3dbrew

3DS Userland Flaws: Difference between revisions

← Older editNewer edit →
PabloMK7 (talk | contribs)
38 edits
No edit summary
(6 intermediate revisions by 4 users not shown)
Line 82: Line 82:
| slackerSnail, 12Me12, incvoid
| slackerSnail, 12Me12, incvoid
Exploited by MrNbaYoh and [[User:Plutooo|plutoo]].
Exploited by MrNbaYoh and [[User:Plutooo|plutoo]].
|-
| SmileBASIC 3.x
| Subscripted TIME$/DATE$ allow write access to DATA/BSS
| Utf-16 characters can be assigned to subscripted TIME$/DATE$ interpreter sysvars which results in write-only access to all of DATA and some BSS in userland.
TIME$[0]/DATE$[0] actually point to somewhere in rodata, and an overly large subscript can be used to write well past it and into the aforementioned areas. Demo [https://github.com/zoogie/smilehax-IIe here.]
| App: 3.6.2 (3.6.0 latest for US/EU, JP appvers. can be downgraded)
| System: [[11.13.0-45]].
| April 2020
| February 2020
| bug publicly documented [https://translate.google.com/translate?sl=auto&tl=en&u=http%3A%2F%2Fsmilebasic.com%2Fdebug%2Farchive%2F here.]
Exploited by Zoogie
|-
|-
| The Legend of Zelda: Tri Force Heroes
| The Legend of Zelda: Tri Force Heroes
Line 205: Line 216:
| February 8, 2019
| February 8, 2019
| [[User: ChampionLeake|ChampionLeake]] and [[User: Kartik|Kartik]]
| [[User: ChampionLeake|ChampionLeake]] and [[User: Kartik|Kartik]]
|-
| Picross 3D: Round 2
| Out of bounds array access allowing to point to fabricated objects and vtable
| Game only checks save header. With the last interacted save slot index at +0xb270 in the save data unchecked we can achieve a predictable out of bounds access, as well inserting ROP data without detecting save corruption. Game references an object from an array of 3 elements and passes it to a function that will read object pointers and hit a vtable call. With a copy save data left in memory and a properly calculated index, we can point to a fake object position in the save, vtable jump to a stack pivot and start the ROP chain.
| None
| App: Initial version
| September 10, 2020
| August 24, 2020
| [[User: Luigoalma|Luigoalma]] and [[User: Kartik|Kartik]]
|-
| Me and My Pets 3D
| String buffer overflow
| The game stores some strings in the savegame. Using a large enough string, once can overwrite addresses on the stack and form a ropchain.
| None
| App: Initial Version
| June 24, 2022
| June 12, 2022
| [[User: Kartik|Kartik]]
|}
|}


Line 315: Line 344:


Interesting note: A line feed wchar (00 0A) at any point in the string before the crash offset will prevent the crash from occurring.
Interesting note: A line feed wchar (00 0A) at any point in the string before the crash offset will prevent the crash from occurring.
| None
| [[11.17.0-50]]
| [[11.13.0-45]]
| [[11.13.0-45]]
| Dec. 2018
| Dec. 2018
Line 337: Line 366:
| June/July 2016
| June/July 2016
| [[User:nedwill|nedwill]]
| [[User:nedwill|nedwill]]
|-
| [[EShop]]
| When creating an audio decoder object for the moflex movie player, if the audio codec is PCM16, the application uses an uninitialized value as a pointer. One can spray the heap to get control of that pointer and achieve ROP.
| None
| [[11.14.0-46]]
| 2020
| [[User:Nba_Yoh|MrNbaYoh]]
|}
|}


Line 406: Line 442:
!  Timeframe this was discovered
!  Timeframe this was discovered
!  Discovered by
!  Discovered by
|-
| u8 brightness setting OOB index (menuhax67)
| Config block 0x50001, which contains a u8 brightness setting that indexes a table of u32 addresses, can be set to an out-of-bounds index (it's normally 1-5). Located within cfg block 0x50009, there exists a single controllable u32 that's located within the u8's range. With these set properly, one can eventually redirect a function pointer to an address of their choice. This is triggered after the Home Menu quick launch tab is activated. POC [https://github.com/zoogie/menuhax67 here].
| None
| [[11.13.0-45]]
|
| October 4, 2020
| September, 2020
| Zoogie
|-
|-
| bossbannerhax
| bossbannerhax
Retrieved from "https://www.3dbrew.org/wiki/3DS_Userland_Flaws"