Changes

1,166 bytes added, 10:15, 26 April 2020
Line 316: Line 316:  
Interesting note: A line feed wchar (00 0A) at any point in the string before the crash offset will prevent the crash from occurring.
 
Interesting note: A line feed wchar (00 0A) at any point in the string before the crash offset will prevent the crash from occurring.
 
| None
 
| None
| [[11.10.0-43]]
+
| [[11.13.0-45]]
 
| Dec. 2018
 
| Dec. 2018
 +
| Zoogie
 +
|-
 +
| 3DS SAFE_MODE [https://www.3dbrew.org/wiki/System_Settings#System_Updater System Updater] stack smash from proxy-url string
 +
| During [[Recovery Mode]] and after all 3 wifi slots fail to find an access point for sysupdate, a user is permitted to access the wifi settings mode to make changes. Here, if the proxy-url field string's NULL terminator had been altered beforehand, a stack smash can occur when the user selects Proxy Settings -> Detailed Setup and the corrupted url string is displayed.
 +
 +
This is a difficult crash to control because the url string is converted from ascii to utf-16 between the slot and stack, effectively reducing the available gadgets to 0.4% of the normal amount. It's possible to improvise an "escape" using an eoreq pc w/shift gadget to combine registers and form a jump that can access 1/2 of all available gadgets.
 +
 +
Because this exploit runs *under* SAFE_MODE, it's possible to run safehax with one's choice of k11 and arm9 hax. Prerequisite: a userland exploit with cfg:s/i access to modify the wifi slot. A demonstration can be viewed [https://github.com/zoogie/unSAFE_MODE here].
 +
| None
 +
| [[11.13.0-45]]
 +
| Jan. 2020
 
| Zoogie
 
| Zoogie
 
|-
 
|-
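Review bot: the demonstration link in the new row's description uses the bare anchor text "here", so the sentence does not say what it points to until the reader follows it; name the target in the link text, e.g. `A demonstration can be viewed in the [https://github.com/zoogie/unSAFE_MODE unSAFE_MODE repository].` The rest of the row is consistent with the table: the preceding row's last-checked version is bumped from [[11.10.0-43]] to [[11.13.0-45]] in the same edit, and the new row uses that same version in its last-checked cell.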