5,579
edits
Changes
Jump to navigation
Jump to search
Line 31:
Line 31: + + + + + + + + +
“How it works” section
* The Dolphin developers.
* The Dolphin developers.
* Maksymilian Arciemowicz (Vulnerability author)
* Maksymilian Arciemowicz (Vulnerability author)
==How it works==
The EULA app on the Wii is actually a webpage showing inside the UI. The webpage itself can be found at "http://cfh.wapp.wii.com/eula/XXX/YY.html" where XXX is your country code and YY is your language. When a webpage is loaded with a domain, the computer first checks with a special server called the DNS server to find the IP address of this domain. To perform this exploit, the user changes their DNS address to point to a special Str2hax server, which causes the cfh.wapp.wii.com domain to point to a Str2hax server, allowing a custom webpage to be displayed.
At this point, while JavaScript code can be executed, there is no way to run homebrew from there, so an exploit from JavaScript needs to be done. Luckily, there is one in the Opera browser ready to go. The function for taking a floating-point value from a string created big integers, which are handled by a special library. When one of size k needs to be allocated, the library checks its recycle linked lists to see if one is available, and if not, it allocates a new one. Each of these linked lists corresponds to a different size, and therefore 16 have been prepared. To free a big integer, it simply puts it at the front of the linked list of the appropriate size. However, only big integers with sizes less than 16 normal integers can be handled, although there is no check to ensure that this actually happens; the code using the library is responsible for that, and Opera does not check this.
When a big integer of size 17 is allocated, the next area in memory is used, which happens to be another big integer of size 2. However, Opera still treats it as a size 17 big integer, and attempts to fill it. This leads to a buffer overflow, allowing the big integer after that to be overwritten. When the function using that is finished with it, it will attempt to free it, putting it back onto its linked list. Again, it does not check to see if that index is in bounds, which means if it is put out of bounds, a return address can be overwritten.
Unfortunately, this is not all. The return address gets changed to point at the big integer's struct, which means the Wii will begin executing the big integer as code. The first two elements of the struct are the next pointer and the size, so they are pretty limited. However, after that is a field for something else that can be controlled freely, so that third field is set to an instruction to jump to another area in the oversized buffer where more control is present. For the first two fields, there is a bit of control over the second one, but the first one is always whatever the return address used to be, so the return address overwritten must be a valid instruction, as well as the k size, and neither of these instructions can be a jump or branching instruction. Luckily, there is a return pointer that meets both of these criteria that gets reached pretty quickly after this processing, allowing code execution to be done, and for the [[SaveZelda]] loader to be run.