3DS Userland Flaws: Difference between revisions
No edit summary |
Line 115: | Line 115: | ||
| Around July 15, 2016 | | Around July 15, 2016 | ||
| [[User:Nba_Yoh|MrNbaYoh]], Vegaroxas | | [[User:Nba_Yoh|MrNbaYoh]], Vegaroxas | ||
|- | |||
| 1001 Spikes | |||
| Buffer overflow via unchecked array-indexes in XML savefile parsing | |||
| The savefiles are stored as renamed .xml files, which contain several tags with attributes like 'array-index="array-value"', where both of these are converted from ASCII strings to integers as signed-int32, and the array-value given blindly written to an array inside a structure using the (unchecked) index given. With several of these attributes, one can overwrite the stack starting from the stored lr of the function that does this parsing, and write a ROP chain there. Testing used the "LevelAttempts" tag which is the last such tag parsed in that function. | |||
| None | |||
| App: v1.2.0 (TMD v2096) | |||
| December 27, 2016 | |||
| Around November 2, 2016 | |||
| [[User:Riley|Riley]] | |||
|} | |} | ||
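Review bot: the description cell of the added 1001 Spikes row is missing a verb in "and the array-value given blindly written to an array inside a structure". Suggest "and the given array-value is blindly written to an array inside a structure". The same cell says both values are parsed as signed-int32 and that the index is unchecked, but it never gives the array's valid index range. Adding the range would make clear which bounds check is missing, including for negative indexes. The cell order also needs checking against the table header, which is outside this hunk: the preceding context row shows "Around July 15, 2016" immediately before the discoverer cell, and the new row places "Around November 2, 2016" in that position with "December 27, 2016" before it.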