yellows8 / 3ds_browserhax_common

ROP-chain-generator for Nintendo 3DS titles with some form of web-browser.

WebKit vuln testing, for vuln stockpiling. Find as *many* useful testcases as you can for whatever system browser you prefer, regardless of whether browserhax is publicly available for latest version. #28

Open yellows8 opened 8 years ago

yellows8 commented 8 years ago

Instead of asking for "new browserhax when" (such issues will only get closed eventually), actually helping with the vuln testing would be preferred.

This applies mainly to Old3DS, but New3DS is fine too.

You could try using crash-trigger WebKit test-cases (from the WebKit SVN, in particular https://trac.webkit.org/browser/trunk/LayoutTests) with the latest web-browser to see if any crash occurs. Remember to test with the raw HTML. Do not send any test-cases publicly which actually trigger crashes with a 3DS browser; it should be done privately via IRC. Try to locate the change-set for any test-cases which cause crashes as well.

You should check the Nintendo OSS (https://www.nintendo.co.jp/support/oss/index.html) to verify that each test-case actually affects the browser, and is actually useful (no NULL-deref for example), before testing the test-case, if you can.

yellows8 commented 8 years ago

I haven't really attempted much with this myself for Old3DS, more interested in non-{yet-another-browser-exploit} 3DS stuff right now.

yellows8 commented 8 years ago

If anyone actually does have any crash-triggers, please privmsg the changeset link(s) via IRC regardless of the /away status(my IRC client runs on a dedicated server after all).

n1-d commented 8 years ago

Yeah I'll definitely start trying it and seeing if anything crashes.

reichman2 commented 8 years ago

Would something like crashchrome.com be possible too? Of course it would have to be modified though.

staticsn0w commented 8 years ago

I heard there was a recently patched exploit in iOS 9.3 in some font thing that, when loading a malicious font file, would allow arbitrary code execution. Not sure if this is a viable option for browserhax, but since the web browsers use WebKit (I think?) it may be vulnerable too, but it might just be in some Apple-exclusive thing... I will start testing the exploits on that page though!

profi200 commented 8 years ago

Just my 2 cents but it would be clever not to post any vuln details here in case a potential vuln turns out exploitable (even untested ones). People should just try them and report them in private message like the first post says. You can safely assume that big N reads the posts here.

staticsn0w commented 8 years ago

@yellows8 by any chance does the DS/DSi browser use WebKit?

yellows8 commented 8 years ago

@staticsn0w It's Opera, never got a useful crash with that.

tomaspinho commented 8 years ago

Hello. Are the 3ds' browser sources public? Can someone actually compile it? I'm interested in this and would be willing to do some heavy fuzz testing as I have access to relatively powerful computational resources. I'm not an asm reverser by any chance, but I can manage C/C++ and would really like to help out.

yellows8 commented 8 years ago

https://www.nintendo.co.jp/support/oss/index.html "Can someone actually compile it?" As-is, no.

staticsn0w commented 8 years ago

Sorry to get off topic, but I THINK I found a way to run unsigned code: DownloadPlay! I was running a CIA of Ice Climber, and let my friend with a non-hb enabled n3ds join in with DownloadPlay. Did it download an executable from the internet? Because I don't think either of us were on wifi. Does this mean someone could make a malicious CIA that allows launching of the hbmenu [it gets it from the internet if not on the SD] once? [probably to install another sploit like oot3dhax or something] [they would also have to figure out how to do download play and what file it uses for the games]

yellows8 commented 8 years ago

https://www.3dbrew.org/wiki/Download_Play

yellows8 commented 8 years ago

FWIW this is still needed, new-browserhax still doesn't exist.

Carbuino commented 8 years ago

So if we were to go testing for crashes, in what section do you think that we would have the most luck?

yellows8 commented 8 years ago

Whatever directory you want -> "(from the WebKit SVN, in particular https://trac.webkit.org/browser/trunk/LayoutTests)"

Carbuino commented 8 years ago

By directory, I meant which folder on https://trac.webkit.org/browser/trunk/LayoutTests would be more probable to crash.

yellows8 commented 8 years ago

Who knows.

DxDen1004 commented 8 years ago

Hello yellows8, thanks for your hard work! Since I have a n3ds running 11.0.0-33e, how can I test WebKit vulnerabilities? I mean, I'm quite new to this, so please tell me what to do and I will! Oh, you have to explain in a "noob" language :) Do I have to surf the folders until the browser crashes, or am I supposed to do something else?

Carbuino commented 8 years ago

DxDen, from what I know you kinda just have to try everything until you get a crash...

yellows8 commented 8 years ago

"n3ds running 11.0.0-33e" New3DS is actually preferred atm. :)

ghost commented 8 years ago

Make sure the crash isn't caused by a null dereference. It's useless if it is.

DxDen1004 commented 8 years ago

Hi all,

since I don't know how to trigger a crash and I have no idea on how to check if the crash happens due to a null dereference, I give up, at least until someone releases a Noob Proof guide. Anyway, I managed to get several crashes with an application that can be acquired on the eShop. I reproduced the crash many times and it always worked (the application crashes and the console must be restarted). I don't know if this can be helpful or if it was just luck (5 out of 5 tests successful, I think it's not just a coincidence). Since the application works with an internet connection I think it uses WebKit, and maybe this could be a good starting point. I'll be doing more tests on this in the next days and if the results are good I will share my experience. I really hope I can bring some good news.

Regards

yellows8 commented 8 years ago

@DxDen1004 STOP spamming. EDIT: Extra comments were deleted.

yellows8 commented 8 years ago

"Since the application works with an internet connection I think it uses WebKit" Sounds like a guess with zero proof...

DxDen1004 commented 8 years ago

I'm so sorry, actually this was not intentional, I was typing with my 3DS and when I pressed "Comment" nothing happened, so I raped the button before reloading the page and pasting the text again. Really sorry for this.

"Sounds like a guess with zero proof" Smealum said that every application on the 3DS able to connect to the internet uses WebKit. Maybe it's wrong, then thanks for letting me know.

Darius20103104 commented 8 years ago

I think that you could do something with the backups: when you back up your game saves, replace it with the hax, then restore and load the save, and there the hax are. Because no one really talked about it, you could try making an exploit. I'm going to try it right now, plus I'm not really good at programming but I'm gonna try. Oh, and I know that Nintendo goes to these forums because they are gonna try to block off the hax by finding them first.

yellows8 commented 8 years ago

"Smealum said that every application on the 3DS able to connect to the internet uses webKit" Sounds like you misunderstood him.

@MrDarius125 No ......... https://3dbrew.org/wiki/SD_Savedata_Backups

DxDen1004 commented 8 years ago

@yellows8

https://smealum.github.io/3ds/32c3/#/25

Probably I misunderstood him.

Anyway, could this crash be used to launch the homebrew channel? I'm trying to help but seems like you're not interested, if this is the case just tell me and I'll go away.

Regards.

yellows8 commented 8 years ago

*"I misunderstood him."

So how did you crash this app exactly?

DxDen1004 commented 8 years ago

You want me to write how to trigger the crash here? I can upload a video if you prefer and send you the link, if Nintendo reads those posts may fix it before we can say "cactus".

Regards.

yellows8 commented 8 years ago

First post does mention IRC if you prefer privately...

TheGreekBoy commented 8 years ago

How can we try? I WILL DO MY BEST

yellows8 commented 8 years ago

Read first post etc...

etard commented 8 years ago

I don't understand the issue with null ref derefs; they can be great in certain situations. What happens if the last command was a call with ==000000000? But user supplied? Same with any write to 00000000; reads are up in the air but still can be useful. If this is for testing and exploit dev in general, I see no reason it wouldn't work on a 3DS XL... Been looking for a decent debugger for one, can't find it, so maybe I will have to dump the RAM and chips and write an IDA plugin or something similar (I do do RCE for a living. :)

yellows8 commented 8 years ago

"I don't understand the issue with null ref derefs" <- Memory below address 0x00100000 isn't mapped.

TheGreekBoy commented 8 years ago

I see support for 10.6 HERE https://github.com/yellows8/3ds_browserhax_common/commit/658c2080b50d270dabc9445e215890c3ec804180 FINALLY :)

Selivanof commented 8 years ago

Is v11 supported or should I keep trying?

TheGreekBoy commented 8 years ago

@gselivanof no 11.0 10.7 10.6 yet

ghost commented 8 years ago

It's usually easy to google first to find a null-deref. I also recommend looking at Chromium's LayoutTests in the /fast/ directory.

etard commented 8 years ago

"I don't understand the issue with null ref derefs" <- Memory below address 0x00100000 isn't mapped.

Interesting. I assume you mean "isn't" means "can't"? Because if it can be mapped then just make the page. I'm a bit Windows-centric, but I work on a lot of military bespoke systems which run on a variety of hardware from FPGAs to ARM, but I need to catch up on the DS scene. I have a mk1 3DS XL. Still, whilst they are probably useless, they still may be exploitable (dtors/ctors). I will happily take a look and trace code for nulls. Send em over: thpthial at gmail com

Thanks for the tip MrRean. will do.

http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html

yes, it is old, but:

Julien Tinnes, August 16, 2009 at 2:16 PM: No, it's not a bug in pulseaudio. It was a bug in the Linux kernel and we already corrected it there.

Anonymous, November 23, 2009 at 6:27 AM: Could this be used to gain root in Android? The current method does not work anymore, they patched mmap_min_addr.

Milo, November 30, 2009 at 5:25 AM: "So what we need is a setuid binary that will give us control back without going through exec." We'd need to find such a binary on Android to use this method as far as I understand.

yellows8 commented 8 years ago

Userland-process < 0x001000000 mem-access is useless since that memory is not allowed to be mapped by svcControlMemory. "then just make the page" <- Please remember that this is for userland-hax.
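The point yellows8 makes here and earlier in the thread (the first post's "no NULL-deref" criterion, and "memory below address 0x00100000 isn't mapped") is the triage rule a tester would apply to every crash before reporting it: a fault address that a userland process can never have mapped says nothing beyond "something dereferenced NULL, possibly plus a field offset". The script below is an added example, not code from the 3ds_browserhax_common project; it encodes that rule over a few constructed crash notes. The one-line note format (`<testcase> <read|write|exec> fault at <hex address>`) and the testcase names are invented for the example and are not the output of any real tool.

```python
"""Triage constructed crash notes by fault address (added example, not project code)."""
import re
from collections import defaultdict

# Lowest address a 3DS userland process can have mapped, as stated in the thread.
# Anything below it cannot be mapped by the process, so a fault there is a
# NULL (or NULL-plus-offset) dereference and needs no further attention.
USERLAND_MEM_BASE = 0x00100000

# Assumed note format for this example only (not produced by any real tool):
#   <testcase> <read|write|exec> fault at <hex address>
CRASH_LINE = re.compile(
    r"^(?P<testcase>\S+)\s+(?P<access>read|write|exec)\s+fault\s+at\s+"
    r"(?P<addr>0x[0-9a-fA-F]+)\s*$"
)


def parse_crash_line(line):
    """Return (testcase, access, address) for a well-formed note, else None."""
    m = CRASH_LINE.match(line.strip())
    if not m:
        return None
    return m.group("testcase"), m.group("access"), int(m.group("addr"), 16)


def classify_fault(addr):
    """'null-page' if userland can never map the address, otherwise 'mapped-range'."""
    if addr < USERLAND_MEM_BASE:
        return "null-page"
    return "mapped-range"


def triage(lines):
    """Group parsed notes by fault class; lines that do not parse are counted, never guessed at."""
    groups = defaultdict(list)
    skipped = 0
    for line in lines:
        parsed = parse_crash_line(line)
        if parsed is None:
            skipped += 1
            continue
        testcase, access, addr = parsed
        groups[classify_fault(addr)].append((testcase, access, addr))
    return dict(groups), skipped


# Constructed sample notes; the testcase names are made up, not WebKit LayoutTests paths.
SAMPLE_NOTES = [
    "constructed/a.html read fault at 0x00000000",
    "constructed/b.html write fault at 0x00000038",  # NULL + field offset: still below the base
    "constructed/c.html read fault at 0x08c4f010",
    "not a crash note at all",
]

if __name__ == "__main__":
    groups, skipped = triage(SAMPLE_NOTES)
    for fault_class, items in sorted(groups.items()):
        print(fault_class)
        for testcase, access, addr in items:
            print(f"  {testcase}: {access} at {addr:#010x}")
    print(f"skipped {skipped} unparseable line(s)")
```

Only the "mapped-range" group is worth the private report the first post asks for; the "null-page" group is exactly the class the thread calls useless, and the offset-from-NULL case (0x38 here) lands there too, since the comparison is against the lowest mappable address rather than against zero.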

ghost commented 8 years ago

I think this'll help? http://gbatemp.net/threads/release-webkit-exploit-dumper-tester-browserhax.435684/

yellows8 commented 8 years ago

Remember that this still applies regardless of recent releases, hence the title.

yellows8 commented 8 years ago

"Do not send any test-cases publicly which actually trigger crashes with a 3DS browser, it should be done privately via IRC."

yellows8 commented 8 years ago

https://www.3dbrew.org/wiki/Main_Page/Header

yellows8 commented 8 years ago

"email" Not interested.