Ninjhax

Ninjhax (sometimes misspelled Ninjahax) is a user mode exploit found by smealum for the Nintendo 3DS game Cubic Ninja. The exploit was initially released November 20, 2014^[1], supporting 3DS system menu versions 4.0 - 9.2. One of the system flaws used by ninjhax was subsequently blocked by the 9.3 update^[2]. Several months later, on July 18, 2015, smealum released ninjhax version 2.0^[3]. This new version added support for system menu versions above 9.2, up to version 9.9. The old version 1 can still be used on lower system menu versions.

Ninjhax makes use of a flaw in the level editor of Cubic Ninja. The levels can be of variable length, but are stored in fixed-length buffers without length checks^[4]. This is used to create a stack buffer overflow, which leads to ROP capabilities. The exploited level can easily be loaded through the QR code sharing feature of the game.

Changelog

v1.0 (November 20, 2014)

Initial release

v1.1 (December 25, 2014)

Improved 3dsx loader
new HB service commands

v1.1b (December 26, 2014)

Stability improvements

v2.0 (July 18, 2015)

Add support for system menu version 9.3 - 9.9

Credits

smea — 3DS research, core exploit code for all versions, ctrulib improvements, hbmenu code, testing/debugging
yellows8 — 3DS research, ctrulib improvements, auditing, help with pretty much everything
plutoo — 3DS research, ctrulib improvements, auditing, help with pretty much everything
fincs — 3DSX format/code, ctrulib improvements, devkitARM integration, testing
mtheall — ctrulib improvements, hbmenu code, testing, .gitignore files
GEMISIS — hbmenu code, testing
Fluto, Arkhandar — hbmenu design
Normmatt, ichfly — general help, testing
case — javascript master
lobo — webpage template

Links

References

[1] ttps://twitter.com/smealum/status/535552052097585152

[2] ttps://twitter.com/smealum/status/542118829422149632

[3] ttps://twitter.com/smealum/status/622293897117483009

[4] x: the writeup - smealum.net

[1]

[2]

[3]

[4]