Line 86: |
Line 86: |
| | Subscripted TIME$/DATE$ allow write access to DATA/BSS | | | Subscripted TIME$/DATE$ allow write access to DATA/BSS |
| | Utf-16 characters can be assigned to subscripted TIME$/DATE$ interpreter sysvars which results in write-only access to all of DATA and some BSS in userland. | | | Utf-16 characters can be assigned to subscripted TIME$/DATE$ interpreter sysvars which results in write-only access to all of DATA and some BSS in userland. |
− | TIME$[0]/DATE$[0] actually point to somewhere in rodata, and an overly large subscript can be used to write well past it and into the aforementioned areas. | + | TIME$[0]/DATE$[0] actually point to somewhere in rodata, and an overly large subscript can be used to write well past it and into the aforementioned areas. Demo [https://github.com/zoogie/smilehax-IIe here.] |
| | App: 3.6.2 (3.6.0 latest for US/EU, JP appvers. can be downgraded) | | | App: 3.6.2 (3.6.0 latest for US/EU, JP appvers. can be downgraded) |
| | System: [[11.13.0-45]]. | | | System: [[11.13.0-45]]. |
| | April 2020 | | | April 2020 |
| | February 2020 | | | February 2020 |
− | | bug publicly documented [https://translate.google.com/translate?sl=auto&tl=en&u=http%3A%2F%2Fsmilebasic.com%2Fdebug%2Farchive%2F here] | + | | bug publicly documented [https://translate.google.com/translate?sl=auto&tl=en&u=http%3A%2F%2Fsmilebasic.com%2Fdebug%2Farchive%2F here.] |
| Exploited by Zoogie | | Exploited by Zoogie |
| |- | | |- |
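Review bot: the full stop is placed inside the link text in both edited cells of this hunk, `Demo [https://github.com/zoogie/smilehax-IIe here.]` and the changed `bug publicly documented [... here.]`, so it renders as part of the link label; move it outside the brackets as `here].` in both places to match the other rows. While the description cell is being touched, `Utf-16` should be `UTF-16`, and the `System: [[11.13.0-45]].` cell carries a trailing period that the other version cells do not.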
Line 216: |
Line 216: |
| | February 8, 2019 | | | February 8, 2019 |
| | [[User: ChampionLeake|ChampionLeake]] and [[User: Kartik|Kartik]] | | | [[User: ChampionLeake|ChampionLeake]] and [[User: Kartik|Kartik]] |
| + | |- |
| + | | Picross 3D: Round 2 |
| + | | Out of bounds array access allowing to point to fabricated objects and vtable |
| + | | Game only checks save header. With the last interacted save slot index at +0xb270 in the save data unchecked we can achieve a predictable out of bounds access, as well inserting ROP data without detecting save corruption. Game references an object from an array of 3 elements and passes it to a function that will read object pointers and hit a vtable call. With a copy save data left in memory and a properly calculated index, we can point to a fake object position in the save, vtable jump to a stack pivot and start the ROP chain. |
| + | | None |
| + | | App: Initial version |
| + | | September 10, 2020 |
| + | | August 24, 2020 |
| + | | [[User: Luigoalma|Luigoalma]] and [[User: Kartik|Kartik]] |
| + | |- |
| + | | Me and My Pets 3D |
| + | | String buffer overflow |
| + | | The game stores some strings in the savegame. Using a large enough string, once can overwrite addresses on the stack and form a ropchain. |
| + | | None |
| + | | App: Initial Version |
| + | | June 24, 2022 |
| + | | June 12, 2022 |
| + | | [[User: Kartik|Kartik]] |
| |} | | |} |
| | | |
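Review bot: the Me and My Pets 3D description has a typo, `once can overwrite addresses on the stack` should read `one can overwrite addresses on the stack`, and the Picross 3D: Round 2 row has two ungrammatical phrases: the summary `Out of bounds array access allowing to point to fabricated objects and vtable` (suggest `Out-of-bounds array access that makes the game dereference a fabricated object and vtable`) and `as well inserting ROP data without detecting save corruption` (suggest `as well as inserting ROP data without the save being detected as corrupt`). `With a copy save data left in memory` also reads better as `With a copy of the save data left in memory`. The two new rows capitalize the version cell differently, `App: Initial version` versus `App: Initial Version`; pick one form for both.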
Line 348: |
Line 366: |
| | June/July 2016 | | | June/July 2016 |
| | [[User:nedwill|nedwill]] | | | [[User:nedwill|nedwill]] |
| + | |- |
| + | | [[EShop]] |
| + | | When creating an audio decoder object for the moflex movie player, if the audio codec is PCM16, the application uses an uninitialized value as a pointer. One can spray the heap to get control of that pointer and achieve ROP. |
| + | | None |
| + | | [[11.14.0-46]] |
| + | | 2020 |
| + | | [[User:Nba_Yoh|MrNbaYoh]] |
| |} | | |} |
| | | |
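Review bot: the EShop row's `2020` timeframe cell is vaguer than the neighbouring rows in this table (for example `June/July 2016`); give the month or quarter if it is known. The pairing of `None` with `[[11.14.0-46]]` also leaves it unclear whether 11.14.0-46 is the version the uninitialized-pointer bug was fixed in or the latest version it was confirmed on; since the preceding cell says `None`, the description should state explicitly that it still works on 11.14.0-46 if that is the intent.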
Line 417: |
Line 442: |
| ! Timeframe this was discovered | | ! Timeframe this was discovered |
| ! Discovered by | | ! Discovered by |
| + | |- |
| + | | u8 brightness setting OOB index (menuhax67) |
| + | | Config block 0x50001, which contains a u8 brightness setting that indexes a table of u32 addresses, can be set to an out-of-bounds index (it's normally 1-5). Located within cfg block 0x50009, there exists a single controllable u32 that's located within the u8's range. With these set properly, one can eventually redirect a function pointer to an address of their choice. This is triggered after the Home Menu quick launch tab is activated. POC [https://github.com/zoogie/menuhax67 here]. |
| + | | None |
| + | | [[11.13.0-45]] |
| + | | |
| + | | October 4, 2020 |
| + | | September, 2020 |
| + | | Zoogie |
| |- | | |- |
| | bossbannerhax | | | bossbannerhax |
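Review bot: the menuhax67 row leaves one cell empty (the `| + | |` line between `[[11.13.0-45]]` and `October 4, 2020`); fill it or write `N/A` so it is not read as a lost edit. The description's sentence `Located within cfg block 0x50009, there exists a single controllable u32 that's located within the u8's range` is hard to follow; suggest stating it directly, e.g. `the out-of-bounds u8 index into the u32 address table reaches a user-controllable u32 stored in config block 0x50009`, so the reader sees why the two blocks together yield a controlled function pointer. `September, 2020` should drop the comma to match the other date cells.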