478
edits
Changes
Jump to navigation
Jump to search
Line 16:
Line 16: − At real Nintendo Zone APs, a laptop running Linux with a wireless NIC supporting monitor mode would be needed to use the exploit at the NZone AP location. Using airpwn at a real NZone AP location is dangerous and not recommended, you must be cautious since every DS in range of the airpwn box will receive the injected exploit html. Using airpwn at a real NZone AP shouldn't be tried as other DSes besides the one you own, that are using the DS Station/NZone client and are not playing demos will download the injected exploit.
Removed airpwn text since nzoneurlstacksmash exceeds the airpwn content limit, and DS Station NetFront is rigged to ignore redirection.
DS Station's web browser uses NetFront 3.3. This browser version has a stack smash bug in a function writing the URL from a tag field's value to the stack. This bug is present in at least one function, other functions don't seem to have this bug.
DS Station's web browser uses NetFront 3.3. This browser version has a stack smash bug in a function writing the URL from a tag field's value to the stack. This bug is present in at least one function, other functions don't seem to have this bug.
Nintendo Zone v3.0 has the bug. The layout of the Nintendo Zone binary NetFront html tag attribute strings were significantly changed, meaning NetFront was probably updated. The NetFront version user agent was removed from the NZone bin, so it's unknown what NetFront version NZone uses. Linux/hostapd compatible box and a NIC supported by hostapd is required. An SSID, and the WEP key generated from the SSID, from a real Nintendo Zone/DS Station AP is required.
Nintendo Zone v3.0 has the bug. The layout of the Nintendo Zone binary NetFront html tag attribute strings were significantly changed, meaning NetFront was probably updated. The NetFront version user agent was removed from the NZone bin, so it's unknown what NetFront version NZone uses. Linux/hostapd compatible box and a NIC supported by hostapd is required. An SSID, and the WEP key generated from the SSID, from a real Nintendo Zone/DS Station AP is required.
A DS Station exploit has been written by [[User:Yellows8|Yellows8]]. The exploit is only available on Google Code wmb-asm SVN. SVN web interface is available [http://code.google.com/p/wmb-asm/source/browse/#svn/trunk/nzoneurlstacksmash here], SVN URL available [http://wmb-asm.googlecode.com/svn/trunk/nzoneurlstacksmash here.] To use the exploit at home, you also need a HTTPS forwarder/proxy, like httpsforwarder available in SVN. This exploit hasn't been tested with Nintendo Zone. This exploit can't be tested [[User:Yellows8|until]] a Nintendo Zone AP beacons capture is obtained. This exploit can only be used with html that is transferred over http. All html on the NZone server was probably moved to HTTPS, but this won't be known for certain until [[User:Yellows8|Yellows8]] gets server access with a NZone SSID. The html for the index main and sub screens is transferred over https. However, the html for the main screen for the pages after the index,(main server for DS Station unknown for NZone and third-party companies websites) is transferred with http. The sub screen html is transferred with https, with the main server. Sub screen html with third-party companies is transferred with http.
A DS Station exploit has been written by [[User:Yellows8|Yellows8]]. The exploit is only available on Google Code wmb-asm SVN. SVN web interface is available [http://code.google.com/p/wmb-asm/source/browse/#svn/trunk/nzoneurlstacksmash here], SVN URL available [http://wmb-asm.googlecode.com/svn/trunk/nzoneurlstacksmash here.] To use the exploit at home, you also need a HTTPS forwarder/proxy, like httpsforwarder available in SVN. This exploit hasn't been tested with Nintendo Zone. This exploit can't be tested [[User:Yellows8|until]] a Nintendo Zone AP beacons capture is obtained. This exploit can only be used with html that is transferred over http. All html on the NZone server was probably moved to HTTPS, but this won't be known for certain until [[User:Yellows8|Yellows8]] gets server access with a NZone SSID. The html for the index main and sub screens is transferred over https. However, the html for the main screen for the pages after the index,(main server for DS Station unknown for NZone and third-party companies websites) is transferred with http. The sub screen html is transferred with https, with the main server. Sub screen html with third-party companies is transferred with http.
NetFront limits the size of html files that can be downloaded. The max size of a LZSS compressed .nds embedded in the exploit is between 121.7KB - 129.9KB.
NetFront limits the size of html files that can be downloaded. The max size of a LZSS compressed .nds embedded in the exploit is between 121.7KB - 129.9KB.