2
edits
Changes
Jump to navigation
Jump to search
Line 1,080:
Line 1,080: − + − + − + + + + + Line 1,095:
Line 1,099: − + − + + + − + Line 1,107:
Line 1,113: − +
Credited Kinnay for documenting everything NEX / PIA / LDN / ENL related
|}
|}
=== Enl ===
=== ENL ===
This section documents vulnerabilities for Enl. A framework used by Nintendo games including Mario Kart 8 Deluxe, Splatoon 2 / 3, Mario Maker 2
This section documents vulnerabilities for [https://github.com/kinnay/NintendoClients/wiki/ENL-Protocol ENL].
.
A framework used by Nintendo games including Mario Kart 8 Deluxe, Splatoon 2 / 3, Mario Maker 2, and more.
Fun fact, this library appears to re-use network code and concepts from older Nintendo titles such as Mario Kart 7 and some Wii multiplayer games.
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
|-
|-
| enl::TransportManager::updateReceiveBuffer_() nullptr deref
| enl::TransportManager::updateReceiveBuffer_() nullptr deref
| enl::TransportManager::updateReceiveBuffer_() is called when the ENL framework receives a PIA packet from a client, it will fully trust the ENL header which includes a "ContentTransporter" type (ID / Index) and a length.
| enl::TransportManager::updateReceiveBuffer_() is called when the ENL framework receives a PIA packet from a client, it will fully trust the ENL header which includes a "ContentTransporter" type (ID) and a length.
The function will try to fetch the content transporter by ID using <code>enl::TransportManager::getContentTransporter(unsigned char const &)</code>
The function will try to fetch the content transporter by ID using <code>enl::TransportManager::getContentTransporter(unsigned char const &)</code>, it returns NULL if there's no content transporter with the same ID
*NOTE: The function may be inlined
Then it will try to dereference the pointer to call a virtual method: <code>virtual size_t readyReceiveStream(enl::RamReadStream&, enl::Buffer*, size_t)</code>
Then it will try to call a virtual method: <code>virtual size_t readyReceiveStream(enl::RamReadStream&, enl::Buffer*, size_t)</code>, dereferencing the pointer to fetch the vtable ptr
[https://gist.github.com/Rambo6Glaz/c088e2ed7a12db08f6322e9f7a3c4911 Pseudocode of the function before it was fixed]
[https://gist.github.com/Rambo6Glaz/c088e2ed7a12db08f6322e9f7a3c4911 Pseudocode of the function before it was fixed]
| Early April 2022
| Early April 2022
| November 16, 2022
| November 16, 2022
| [[User:Rambo6Glaz|Rambo6Glaz]]
| [[User:Rambo6Glaz|Rambo6Glaz]], Kinnay (massive RE help)
|}
|}
There's another one more interesting but it will have to wait a bit :)
There's another one more interesting but it will have to wait a bit :)