Changes

367 bytes added, 09:23, 21 November 2022
Credited Kinnay for documenting everything NEX / PIA / LDN / ENL related
Line 1,080: Line 1,080:  
|}
 
|}
   −
=== Enl ===
+
=== ENL ===
This section documents vulnerabilities for Enl. A framework used by Nintendo games including Mario Kart 8 Deluxe, Splatoon 2 / 3, Mario Maker 2
+
This section documents vulnerabilities for [https://github.com/kinnay/NintendoClients/wiki/ENL-Protocol ENL].
.
+
A framework used by Nintendo games including Mario Kart 8 Deluxe, Splatoon 2 / 3, Mario Maker 2, and more.
 +
 
 +
Fun fact, this library appears to re-use network code and concepts from older Nintendo titles such as Mario Kart 7 and some Wii multiplayer games.
 +
 
 +
 
 
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
 
|-
 
|-
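Review bot: The added line "A framework used by Nintendo games including Mario Kart 8 Deluxe, Splatoon 2 / 3, Mario Maker 2, and more." is a sentence fragment now that the ENL link sentence ends before it; start it with "ENL is a framework used by ..." or fold it back into the preceding sentence. The "Fun fact" line claims code reuse from Mario Kart 7 and Wii multiplayer titles without a source; a reference next to it, like the link already added for the ENL protocol page, would let readers check the claim.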
Line 1,095: Line 1,099:  
|-
 
|-
 
| enl::TransportManager::updateReceiveBuffer_() nullptr deref
 
| enl::TransportManager::updateReceiveBuffer_() nullptr deref
| enl::TransportManager::updateReceiveBuffer_() is called when the ENL framework receives a PIA packet from a client, it will fully trust the ENL header which includes a "ContentTransporter" type (ID / Index) and a length.
+
| enl::TransportManager::updateReceiveBuffer_() is called when the ENL framework receives a PIA packet from a client, it will fully trust the ENL header which includes a "ContentTransporter" type (ID) and a length.
The function will try to fetch the content transporter by ID using <code>enl::TransportManager::getContentTransporter(unsigned char const &)</code>
+
The function will try to fetch the content transporter by ID using <code>enl::TransportManager::getContentTransporter(unsigned char const &)</code>, it returns NULL if there's no content transporter with the same ID
 +
 
 +
*NOTE: The function may be inlined
   −
Then it will try to dereference the pointer to call a virtual method: <code>virtual size_t readyReceiveStream(enl::RamReadStream&, enl::Buffer*, size_t)</code>
+
Then it will try to call a virtual method: <code>virtual size_t readyReceiveStream(enl::RamReadStream&, enl::Buffer*, size_t)</code>, dereferencing the pointer to fetch the vtable ptr
    
[https://gist.github.com/Rambo6Glaz/c088e2ed7a12db08f6322e9f7a3c4911 Pseudocode of the function before it was fixed]
 
[https://gist.github.com/Rambo6Glaz/c088e2ed7a12db08f6322e9f7a3c4911 Pseudocode of the function before it was fixed]
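Review bot: The added "*NOTE: The function may be inlined" line does not say which function it means, and an asterisk at the start of a wikitext line renders as a bullet item; name the function (presumably getContentTransporter) and use plain or italic text instead. The description also never states outright that the pointer returned for an unknown ID is used without a NULL check before the readyReceiveStream call, which is the defect the row title names; one sentence saying so would make the row readable without opening the linked pseudocode. The two rewritten sentences are comma splices ("..., it returns NULL ..." and "..., dereferencing the pointer ...") and read better split in two, and "NULL" versus "nullptr" in the row title should be made consistent.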
Line 1,107: Line 1,113:  
| Early April 2022
 
| Early April 2022
 
| November 16, 2022
 
| November 16, 2022
| [[User:Rambo6Glaz|Rambo6Glaz]]
+
| [[User:Rambo6Glaz|Rambo6Glaz]], Kinnay (massive RE help)
 
|}
 
|}
    
There's another one more interesting but it will have to wait a bit :)
 
There's another one more interesting but it will have to wait a bit :)
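Review bot: In the credit cell, Rambo6Glaz is a [[User:...]] link while "Kinnay (massive RE help)" is plain text; link Kinnay as well so the credit is traceable, in the same way the ENL section now links the kinnay/NintendoClients wiki. The edit summary credits Kinnay for documenting NEX / PIA / LDN / ENL, whereas the cell says "massive RE help"; use one wording so the attribution is consistent.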