop video and it detected an invalid certificate or because the NNU-Patcher stopped working while I was still in the eShop.
Several things to check, I wrote a decoder in python 4 or 5 years ago, so it is a bit vague, but from what I remember... You can check how it handles the memory situation by creating pngs that deflate quite large through several methods. Each chunk can be 4mb, there are 4 primrary chunk types such as image data, color palettes, and a dozen or maybe even more extra types like text data, besides making fields in headers large, since it uses DEFLATE compression, just see how many series of blocks of 0 or 1s you can encode, which it will subsequently expand, you can also create literal blocks of 64k in size, and keep on pushing them. Also I think filtering bits can expand things even more. Besides checking low memory conditions to see if any of the 14 chunk types overflow, you can check which version of libpng it uses, if it does use that library, you can check for CVEs https://www.cvedetails.com/vulnerability-list/vendor_id-7294/Libpng.html
I'd imagine with some googling there might be some specially crafted pngs online for testing these things. Of course that gets you half way, if you test out a bunch and you get a crash, like you said, the other half is the code execution.
Last edited by gbatempfan1,
I know this thread is dated but:
Is this visible to others or just you. Otherwise it's Inspect Element Craze all over again
Similar threads
