I've been reading a lot into the Switch (even though I don't have one and probably won't for a while), and, after watching LiveOverflow's video, decided to get in on the action. I found a similar vulnerability to the one used in his video, allowing arbitrary code execution via shellcode. Here is the link to the writeup/source** for the vulnerability. So, in theory, this could work, but now all we need is some shellcode to make some magic.
After some searching, I found the Python program ARMSCGen, a shellcode generator for ARM, Thumb, and ARM64. Included in the source is a "bindshell" shellcode for ARM64 (the Switch's architecture). This means it will listen on a port for a connection and create a local shell for a remote user.
Now, in no sense is this going to be perfect. There could/will be multiple problems with it, and since I don't personally own a Switch, I can't test it on my own.
So what do you think? Could this work, or is it complete baloney? I'm not the best at this kind of stuff, so I could be wrong on some parts, but constructive criticism please!
Thanks!
**: This zip is at the bottom, but you need to have a Linux distro; copy everything from right before "begin" to right before "--[EOF" and save it to a file, then run 'uudecode -o output.zip < ./[your_created_file]'. You will need to install "sharutils" on your preferred distro.
EDIT: I have attached the files needed for the exploit, although this assumes there is an SH binary somewhere in the filesystem, which there may not be. In the future I may create something that implements SASH, but I would need some help. This is based on the shellcode created by alexpark07 in ARMSCGen, and CVE-2016-4622. Here's how to run it:
REQUIREMENTS:
- A Linux distro
- gcc-aarch64-elf
- Python 2.7
- A web server (like Apache httpd)
- gnu-netcat
- A basic knowledge of Linux/Unix commands.
- A Switch (duh)
First, go to the terminal, cd to the files, and run "shellcode.py" with the Python interpreter. Here are the arguments you will need to enter (respectively):
- Port -- Enter a port number to bind the shell to. This is required.
- SH/Bash Location -- Enter the path to the SH/Bash binary. This is not required, and the default is /bin/sh.
Keep in mind, you will probably have to try a couple of options for the SH/Bash Location argument, since it is not confirmed whether it's actually in the Switch filesystem, and if it is, where. This will print out only the assembly for the shellcode, so you can redirect the output to a file with
Code:
> shellcode.asm
at the end of the command.
Next, run
Code:
aarch64-elf-as [your file from shellcode.py] -o [output]
to get an object file.
Now we can run a special command that will format an objdump output for easy use in JavaScript:
Code:
for i in `aarch64-elf-objdump -d [your output from the assembler] | tr '\t' ' ' | tr ' ' '\n' | egrep '^[0-9a-f]{2}$' ` ; do echo -n "0x$i, " ; done > shellcode_final.txt
NOTE: If you get an invalid hex character (such as 0xse) in your output, DELETE IT AND EVERYTHING AFTER! This comes from a bug in my code that will confuse as/objdump because I had to add an extra line at the end of the shellcode to format it correctly for Python. Here is a regular objdump to explain this.
Now that you have your final shellcode, copy it and paste it into the SHELLCODE array in pwn.html (near the bottom). I already have a premade shellcode there for port 31337 and /bin/sh.
Next, place all the .html and .js files into the root of your web server, and configure your DNS settings on the Switch to redirect you to your pwn.html file (Not sure how to do this; if anyone could shed some light on it I would greatly appreciate it).
And that's it! If all went as it should, you should be able to connect to your Switch via a netcat session (google it, I'm too tired to write more).
Post your results here! Again, I don't actually have a Switch yet so I can't test it out, so I'm relying on you guys to help me.
I'll edit this further in the future, when I have more information.
EDIT2: I've updated the zip file in the attachments with a new "version." This one implements a "sash" executable, included in the zip, which you will have to put on the SD card root.
The previous edit now does not apply, as I've already inserted the shellcode into "pwn.html". Now all you need to do is put the .html and .js files on a web server, on any OS, and then after navigating to those files on your Switch, open a connection with netcat to the Switch's IP address on port 1337.
If all goes as it should, you will have a "real" shell on the Switch. Do whatever you want with it.
Post your results here, and have a good day!
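The footnote in the post above tells readers to cut the uuencoded attachment out of the post text and feed it to uudecode. As an added example, not part of the original post or of ARMSCGen, the following Python does the same job without sharutils: it finds the block between the "begin" header and the "end" trailer, decodes it with the standard library's binascii.a2b_uu, and returns the file name from the header together with the raw bytes. The sample post text and the PAYLOAD it carries are constructed here (a fake archive that only shares the PK\x03\x04 zip signature); uuencode_bytes exists so the sample can be built offline and is not something the post describes. Lines are encoded with backtick=True, so zero bits become '`' rather than spaces and forum software that strips trailing whitespace cannot corrupt the block.

```python
import binascii
import re

# Added example (not from the original post): extract and decode a uuencoded
# attachment pasted into forum text. All sample data below is constructed.


def uuencode_bytes(data: bytes, name: str = "output.zip", mode: int = 0o644) -> str:
    """Produce the text form a uuencoded file has when pasted into a post (hypothetical helper)."""
    lines = [f"begin {mode:o} {name}"]
    for i in range(0, len(data), 45):  # uuencode packs 45 input bytes per line
        # backtick=True encodes zero bits as '`' instead of ' ', so trailing
        # whitespace stripped by forum software cannot damage the block
        encoded = binascii.b2a_uu(data[i:i + 45], backtick=True)
        lines.append(encoded.decode("ascii").rstrip("\n"))
    lines.append("`")  # a zero-length data line terminates the data
    lines.append("end")
    return "\n".join(lines) + "\n"


def extract_uu_block(post_text: str) -> list:
    """Return the lines from the 'begin ...' header through the 'end' trailer."""
    lines = post_text.splitlines()
    start = next((i for i, ln in enumerate(lines) if ln.startswith("begin ")), None)
    if start is None:
        raise ValueError("no 'begin' line found in post text")
    end = next((i for i in range(start + 1, len(lines)) if lines[i].strip() == "end"), None)
    if end is None:
        raise ValueError("no 'end' line found after 'begin'")
    return lines[start:end + 1]


def uudecode_lines(lines: list) -> tuple:
    """Decode a uuencoded block; returns (file name from the header, raw bytes)."""
    header = re.match(r"begin ([0-7]{3,4}) (.+)$", lines[0])
    if header is None:
        raise ValueError(f"malformed header: {lines[0]!r}")
    name = header.group(2)
    out = bytearray()
    for ln in lines[1:]:
        if ln.strip() == "end":
            break
        chunk = binascii.a2b_uu(ln)  # raises binascii.Error on a corrupted line
        if not chunk:  # the '`' terminator line decodes to nothing
            break
        out += chunk
    return name, bytes(out)


def decode_attachment(post_text: str) -> tuple:
    """Full pipeline: locate the block in post text and decode it."""
    return uudecode_lines(extract_uu_block(post_text))


# Constructed sample: a fake archive (only the zip signature is real) wrapped in
# post text, with the "--[EOF" marker the original post says follows the block.
PAYLOAD = b"PK\x03\x04" + bytes(range(256)) * 2
POST_TEXT = (
    "Here is the zip, uuencoded. Copy from 'begin' to just before '--[EOF':\n\n"
    + uuencode_bytes(PAYLOAD)
    + "--[EOF\n\nPost your results here!\n"
)

if __name__ == "__main__":
    name, data = decode_attachment(POST_TEXT)
    print(name, len(data), "bytes, signature", data[:4])
```

The decoder stops at the first zero-length data line, which is what uudecode does too, so anything after the block (the "--[EOF" marker, the rest of the post) never reaches the decoder. Checking the decoded file's signature (PK\x03\x04 for a zip) before extracting it is a cheap way to confirm the copy-and-paste did not lose or alter lines.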
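The post's objdump one-liner turns a disassembly listing into the "0x.., 0x.." list that goes into a JavaScript array. As an added example, not code from the original post or from ARMSCGen, here is a small Python parser that does that conversion from the hex column of `objdump -d` output only, so tokens from the mnemonic or operand columns can never slip in, and that raises on any non-hex token instead of emitting it (the "invalid hex character" situation the post's NOTE warns about). It also converts in the other direction, so an array found in a page can be turned back into bytes and compared against a known binary. AArch64 objdump prints each 32-bit instruction as one eight-digit word, most significant byte first, while the bytes in memory are little-endian; the parser handles both that form and byte-wise listings. SAMPLE_LISTING is constructed and contains only harmless instructions (mov x0, #0x0; nop; ret).

```python
import re

# Added example (not from the original post): parse `objdump -d` output into raw
# instruction bytes and render/parse the JavaScript-style byte list. Constructed data.

# objdump -d code lines are tab separated: "   addr:\t<hex column> \t<mnemonic>\t<operands>"
_ADDR_RE = re.compile(r"^\s*[0-9a-f]+:$")
_HEX_RE = re.compile(r"^[0-9a-f]+$")


def objdump_to_bytes(listing: str) -> bytes:
    """Return the bytes encoded by a disassembly listing, in memory order."""
    out = bytearray()
    for lineno, line in enumerate(listing.splitlines(), 1):
        parts = line.split("\t")
        if len(parts) < 2 or not _ADDR_RE.match(parts[0]):
            continue  # file header, section names, symbol labels, blank lines
        for tok in parts[1].split():
            if not _HEX_RE.match(tok) or len(tok) % 2:
                # refuse rather than pass a bad token through into the array
                raise ValueError(f"line {lineno}: non-hex token {tok!r} in code column")
            if len(tok) == 8:
                # AArch64 objdump prints one 32-bit word per instruction; the
                # bytes as stored in memory are little-endian
                out += int(tok, 16).to_bytes(4, "little")
            else:
                out += bytes.fromhex(tok)  # byte-wise listings (x86-style output)
    return bytes(out)


def bytes_to_js_array(data: bytes) -> str:
    """Render bytes as the comma-separated hex list used in a JS array literal."""
    return ", ".join(f"0x{b:02x}" for b in data)


def js_array_to_bytes(text: str) -> bytes:
    """Reverse direction: pull 0x.. byte literals out of JS source text."""
    return bytes(int(t, 16) for t in re.findall(r"0x([0-9a-fA-F]{1,2})", text))


# Constructed listing in the layout binutils objdump uses for AArch64 ELF objects.
SAMPLE_LISTING = """\
output.o:     file format elf64-littleaarch64


Disassembly of section .text:

0000000000000000 <_start>:
   0:\td2800000 \tmov\tx0, #0x0
   4:\td503201f \tnop
   8:\td65f03c0 \tret
"""

if __name__ == "__main__":
    code = objdump_to_bytes(SAMPLE_LISTING)
    print(code.hex())                 # 000080d21f2003d5c0035fd6
    print(bytes_to_js_array(code))    # 0x00, 0x00, 0x80, 0xd2, ...
```

Because the parser only reads the column between the address and the mnemonic, register names, immediates and comments in the operand column are never mistaken for bytes, and a listing with an unexpected token fails loudly with its line number instead of producing a truncated or corrupted array.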
Attachments
Last edited by ZiggyDeer,