3DS System Flaws: Difference between revisions
Compared revisions: older revision "GSP DMA + RO stuff", newer revision "More RO stuff".
Line 1,323 (empty cell filled in with "May 2025"):
| Older: None | [[11.17.0-50|11.17.0-50]] | (empty) | May 2025 | [[User:kynex7510|kynex7510]], probably others
| Newer: None | [[11.17.0-50|11.17.0-50]] | May 2025 | May 2025 | [[User:kynex7510|kynex7510]], probably others

Line 1,332 (empty cell filled in with "June 2025"):
| Older: None | [[11.17.0-50|11.17.0-50]] | (empty) | June 2025 | [[User:kynex7510|kynex7510]]
| Newer: None | [[11.17.0-50|11.17.0-50]] | June 2025 | June 2025 | [[User:kynex7510|kynex7510]]

Line 1,359 (new table row present only in the newer revision):
| Unchanged: None | [[11.17.0-50|11.17.0-50]] | June 2025 | June 2025
| Added (newer revision only):
| June 2025
| [[User:kynex7510|kynex7510]]
|-
| [[RO_Services|RO]]: target process patching
| A custom CRS file can be used to apply relocation patches anywhere in the target process, and since all pages are mapped as RW, this includes executable pages as well. A possible exploitation strategy takes advantage of relocation type 2 (R_ARM_ABS32), where the payload data is encoded as a series of import patches, each encoding 4 bytes of data in the "addend" field.
| Arbitrary write in the target process bypassing page protections, hence code execution.
| None
| [[11.17.0-50|11.17.0-50]]
| June 2025
| July 2025
| Unchanged: [[User:kynex7510|kynex7510]]
|-