3DS Userland Flaws: Difference between revisions
Line 140: | Line 140: | ||
! Discovered by | ! Discovered by | ||
|- | |- | ||
| [[Home Menu]] [[System_SaveData|NAND-savedata]] Launcher.dat icons | | [[Home Menu]] sdiconhax | ||
| This is basically the same as nandiconhax, the vulnerable SD/NAND functions are ''identical'' minus the file-buffer offsets. Exploitation is different due to different heap-buffer location though. Unlike nandiconhax, the icon buffer for SD is located in linearmem. This is used by [[menuhax]]. | |||
| None | |||
| [[11.0.0-33|11.0.0-X]] | |||
| Maybe v3.0? | |||
| July 27, 2016 | |||
| October 23, 2015 | |||
| [[User:Yellows8|Yellows8]] | |||
|- | |||
| [[Home Menu]] [[System_SaveData|NAND-savedata]] Launcher.dat icons (nandiconhax) | |||
| The homemenu code processing the titleid list @ launcherdat+8 copies those titleIDs to another buffer, where the offset relative to that buffer is calculated using the corresponding s8/s16 entries. Those two values are not range checked at all. Hence, one can use this to write u64(s) with arbitrary values to before/after this allocated output buffer. See [[Home_Menu|here]] regarding Launcher.dat structure. | | The homemenu code processing the titleid list @ launcherdat+8 copies those titleIDs to another buffer, where the offset relative to that buffer is calculated using the corresponding s8/s16 entries. Those two values are not range checked at all. Hence, one can use this to write u64(s) with arbitrary values to before/after this allocated output buffer. See [[Home_Menu|here]] regarding Launcher.dat structure. | ||
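Review bot: the added sdiconhax row describes the flaw only by reference ("basically the same as nandiconhax"), yet it is placed above the nandiconhax row it depends on, and it never names the SD file whose icons are parsed. Either move it below the nandiconhax row or add one sentence restating the root cause given there (the s8/s16 offset entries are not range checked, so u64 titleIDs can be written before or after the output buffer), so the row can be read on its own. The first cell should also follow the label style the renamed row now uses, "Launcher.dat icons (nandiconhax)", rather than the bare "[[Home Menu]] sdiconhax". Finally, the "Maybe v3.0?" cell is a guess sitting in a table of otherwise definite values; mark it as unconfirmed in a consistent way or leave it empty until it has been checked.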