exploit

70 Articles

Kickflips And Buffer Slips: An Exploit In Tony Hawk’s Pro Skater

August 8, 2024 by 6 Comments

[Ryan Miceli] wanted to build some reverse engineering skills by finding a new exploit for an original Xbox. Where he ended up was an exploit that worked across the network, across several games, and several different consoles. But it all started with an unbounded strcpy in Tony Hawk Pro Skater (THPS).

Xbox, PlayStation 2, and Gamecube (often referred to as the sixth generation) are wonderful hacking targets as they don’t possess many of the security enhancements of the seventh generation, like hypervisors, privilege levels, and hardware executability protections. The console launches the game, and control is fully within the game, so once you get your code executing, you’re done. The exploit started with a feature in many Tony Hawk games, the custom map editor. In the editor, you can create gaps between jumps with a name so that when a player completes the gap, it can flash “you jumped x” in big letters. However, on Xbox, the gap name is copied with an unbounded strcpy to the stack, meaning you can overwrite the return pointer. Additionally, there are no stack cookies for THPS, which meant nothing stopped [Ryan] from smashing his way through. He includes a small memcpy stub in the header of the level, which the gap name jumps to, which then copies and executes his full payload.

The other games in the series, like Tony Hawk’s Pro Skater 3 (THPS3), had the bug, but the gap name was copied to the heap, not the stack. However, he could overflow into a vtable of the next object that would call his code when the object was freed. However, the level save data wasn’t an executable region of memory, which meant he needed ROP (return-oriented programming). Just a few gadgets later, and [Ryan] had another exploit working.

Tony Hawk’s Underground 1 and 2 had stack cookies turned on. This meant a random value was placed on the stack before a function, then popped off and checked. This meant the program could check if its stack had been smashed. Unfortunately for [Ryan], this proved to be a major roadblock. However, the PC and PS2 versions of these games do not have stack cookies, which means they can be exploited in the same manner.

The beauty of the exploit is that the game allows you to invite a friend to play a custom level. This means once the level is transferred over the network, their console is hacked as well. However, the full payload wasn’t sent to the client console, which meant the exploit had to send the payload to the other console using the game’s existing net code. The exploit sets up an asynchronous file transfer then hands control back to the game. Of course, there was a memory leak in the netcode, because the game had never sent large amounts of data over the network before. So, part of the exploit was a hot patch for a memory leak.

As a last hurrah, [Ryan] ported the hack to Gamecube, PS2, and PC. The code is on GitHub, and the video is after the break. We love the attention the Xbox has been getting, and if you’re curious about a hardware hack, this 256MB ROM mod goes deep into the internals.

Continue reading “Kickflips And Buffer Slips: An Exploit In Tony Hawk’s Pro Skater”

Hackaday Links Column Banner

Hackaday Links: August 20, 2023

August 20, 2023 by 14 Comments

In some ways, we’ve become a little jaded when it comes to news from Mars, which almost always has to do with the Ingenuity helicopter completing yet another successful flight. And so it was with the report of flight number 54 — almost. It turns out that the previous flight, which was conducted on July 22, suffered a glitch that cut the flight short by forcing an immediate landing. We had either completely missed that in the news, or NASA wasn’t forthcoming with the news, perhaps until they knew more. But the details of the error are interesting and appear related to a glitch that happened 46 flights before, way back in May of 2021, that involves dropped frames from the video coming from the helicopter’s down-facing navigational camera. When this first cropped up back on flight six, it was only a couple of missed frames that nearly crashed the craft, thanks to confusion between the video stream and the inertial data. Flight engineers updated the aircraft’s software to allow for a little more flexibility with dropped frames, which worked perfectly up until the aborted flight 53.

Continue reading “Hackaday Links: August 20, 2023”

Remote Code Execution On An Oscilloscope

July 17, 2023 by 10 Comments

There are a huge number of products available in the modern world that come with network connectivity now, when perhaps they might be better off with out it. Kitchen appliances like refrigerators are the classic example, but things like lightbulbs, toys, thermostats, and door locks can all be found with some sort of Internet connectivity. Perhaps for the worse, too, if the security of these devices isn’t taken seriously, as they can all be vectors for attacks. Even things like this Rigol oscilloscope and its companion web app can be targets.

The vulnerability for this oscilloscope starts with an analysis of the firmware, which includes the web control application. To prevent potentially bricking a real oscilloscope, this firmware was emulated using QEMU. The vulnerability exists in the part of the code which involves changing the password, where an attacker can bypass authentication by injecting commands into the password fields. In the end, the only thing that needs to be done to gain arbitrary code execution on the oscilloscope is to issue a curl command directed at the oscilloscope.

In the end, [Maunel] suggests not connecting this oscilloscope to the Internet at all. He has informed the producer about it but as of this writing there has not been a resolution. It does, however, demonstrate the vulnerabilities that can be present in network-connected devices where the developers of the software haven’t gone to the lengths required to properly secure them for use with the modern Internet. Even things not connected to a traditional Internet connection can be targets for attacks.

Exploring The Anatomy Of A Linux Kernel Exploit

June 25, 2023 by 21 Comments

A lot of talk and discussion happens anytime a hardware manufacturer releases a new line of faster, more powerful, or more efficient computers. It’s easy to see better and better specifications and assume that’s where all the progress is made. But without improved software and algorithms, often the full potential of the hardware can’t be realized. That’s the reason for the creation of io_uring, an improved system call interface in the Linux kernel. It’s also where [chompie] went to look for exploits.

The reason for looking here, in a part of the kernel [chompie] had only recently learned about, was twofold. First, because it’s a place where user space applications interact with the kernel, and second because it’s relatively new and that means more opportunities to find bugs. The exploit involves taking advantage of a complicated asynchronous buffer system, specifically at a location where the code confuses a memory location being used by the kernel with one which is supposed to be used for user space.

To actually get this to work as an exploit, though, a much more involved process is needed to make sure the manipulation of these memory addresses results in something actually useful, but it is eventually used to gain local privilege escalation. More about it can be found in this bug report as well. Thanks to the fact that Linux is open-source, this bug can quickly be fixed and the patch rolled out to prevent malicious attackers from exploiting it. Open-source software has plenty of other benefits besides being inherently more secure, though.

Breaking Into The Nintendo DSi Through The (Browser) Window

March 13, 2023 by 9 Comments

The Nintendo DSi was surpassed by newer and better handhelds many years ago, but that doesn’t stop people like [Nathan Farlow] from attempting to break into the old abandoned house through a rather unexpected place: the (browser) window.

When the Nintendo DSi was released in 2008, one of its notable features was a built-in version of the Opera 9.50 web browser. [Nathan] reasoned an exploit in this browser would be an ideal entry point, as there’s no OS or kernel to get past — once you get execution, you control the system. To put this plan into action, he put together two great ideas. First he used the WebKit layout tests to get the browser into weird edge cases, and then tracked down an Windows build of Opera 9.50 that he could run on his system under WINE. This allowed him to identify the use-after-free bugs that he was looking for.

Now that he had an address to jump to, he just had to get his code into the right spot. For this he employed what’s known as a NOP sled; basically a long list of commands that do nothing, which if jumped into, will slide into his exploit code. In modern browsers a good way to allocate a chunk of memory and fill it would be a Float32Array, but since this is a 2008 browser, a smattering of RGBA canvases will do.

The actual payload is designed to execute a boot.nds file from the SD card, such as a homebrew launcher. If you want to give it a shot on your own DSi, all you need to do is point the system’s browser to stylehax.net.

If you’re looking for a more exotic way to crack into a DSi, perhaps this EM glitching attack might tickle your fancy?

Continue reading “Breaking Into The Nintendo DSi Through The (Browser) Window”

Screenshot of the PS4 screen, showing a "Waiting to receive disc image file..." notification on the left, and a Windows commandline window with nc running on the right, sending an .iso file to some IP address - presumably the PS4

Subverting PS4 And PS5 Through The PS2 Emulator

October 3, 2022 by 7 Comments

Game console hacking remains a fascinating area, and we’re glad when someone brings the spoils of exploration for us to marvel at. This time, we’re looking at the [mast1c0re] hack story by [cturt] – an effort to find bugs in PS2 emulation toolkit present on Sony PlayStation 4 and 5 consoles, proving fruitful in the end. What’s more, this exploit seems unpatchable – not technically, but under the Sony’s security practices, this emulator falls under the category of things they refuse to patch when identified.

In this story, we’re taken on a journey through the PS2 emulator internals, going through known-exploitable PS2 games and learning about a prospective entry point. Circling around it, collecting primitives and gadgets, bypassing ASLR on the way there, the emulator is eventually escaped, with a trove of insights shared along the way. As a demonstration, [cturt] successfully loaded a different PS2 game from outside the PS2 emulator, transferring it to the PS4 over WiFi! Continue reading “Subverting PS4 And PS5 Through The PS2 Emulator”

Hackaday Links Column Banner

Hackaday Links: August 21, 2022

August 21, 2022 by 3 Comments

As side-channel attacks go, it’s one of the weirder ones we’ve heard of. But the tech news was filled with stories this week about how Janet Jackson’s “Rhythm Nation” is actually a form of cyberattack. It sounds a little hinky, but apparently this is an old vulnerability, as it was first noticed back in the days when laptops commonly had 5400-RPM hard drives. The vulnerability surfaced when the video for that particular ditty was played on a laptop, which would promptly crash. Nearby laptops of the same kind would also be affected, suggesting that whatever was crashing the machine wasn’t software related. As it turns out, some frequencies in the song were causing resonant vibrations in the drive. It’s not clear if anyone at the time asked the important questions, like exactly which part of the song was responsible or what the failure mode was on the drive. We’ll just take a guess and say that it was the drive heads popping and locking.

Continue reading “Hackaday Links: August 21, 2022”