|Author(s)||Team Twiizers & Fullmetal5|
str2hax is an exploit for the EULA app in the Wii that doesn't require an SD card. (Exploits CVE-2009-0689)
str2hax requires a Wii with an internet connection to work. The payload may be hosted locally if you do not have access to internet. (See the building instructions in the str2hax repository)
Usage & Installation
- (OPTIONAL) If you would like to boot a payload from an SD card then simply format it as FAT32, place it the root of the SD card, and name it "boot.elf"
- Make sure you have an active internet connection on your Wii.
- Navigate to the settings menu on your Wii and select Internet then Connection Settings.
- Select the connection that you are currently using.
- Select Change settings and scroll to the right until you get to Auto-Obtain DNS.
- Select No then select Advanced Settings.
- Change the Primary DNS to 220.127.116.11 and the Secondary DNS to 18.104.22.168.
- Select Confirm and then Save and run the mandatory connection test.
- Back out to the Internet panel and choose User Agreements. Select Yes to the question about the Wii Shop Channel/WiiConnect24.
- You will be taken to a screen telling you to review the User Agreements for the Wii. Select Next.
- If you see a pony on screen telling you to wait then you have done everything correctly. The exploit takes 1-2 minutes (1:25 is usually how long mine takes), if it takes longer than 2 minutes then it probably failed. Just turn off your Wii and start again from step 9.
- Team Twiizers (Thank you guys for everything you've done for the Wii community. This wouldn't be possible without you.)
- The Dolphin developers.
- Maksymilian Arciemowicz (Vulnerability author)
How it works
The EULA app on the Wii is actually a webpage showing inside the UI. The webpage itself can be found at "http://cfh.wapp.wii.com/eula/XXX/YY.html" where XXX is your country code and YY is your language. When a webpage is loaded with a domain, the computer first checks with a special server called the DNS server to find the IP address of this domain. To perform this exploit, the user changes their DNS address to point to a special Str2hax server, which causes the cfh.wapp.wii.com domain to point to a Str2hax server, allowing a custom webpage to be displayed.
When a big integer of size 17 is allocated, the next area in memory is used, which happens to be another big integer of size 2. However, Opera still treats it as a size 17 big integer, and attempts to fill it. This leads to a buffer overflow, allowing the big integer after that to be overwritten. When the function using that is finished with it, it will attempt to free it, putting it back onto its linked list. Again, it does not check to see if that index is in bounds, which means if it is put out of bounds, a return address can be overwritten.
Unfortunately, this is not all. The return address gets changed to point at the big integer's struct, which means the Wii will begin executing the big integer as code. The first two elements of the struct are the next pointer and the size, so they are pretty limited. However, after that is a field for something else that can be controlled freely, so that third field is set to an instruction to jump to another area in the oversized buffer where more control is present. For the first two fields, there is a bit of control over the second one, but the first one is always whatever the return address used to be, so the return address overwritten must be a valid instruction, as well as the k size, and neither of these instructions can be a jump or branching instruction. Luckily, there is a return pointer that meets both of these criteria that gets reached pretty quickly after this processing, allowing code execution to be done, and for the SaveZelda loader to be run.