A implementation of the Mario Kart 8 exploit which allows abritrary Userland code execution and read/write with kernel permissions.
Before using the ROP-chain, some files need to be generated, you can do it with make.
The makefile expects some binaries/files.
- Download RPX Gadget Finder (requires Java)
- tmp/550/coreinit.rpl from 00050010-1000400A OSv10 v15702
- tmp/550/gx2.rpl from 00050010-1000400A OSv10 v15702
- tmp/Turbo.rpx the binary of the Mario Kart 8 version you want to exploit (only tested with EUR v64)
When you have all needed files, you can use make.
On success, you can now find the following files:
The default ropgadget_addr.py can be used with the EUR V64 of Mario Kart on EUR 5.5.x consoles.
- Download Nintendo Clients.
- Checkout commit d044b3f9717e096862517b060c2370627a4bcf56 or rewrite exploit.py to be compatible with the latest commit.
- Fill in the required information, like your device id and serial number in the config.py.
- Make sure have a valid ropgadget_addr.py with the needed gadgets addresses.
- Create a friend room in Mario Kart 8 and run do_memory_mapping.py. If everything went right, the game should restart.
- Create an other friend room in Mario Kart 8 and run run_codebin_loader_ropchain.py. If everything went right, the given payload should be executed.
- The exploit itself allows to abritrary 4 byte writes which is enough to get a (size limited) rop chain execution by carefully overriding a vtable.
- This allows us to remotely execute rop chain < ~1000 bytes.
- 1000 bytes are enough to create a new thread on the main core and implement a small TCP client which receives a bigger payload that will be copied into memory.
- With the help of a stack pivot this new (and bigger) rop chain can be executed.
From now on it's possible execute a bigger rop chain (as long as it fits in one TCP packet) which can be used to:
Perform a kernel exploit to get read/write with kernel priviliges
- Which is enough to restart the game with a different memory mapping, which allows modifcations of executable memory, effectively bypasing the NX-Bit.
After the restart the exploit will be executed again with a different payload which copies a code.bin into memory and executes it.
- => This leads to: userland code execution with a usable kernel memcpy syscall (0x25) (for copying data with kernel priviliges).
- Maschell: Ideas, testing, rop chain implementation, adding serveral rop gadgets, implementing all other rop chains
- NexoCube: Ideas, testing, rop chain implementation and creating the rop chain to load bigger one via TCP
- Kinnay: Discovery and initial implementation of the exploit