# Mario-Kart-8-Exploit

Check the original repository for more details about the actual exploit.

This repository holds an implementation of the Mario Kart 8 exploit, which allows arbitrary userland code execution and read/write with kernel permissions.
## Preparation

Before using the ROP chain, some files need to be generated; you can do this with `make`.

The Makefile expects the following binaries/files:

- `bin/rpxgadgetfinder.jar`: Download (requires Java 11(!))
- `tmp/550/coreinit.rpl`: from 00050010-1000400A OSv10 v15702
- `tmp/550/gx2.rpl`: from 00050010-1000400A OSv10 v15702
- `tmp/Turbo.rpx`: the binary of the Mario Kart 8 version you want to exploit (only tested with EUR v64)

When you have all needed files, run `make`.

On success, you can now find the following files:

- `ropgadget_addr.py`

The default `ropgadget_addr.py` can be used with the EUR v64 of Mario Kart 8 on EUR 5.5.x consoles.
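The Makefile only reports a missing input when it fails part-way through a build, so a pre-flight check is useful. The script below is an added example, not part of this repository or its Makefile: it verifies that the four files listed above exist under a given repository root (assumption: the `bin/` and `tmp/` paths are relative to the checkout root) and that the installed `java -version` banner reports Java 11, which is what the gadget finder requires. The file name `check_prereqs.sh` and the helper names are my own.

```shell
#!/bin/sh
# Added example (not the project's own code): pre-flight check for the inputs
# the README says the Makefile expects, plus the Java 11 requirement.

# Files the README lists as Makefile inputs, relative to the repository root.
REQUIRED_FILES="bin/rpxgadgetfinder.jar tmp/550/coreinit.rpl tmp/550/gx2.rpl tmp/Turbo.rpx"

# check_prereq_files ROOT
# Prints every missing file to stderr; returns 0 only when all of them exist.
check_prereq_files() {
    root="$1"
    missing=0
    for f in $REQUIRED_FILES; do
        if [ ! -f "$root/$f" ]; then
            echo "missing: $root/$f" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# java_major_version BANNER_LINE
# Extracts the major version from the first line of `java -version`, e.g.
#   openjdk version "11.0.2" 2019-01-15  -> 11
#   java version "1.8.0_292"             -> 8   (legacy 1.x scheme)
java_major_version() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p')
    case "$ver" in
        1.*) printf '%s\n' "$ver" | cut -d. -f2 ;;
        *)   printf '%s\n' "$ver" | cut -d. -f1 ;;
    esac
}

# check_java_is_11 BANNER_LINE -> 0 if the banner reports Java 11, else 1.
check_java_is_11() {
    [ "$(java_major_version "$1")" = "11" ]
}

# Only act as a script when saved and invoked as check_prereqs.sh, so the
# functions above can also be sourced without side effects.
if [ "${0##*/}" = "check_prereqs.sh" ]; then
    check_prereq_files "${1:-.}" || exit 1
    banner=$(java -version 2>&1 | head -n 1) || { echo "java not found" >&2; exit 1; }
    check_java_is_11 "$banner" || { echo "need Java 11, got: $banner" >&2; exit 1; }
    echo "all Makefile inputs present and Java 11 found; run make"
fi
```

Save it as `check_prereqs.sh` in the checkout and run `sh check_prereqs.sh .` (or pass another root) before `make`; a non-zero exit with the offending path on stderr tells you which input is still missing. The version parser is kept separate from the `java` call so it can be exercised on captured banner strings.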
## Usage

- Clone the following Python package: https://github.com/Kinnay/NintendoClients
- Check out commit `d044b3f9717e096862517b060c2370627a4bcf56`, or rewrite exploit.py to be compatible with the latest commit.
- Fill in the required information, like your device id and serial number, in `config.py`.
- Make sure you have a valid `ropgadget_addr.py` with the needed gadget addresses.
- Create a friend room in Mario Kart 8 and run `do_memory_mapping.py`. If everything went right, the game should restart.
- Create another friend room in Mario Kart 8 and run `run_codebin_loader_ropchain.py`. If everything went right, the given payload should be executed.
## Technical details

Check the original repository for more details about the actual exploit.

- The exploit itself allows arbitrary 4-byte writes, which is enough to get (size-limited) ROP chain execution by carefully overriding a vtable.
- This allows us to remotely execute a ROP chain of < ~1000 bytes.
- 1000 bytes are enough to create a new thread on the main core and implement a small TCP client which receives a bigger payload that is copied into memory.
- With the help of a stack pivot, this new (and bigger) ROP chain can be executed.

From now on it's possible to execute a bigger ROP chain (as long as it fits in one TCP packet), which can be used to:

- Perform a kernel exploit to get read/write with kernel privileges.
- This is enough to restart the game with a different memory mapping, which allows modifications of executable memory, effectively bypassing the NX bit.
- After the restart the exploit is executed again with a different payload which copies a `code.bin` into memory and executes it.

=> This leads to: userland code execution with a usable kernel memcpy syscall (0x25) (for copying data with kernel privileges).
## Credits

- Maschell: Ideas, testing, ROP chain implementation, adding several ROP gadgets, implementing all other ROP chains
- NexoCube: Ideas, testing, ROP chain implementation and creating the ROP chain to load a bigger one via TCP
- Kinnay: Discovery and initial implementation of the exploit