Changes

449 bytes added, 00:48, 28 July 2016
Line 140: Line 140:  
!  Discovered by
 
!  Discovered by
 
|-
 
|-
| [[Home Menu]] [[System_SaveData|NAND-savedata]] Launcher.dat icons
+
| [[Home Menu]] sdiconhax
 +
| This is basically the same as nandiconhax, the vulnerable SD/NAND functions are ''identical'' minus the file-buffer offsets. Exploitation is different due to different heap-buffer location though. Unlike nandiconhax, the icon buffer for SD is located in linearmem. This is used by [[menuhax]].
 +
| None
 +
| [[11.0.0-33|11.0.0-X]]
 +
| Maybe v3.0?
 +
| July 27, 2016
 +
| October 23, 2015
 +
| [[User:Yellows8|Yellows8]]
 +
|-
 +
| [[Home Menu]] [[System_SaveData|NAND-savedata]] Launcher.dat icons (nandiconhax)
 
| The homemenu code processing the titleid list @ launcherdat+8 copies those titleIDs to another buffer, where the offset relative to that buffer is calculated using the corresponding s8/s16 entries. Those two values are not range checked at all. Hence, one can use this to write u64(s) with arbitrary values to before/after this allocated output buffer. See [[Home_Menu|here]] regarding Launcher.dat structure.
 
| The homemenu code processing the titleid list @ launcherdat+8 copies those titleIDs to another buffer, where the offset relative to that buffer is calculated using the corresponding s8/s16 entries. Those two values are not range checked at all. Hence, one can use this to write u64(s) with arbitrary values to before/after this allocated output buffer. See [[Home_Menu|here]] regarding Launcher.dat structure.
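Review bot: the new sdiconhax description explains the flaw only as "basically the same as nandiconhax", yet the nandiconhax row sits below it in the table, so a reader going top to bottom meets the reference before the explanation. Consider moving the sdiconhax row under the nandiconhax row, or adding one clause that names the shared cause (the s8/s16 entries that are used as offsets without any range check). The "Maybe v3.0?" cell is an unconfirmed guess; it would help to mark it as unverified in a consistent way or to note what would confirm it.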