DSiWare VulnList: Difference between revisions

(11 intermediate revisions by the same user not shown)

Line 9:

|-

| Incomplete

| 20

| 16

|-

| Done

| 18

| 27

|-

| DSiWare which probably aren't exploitable

Line 72:

| None

| Has ASCII strings. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.

|-

~~| Crazy Sudoku~~

~~| Player name~~

~~| None~~

~~| Has ASCII strings for player name.~~

|-

| Crystal Monsters

Line 93:

Line 88:

| Has ASCII string but the checksum is unknown.

|-

| ~~Field Runners~~

| Jelly Car 2

| High~~-Scores~~

| High Score name

| ~~Started~~

| None

| ~~The xml .plist the game uses~~ for ~~storing savedata contains high-~~scores ~~strings.~~

| Uses ASCII player name for time scores; It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.

|-

~~| Guitar Rock Tour~~

~~| High-Scores~~

~~| Started~~

~~| Has ASCII high~~-~~scores.~~

|-

~~| Legends of Exidia~~

~~| Player name~~

~~| Started~~

~~| Has ASCII player name~~.

|-

| Lets golf

Line 127:

Line 112:

| None

| Has ASCII strings.

|-

~~| UNO~~

~~| Player name and high-scores~~

~~| Started~~

~~| Has ASCII text. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.~~

|}

Line 150:

Line 130:

| High-Scores

| Has ASCII high-scores with null terminated strings. string bugs only corrupted the display, making the game unplayable.

|-

| Academy: Checkers

| Profile names

| Game didn't crash with a long profile string.

|-

| Arcade Hoops Basketball

Line 166:

Line 150:

| High-scores and word list

| Has ASCII null-terminated high-score list names and null-terminated word list strings. ( No crash, just nice very high scores, and very long words displayed. )

|-

| Crazy Sudoku

| Profile names/Data File

| The ASCII player name or the game data aren't exploitable. This game can still be crashed.

|-

| Dark Void Zero

Line 182:

Line 170:

| None

| Has high-scores without names, scores are ASCII null-terminated strings. Managed to semi-crash this, but system reset still worked so this probably isn't exploitable.

|-

| Fieldrunners

| High-Scores

| The xml, ".plist", in the game is used for storing savadata which contains high-score strings. Using a very large string crashes the game leading it to stack buffer overflow. The game has already been exploited through [https://github.com/yellows8/dsi/tree/master/exploits/fieldrunhax fieldrunnerhax].

|-

| Frogger Returns

| High-Scores

| Has ASCII high-scores. strcpys to a static buffer from savedata, unknown if this is exploitable but there's only <10KB free space available(way too low for a payload) so meh.

|-

| Guitar Rock Tour

| High-Scores

| Has ASCII high-score strings stored in the savedata. Using a very long excessive string can crash the game to lead into a stack smash. This game was successfully exploited through [https://github.com/yellows8/dsi/tree/master/exploits/grtpwn grtpwn].

|-

| Legends of Exidia

| Player name

| Has ASCII player name stored in the savadata. Using an extensive long string will cause a stack smash to saved registers and can eventually be exploited through [https://github.com/yellows8/dsi/tree/master/exploits/exidiahax exidiahax].

|-

| Mario Calculator

Line 202:

| High-scores

| Has English-only high-scores and a trivial checksum, not exploitable.

|-

| Rayman

| Player name

| No overflow, with a long string the game only displays one extra character.

|-

| Soul of Darkness

Line 211:

Line 215:

| Has ASCII player name for each of the 3 save slots. Game was crashed with an excessively long player name. The game has already been exploited through [[Sudokuhax]].

|-

| ~~Rayman~~

| Telegraph Sudoku & Kakuro

| ~~Player~~ name

| Profile name

| No overflow, with a ~~long string~~ the game ~~only displays one extra character~~.

| No overflow, the game slot acts as if things are normal, only gives you a lot of completion stars

|-

| The Legend of Zelda: Four Swords Anniversary

| Savedata filesize

| The game has 2 savefiles. When one savefile fails to load (larger than a usual savefile), the game loads the backup save and will continue load without any errors. That being said, one can crash the game with a larger game filesize to attack the heap and successfully overwrite the stack registers including the pointer counter. The game has already been exploited through [https://github.com/yellows8/dsi/tree/master/exploits/4swordshax 4swordshax].

|-

| UNO

| Profile names

| Has ASCII Player name each for of the 5 save slots. The game was crashed with a very large player name which overwritten the stack registers including the pointer counter. The game was successfully exploited which is known as [https://github.com/ChampionLeake/UNO-pwn UNO*pwn].

|-

| WordSearcher

| Player name & WordSearch Board

| Has ASCII strings (profile or slot names) and has plaintext crossword levels. No overflows with a large string nor a bigger crossword board resulting thus, not exploitable

|}

@@ Line 9: / Line 9: @@
 |-
 |  Incomplete
-|  20
+|  16
 |-
 |  Done
-|  18
+|  27
 |-
 |  DSiWare which probably aren't exploitable
@@ Line 72: / Line 72: @@
 |  None
 |  Has ASCII strings. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
-|-
-|  Crazy Sudoku
-|  Player name
-|  None
-|  Has ASCII strings for player name.
 |-
 |  Crystal Monsters
@@ Line 93: / Line 88: @@
 |  Has ASCII string but the checksum is unknown.
 |-
-|  Field Runners
+|  Jelly Car 2
-|  High-Scores
+|  High Score name
-|  Started
+|  None
-|  The xml .plist the game uses for storing savedata contains high-scores strings.
+|  Uses ASCII player name for time scores; It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
-|-
-|  Guitar Rock Tour
-|  High-Scores
-|  Started
-|  Has ASCII high-scores.
-|-
-|  Legends of Exidia
-|  Player name
-|  Started
-|  Has ASCII player name.
 |-
 |  Lets golf
@@ Line 127: / Line 112: @@
 |  None
 |  Has ASCII strings.
-|-
-|  UNO
-|  Player name and high-scores
-|  Started
-|  Has ASCII text. It's unlikely this can be exploited, seems to crash /w out-of-bounds array-index.
 |}
@@ Line 150: / Line 130: @@
 |  High-Scores
 |  Has ASCII high-scores with null terminated strings. string bugs only corrupted the display, making the game unplayable.
+|-
+|  Academy: Checkers
+|  Profile names
+|  Game didn't crash with a long profile string.
 |-
 |  Arcade Hoops Basketball
@@ Line 166: / Line 150: @@
 |  High-scores and word list
 |  Has ASCII null-terminated high-score list names and null-terminated word list strings.  ( No crash, just nice very high scores, and very long words displayed. )
+|-
+|  Crazy Sudoku
+|  Profile names/Data File
+|  The ASCII player name or the game data aren't exploitable. This game can still be crashed.
 |-
 |  Dark Void Zero
@@ Line 182: / Line 170: @@
 |  None
 |  Has high-scores without names, scores are ASCII null-terminated strings. Managed to semi-crash this, but system reset still worked so this probably isn't exploitable.
+|-
+|  Fieldrunners
+|  High-Scores
+|  The xml, ".plist", in the game is used for storing savadata which contains high-score strings. Using a very large string crashes the game leading it to stack buffer overflow. The game has already been exploited through [https://github.com/yellows8/dsi/tree/master/exploits/fieldrunhax fieldrunnerhax].
 |-
 |  Frogger Returns
 |  High-Scores
 |  Has ASCII high-scores. strcpys to a static buffer from savedata, unknown if this is exploitable but there's only <10KB free space available(way too low for a payload) so meh.
+|-
+|  Guitar Rock Tour
+|  High-Scores
+|  Has ASCII high-score strings stored in the savedata. Using a very long excessive string can crash the game to lead into a stack smash. This game was successfully exploited through [https://github.com/yellows8/dsi/tree/master/exploits/grtpwn grtpwn].
+|-
+|  Legends of Exidia
+|  Player name
+|  Has ASCII player name stored in the savadata. Using an extensive long string will cause a stack smash to saved registers and can eventually be exploited through [https://github.com/yellows8/dsi/tree/master/exploits/exidiahax exidiahax].
 |-
 |  Mario Calculator
@@ Line 202: / Line 202: @@
 |  High-scores
 |  Has English-only high-scores and a trivial checksum, not exploitable.
+|-
+|  Rayman
+|  Player name
+|  No overflow, with a long string the game only displays one extra character.
 |-
 |  Soul of Darkness
@@ Line 211: / Line 215: @@
 |  Has ASCII player name for each of the 3 save slots. Game was crashed with an excessively long player name. The game has already been exploited through [[Sudokuhax]].
 |-
-|  Rayman
+|  Telegraph Sudoku & Kakuro
-|  Player name
+|  Profile name
-|  No overflow, with a long string the game only displays one extra character.
+|  No overflow, the game slot acts as if things are normal, only gives you a lot of completion stars
+|-
+|  The Legend of Zelda: Four Swords Anniversary
+|  Savedata filesize
+|  The game has 2 savefiles. When one savefile fails to load (larger than a usual savefile), the game loads the backup save and will continue load without any errors. That being said, one can crash the game with a larger game filesize to attack the heap and successfully overwrite the stack registers including the pointer counter. The game has already been exploited through [https://github.com/yellows8/dsi/tree/master/exploits/4swordshax 4swordshax].
+|-
+|  UNO
+|  Profile names
+|  Has ASCII Player name each for of the 5 save slots. The game was crashed with a very large player name which overwritten the stack registers including the pointer counter. The game was successfully exploited which is known as [https://github.com/ChampionLeake/UNO-pwn UNO*pwn].
+|-
+|  WordSearcher
+|  Player name & WordSearch Board
+|  Has ASCII strings (profile or slot names) and has plaintext crossword levels. No overflows with a large string nor a bigger crossword board resulting thus, not exploitable
 |}