Difference between revisions of "Spider exploit"
(little fixes) |
(→projects List: Added more projects to the list) |
||
Line 58: | Line 58: | ||
|- | |- | ||
| [https://gbatemp.net/threads/attempt-running-gw3-0-web-exploit-on-a-local-network.378058/page-3#post-5268233 Official Payloads] | | [https://gbatemp.net/threads/attempt-running-gw3-0-web-exploit-on-a-local-network.378058/page-3#post-5268233 Official Payloads] | ||
− | | | + | | Files |
| Download the payload used by Go.gateway-3ds.com, extracted by Falo | | Download the payload used by Go.gateway-3ds.com, extracted by Falo | ||
|- | |- | ||
Line 66: | Line 66: | ||
|- | |- | ||
| [https://gbatemp.net/threads/attempt-running-gw3-0-web-exploit-on-a-local-network.378058/page-9#post-5269706 PHP script] | | [https://gbatemp.net/threads/attempt-running-gw3-0-web-exploit-on-a-local-network.378058/page-9#post-5269706 PHP script] | ||
− | | | + | | Files |
| PHP script to host the exploit yourself on your own server. | | PHP script to host the exploit yourself on your own server. | ||
|- | |- | ||
| [https://gbatemp.net/threads/attempt-running-gw3-0-web-exploit-on-a-local-network.378058/page-9#post-5270319 PHP script] | | [https://gbatemp.net/threads/attempt-running-gw3-0-web-exploit-on-a-local-network.378058/page-9#post-5270319 PHP script] | ||
− | | | + | | Files |
| a single file PHP script to host the exploit yourself on you own server. | | a single file PHP script to host the exploit yourself on you own server. | ||
|- | |- | ||
Line 92: | Line 92: | ||
| Android | | Android | ||
| An android application to serves the exploit. -removed from google play- | | An android application to serves the exploit. -removed from google play- | ||
+ | |- | ||
+ | | [https://gbatemp.net/threads/release-go-gateway-offline-exploit-host-on-android.378474/ Go! Gateway] | ||
+ | | Android | ||
+ | | Android application to serves the exploit. Possibility to change the exploit file name (default : Launcher.dat) | ||
+ | |- | ||
+ | | [https://gbatemp.net/threads/multilauncher-a-webpage-to-launch-gateway-launcher-and-smealum-launcher-on-same-sdcard.379031/ MultiLauncher] | ||
+ | | Online | ||
+ | | A mirror website, with ability to specify the filename to load from SD card. Allows launching different "Launcher.dat" file. | ||
+ | |- | ||
+ | | [https://gbatemp.net/threads/release-static-html-javascript-gw-multilauncher.379080/ Static GW Multilauncher] | ||
+ | | Online/Files | ||
+ | | PHP script to host the files yourself. Allows specifying filename to launch using a GET parameter. | ||
|} | |} |
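Review bot: The comment on the added Static GW Multilauncher row says "PHP script to host the files yourself", while the link on that row points to a thread whose URL reads release-static-html-javascript-gw-multilauncher; check the description against the linked release and reword it if the project is static HTML/JavaScript rather than PHP. The added Go! Gateway row also repeats the "application to serves the exploit" wording from the row above it, which should read "to serve the exploit".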
Revision as of 16:48, 7 February 2015
Spider exploit | |
---|---|
General | |
Author | MathewE |
Links | |
Download | |
Website | |
Discussion | |
Exploit working on v2.0 to v9.2 |
The spider exploit was found by MathewE and used by the Gateway-3DS team to launch their flashcard's Gateway v3.0 payload on 3DS system menu versions 2.0.x to 9.2.x.
It uses a vulnerability in the WebKit browser (code name Spider) to load a ROP chain using JavaScript and the DOM, which allows loading a file from the SD card (usually the Launcher.dat file).
This vulnerability has been fixed in system menu version 9.3.0.
Description
The exploit uses 5 different ROP chains based on the browser's version, detected using the user agent string.
- 3DS System version 2.0 = "Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7412.US"
- 3DS System version 2.1-3.X = "Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7498.US"
- 3DS System version 4.0-4.X = "Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7455.US"
- 3DS System version 5.0-7.0 = "Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7552.US"
- 3DS System version 7.1-9.2 = "Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7567.US"
A 6th version is served for browsers with a non-compatible user agent.
When the webpage is visited, it checks the user agent and serves the corresponding page. The ROP chain loads the Launcher.dat file located on the SD card.
Usage
Place the Launcher.dat file (Gateway v3.0 or newer) you want to boot on the root of your SD card, and visit http://go.gateway-3ds.com to trigger the exploit.
Custom servers
Since the release of this exploit by the Gateway 3DS team, users have analyzed how it works and extracted the ROP payload for each of the different user agents.
Users have ported this exploit to multiple platforms, such as Android or offline private web servers.
Analysis of the payload showed that the path to the loaded file is included in the ROP chain. Users can therefore keep multiple versions of launcher.dat files (either exploit or homebrew) on their SD card and select the one to launch by visiting custom websites.
Below is a list of custom projects, sources and websites based on the Spider exploit.
projects List
Name | Type | Comment |
---|---|---|
Official Payloads | Files | Download the payload used by Go.gateway-3ds.com, extracted by Falo. |
ROP Reverse engineering | - | Analysis of the ROP chain exploit by Yifan Lu. |
PHP script | Files | PHP script to host the exploit yourself on your own server. |
PHP script | Files | A single-file PHP script to host the exploit yourself on your own server. |
esp8266 module | Offline | Hardware mod by lukas_2511 to insert a Wi-Fi webserver chipset inside the console. |
Android webserver tutorial | Android | Tutorial to set up an Android webserver as an access point. |
SD Card Wifi access point | Offline | An SD card with Wi-Fi access point capability can be used to serve the exploit directly from your 3DS. |
http://go.scmods.com/ | Online | Mirror website by Gary Opa serving the Gateway exploit. |
GW3DS Loader | Android | An Android application to serve the exploit (removed from Google Play). |
Go! Gateway | Android | Android application to serve the exploit. The exploit file name can be changed (default: Launcher.dat). |
MultiLauncher | Online | A mirror website, with the ability to specify the filename to load from the SD card. Allows launching different "Launcher.dat" files. |
Static GW Multilauncher | Online/Files | PHP script to host the files yourself. Allows specifying the filename to launch using a GET parameter. |