Changes

543 bytes added, 15:17, 28 July 2016
Line 17: Line 17:     
When joining an array of strings, the lengths of the strings are summed to calculate the needed storage space. This summation is vulnerable to an integer overflow, which enables a heap overflow. As a result, a sprayed value from Javascript ends up as a vtable pointer, which can be used with a forged vtable to start a ROP chain. More information [http://googleprojectzero.blogspot.com/2014/07/pwn4fun-spring-2014-safari-part-i_24.html here].
 
When joining an array of strings, the lengths of the strings are summed to calculate the needed storage space. This summation is vulnerable to an integer overflow, which enables a heap overflow. As a result, a sprayed value from Javascript ends up as a vtable pointer, which can be used with a forged vtable to start a ROP chain. More information [http://googleprojectzero.blogspot.com/2014/07/pwn4fun-spring-2014-safari-part-i_24.html here].
 +
 +
===Stagefright ‘stsc’(?) MP4 atom integer overflow===
 +
'''Present in system versions''': 5.4.0-5.5.0 (possibly older versions, too)
 +
 +
'''Publicly exploited''': Yes
 +
 +
'''Discovered by''': zhuowei, Marionumber1 and Mathew_Wi
 +
 +
Documented libstagefright MP4 integer overflow.
 +
 +
===Stagefright ‘tx3g’ MP4 atom integer overflow===
 +
'''Present in system versions''': 5.3.2-5.5.1 (possibly older versions, too)
 +
 +
'''Publicly exploited''': Yes (wiiu_browserhax_fright)
 +
 +
'''Discovered by''': yellows8
 +
 +
Documented libstagefright MP4 integer overflow.
    
==PPC kernel exploits==
 
==PPC kernel exploits==
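Review bot: the added 'stsc' heading still carries an unresolved atom name ("‘stsc’(?)"), and neither new Stagefright entry cites a source for "Documented libstagefright MP4 integer overflow.", unlike the Safari entry above, which links its write-up. Resolve the "(?)" and add a reference link to each entry so the version ranges "5.4.0-5.5.0" and "5.3.2-5.5.1" can be verified; also, the 'stsc' entry reads "Publicly exploited: Yes" without naming the exploit, while the 'tx3g' entry names wiiu_browserhax_fright, so the two entries should be made consistent.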