3DS Userland Flaws: Difference between revisions
Revision by EvilFlight
Line 316:
Interesting note: a UTF-16 line feed (code unit 0x000A) at any point in the string before the crash offset will prevent the crash from occurring.
| None
| [[11.13.0-45]]
| Dec. 2018
| Zoogie
|-
| 3DS SAFE_MODE [https://www.3dbrew.org/wiki/System_Settings#System_Updater System Updater] stack smash from proxy-url string
| During [[Recovery Mode]], after all three wifi slots fail to find an access point for the system update, the user is permitted to enter the wifi settings and make changes. If the proxy-url field's NUL terminator in the slot has been overwritten beforehand, a stack smash occurs when the user selects Proxy Settings -> Detailed Setup and the unterminated url string is displayed.
This is a difficult crash to control because the url string is converted from ASCII to UTF-16 on its way from the slot to the stack: every byte is widened to a 16-bit code unit with a zero high byte, so only addresses whose second and fourth bytes are zero can be written, which leaves roughly 0.4% (1 in 256) of the gadgets normally available. It is possible to improvise an "escape" using an eoreq pc w/shift gadget (a conditional EOR into pc with a shifted register operand) to combine registers and form a jump that can reach 1/2 of all available gadgets.
Because this exploit runs ''under'' SAFE_MODE, it is possible to run safehax with one's choice of Kernel11 and ARM9 exploits. Prerequisite: a userland exploit with cfg:s or cfg:i access to modify the wifi slot. A demonstration can be viewed [https://github.com/zoogie/unSAFE_MODE here].
| None
| [[11.13.0-45]]
| Jan. 2020
| Zoogie
|-
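The ASCII-to-UTF-16 widening described in the SAFE_MODE System Updater row is what shrinks the usable gadget set, and it is worth seeing concretely. The following C model is an added example written for this page; it is not code from the 3DS firmware or from the unSAFE_MODE repository. It assumes a little-endian ARM target (as the 3DS is), that the widening is a plain zero-extension of each byte, that a 0x00 byte inside the slot string would terminate it early (so the two surviving bytes of every address must be non-zero), and, for the counting function, a hypothetical 64 KiB text region starting at 0x00100000. The function names (`ascii_to_utf16`, `addr_encodable`, `count_encodable`, `chain_to_ascii`, `read_addr`, `demo_roundtrip`) are all the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Widen a byte string to UTF-16LE code units the way the settings UI does
 * before the string reaches its stack buffer (constructed model, not the
 * original firmware code). Every unit ends up as 0x00XX. */
size_t ascii_to_utf16(const uint8_t *in, size_t n, uint16_t *out)
{
    for (size_t i = 0; i < n; i++)
        out[i] = (uint16_t)in[i];   /* high byte of every unit is 0x00 */
    return n;
}

/* Can a 32-bit little-endian address be produced by two widened bytes?
 * On the stack the address is the pair of units u0 (low half) and u1 (high
 * half), each of the form 0x00XX, so bytes 1 and 3 must already be zero.
 * Assumption: the remaining two bytes must be non-zero, because a 0x00 in
 * the slot string would terminate the source string early. */
int addr_encodable(uint32_t addr)
{
    if (addr & 0xFF00FF00u)
        return 0;
    if ((addr & 0xFFu) == 0 || ((addr >> 16) & 0xFFu) == 0)
        return 0;
    return 1;
}

/* Count the encodable addresses in [base, base + len). */
uint32_t count_encodable(uint32_t base, uint32_t len)
{
    uint32_t n = 0;
    for (uint32_t i = 0; i < len; i++)
        n += (uint32_t)addr_encodable(base + i);
    return n;
}

/* Turn a gadget chain into the bytes that must sit in the proxy-url field.
 * Returns the number of bytes written, or -1 if an address is not encodable
 * or the output buffer is too small. Each address costs two bytes. */
int chain_to_ascii(const uint32_t *chain, size_t n, uint8_t *out, size_t cap)
{
    if (cap < 2 * n)
        return -1;
    for (size_t i = 0; i < n; i++) {
        if (!addr_encodable(chain[i]))
            return -1;
        out[2 * i]     = (uint8_t)(chain[i] & 0xFFu);          /* -> unit 0 */
        out[2 * i + 1] = (uint8_t)((chain[i] >> 16) & 0xFFu);  /* -> unit 1 */
    }
    return (int)(2 * n);
}

/* Read the widened buffer back the way the CPU sees a return address:
 * two consecutive UTF-16 units as one little-endian uint32. */
uint32_t read_addr(const uint16_t *units, size_t idx)
{
    return (uint32_t)units[2 * idx] | ((uint32_t)units[2 * idx + 1] << 16);
}

/* Round-trip a two-gadget chain (constructed sample addresses) through the
 * field bytes and the widening; returns 1 if both addresses survive intact. */
int demo_roundtrip(void)
{
    const uint32_t chain[2] = { 0x00100034u, 0x00120041u };
    uint8_t field[4];
    uint16_t units[4];
    if (chain_to_ascii(chain, 2, field, sizeof field) != 4)
        return 0;
    ascii_to_utf16(field, 4, units);
    return read_addr(units, 0) == chain[0] && read_addr(units, 1) == chain[1];
}

int main(void)
{
    /* Over the assumed 0x00100000..0x0010FFFF text region only 255 of
     * 65536 addresses survive the widening: the 1-in-256 figure. */
    printf("encodable addresses in region: %u of 65536\n",
           (unsigned)count_encodable(0x00100000u, 0x10000u));
    printf("0x00100A01 encodable: %d\n", addr_encodable(0x00100A01u));
    printf("round trip ok: %d\n", demo_roundtrip());
    return 0;
}
```

The filter is the practical check: any gadget whose address has a non-zero byte in position 1 or 3 is simply unreachable from a widened string, which is why the row above resorts to an eoreq pc w/shift gadget to build an address out of register contents rather than writing it directly.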