str2hax

From WiiBrew
Jump to navigation Jump to search

str2hax
str2hax icon
General
Author(s)Fullmetal5
TypeExploit
Links
Source
Peripherals
Loads files from the Front SD slot Internet

str2hax is an exploit for the EULA app in the Wii that doesn't require an SD card. (Exploits CVE-2009-0689)

str2hax requires a Wii with an internet connection to work. The payload may be hosted locally if you do not have access to internet. (See the building instructions in the str2hax repository)

str2hax was created by Fullmetal5, with parts from Savezelda.

Usage & Installation

Howto

  1. (OPTIONAL) If you would like to boot a payload from an SD card then simply format it as FAT32, place it the root of the SD card, and name it "boot.elf"
  2. Make sure you have an active internet connection on your Wii.
  3. Navigate to the settings menu on your Wii and select Internet then Connection Settings.
  4. Select the connection that you are currently using.
  5. Select Change settings and scroll to the right until you get to Auto-Obtain DNS.
  6. Select No then select Advanced Settings.
  7. Change the Primary DNS to 3.143.163.250.
  8. Select Confirm and then Save and run the mandatory connection test.
  9. When prompted, do NOT update. Depending on the console, you might brick from the update, and this type of brick requires a hardware modification to fix.
  10. Back out to the Internet panel and choose User Agreements. Select Yes to the question about the Wii Shop Channel/WiiConnect24.
  11. You will be taken to a screen telling you to review the User Agreements for the Wii. Select Next.
  12. If you see a pony on screen telling you to wait then you have done everything correctly. Do not press I ACCEPT or I DO NOT ACCEPT. The exploit takes 1-2 minutes (1:25 is usually how long mine takes), if it takes longer than 2 minutes then it probably failed. Just turn off your Wii and start again from step 9.

Thanks

  • fail0verflow (Thank you guys for everything you've done for the Wii community. This wouldn't be possible without you.)
  • The Dolphin developers.
  • Maksymilian Arciemowicz (Vulnerability author)

How it works

The EULA app on the Wii is actually a webpage showing inside the UI. The webpage itself can be found at "http://cfh.wapp.wii.com/eula/XXX/YY.html" where XXX is your country code and YY is your language. When a webpage is loaded with a domain, the computer first checks with a special server called the DNS server to find the IP address of this domain. To perform this exploit, the user changes their DNS address to point to a special Str2hax server, which causes the cfh.wapp.wii.com domain to point to a Str2hax server, allowing a custom webpage to be displayed.

At this point, while JavaScript code can be executed, there is no way to run homebrew from there, so an exploit from JavaScript needs to be done. Luckily, there is one in the Opera browser ready to go. The function for taking a floating-point value from a string created big integers, which are handled by a special library. When one of size k needs to be allocated, the library checks its recycle linked lists to see if one is available, and if not, it allocates a new one. Each of these linked lists corresponds to a different size, and therefore 16 have been prepared. To free a big integer, it simply puts it at the front of the linked list of the appropriate size. However, only big integers with sizes less than 16 normal integers can be handled, although there is no check to ensure that this actually happens; the code using the library is responsible for that, and Opera does not check this.

When a big integer of size 17 is allocated, the next area in memory is used, which happens to be another big integer of size 2. However, Opera still treats it as a size 17 big integer, and attempts to fill it. This leads to a buffer overflow, allowing the big integer after that to be overwritten. When the function using that is finished with it, it will attempt to free it, putting it back onto its linked list. Again, it does not check to see if that index is in bounds, which means if it is put out of bounds, a return address can be overwritten.

Unfortunately, this is not all. The return address gets changed to point at the big integer's struct, which means the Wii will begin executing the big integer as code. The first two elements of the struct are the next pointer and the size, so they are pretty limited. However, after that is a field for something else that can be controlled freely, so that third field is set to an instruction to jump to another area in the oversized buffer where more control is present. For the first two fields, there is a bit of control over the second one, but the first one is always whatever the return address used to be, so the return address overwritten must be a valid instruction, as well as the k size, and neither of these instructions can be a jump or branching instruction. Luckily, there is a return pointer that meets both of these criteria that gets reached pretty quickly after this processing, allowing code execution to be done, and for the SaveZelda loader to be run.