mirror of https://github.com/wiiu-env/ROBChain.git synced 2024-11-05 03:05:06 +01:00

PoC exploit for Super Smash Brothers Wii U to execute arbitrary ROP in userland

Go to file

jam1garner 67f5398d00 Update README with build instructions		2019-01-18 17:05:13 -05:00
kexploit	Move PoC to new build system	2019-01-18 16:51:28 -05:00
poc	Move PoC to new build system	2019-01-18 16:51:28 -05:00
pymsc@dfaf2f4fcc	More organization	2019-01-18 13:58:28 -05:00
.gitignore	Add gitignore	2019-01-18 15:09:03 -05:00
.gitmodules	More organization	2019-01-18 13:58:28 -05:00
LICENSE	Initial commit	2017-07-31 16:35:07 -04:00
README.md	Update README with build instructions	2019-01-18 17:05:13 -05:00
ROP-NOTES.txt	Initial commit	2017-07-31 16:35:28 -04:00
WRITE-UP.md	Fix spelling/grammer	2017-08-06 13:23:17 -04:00

README.md

ROBChain

PoC exploit for Super Smash Brothers Wii U to get arbitrary ROP execution under userland

Can go over any fighter (and possibly article) to gain arbitrary code execution (Only ROP atm). This is a variation of contenthax based around MSC (the main character scripting language) exploiting a heap overflow to gain arbitrary read/write within the MSC script. Use pymsc to build.

Build PoC

Required:

Python 3.6 or greater in path as python3 (Edit Makefile for other configs)
make

git clone --recurse-submodules https://github.com/jam1garner/ROBChain.git && \
cd ROBChain/poc && \
make clean && make

Install

Take the generated exploit.mscsb and install it in a patch over

/data/fighter/[fighter]/script/msc/[fighter].mscsb

then install via SDCafiine or fs contents replacement.

Video of PoC

https://youtu.be/u3qKsbGPgn0

Write up

https://github.com/jam1garner/ROBChain/blob/master/WRITE-UP.md