1. filfat

    OP filfat Musician, Developer & Entrepreneur
    Member

    Joined:
    Nov 24, 2012
    Messages:
    1,259
    Country:
    Sweden
    Latest Wide Exploited Version: 5.5.1

    Useful Links
    Block Auto Updates
    Go into the router and block the following domains:
    • nus.c.shop.nintendowifi.net
    • nus.cdn.c.shop.nintendowifi.net
    • nus.cdn.shop.wii.com
    • nus.cdn.wup.shop.nintendo.net
    • nus.wup.shop.nintendo.net
    Tools/Homebrew By The Community
    Current Public *Useful* Exploits
    (This post does not reflect Filiph Sandström's own personal opinions, nor does it reflect filfat Studios AB's stand on these kinds of issues/projects)
     
    Last edited by filfat, May 3, 2016
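    Added example, not code from the thread or from any of the posters: it checks hostnames against the update-server list above (whole-label suffix matching, so subdomains count but look-alike names do not), renders the list as dnsmasq `address=` lines on the assumption that the router's resolver is dnsmasq, and scans constructed dnsmasq query-log lines so you can confirm which device on the LAN is actually trying to reach the update service.

```python
import re

# Update-service (NUS) hostnames listed in the post; blocking them at the
# router stops the console from fetching system updates.
NUS_BLOCKLIST = (
    "nus.c.shop.nintendowifi.net",
    "nus.cdn.c.shop.nintendowifi.net",
    "nus.cdn.shop.wii.com",
    "nus.cdn.wup.shop.nintendo.net",
    "nus.wup.shop.nintendo.net",
)


def is_blocked(hostname, blocklist=NUS_BLOCKLIST):
    """True if hostname equals a blocked name or is a subdomain of one.
    Matching is done on whole labels, so 'evilnus.wup.shop.nintendo.net'
    is NOT a match while 'cdn.nus.wup.shop.nintendo.net' is."""
    host = hostname.lower().rstrip(".")
    return any(host == b or host.endswith("." + b) for b in blocklist)


def dnsmasq_blocklist(blocklist=NUS_BLOCKLIST):
    """Render the list as dnsmasq config (assumed router resolver):
    address=/name/0.0.0.0 answers 0.0.0.0 for name and all its subdomains."""
    return "\n".join(f"address=/{name}/0.0.0.0" for name in blocklist)


# dnsmasq --log-queries prints 'query[TYPE] host from client'.
LOG_RE = re.compile(r"query\[\w+\]\s+(?P<host>\S+)\s+from\s+(?P<client>\S+)")


def update_attempts(log_lines, blocklist=NUS_BLOCKLIST):
    """Return (client, host) for every query that hit a blocked update host."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and is_blocked(m.group("host"), blocklist):
            hits.append((m.group("client"), m.group("host")))
    return hits


# Constructed sample log lines (not captured from a real router).
SAMPLE_LOG = [
    "Aug 25 12:00:01 dnsmasq[812]: query[A] nus.cdn.wup.shop.nintendo.net from 192.168.1.50",
    "Aug 25 12:00:01 dnsmasq[812]: query[A] www.example.com from 192.168.1.50",
    "Aug 25 12:00:02 dnsmasq[812]: query[AAAA] nus.wup.shop.nintendo.net from 192.168.1.50",
    "Aug 25 12:00:02 dnsmasq[812]: reply nus.wup.shop.nintendo.net is 0.0.0.0",
]

if __name__ == "__main__":
    print(dnsmasq_blocklist())
    for client, host in update_attempts(SAMPLE_LOG):
        print(f"{client} tried to reach update host {host}")
```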
  2. Marionumber1

    Marionumber1 GBAtemp Maniac
    Member

    Joined:
    Nov 7, 2010
    Messages:
    1,234
    Country:
    United States
    NeKit and I are planning to clean up the build system and release it, along with instructions on how to use it.
     
  3. Kargaroc

    Kargaroc GBAtemp Regular
    Member

    Joined:
    Nov 29, 2013
    Messages:
    182
    Country:
    United States
    I wonder why you still need a ROP chain even though NX is disabled for the browser?
     
  4. filfat

    OP filfat Musician, Developer & Entrepreneur
    Member

    Joined:
    Nov 24, 2012
    Messages:
    1,259
    Country:
    Sweden
    That's great. Btw, you wouldn't mind setting up a GitHub so we can all work on it now that it's out in public anyway? :)
     
    Margen67 likes this.
  5. Marionumber1

    Marionumber1 GBAtemp Maniac
    Member

    Joined:
    Nov 7, 2010
    Messages:
    1,234
    Country:
    United States

    fail0verflow never actually said that NX was disabled in the browser. NX is active just as it is on all other applications, meaning the stack and heap are still non-executable. The difference is that the web browser has a special region of memory, called the JIT or codegen area, which you're allowed to create code inside. You obviously need your own code running to copy the shellcode into the JIT area and run it. That code is the ROP chain.


    It will be a public repo, whether on Github, Bitbucket, or elsewhere.
     
    Margen67, filfat and Kargaroc like this.
  6. the_randomizer

    the_randomizer The Temp's official fox whisperer
    Member

    Joined:
    Apr 29, 2011
    Messages:
    30,115
    Country:
    United States
    Should people be advised to blacklist the Nintendo update servers so they can take all precautions to block any future updates? While this will prevent eShop access, it should still allow online gaming for those who wish to use it. Failing that, disabling auto updates and standby mode wouldn't hurt. All precautions should be considered :)
     
  7. filfat

    OP filfat Musician, Developer & Entrepreneur
    Member

    Joined:
    Nov 24, 2012
    Messages:
    1,259
    Country:
    Sweden
    Sure, give me a second to add that to the op :)
     
    Last edited by filfat, Aug 25, 2015
    Margen67 and the_randomizer like this.
  8. Nexus

    Nexus Newbie
    Newcomer

    Joined:
    Jun 15, 2014
    Messages:
    5
    Country:
    What should happen when running the WebKit exploit on an exploitable firmware?

    I take it the main function in the html is var pointer = sprayInc(30000);
     
  9. Marionumber1

    Marionumber1 GBAtemp Maniac
    Member

    Joined:
    Nov 7, 2010
    Messages:
    1,234
    Country:
    United States

    It will load and execute the PowerPC shellcode that was sprayed by sprayCode().
     
    Margen67 likes this.
  10. the_randomizer

    the_randomizer The Temp's official fox whisperer
    Member

    Joined:
    Apr 29, 2011
    Messages:
    30,115
    Country:
    United States

    Would one of these IP addresses being blacklisted in the advanced router settings help with update prevention?

    96.17.161.145,
    184.50.229.137,
    184.50.229.158

    I haven't tested these personally, but other users state that it does work; it needs confirmation. I refuse to update, not now, now that we're slowly but surely making progress.

    Edit: last deleted address was for eShop only, not necessary to add to blacklist.
    filfat is that exploit site supposed to be empty or is that a placeholder for when it actually does get released?
     
  11. filfat

    OP filfat Musician, Developer & Entrepreneur
    Member

    Joined:
    Nov 24, 2012
    Messages:
    1,259
    Country:
    Sweden
    Updated the post with the IPs that need to be blocked,
    nus.cdn.wup.shop.nintendo.net
     
    Last edited by filfat, Aug 25, 2015
    the_randomizer likes this.
  12. NWPlayer123

    NWPlayer123 GBAtemp Addict
    Member

    Joined:
    Feb 17, 2012
    Messages:
    2,642
    Country:
    United States
    Nope, since nus == nintendo update service
     
    Margen67 and Goku Junior like this.
  13. filfat

    OP filfat Musician, Developer & Entrepreneur
    Member

    Joined:
    Nov 24, 2012
    Messages:
    1,259
    Country:
    Sweden
    Yeah, that makes sense.

    The website is currently hosting the latest "leak" of the exploit, so unless you are looking at it through a Wii U, everything you will see is an iframe.
     
    Margen67 and Fpsrussia117 like this.
  14. Goku Junior

    Goku Junior GBAtemp Advanced Fan
    Member

    Joined:
    Dec 27, 2013
    Messages:
    951
    Country:
    Argentina
    So, it could be stupid to ask this, but are you currently working on the exploit? You know a lot about Wii U hacking.
    Edit.
    I tried the exploit on 5.0.0 and it freezes. I know it isn't working on 5.0, but does the same happen on 4.1.0?
     
  15. kettenschutz

    kettenschutz Member
    Newcomer

    Joined:
    Jul 15, 2010
    Messages:
    34
    Country:
    France
    So I guess no script was compiled, e.g. hello.c
     
  16. NWPlayer123

    NWPlayer123 GBAtemp Addict
    Member

    Joined:
    Feb 17, 2012
    Messages:
    2,642
    Country:
    United States
    Yes, I was with MN1 watching him put it all together since the very beginning, starting with me testing extracting the BootROM for him when his Wii U was broken (the release from 4 months ago that got so much fkn useless attention) up until now, and I try to help as best I can, whether it's answering questions or what.

    As for 4.1.0, hello.c basically calls OSFatal, which makes the system shut down, creates a black screen, and prints a specific message, in this case "Hello from the new buffer!", and it shows up on both the GamePad and TV screen. As for the others, it depends.
     
    Margen67, filfat and Goku Junior like this.
  17. WulfyStylez

    WulfyStylez SALT/Bemani Princess
    Member

    Joined:
    Nov 3, 2013
    Messages:
    1,149
    Country:
    United States
    How'd you guys find addresses for ROP gadgets? I can't imagine it was totally trial and error...?
     
  18. Goku Junior

    Goku Junior GBAtemp Advanced Fan
    Member

    Joined:
    Dec 27, 2013
    Messages:
    951
    Country:
    Argentina
    OK, so, on 4.1.0 it shows that message? Or do we need to have the downloaded exploit on the SD? Because on the Wii you need the SD to make exploits work (except for LetterBomb and Wilbrand), but I don't think the SD would be useful (because the Wii U ignores it). I don't lose anything by asking this.
     
  19. NWPlayer123

    NWPlayer123 GBAtemp Addict
    Member

    Joined:
    Feb 17, 2012
    Messages:
    2,642
    Country:
    United States
    Heheh, we kinda had some help from F0F with that.

    Yes, but the exploit is useless on an SD; this is through the web browser, so you need to host it through XAMPP or something similar.
     
    Margen67 likes this.
  20. filfat

    OP filfat Musician, Developer & Entrepreneur
    Member

    Joined:
    Nov 24, 2012
    Messages:
    1,259
    Country:
    Sweden
    Updated <non-working-url> to show warning before the user runs the exploit.
     
    Last edited by filfat, Jan 26, 2016
    Margen67 and TeamScriptKiddies like this.