Changes

1,166 bytes added ,  09:15, 26 April 2020
Line 316: Line 316:  
Interesting note: A line feed wchar (00 0A) at any point in the string before the crash offset will prevent the crash from occurring.
 
Interesting note: A line feed wchar (00 0A) at any point in the string before the crash offset will prevent the crash from occurring.
 
| None
 
| None
| [[11.10.0-43]]
+
| [[11.13.0-45]]
 
| Dec. 2018
 
| Dec. 2018
 +
| Zoogie
 +
|-
 +
| 3DS SAFE_MODE [https://www.3dbrew.org/wiki/System_Settings#System_Updater System Updater] stack smash from proxy-url string
 +
| During [[Recovery Mode]] and after all 3 wifi slots fail to find an access point for sysupdate, a user is permitted to access the wifi settings mode to make changes. Here, if the proxy-url field string's NULL terminator had been altered beforehand, a stack smash can occur when the user selects Proxy Settings -> Detailed Setup and the corrupted url string is displayed.
 +
 +
This is a difficult crash to control because the url string is converted from ascii to utf-16 between the slot and stack, effectively reducing the available gadgets to 0.4% of the normal amount. It's possible to improvise an "escape" using an eoreq pc w/shift gadget to combine registers and form a jump that can access 1/2 of all available gadgets.
 +
 +
Because this exploit runs *under* SAFE_MODE, it's possible to run safehax with one's choice of k11 and arm9 hax. Prerequisite: a userland exploit with cfg:s/i access to modify the wifi slot. A demonstration can be viewed [https://github.com/zoogie/unSAFE_MODE here].
 +
| None
 +
| [[11.13.0-45]]
 +
| Jan. 2020
 
| Zoogie
 
| Zoogie
 
|-
 
|-
48

edits