Hacking WIP: Getting Gateway website exploit running on local webserver

  • Thread starter: Deleted-19228
The magic numbers are based on the User-Agent that is sent over to the go.gateway-3ds.com website. I have copied my UA from my 3DS XL and dumped the HTML source from the Gateway site to one of my own, and it says "Failed to load web page" and after a few seconds dumps you back to the main menu with an error like what other people are getting when attempting to run the exploit, which requires them to clear cookies or some such. That's definitely not the cause in this case. If anyone has any ideas on what to do please share. I don't like the idea of having to rely on their web server. It's gone down too many times recently :P
 
frame.html source
 
They're using index.php; the actual URL is http://go.gateway-3ds.com/index.php

Unfortunately the PHP source cannot be seen from the user side.

If they're running some PHP code within... you cannot replicate it.

Unless you can reverse engineer it (which is not possible by only looking at the above HTML code), or you can get the index.php source from the Gateway team (unlikely).


... most probably they're running something, otherwise they could just use index.html or index.htm
 
That HTML code above is already processed by PHP (web server) only to show HTML content / java; the PHP code itself cannot be seen, unless you find an exploit in their server/hack and then grab that index.php (and all related items).

That's how PHP works.

sample php code

<?php
$sample = "hello world";
echo $sample;
?>

What you see from the user's browser with "view source" is only:

hello world
 
You can't exploit the browser with PHP because it's server side.

So all of the things that the Gateway webpage does are about JavaScript code, which is client side and you can view it.
 
Well I managed to get the exploit up without connecting to gateway website...

Basically I set up a proxy server on my Linux box, and on my 3DS connected to said proxy, dumped the index.html and frame.html, and created a simple web server to serve the two pages.

Turns out the index.html I dumped with this method is different from what I got when I just changed my PC's web browser's user agent to the 3DS user agent.
 
Well I managed to get the exploit up without connecting to gateway website...

Basically I set up a proxy server on my Linux box, and on my 3DS connected to said proxy, dumped the index.html and frame.html, and created a simple web server to serve the two pages.

Turns out the index.html I dumped with this method is different from what you get if you simply change the user agent to the 3DS user agent.


I used Fiddler and set it up as a proxy on my 3DS. It's weird because the page I posted worked when I dumped it, but when I use Fiddler's autoresponder (loads pages locally instead of sending requests) or host them on my own server I only get an error. Don't know what's wrong, but I don't have a Gateway card to do anything right now anyways.
 
What do you think the PHP code is for? If it's just for detecting and distributing the payload then it shouldn't matter.
 
Thomas12345 said he got it working; you could try replicating his method. Of course that only gives you the static HTML for your 3DS configuration, and not the PHP script generating them, but that one set of pages would probably work for all other consoles of the same model and version. If someone made an archive of all combinations, it'd be a fine alternative to Gateway's own site.
 
The payload differs according to the user agent you are using. You need the correct user agent according to your 3DS firmware version. You can find information about the user agent strings on 3dsbrew:

http://3dbrew.org/wiki/Internet_Browser

The easiest way to get the correct agent for your 3DS is to set up a site on your local webserver which displays the user agent of the accessing web browser, then visit it with your 3DS. If it does not work when you use a proxy, the proxy uses a wrong user agent.

Just use the user agent switcher addon for Firefox and you are good to go.
Gateway uses PHP to supply the correct payload according to the user agent; no exploit is going on here server side.

You can also use sites like this:

http://www.whatsmyua.com
 
The payload differs according to the user agent you are using. You need the correct user agent according to your 3DS firmware version. You can find information about the user agent strings on 3dsbrew, google it.

The easiest way to get the correct agent for your 3DS is to set up a site on your local webserver which displays the user agent of the accessing web browser, then visit it with your 3DS. If it does not work when you use a proxy, the proxy uses a wrong user agent.

Just use the user agent switcher addon for Firefox and you are good to go.
Gateway uses PHP to supply the correct payload according to the user agent; no exploit is going on here server side.

Or just follow this:
Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7567.US

<lang> is "en", "fr", etc. <region> is "US", "EU", etc. See below for <version>

Version is in browser settings.
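
Added example (not part of the original posts): a small Python page for a local web server that lists every header the visiting browser sends, not only the User-Agent, and splits a User-Agent in the format quoted above into language, version and region. The port, the function names and the regular expression are assumptions made for this example; the response is plain text so header values are never rendered as HTML.

```python
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Format quoted in the thread:
#   Mozilla/5.0 (Nintendo 3DS; U; ; <lang>) Version/<version>.<region>
# The exact character classes below are an assumption made for this example.
UA_RE = re.compile(
    r"^Mozilla/5\.0 \(Nintendo 3DS; U; ; (?P<lang>[a-z]{2})\) "
    r"Version/(?P<version>\d+(?:\.\d+)*)\.(?P<region>[A-Z]{2})$"
)

# Constructed sample request; the UA string is the one quoted in the thread.
SAMPLE_HEADERS = [
    ("Host", "192.168.0.10:8000"),
    ("User-Agent", "Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7567.US"),
    ("Accept-Language", "en"),
]

def parse_3ds_ua(ua):
    """Return {'lang', 'version', 'region'} or None if the UA does not match."""
    m = UA_RE.match(ua.strip())
    return m.groupdict() if m else None

def describe_request(headers):
    """Plain-text report of all request headers plus the parsed UA fields."""
    headers = list(headers)
    lines = [f"{name}: {value}" for name, value in headers]
    ua = next((v for n, v in headers if n.lower() == "user-agent"), "")
    fields = parse_3ds_ua(ua)
    lines.append("")
    lines.append(f"3DS UA fields: {fields}" if fields
                 else "User-Agent is not in the 3DS format")
    return "\n".join(lines) + "\n"

class HeaderEcho(BaseHTTPRequestHandler):
    def do_GET(self):
        body = describe_request(self.headers.items()).encode("utf-8", "replace")
        self.send_response(200)
        # text/plain + nosniff: reflected header values must not run as markup.
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("X-Content-Type-Options", "nosniff")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    print(describe_request(SAMPLE_HEADERS))
    # Listens on all interfaces so a device on the same LAN can reach it.
    HTTPServer(("0.0.0.0", 8000), HeaderEcho).serve_forever()
```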
 
It's not generated using ONLY the UA. There is something else that is sent over.
 
