Wednesday, 13 January 2016

Wii U: Browserhax released for 5.5.0

The Wii U 5.5.1 update patched some critical vulnerabilities in libstagefright. This triggered two hack releases that rely on similar (if not the same?) exploits in the lib. Earlier today, Mathew_Wi released an exploit for 5.4.0/5.5.0 that he described as “lazy” and that is not directly usable by end users. But Yellows8 comes to the rescue with a Browserhax that is also based on a libstagefright exploit. And yes, it also supports 5.4.0 and 5.5.0.
To be clear, both these exploits are patched with the new 5.5.1 firmware, and this is why both developers have decided to release their work on libstagefright.
Smealum described Yellows8’s hack as “super stable”. Incidentally, you might already know Yellows8 for his work on 3DS hacks. It’s great to see hackers work on several consoles, as it’s been proven countless times now that these devices all rely on similar security concepts, in particular those from the same manufacturer.


You’ll need your own server to host the file, although I assume this can work with a basic Apache server running on your local network (for those asking, you can set that up for free on your own computer, yes, even on Windows).
From the Readme:

To use this you must host the exploit script on a server, then you must set up wiiuhaxx_common as documented in that repo. If you’re going to use libwiiu with your payload binary, then you must use a coreinit.h which actually supports your system-version. The max size of the final payload (loader included) is 0x4000-bytes, so your input payload max size is a bit less than 0x4000-bytes (the script will throw an error if the size is too large). Once all set up, just access a URL like the below one where “browserhax_fright_tx3g_wiiu.php” is hosted, with the browser. Note that issues occur when the final URL you use is too long, so you should keep it short like with the following: “http(s)://{server}/wiiuhaxx.php?sysver={version listed in wiiuhaxx_common}”. This hasn’t been debugged yet.
The only known time this exploit has ever failed pre-native-code-exec (on a supported system-version), was when the URL was too long as described above. However, this is mostly with testing with just one open tab (in particular with automatically loading the page).
Yellows8 credits plutoo for getting exception-dumps / memdumps, etc, on 5.3.2.

Download Yellows8’s Browserhax for Wii U 5.5.0

Download BrowserHax for Wii U 5.5.0 (a.k.a. WiiU_Browserhax_Fright) on the project’s github here
Via @Smealum
