115
edits
Changes
Jump to navigation
Jump to search
Line 86:
Line 86: − + − + Line 216:
Line 216: + + + + + + + + + + + + + + + + + + Line 348:
Line 366: + + + + + + + Line 417:
Line 442: + + + + + + + + +
→Non-system applications: Add Me and My pets 3d
| Subscripted TIME$/DATE$ allow write access to DATA/BSS
| Subscripted TIME$/DATE$ allow write access to DATA/BSS
| Utf-16 characters can be assigned to subscripted TIME$/DATE$ interpreter sysvars which results in write-only access to all of DATA and some BSS in userland.
| Utf-16 characters can be assigned to subscripted TIME$/DATE$ interpreter sysvars which results in write-only access to all of DATA and some BSS in userland.
TIME$[0]/DATE$[0] actually point to somewhere in rodata, and an overly large subscript can be used to write well past it and into the aforementioned areas.
TIME$[0]/DATE$[0] actually point to somewhere in rodata, and an overly large subscript can be used to write well past it and into the aforementioned areas. Demo [https://github.com/zoogie/smilehax-IIe here.]
| App: 3.6.2 (3.6.0 latest for US/EU, JP appvers. can be downgraded)
| App: 3.6.2 (3.6.0 latest for US/EU, JP appvers. can be downgraded)
| System: [[11.13.0-45]].
| System: [[11.13.0-45]].
| April 2020
| April 2020
| February 2020
| February 2020
| bug publicly documented [https://translate.google.com/translate?sl=auto&tl=en&u=http%3A%2F%2Fsmilebasic.com%2Fdebug%2Farchive%2F here]
| bug publicly documented [https://translate.google.com/translate?sl=auto&tl=en&u=http%3A%2F%2Fsmilebasic.com%2Fdebug%2Farchive%2F here.]
Exploited by Zoogie
Exploited by Zoogie
|-
|-
| February 8, 2019
| February 8, 2019
| [[User: ChampionLeake|ChampionLeake]] and [[User: Kartik|Kartik]]
| [[User: ChampionLeake|ChampionLeake]] and [[User: Kartik|Kartik]]
|-
| Picross 3D: Round 2
| Out of bounds array access allowing to point to fabricated objects and vtable
| Game only checks save header. With the last interacted save slot index at +0xb270 in the save data unchecked we can achieve a predictable out of bounds access, as well inserting ROP data without detecting save corruption. Game references an object from an array of 3 elements and passes it to a function that will read object pointers and hit a vtable call. With a copy save data left in memory and a properly calculated index, we can point to a fake object position in the save, vtable jump to a stack pivot and start the ROP chain.
| None
| App: Initial version
| September 10, 2020
| August 24, 2020
| [[User: Luigoalma|Luigoalma]] and [[User: Kartik|Kartik]]
|-
| Me and My Pets 3D
| String buffer overflow
| The game stores some strings in the savegame. Using a large enough string, once can overwrite addresses on the stack and form a ropchain.
| None
| App: Initial Version
| June 24, 2022
| June 12, 2022
| [[User: Kartik|Kartik]]
|}
|}
| June/July 2016
| June/July 2016
| [[User:nedwill|nedwill]]
| [[User:nedwill|nedwill]]
|-
| [[EShop]]
| When creating an audio decoder object for the moflex movie player, if the audio codec is PCM16, the application uses an uninitialized value as a pointer. One can spray the heap to get control of that pointer and achieve ROP.
| None
| [[11.14.0-46]]
| 2020
| [[User:Nba_Yoh|MrNbaYoh]]
|}
|}
! Timeframe this was discovered
! Timeframe this was discovered
! Discovered by
! Discovered by
|-
| u8 brightness setting OOB index (menuhax67)
| Config block 0x50001, which contains a u8 brightness setting that indexes a table of u32 addresses, can be set to an out-of-bounds index (it's normally 1-5). Located within cfg block 0x50009, there exists a single controllable u32 that's located within the u8's range. With these set properly, one can eventually redirect a function pointer to an address of their choice. This is triggered after the Home Menu quick launch tab is activated. POC [https://github.com/zoogie/menuhax67 here].
| None
| [[11.13.0-45]]
|
| October 4, 2020
| September, 2020
| Zoogie
|-
|-
| bossbannerhax
| bossbannerhax