WebKit vuln testing, for vuln stockpiling. Find as *many* useful testcases as you can for whatever system browser you prefer, regardless of whether browserhax is publicly available for latest version. #28
Comments
|
I haven't really attempted much with this myself for Old3DS, more interested in non-{yet-another-browser-exploit} 3DS stuff right now. |
|
If anyone actually does have any crash-triggers, please privmsg the changeset link(s) via IRC regardless of the /away status(my IRC client runs on a dedicated server after all). |
|
Yeah I'll definitely start trying it and seeing if anything crashes. |
|
would something like crashchrome.com be possible too, of course it would have to be modified though. |
|
I heard there was a recently patched exploit in iOS 9.3 in some font thing that when loading a malicious font file, would allow arbitrary code execution. Not sure if this is a viable option for browserhax, but since the web browsers use WebKit (I think?) it may be vulnerable too, but it might just be in some apple exclusive thing......I will start testing the exploits on that page though! |
|
Just my 2 cents but it would be clever not to post any vuln details here in case a potential vuln turns out exploitable (even untested ones). People should just try them and report them in private message like the first post says. You can safely assume that big N reads the posts here. |
|
@yellows8 by any chance does the DS/DSi browser use WebKit? |
|
@staticsn0w It's Opera, never got an useful crash with that. |
|
Hello. Are the 3ds' browser sources public? Can someone actually compile it? |
|
https://www.nintendo.co.jp/support/oss/index.html "Can someone actually compile it?" As-is, no. |
|
Sorry to get off topic, but I THINK I found a way to run unsigned code: DownloadPlay! I was running a CIA of Ice Climber, and let my friend with a non-hb enabled n3ds join in with DownloadPlay. Did it download an executable from the internet? Because I dont think either of us were on wifi. Does this mean someone could make a malicious CIA that allows launching of the hbmenu [it gets it from the internet if not on the SD] once? [probably to install another sploit like oot3dhax or something] [they would also have to figure out how to do download play and what file it uses for the games] |
ghost
mentioned this issue
|
FWIW this is still needed, new-browserhax still doesn't exist. |
|
So if we were to go testing for crashes, in what section do you think that we would have the most luck? |
|
Whatever directory you want -> "(from the WebKit SVN, in particular https://trac.webkit.org/browser/trunk/LayoutTests)" |
|
By directory, I meant which folder on https://trac.webkit.org/browser/trunk/LayoutTests would be more probable to crash. |
|
Who knows. |
|
Hello yellows8, thanks for your hard work! Since I have a n3ds running 11.0.0-33e, how can I test WebKit vulnerabilities? I mean, I'm quite new to this, so please tell me what to do and I will! |
|
DxDen, from what I know you kinda just have to try everything until you get crash... |
|
"n3ds running 11.0.0-33e" New3DS is actually preferred atm. :) |
|
Make sure the crash isn't caused by a null dereference. |
|
Hi all, since I don't know how to trigger a crash and I have no idea on how to check if the crash happens due to a null dereference I give up, at least until someone releases a Noob Proof guide. Anyway, I managed to get several crashes with an application that can be acquired on the eShop. I reproduced the crash many times and it always worked (the application crashes and the console must be restarted). I don't know if this can be helpful or if it was just luck (5 tests on 5 succesful, I think it's not just a coincidence). Since the application works with an internet connection I think it uses WebKit, and maybe this could be a good starting point. I'll be doing more tests on this in the next days and if the results are good I will sharemy experience. I really hope I can bring some good news. Regards |
|
@DxDen1004 STOP spamming. EDIT: Extra comments were deleted. |
|
"Since the application works with an internet connection I think it uses WebKit" Sounds like a guess with zero proof... |
|
I'm so sorry, actually this was not intentional, I was typing with my 3DS and when I pressed "Comment" nothing happened, so I raped the button before reloading the page and pasting the text again. "Souns like a guess with zero proof" Smealum said that every application on the 3DS able to connect to the internet uses webKit.. Maybe it's wrong, then thanks for letting me know. |
|
i think that you could do something with the backups when you backup your game saves and replacing it with the hax then restoring load the save and there the hax are becuse no one really talked about it you could try making an exploit im going to try it right now plus im not really good at programming but im gonna try. oh and i know that nintendo go to these forms becuse they are gonna try to block off the hax by finding them first |
|
"Smealum said that every application on the 3DS able to connect to the internet uses webKit" Sounds like you misunderstood him. @MrDarius125 No ......... https://3dbrew.org/wiki/SD_Savedata_Backups |
|
https://smealum.github.io/3ds/32c3/#/25 Probably I misunderstood him. Anyway, could this crash be used to launch the homebrew channel? I'm trying to help but seems like you're not interested, if this is the case just tell me and I'll go away. Regards. |
|
*"I misunderstood him." So how did you crash this app exactly? |
|
You want me to write how to trigger the crash here? I can upload a video if you prefer and send you the link, if Nintendo reads those posts may fix it before we can say "cactus". Regards. |
|
First post does mention IRC if you prefer privately... |
|
how we can try? |
|
Read first post etc... |
yellows8
changed the title
yellows8
changed the title
yellows8
changed the title
|
I don't understand the issue with null ref derefs, they can be great in certain situations. what happens if the last command was call with ==000000000? but user supplied? same with any write 00000000, reads are up in the air but still can be useful.f this is for testing and exploit dev in general and I see no reason it wouldn't work on a 3ds xl... been looking for a decent debugger for one, cant find it so maybe I will have to dump the ram and chips and write an ida plug in or something similar (I do do RCE for a living. :) |
|
"I don't understand the issue with null ref derefs" <- Memory below address 0x00100000 isn't mapped. |
|
i see support for 10.6 HERE 658c208 FINALLY :) |
|
Is v11 supported or should I keep trying? |
|
@gselivanof no 11.0 10.7 10.6 yet |
|
It's usually easy to google first to find a null-deref. I also recommend looking at Chromium's LayoutTests in the /fast/ directory. |
|
"I don't understand the issue with null ref derefs" <- Memory below address 0x00100000 isn't mapped. Thanks for the tip MrRean. will do. http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html yes, it is old, but: Julien TinnesAugust 16, 2009 at 2:16 PM AnonymousNovember 23, 2009 at 6:27 AM MiloNovember 30, 2009 at 5:25 AM |
|
Userland-process < 0x001000000 mem-access is useless since that memory is not allowed to be mapped by svcControlMemory. " then just make the page" <- Please remember that this is for userland-hax. |
|
I think this'll help? http://gbatemp.net/threads/release-webkit-exploit-dumper-tester-browserhax.435684/ |
|
Remember that this still applies regardless of recent releases, hence the title. |
|
"Do not send any test-cases publicly which actually trigger crashes with a 3DS browser, it should be done privately via IRC." |
|
"email" Not interested. |
Instead of asking for "new browserhax when"(such issues will only get closed eventually), actually helping with the vuln testing would be preferred.
This applies mainly to Old3DS, but New3DS is fine too.
You could try using crash-trigger WebKit test-cases(from the WebKit SVN, in particular https://trac.webkit.org/browser/trunk/LayoutTests) with the latest web-browser to see if any crash occurs. Remember to test with the raw HTML. Do not send any test-cases publicly which actually trigger crashes with a 3DS browser, it should be done privately via IRC. Try to locate the change-set for any test-cases which cause crashes as well.
You should check the Nintendo OSS(https://www.nintendo.co.jp/support/oss/index.html) to verify that each test-case actually affects the browser, and is actually useful(no NULL-deref for example), before testing the test-case, if you can.
The text was updated successfully, but these errors were encountered: