Jump to content

Mario Kart 8 Exploit

Conéctate para seguir esto  

¿Quieres enterarte al momento de las nuevas descargas? Síguenos en Twitter!

1 Screenshot

A implementation of the Mario Kart 8 exploit which allows abritrary Userland code execution and read/write with kernel permissions.

Preparation

Before using the ROP-chain, some files need to be generated, you can do it with make.

The makefile expects some binaries/files.

  • Download RPX Gadget Finder (requires Java 11(!))
  • tmp/550/coreinit.rpl from 00050010-1000400A OSv10 v15702
  • tmp/550/gx2.rpl from 00050010-1000400A OSv10 v15702
  • tmp/Turbo.rpx the binary of the Mario Kart 8 version you want to exploit (only tested with EUR v64)

When you have all needed files, you can use make.

On success, you can now find the following files:

  • ropgadget_addr.py

The default ropgadget_addr.py can be used with the EUR V64 of Mario Kart on EUR 5.5.x consoles.

Usage

  1. Download Nintendo Clients.
  2. Checkout commit d044b3f9717e096862517b060c2370627a4bcf56 or rewrite exploit.py to be compatible with the latest commit.
  3. Fill in the required information, like your device id and serial number in the config.py.
  4. Make sure have a valid ropgadget_addr.py with the needed gadgets addresses.
  5. Create a friend room in Mario Kart 8 and run do_memory_mapping.py. If everything went right, the game should restart.
  6. Create an other friend room in Mario Kart 8 and run run_codebin_loader_ropchain.py. If everything went right, the given payload should be executed.

Technical details

  • The exploit itself allows to abritrary 4 byte writes which is enough to get a (size limited) rop chain execution by carefully overriding a vtable.
  • This allows us to remotely execute rop chain < ~1000 bytes.
  • 1000 bytes are enough to create a new thread on the main core and implement a small TCP client which receives a bigger payload that will be copied into memory.
  • With the help of a stack pivot this new (and bigger) rop chain can be executed.

From now on it's possible execute a bigger rop chain (as long as it fits in one TCP packet) which can be used to:

  1. Perform a kernel exploit to get read/write with kernel priviliges
    • Which is enough to restart the game with a different memory mapping, which allows modifcations of executable memory, effectively bypasing the NX-Bit.
  2. After the restart the exploit will be executed again with a different payload which copies a code.bin into memory and executes it.
    • => This leads to: userland code execution with a usable kernel memcpy syscall (0x25) (for copying data with kernel priviliges).

Credits

  • Maschell: Ideas, testing, rop chain implementation, adding serveral rop gadgets, implementing all other rop chains
  • NexoCube: Ideas, testing, rop chain implementation and creating the rop chain to load bigger one via TCP
  • Kinnay: Discovery and initial implementation of the exploit

¿Tienes alguna duda o aporte? Utiliza el foro!



×