Remote Code Execution On An Oscilloscope

There are a huge number of products available in the modern world that come with network connectivity now, when perhaps they might be better off without it. Kitchen appliances like refrigerators are the classic example, but things like lightbulbs, toys, thermostats, and door locks can all be found with some sort of Internet connectivity. Perhaps for the worse, too, if the security of these devices isn’t taken seriously, as they can all be vectors for attacks. Even things like this Rigol oscilloscope and its companion web app can be targets.

The vulnerability for this oscilloscope starts with an analysis of the firmware, which includes the web control application. To avoid potentially bricking a real oscilloscope, the firmware was emulated using QEMU. The vulnerability lies in the code that handles changing the password: an attacker can bypass authentication by injecting commands into the password fields. In the end, all that is needed to gain arbitrary code execution on the oscilloscope is a single curl command directed at it.

Ultimately, [Maunel] suggests not connecting this oscilloscope to the Internet at all. He has informed the manufacturer, but as of this writing there has been no resolution. The case does, however, demonstrate the vulnerabilities that can be present in network-connected devices whose developers haven’t gone to the lengths required to properly secure them for use on the modern Internet. Even devices without a traditional Internet connection can be targets for attacks.

Arbitrary Code Execution Is In Another Castle!

When one buys a computer, it should be expected that the owner can run any code on it that they want. Often this isn’t the case, though, as most modern devices are sold with locked bootloaders or worse. Older technology is a little easier to handle, but arbitrary code execution on something like an original Nintendo still involves quite a lot of legwork, as [Retro Game Mechanics Explained] shows with the inner workings of Super Mario Brothers 3.

While this hack doesn’t permanently modify the Nintendo itself, it does allow for arbitrary code execution within the game, which is used mostly by speedrunners to get to the end credits scene as fast as possible. To do this, values are written to memory by carefully manipulating on-screen objects. Once the correct values are entered, a glitch in the game involving a pipe is exploited to execute the manipulated memory as an instruction. The instruction planted is most often used to load the Princess’s chamber and complete the game, with the current record hovering around the three-minute mark.

If you feel like you’ve seen something like this before, you are likely thinking of the Super Mario World exploit for the SNES that allows for the same style of arbitrary code execution. The Mario 3 hack, however, is simpler to execute. It’s also worth checking out the video below, because [Retro Game Mechanics Explained] goes into great depth about which values are written to memory, how they are executed as an instruction, and all of the other inner workings of the game that allow for an exploit of this level.


There’s A Mew Underneath The Truck Next To The SS Anne

Before we dig into this, I need to spend a paragraph or two conveying the knowledge of a twelve-year-old in 1996. Of course, most Hackaday readers were twelve at least once, but we’re just going to do this anyway. The payoff? This is an arbitrary-code-execution virus for Pokemon, and maybe the most amazing Game Boy hack of all time.

In the first generation of Pokemon games, there is a spectacularly rare Pokemon. Mew, the 151st Pokemon, could learn every move in the game. It was a psychic type, which was overpowered in the first gen. You could not acquire a Mew except by taking your Game Boy to a special event (or to Toys R Us that one time). If someone on the playground had a Mew, they really only had a GameShark.

There was a mythos surrounding Mew. Legend said if you went to the SS Anne and used Strength to move a truck sprite that appeared nowhere else in the game, a Mew would appear. Due to the storyline of the game, you didn’t have the ability to get to this truck the first time you passed it. However, if you started a new game – thus losing all your progress and your entire roster of Pokemon – you could test this theory out. Don’t worry, you can just trade me all your good Pokemon. I’ll give them back once you have a Mew. Screw you, Dylan. Screw you.

Now the Mew truck trick is real. You can do it on a copy of Red or Blue on an original Game Boy. If this hack existed in 1998, kids would have lost their god damned minds.

The basis for this hack comes from [MrCheeze], who created a ‘virus’ of sorts for the first generation of Pokemon games. Basically, given the ability to manually edit a save file, it is possible to replicate this save file over a Game Link cable. The result is a glitchy mess, but each Pokemon game has the same save file when it’s done.

Combine this virus with arbitrary code execution, and you have something remarkable. [MrCheeze] created a save file that allows you to move the truck next to the SS Anne. When the truck is moved, a Mew appears. It’s exactly what everyone was talking about over the sound of their sister’s Backstreet Boys marathon.

The new ‘Mew Truck virus’ is not as glitchy as the first attempt at a self-replicating save file. In fact, except for the music glitching for a few seconds, nothing appears abnormal about this Pokemon virus. It’s only when the Mew truck trick is attempted that something seems weird, and it’s only weird because we know it shouldn’t happen. Combine that with the self-replicating nature of this virus, and you have something that would have drawn the attention of Big N. This is a masterpiece of Pokemon-based arbitrary code execution and a hack that may never be equaled.

You can check out the video below.
