People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!
Buffer Overflow in Super Mario Maker level decompression- 479
The Nintendo 3DS is a handheld gaming platform several generations after the GameBoy. Streetpass is a feature that allows passive, short-range communication between Nintendo 3DS systems carried by users in close proximity, commonly used to exchange data such as Miis.
When a Super Mario Maker level is sent over Streetpass, the level data is compressed. The receive buffer is 0x18000 bytes, which is also the maximum size that it will receive. Because of this, the developers did not consider a bounds check on the decompression to be necessary. They thought wrong!
The decompressed data is written directly AFTER the compressed data, in the same buffer, and the parser keeps going until it runs out of input! Once it has consumed the original compressed bytes, it continues straight into the output it just produced, treating already decompressed data as more compressed input, so the output runs off the end of the buffer and overflows the heap.
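To make the failure mode concrete, here is an added example (my own code, not from the original write-up and not Nintendo's decompressor) that models the bug with a toy LZ-style format I invented for the purpose. The buffer is scaled down from 0x18000 to 32 bytes with 16 bytes of "adjacent heap" after it; the compressed bytes sit at the start of the buffer and the output is written right after them. The vulnerable decoder stops only when its input cursor reaches the end of the buffer and never checks its output cursor; the hardened one stops at the end of the compressed data and checks every write and every back-reference. The crafted packet is constructed: its two decompressed bytes, re-read as input, decode as a 65-byte back-reference that marches straight through the guard region.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Scaled-down model of the receive buffer (the real one is 0x18000 bytes) followed by
 * GUARD bytes standing in for whatever heap memory happens to sit after it. */
#define ARENA 32
#define GUARD 16
#define TOTAL (ARENA + GUARD)

/* Toy stream format, invented for this example (NOT the game's real format):
 *   c < 0x80      : literal run, copy the next (c + 1) input bytes to the output
 *   c >= 0x80, d  : back-reference, copy ((c & 0x7F) + 2) bytes from (out - d), d = 1..255
 * Compressed bytes occupy mem[0 .. comp_len) and output is written from mem[comp_len]
 * onward, i.e. directly after the compressed section. */

/* Constructed packets: the crafted one decompresses to {0xBF, 0x01}, which the buggy
 * loop then re-reads as "copy 65 bytes from distance 1". */
static const uint8_t crafted_packet[] = { 0x01, 0xBF, 0x01 };
static const uint8_t benign_packet[]  = { 0x02, 'a', 'b', 'c', 0x83, 0x03 }; /* -> "abcabcab" */

static void load_packet(uint8_t *mem, const uint8_t *pkt, size_t len)
{
    memset(mem, 0x00, ARENA);
    memset(mem + ARENA, 0xAA, GUARD);   /* canary pattern for the "adjacent heap" */
    memcpy(mem, pkt, len);
}

static int guard_intact(const uint8_t *mem)
{
    for (size_t i = ARENA; i < TOTAL; i++)
        if (mem[i] != 0xAA) return 0;
    return 1;
}

/* Output write for the vulnerable decoder: nothing stops it at ARENA, so it writes into
 * the guard region.  The clip at TOTAL exists only to keep this demo memory-safe; it
 * counts every byte that would have landed past the buffer. */
static void emit(uint8_t *mem, size_t *out, size_t *overflow, uint8_t b)
{
    if (*out >= ARENA) (*overflow)++;
    if (*out < TOTAL) mem[*out] = b;
    (*out)++;
}

/* Vulnerable decoder.  The loop runs until the INPUT cursor reaches the end of the
 * buffer rather than the end of the compressed data, so after comp_len it consumes the
 * bytes it just decompressed as if they were more input, and the output cursor is never
 * checked.  Returns the number of bytes written past ARENA. */
static size_t decompress_vuln(uint8_t *mem, size_t comp_len)
{
    size_t in = 0, out = comp_len, overflow = 0;
    while (in < ARENA) {                        /* "until there is no more data" */
        uint8_t c = mem[in++];
        if (c < 0x80) {
            size_t n = (size_t)c + 1;
            while (n-- && in < ARENA)           /* literal run */
                emit(mem, &out, &overflow, mem[in++]);
        } else {
            size_t n = (size_t)(c & 0x7F) + 2;  /* back-reference */
            if (in >= ARENA) break;
            uint8_t d = mem[in++];
            while (n--) {
                uint8_t b = (out >= d && out - d < TOTAL) ? mem[out - d] : 0;
                emit(mem, &out, &overflow, b);
            }
        }
    }
    return overflow;
}

/* Hardened decoder: input stops at comp_len, every write is checked against the buffer
 * end, and every back-reference must point into output already produced.  Returns the
 * decompressed length, or -1 for a malformed packet (which should simply be dropped). */
static long decompress_safe(uint8_t *mem, size_t comp_len)
{
    if (comp_len > ARENA) return -1;
    size_t in = 0, out = comp_len;
    while (in < comp_len) {
        uint8_t c = mem[in++];
        if (c < 0x80) {
            size_t n = (size_t)c + 1;
            if (n > comp_len - in) return -1;   /* literal run longer than remaining input */
            if (n > ARENA - out) return -1;     /* would write past the buffer */
            memcpy(mem + out, mem + in, n);     /* input and output never overlap here */
            in += n; out += n;
        } else {
            size_t n = (size_t)(c & 0x7F) + 2;
            if (in >= comp_len) return -1;      /* missing distance byte */
            uint8_t d = mem[in++];
            if (d == 0 || d > out - comp_len) return -1; /* must point into produced output */
            if (n > ARENA - out) return -1;
            for (size_t i = 0; i < n; i++, out++) /* byte-wise: overlapping copy is intended */
                mem[out] = mem[out - d];
        }
    }
    return (long)(out - comp_len);
}

int main(void)
{
    uint8_t mem[TOTAL];
    load_packet(mem, crafted_packet, sizeof crafted_packet);
    size_t spilled = decompress_vuln(mem, sizeof crafted_packet);
    printf("vulnerable: %zu bytes written past the buffer, guard %s\n",
           spilled, guard_intact(mem) ? "intact" : "CLOBBERED");
    load_packet(mem, crafted_packet, sizeof crafted_packet);
    long n = decompress_safe(mem, sizeof crafted_packet);
    printf("hardened: %ld bytes decompressed, guard %s\n", n, guard_intact(mem) ? "intact" : "CLOBBERED");
    load_packet(mem, benign_packet, sizeof benign_packet);
    n = decompress_safe(mem, sizeof benign_packet);
    printf("hardened, benign packet: %ld bytes: %.*s\n", n, (int)n, (const char *)(mem + sizeof benign_packet));
    return 0;
}
```

Note that the hardened decoder does not need to know anything about the sender: the two facts that matter are the length of the compressed section (so the loop cannot wander into its own output) and the remaining room in the buffer before each write. A three-byte packet is enough to take the vulnerable version past the end of the buffer, which is why "the input can never be bigger than the buffer" is not a substitute for checking the output.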
The 3DS does not have ASLR enabled, and there appear to be function pointers on the heap. So, it is trivial to turn this buffer overflow into code execution via a specially crafted packet.
This can be done in a drive-by fashion, sort of like Bluetooth-level attacks. Although, what is there to gain from compromising a kid's 3DS!? Interesting find that reminded me of the Pokewalker hack as well.